France’s privacy regulator, the CNIL, has rejected Google’s request that the “right to be forgotten” ruling remain restricted to its European domain names rather than applying to all Google websites worldwide.
The decision requires Google to close a loophole that enabled searchers to defeat a judgment by the Court of Justice of the European Union (CJEU) last year: Google removed results from more localised sites such as google.fr and google.co.uk, but continued to display disputed links on google.com. The French regulator stated that Google’s various domain names were just “different paths to the same processing operation”, making it easy for users to circumvent the block.
As we widely reported in our blogs in May 2014, the CJEU recognised the right to be forgotten, allowing people to ask search engines not to display certain links in the results of a search on their name.
The upshot of the original Spanish ruling was not to erase the original searches, but to make them far harder to find. The desire and drive for data privacy was duly thrown into conflict with the arguments for freedom of speech and public interest.
It’s essentially one of the inevitabilities for society when citizens have such an incredibly powerful search tool at their fingertips, one which today’s younger generation greedily takes for granted. It was only a generation ago, in the pre-Google days before 1998, that people had to resort to books and library articles and comb paper archives to get the information they wanted. Technology now moves at such a lightning pace that we must always be mindful of its downsides and fully maintain our corporate responsibilities surrounding data privacy, or pay the heavy penalties.
For a business, a privacy breach might prompt a penalty of up to 5% of its global profits; however, in the EU regulation ring, there is a seemingly weak thrust from the particular CNIL sword. After four months, the French national threat is limited to “discussing appointing someone to report to its sanctions committee with a view of obtaining a ruling on this matter”.
With 500 million EU citizens, there is a mess of different legal regimes, making it hard for European businesses to work with. This is what the new EU Data Protection Regulations hope to cure, if the EU stakeholders can agree the text. It would certainly be a stimulant to Google if it knew it had one Euro privacy regulator to deal with and 5% of its turnover at stake if it broke the rules. It seems a long way off, but organisations should consider data security and data protection as amongst their highest priorities looking ahead.