30 Nov 2020
Taking on a tech giant like Google requires preparation and hard evidence, particularly when the target for legal challenge is the jewel in its crown – the Google search engine. A recent ruling made against Google shows European nations are taking preparation seriously and WYNG Fellow in Law, Trinity Hall, Dr David Erdos has been assisting them through his research into the company’s notification practices when deindexing material under the ‘right to be forgotten’.
Dr Erdos’ work analysing how Google’s practices undermined an individual’s right to deindexing was cited in submissions the Swedish Data Protection Authority made to the Swedish Administrative Court.
This sought to ensure that Google was prevented from continuing with its nonconfidential disclosures to websites.
On Monday, 23 November this court upheld the regulator including in its imposition of a SEK50 million fine (approximately €5M) on Google for its previous practices. It gave Google eight weeks to change its ways.
Google’s deindexing webform was also found to be misleading and incomplete and, partly as a result of this design but also due to the narrow manner in which it analysed the data received, it was also found to have failed to act promptly to deindex all relevant material in one of the specific cases put before the court. The latter violations, however, attracted a smaller penalty than that suggested by the data regulator of just SEK2M.
Dr Erdos, said: “It’s great to have my work used by the Swedish Data Protection Authority in its claim that unsafeguarded webmaster notification is incompatible with de-indexing rights under GDPR and also that Google must take greater care and responsibility when responding to right to be forgotten claims.”
“At the moment Google alerts webmasters to the fact it is de-indexing material, going so far as to supply the URL of the page without any confidentiality guarantees. These disclosures readily identify individuals who can consequently find this material republished precisely at the time when Google itself has found that they have a right to benefit from greater obscurity.”
“Such practices can exert a wider chilling effect on de-indexing as those who have every right to claim this may fear that in doing so their actions could lead to greater rather than lesser publicity of what can often be old, yet impactful, personal data – the precise opposite of what the de-indexing right is designed to achieve.”
“Whilst Google is almost certain to appeal this judgment, it is still a great first step in ensuring that individuals’ data rights are effective online.”
The GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Google’s practices have come under scrutiny following a landmark case in Spain which ruled citizens had a right to require that search firms, such as Google, that gather information for profit should remove links to personal data when asked, provided this indexing is found to be in breach of the fairness, adequacy, non-excessiveness or other core safeguards established for individuals under European data protection .
Dr Erdos’ research article on this topic was published in the September 2020 edition of Computer Law and Security Review and the working paper can be seen on SSRN’s eLibrary. A series of slides detailing its main arguments can be found on Slide Share. He has also penned a wider submission on the regulation of search engine indexing for the European Data Protection Board which can be viewed on the Board’s website.
The original Swedish courts news piece is available on their webpages (NB: the piece is in Swedish).
Dr David Erdos is Deputy Director of the Centre for Intellectual Property and Information Law (CIPIL), University of Cambridge.
Main image: Culture of Shock (Truthout.org)