A Blog by Jonathan Low


Apr 20, 2016

Even As Pressure on Google Intensifies, Europe's Assault May Have Backfired

Even as they continue to attack what they perceive to be Google's digital hegemony, officials in Europe find themselves ever more dependent on the company because it is the only entity with the capacity to execute their privacy-focused initiatives. JL

Mark Scott reports in the New York Times:

Muted official response (to Google) — from both European regulators and politicians — is partly because agencies lack the financial, technical and human resources to handle the substantial influx of “right to be forgotten” requests.
Google is a top target for European regulators and privacy watchdogs, who openly fear and distrust its dominance. The American tech giant’s search engine alone gobbles up roughly 90 percent of the European market.
But a landmark court ruling intended to rein in Google has instead put it at the forefront of Europe’s enforcement of Internet privacy. That has upended conventional wisdom about the company and raised questions about the role of commercial interests in protecting people’s privacy, often with little or no transparency.
In the almost two years since Europeans gained the “right to be forgotten” on the Internet, Google has passed judgment in over 418,000 cases — roughly 572 a day — from people wanting links of certain search results to be removed, according to the company's records. It has approved fewer than half of those requests, all behind closed doors.
Google’s total number of privacy-related judgments is double those of most of Europe’s biggest individual national authorities over the same period, even though these public agencies address a wider range of data protection complaints.
Despite a history of animosity toward the company, national regulators have handed over the review powers to Google with few complaints, saying they are merely following Europe’s complex data protection rules. Other search companies, including Microsoft, have been given the same authority, though their number of judgments pales by comparison.
Some consumer groups and privacy experts are not satisfied with that arrangement. They have sounded alarm bells over a for-profit company — one that relies on tapping into people’s digital lives to make billions of dollars and that is the subject of multiple privacy and antitrust investigations — playing such a central role in protecting individuals’ data, and doing so in such a secretive manner.
Google has not responded to requests, including an open letter last year from primarily European and American academics, to explain how its review process works. And since 2014, when “right to be forgotten” was enshrined, the company has declined to give any journalists access to its team of fewer than 50 employees — mostly lawyers and paralegals based at its Dublin offices — who review the demands. Google also did not respond to questions for this article about the decision process.
“It’s a half-baked solution,” said Luciano Floridi, a University of Oxford professor who previously sat on an advisory council to help Google handle its role as a de facto privacy regulator. “If Europe really wanted to regain control over personal data, giving Google this type of power is an odd outcome.”
Less than 1 percent of Google’s decisions are appealed to Europe’s privacy authorities, according to the regulators’ statistics, and those authorities said they generally ruled in the company’s favor.
But several individuals who sent requests to Google told The New York Times that the lack of detail over how these decisions were made left them frustrated and, in some cases, angry that a company adjudicated on such delicate matters. These people spoke on the condition of anonymity because they did not want to publicize their own privacy cases.
“If governments were handling ‘right to be forgotten,’ they would have to publish data,” said Martin Husovec, a professor at the Tilburg Institute for Law, Technology, and Society in the Netherlands, and a signatory of the open letter to Google. “But with Google, we can’t see what’s happening behind the company’s closed doors.”
After Europe’s highest court ruled in May 2014 that people with connections to the Continent could ask search engines like Google and Microsoft’s Bing to remove links about themselves from online search results, the companies were handed the power to decide which of these requests were legitimate. Citing European privacy rules, the European Court of Justice mandated that search engines, and not a public body, should be the first port of call for the decisions. Europe’s top court did not require that companies make their decision-making process open to public scrutiny.
People’s privacy requests must relate to online information, like personal circumstances or a past criminal conviction, that is no longer relevant or not in the public interest, definitions that privacy lawyers say are inherently fuzzy.
Thus far, that has mostly involved people demanding mundane information like phone numbers or addresses be removed from links to online directories (the largest collective group of sites affected). Individuals have also requested that links to references about themselves on social media, including Facebook, be taken down.
In some cases, however, newspaper articles, including one in The Times covering somewhat questionable business practices, have been removed from European search results. Elsewhere, a Romanian website that publishes court proceedings has been hit with complaints.
People requesting the removal of links must submit an online form, attaching an official ID.
Though Google would not comment publicly about the review process, two company executives gave some detail on how decisions were made. They spoke to The Times on the condition they not be named.
Typically, requests are sent to Google’s legal team. Straightforward rulings, like those that involve a public figure who cannot legally apply for links to be removed, are handled by junior staff members. Tougher decisions are referred to senior lawyers who must weigh an individual’s privacy against the public’s right to information, the company officials said.
When Google’s team accepts a request, it informs an individual that the privacy demand has been successful, while also notifying the website that links to certain European search results have been removed. The website cannot appeal the decision. If Google refuses the request, the company must tell an individual that the decision can be appealed, but does not specifically explain why the submission failed.
Some European officials remain wary of handing Google the power to make privacy decisions, though they declined to comment publicly on the court-mandated privacy process. But regulators acknowledge that the company’s system — which has so far dealt with removal requests for 1.4 million links — has proved surprisingly straightforward. Some officials also remain satisfied that Google makes these initial privacy rulings despite a lack of openness over how decisions are made.
“When it comes to appeals, we agree with Google most of the time,” said Mathias Moulin, a deputy director at the Commission National de l’Informatique et des Libertés, the French privacy authority.
This muted official response — from both European regulators and politicians — is partly because agencies lack the financial, technical and human resources to handle the substantial influx of “right to be forgotten” requests, according to regulatory officials and legal experts.
Still, for privacy campaigners and some regulators, Google’s regulatory track record remains outweighed by Europe’s effectively handing the policing of one of its fundamental rights to a for-profit company.
“Is Google the right entity to have such power over these decisions?” said Johannes Caspar, supervisor at the Hamburg data protection authority, the primary regulator in Germany that oversees American tech companies such as Alphabet, the parent company of Google, and Facebook. “We have to live by European law, and that says Google must decide.”


Post a Comment