Google ECJ case: No commish, it means we don't need right-to-be-forgotten rewrite Brussels' Justice Commissioner Viviane Reding claimed that today's EU Court of Justice's landmark search engine case, which stunned Google, served as a "strong tailwind" for her draft rewrite of the 28-member state bloc's 19-year-old data protection rules. But is she being a little optimistic? As I noted earlier today, the …
"Reding argued, following the judgment:
The data belongs to the individual, not to the company. And unless there is a good reason to retain this data, an individual should be empowered by law to request erasure of this data."
So, if a Mr. X does something to me, and I blog about it, I don't own my account of what happened - Mr. X can demand that it be removed from search engines, etc? It sounds like a form of government enforced censorship.
If you identify him by name and don't get a waiver from him, yes he can.
Certified press is different, I believe.
But a normal person or business cannot give out any personally identifiable information about a third party (name, address, telephone number, email address etc.) without that third parties explicit permission.
Heck there are even strict rules on what you can do with PII within your own 4 walls - you can't for example plough through your CRM database and extract all the email addresses and put them in your own newsletter feed, they have to opt in to that; that isn't Data Protection directly, but is loosly related and falls into the purview of a company's Data Protection Officer.
For example, PII has to be restricted within a company that only those that need to see the information to perform their job can access that information; no other employee is allowed to see that data - for example testing changes to your internal CRM database, the developer cannot see live data, all test data must be anonymised first. And "doing their job" is also strictly controlled under the DPA, a customer service rep, for example, cannot see into your last invoice when you call them, unless you first give them permission - Telekom / T-Mobile in Germany won't even let them look at the data then, you can't tell them over the phone that they can look at it, you have to send them a copy of the invoice!
@big_D: are you claiming that, in Germany, a private individual, cannot send a letter (envelope contains PII by your definition) to someone who has not expressly said they wish to receive it? Or that someone cannot send out a group email to members of a club they all belong to unless it is channelled through one of the committee who holds a list of approved addresses? What about contacting someone I briefly met at a conference who I look up and then call, write to or email?
Based on work I have done regarding the Data Protection Directive and its implementation throughout the EU, it seems to me that the rules you are working to are significantly over-the-top. The DPD does not require anything close to what you have described, and it is hard to see how those rules are even close to workable.
As a private individual, it isn't as strict, privately, but at work or in a club, yes. If the member of a club hasn't given permission, then no, you can't send him a newletter type mail. If they have given you their email address, you can converse with them.
Electronically you cannot give out their personal details without their permission - in business or club etc. Likewise a company cannot sell on the data to another entity without permission. As I said above, you can't even use the details internally to add them to a mailing list.
Within the company you must ensure that the data is kept on a need to know basis. If the PII doesn't belong to the job function, you don't get to see it. This is why things like invoices aren't available to support desk workers etc.The same goes for financial information about customers etc.
I am not one to say what is specific by law in Germany as you did not state that what you were quoting was specific to Germany and I am not inclined to look up German Law but stating the DPA on The Register you would expect it would apply to the UK Data Protection Act which makes your points definitely not apply under UK Data Protection Laws.
For instance in the UK you are quite welcome to e-mail your CRM databases your newsletter if they have a relationship with you, without their explicit permission. You are not allowed to buy in databases from elsewhere for potential leads for non-business individuals unless they have given consent though.
You can also identify someone by name quite readily without "a waiver" under many circumstances and use personally identifiable information without a waiver. For instance if someone sent in a letter of recommendation saying how great your company was, you could pin it up on your wall in the reception without needing to ask explicit permission. It would be polite to ask but not necessary by law.
"The data belongs to the individual, not to the company."
In the case against Google, the data was a newspaper report (belonging to the Spanish newspaper) of a court case in Spain and is therefore a matter of public record throughout the EU. There is some very woolly thinking and strange arguments being bandied around in this area.
The 'right to be forgotten' should be about personal photographs and early attempts at poetry, not court cases that you now find embarassing.
In English Law (I don't know about Scotland) there is the concept of the "spent conviction". After sufficient time a conviction ceases to be on public record.
It might still have been in a newspaper report. lost in microfilm records in a local archive or the newspaper office, but getting from you to the record is hard.
Now newspapers are being digitised, and you can read a newspaper in Australia over the internet. And then you find a story of the vicar in the village where your father grew up.
Maybe some Australian is reading about my father's one conviction, some fifty years ago. He'll find mention of a right troublesome family, who had a Council House within fifty yards of the local Police Constable.
It doesn't matter to me. It might matter to one of the other people mention by name in a newspaper report. But how can there be any controls if they do not apply to Google and their like?
Or should I have left the text, garbled by OCR of old newsprint. I and my father knew and remembered enough to clean it up. My father is dead now. but should I have let his stories die with him?
But what do I want to see published about me? And if Google can spew my life over the world, lets see all the tales of what those Bullindon laddies were doing.
I visited Oxford occasionally in those days. And friends said I was good at looming.
I think I might have done more than loom if I had run into that mob.
The thing is that newspaper themselves are online now. Is the ECJ saying that the newspapers own (searchable) archives must delete stories even if they're true? Is that okay just because the story is no longer "lost in microfilm records in a local archive or the newspaper office"? I don' t bloody think so.
It's a crazy, stupid ruling by morons in fancy dress trying to drum up more work for their mates in the legal industry. These same knobheads will be the ones arbitrarily deciding that this fact is historically valuable and that one isn't and since they're the top of the legal tree in Europe there's nothingyou can do about their decisions.
The thing with newspaper archives is that they have *always" had this kind of information available. There has never been a process by which a notice went out for all copies of a certain edition to be censored of the details of details pertaining to a crime, or anything else. This is good, because they are a historical record, and nothing should be deleted from them. Let's face it, if this is taken to its logical extreme, court reports will have to be destroyed after the spending of a conviction - they are all online these days. It's going to make the UK's doctrine of precedent really difficult to maintain, but hey, it's a small price to pay for having "the right to be forgotten"!
There needs to be some sensible discussion about this, not driven by a bunch of idiots so embarrassed about what they did that they want to forget it all. There are some arguable cases where being able to vanish is something to be allowed, but being able to rewrite (or completely remove) history to soothe wounded pride doesn't fall into that category.
"We should look to better understand each other and our respective laws rather than unpicking enduring principles and introducing an entirely new, and quite possibly impractical regulatory framework."
This.
It's an EU ruling. Ignoring any discussion of the merits or otherwise of the idea, it's little trouble to find information stored outside EU jurisdiction, even if it is blocked within Europe.
I've been on the other end of this as sysadmin for a social network and had to deal with requests for allegedly libelous content too be removed that was posted by 3rd parties on our site and then indexed by Google. I don't believe this is Google's problem but rather that of the source and hosting site.
If somebody wants something removed they should inform the site hosting the information. The host should remove it, return a 404 with no index and no follow for that URI and then request a re-index of that page from google and other indexing sites that they allow via robots.txt. That includes archive.org.
The Internet Archive raises the issue of cached copies. This should also be dealt with via the 404-noindex-nofollow. Good caches should always respect the 404 and delete their cached copy.
This approach recognises that a piece of data on a URI may be copied repeatedly all over the web not just by search engines or by some future technology that makes that data visible. There needs to be a protocol for saying "It's gone as if it never existed". And sure enough, there is. It's 404.
There is a problem though that perhaps this EU ruling deals with. It's not normally possible for a 3rd party to tell Google to re-index a URI where they're not the webadmin as recognised for Google's webadmin tools. The source may have disappeared and 404 but google still has a record. It should be possible for the courts or a private individual via the courts to force Google to re-index that URI.
Please correct me if I'm wrong but just deleting something from a search engine doesn't actually remove it from the source. So, it's still out there in the Interwebs ready to be found again later.
Also, does this just apply to the EU? So if I search on a US site or a Russin one for that matter will I still find the offending material ?
well if it isn't linked to by search engines for the most part it may aswell not exist for the majority of people.
Already there seem to be a number of interesting requests for having information removed according to the beeb, a paedophile that wants links to his trial / case / etc removed from the internet and a politician that wants links to naughty things he's said removed.
I'm sure there will be many more exciting things, a bit like ukip trying to bully twitter users into not highlighting their policies...
I happen to agree with the judgement, and feel it's been careful in what it does and doesn't say.
From my understanding, the judgement deliberately only applies to Search engines and not the source, this is so that the original information is not deleted, edited or censored in any way. What the judgement does say is that the search engine can no longer link to the original information, thereby protecting the privacy of the relevant individual.
As compromises go I think this is about the best we can do in terms of having a free uncensored internet and individual privacy.
What really annoys me about the likes of Google and Wikipedia, from their post judgement statements, and their pervious actions, is there belief that they and everyone on the internet has the right to every bit of information about you, and you have no right to privacy. This is wrong, and luckily the ECJ recognises our individual right to privacy.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
