Landmark Court Decision Means Canada Has Now Joined The 'Right To Be Forgotten Globally' Club

from the long-reach-of-the-moosen dept

Techdirt has written plenty about the controversial "right to be forgotten" -- strictly speaking, a right to be de-listed from search engine results in general, and from Google in particular. Although most people associate this with the European Union, which pioneered the approach, the idea has now spread to other countries, including South Korea, China and Japan. In an interesting article in The Globe and Mail, Michael Geist suggests that Canada has now joined the club:

the Federal Court of Canada issued a landmark ruling that paves the way for a Canadian version of the right to be forgotten that would allow courts to issue orders with the removal of Google search results on a global basis very much in mind.

The details of the case are rather unusual. They involve a website in Romania that obtained and posted Canadian judicial and tribunal decisions. These were all public documents, but they were not previously indexed by Google, which meant their contents were effectively hidden. The Romanian site allowed its copies to be indexed by Google, which made the decisions and the Canadian citizens involved visible for the first time -- something the people affected were not happy about. They complained to the Privacy Commissioner of Canada, who ruled that the Romanian site violated Canadian privacy law. The case then moved to Canada's federal court, which ruled that it had jurisdiction over the website in Romania, since it had strong connections with Canada through its holdings. It then went on to make a declaratory order:

The court noted that the declaration could be used to submit a request to Google seeking the removal of the offending links from its search database. While acknowledging that there was no guarantee that Google would act, it was persuaded by the Privacy Commissioner that "this may be the most practical and effective way of mitigating the harm caused to individuals since the respondent is located in Romania with no known assets."

As Geist notes, whether or not it was the federal court's intention, it seems to have created the Canadian equivalent of a right to be de-listed from search results:

While more onerous than a direct request to Google, the court's approach suggests there is now a road map for the global removal of search results of content that may be factually correct, but which also implicates the privacy rights of individuals.

One indirect effect of this ruling will be to strengthen the idea that there is some kind of "right to be forgotten globally," which will itself probably encourage people in other countries to bring privacy cases that seek to spread it yet further.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: canada, free speech, privacy, right to be forgotten

Senior Brazilian Court Says 'Right To Be Forgotten' Cannot Be Imposed On Search Engines

from the memorable-ruling dept

Brazil's Superior Court of Justice (STJ), the highest court for non-constitutional questions of federal law, has ruled that the "right to be forgotten" -- strictly speaking, the right to be delisted from search results -- cannot be imposed upon Google or other search engines. As a post on Global Voices explains:

According to judiciary rapporteur Nancy Andrighi, the ruling stated that forcing search engines to adjudicate removal requests and remove certain links from search results would give too much responsibility to search engines, effectively making them into digital censors.

We don't know the details of the case, which was held "under secrecy of justice" according to the article. But the Global Voices post points out that there's another important "right to be forgotten" decision coming up in Brazil, this time from the country's top court:

Brazil's Supreme Court -- which is a higher court than the STJ -- will soon hear a different case on the right to be forgotten involving TV Globo, Brazil's largest TV network. The case is brought by relatives of Aida Cury, an 18-year-old girl who was brutally raped and assassinated in 1958, in a case that was never resolved. In 2008 TV Globo broadcasted a story on the case. The relatives sued the network, arguing that the story 'unearthed a painful time for the family' and their lawyers invoked the thesis of the "right to be forgotten".

If Brazil's Supreme Court joins the STJ in refusing to acknowledge a "right to be forgotten" here, this would place the country at odds with South Korea, which has decided to follow the EU in introducing this new right. If nothing else, that discrepancy would demonstrate that it is not a foregone conclusion that other jurisdictions will adopt this particular European innovation.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: brazil, data protection, free speech, right to be forgotten, search engines
Companies: google

Why Wikipedia Is Worried About Global 'Right To Be Forgotten' Delistings

from the book-of-laughter-and-forgetting dept

As Techdirt reported last year, the problematic "right to be forgotten" -- strictly speaking, a right to be delisted from search results -- took a really dangerous turn when the French data protection regulator told Google that its orders to delist results should apply globally, not just in France, a view it confirmed twice. The latest development in this saga is the submission of a petition to the French Supreme Court against the global reach of delisting, made by the Wikimedia Foundation, the organization behind Wikipedia. As its blog post on the move explains:

Although the [French data protection authority] CNIL's case is directed towards Google, the gradual disappearance of Wikimedia pages from Google search results around the world ultimately impacts the public's ability to find the invaluable knowledge contained within the Wikimedia projects. Search engines have played an important role in the quest for knowledge -- roughly half of Wikipedia visits originate from search engines.

The CNIL's most recent order, if upheld, threatens the capacity to write and share important information about history, public figures, and more. It undermines the public's ability to find relevant and neutral information on the internet, and would make it exceedingly difficult for projects like Wikimedia's to provide information that is important for society.

The fact that half of Wikipedia's visits come from online searches emphasizes the point that delisting a page from search results effectively removes it from the Internet. The Wikimedia post goes on to make all the obvious -- and completely valid -- arguments why global delisting is such a bad idea. It also mentions the following:

As part of our efforts to bring more transparency to these requests, when we receive notice that a Wikipedia article was removed from a search engine due to a "right to be forgotten" delisting request, we publish the notice in a public index for the Wikimedia community's reference.

The page not only includes interesting statistics about delisting notices, but also helpfully provides copies of the notices themselves. From these we can see the Wikipedia articles that are no longer listed in search engines, which allows us to guess the names of those who don't want information about them to be readily available, and inevitably encourages us to speculate why that might be.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: censorship, eu, france, right to be forgotten, rtbf
Companies: google, wikimedia

China Gets Its First 'Right To Be Forgotten' Lawsuit

from the even-the-Great-Firewall-of-China-couldn't-keep-it-out dept

Techdirt has written a number of posts about the controversial "right to be forgotten" idea -- strictly speaking, a right to be de-listed from search engine results. As Mike noted a couple of months ago, there is no doubt that this idea is starting to "infect" an increasing number of governments and legal systems around the world. The Fei Chang Dao site has a fascinating post about what appears to be China's first "right to be forgotten" case. It includes a translation of the following background information provided by the court itself:

Recently the Haidian Court concluded a case involving a lawsuit filed by Plaintiff Ren against a certain Internet Services Company for infringement of the right of reputation, name, and general personality. On May 13, 2014, a European court issued a final judgment confirming that ordinary citizens have a "right to be forgotten" with respect to personal information, and following that the European Union has established the scope of a "right to be forgotten." During the two year period following the European court's recognition of the "right to be forgotten," the Haidian Court has concluded proceedings in the first case involving the scope of judicial protection of the "right to be forgotten" for a citizen's personal information. This case study has significant theoretical and practical value with respect to the issue of how China will conduct regulatory development and judicial practice to safeguard the "right to be forgotten" for personal information in the Internet age.

It's fascinating to see a Chinese court pointing to these developments in Europe, even though it later goes on to emphasize:

China's law as it exists today is unable to define a category of rights that is the so-called "right to be forgotten." The "right to be forgotten" is only touched upon in foreign statutory and case law, which cannot serve as the legal basis for China's protection of this kind of right.

If you're interested in the details of the case, the Fei Chang Dao site has a good summary, with full translations of all the relevant information. Suffice it to say that the court rejected Mr Ren's request to remove certain links, and gave the following explanation why:

the information at issue in this lawsuit regarding [the plaintiff] Ren Jiayu's work history relates to very recent events, and he continues to work in the business administration education profession. This information happens to form a portion of his professional history, and his current individual professional credibility is both of directly relevant and of ongoing concern. Ren Jiayu hopes to make use of his own good reputation in the industry to attract customers and students going forward, but information about his personal qualification is important information that customers and students rely on in making a judgment.

That eminently sensible reasoning augurs well for the future, if and when China decides to join the burgeoning "right to be forgotten" club officially by bringing in new laws on the matter.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: censorship, china, right to be forgotten

Google To France: No You Don't Get To Censor The Global Internet

from the well-this-could-get-interesting dept

As we've been covering here at Techdirt, French regulators have been pushing Google to censor the global internet whenever it receives "right to be forgotten" requests. If you don't recall, two years ago, there was a dangerous ruling in the EU that effectively said that people could demand Google remove certain links from showing up when people searched on their names. This "right to be forgotten" is now being abused by a ton of people trying to hide true information they just don't like being known. Google grudgingly has agreed to this, having little choice to do otherwise. But it initially did so only on Google's EU domain searches. Last year, a French regulator said that it needed to apply globally. Google said no, explaining why this was a "troubling development that risks serious chilling effects on the web."

French regulators responded with "don't care, do it!" Google tried to appease the French regulators earlier this year with a small change where even if you went to Google.com, say, from France (rather than the default of Google.fr), Google would still censor the links based on your IP address. And, again, the French regulators said not good enough, and told Google it needed to censor globally. It also issued a fine.

As we noted at the time, Google immediately said it planned to appeal and that's now officially in motion, as was explained in a writeup on Google's own blog (and was also published in France's Le Monde newspaper).

As a matter of both law and principle, we disagree with this demand. We comply with the laws of the countries in which we operate. But if French law applies globally, how long will it be until other countries - perhaps less open and democratic - start demanding that their laws regulating information likewise have global reach? This order could lead to a global race to the bottom, harming access to information that is perfectly lawful to view in one’s own country. For example, this could prevent French citizens from seeing content that is perfectly legal in France. This is not just a hypothetical concern. We have received demands from governments to remove content globally on various grounds -- and we have resisted, even if that has sometimes led to the blocking of our services.

This is a big, big deal for how the global internet will function. Giving the most censorious and autocratic countries veto powers over the global internet should obviously raise serious concerns among everyone -- even those among you who hate or fear Google.

Filed Under: borders, censorship, france, free speech, internet, jurisdiction, right to be forgotten
Companies: google

France Still Thinks It Regulates Entire Internet, Fines Google For Not Making Right To Be Forgotten Global

from the not-how-it-works dept

This isn't necessarily surprising, but it is incredibly stupid. As you hopefully recall, in the summer of 2014 the EU Court of Justice came out with a dangerous ruling saying that a "right to be forgotten" applied to search engines and that Google needed to "de-link" certain search results from the names of individuals. We've discussed at great length the problems with this ruling, but it continues to be a mess.

Last summer, French regulators began to whine about Google's implementation of the right to be forgotten, saying that it should apply worldwide. Google, instead, had only applied it to its EU domainspace. That is, if you were on Google.fr, you wouldn't see those results, but Google.com you would. Since Google tries to default you to the right top level domain for your country, that would mean that most people in the EU would not see the results that people wanted censored. But French regulators still demanded more. Google responded, telling the French regulators that this was crazy, because it would be a threat to free speech globally. If Google had to moderate content globally based on the speech laws of a single country, we'd have the lowest common denominator of speech online, and a ton of ridiculous censorship. Furthermore, Google pointed out that 97% of French users were on the Google.fr domain, so demanding global censorship was pointless.

The French regulators came back, saying "don't care, censor globally." Finally, last month, Google made a small change to try to appease the regulators, saying that it wouldn't just censor based on the top level domain, but entirely on whether or not it thought you were in France, based on your IP address or other indicators. So, even if you were in France, you couldn't get around the block by typing the ".com" address in instead of the ".fr."

And now, the French regulators have decided, once again, that this just isn't good enough. It's issued a fine for failing to censor the global internet:

On Thursday, France’s privacy regulator said its citizens’ rights could be upheld only if the European privacy decision was applied globally, and that Google had failed to remove — or “delist” — links from search results outside the European Union.

"For people residing in France to effectively exercise their right to be delisted, it must be applied to the entire processing operation, i.e. to all of the search engine’s extensions,” the agency, known as the Commission Nationale de l’Informatique et des Libertes, or CNIL, said in a statement.

CNIL also claims that Google's concerns about regulating speech outside of France are misplaced, since it only applies to speech about people in France, so it's their "data protection rights" that are the issue. That seems... shortsighted at best.

Google is planning to appeal the decision, and this is a big, big deal. Again, France -- or any country -- should have no authority to regulate or censor the global internet. It shouldn't be difficult to recognize why this is.

In the decision, CNIL directly notes that a non-global solution is no good since people can use VPNs:

... technical solutions exist to circumvent the filter measure proposed by the company that allow Internet users to select the geographical location of their IP address (e.g. use of a VPN).

Um, yes. Of course not many people do that, but some do. Is that really a reason to argue that the global internet must be censored? Would France be comfortable if, say, China or Iran or North Korea suddenly decide that Google must also be censored to block out links to content they dislike, and that such content must be inaccessible in search results in France? Or are French data protection regulators really so short-sighted to not see the impact of this ruling?

Filed Under: cnil, france, jurisdiction, right to be forgotten, search engines
Companies: google

South Korea Embraces Ridiculous Right To Be Forgotten As Well

from the forget-you dept

It's spreading! Now that the right to be forgotten is in full swing (and likely expanding) in Europe, it appears other parts of the world are jumping in as well. The latest? South Korea, whose governmental "media monitoring agency" has said it will release guidelines for people who wish to remove information from the internet:

Under the administrative guidelines to be proposed by the Korea Communications Commission, Web users will be able to demand that Web portals remove personal information that they do not want online.

“We have studied the rights to be forgotten for more than a year through a group composed of legal, academic and industry experts,” an official from the media watchdog said. “We plan to introduce the guidelines in the first half of the year.”

Basically, South Korea is figuring out just how much censorship of truthful and legal information it will allow -- which is kind of crazy when you think about it. Apparently, there are still some big decisions to be made, though:

The media watchdog said it will map out the guidelines in a loose, self-regulated form, given ongoing controversy over censorship and the public’s right to know.

One sticking point is whether to give the right to ask for deletion only to those who write the posts in question. Also, it has yet to be decided whether the guidelines will only apply to large search engines or even include smaller Web platforms. The communications regulator is also mulling over whether to set up a separate body to determine what data can be removed.

I'm still in a position where I don't understand this at all. If the information is somehow false or "illegal" I can understand the desire to remove it. But I have a lot more trouble understanding the ability to remove truthful and legal information just because someone doesn't like it. This kind of system will always be abused to just censor perfectly reasonable and often useful information, just because it exposes something someone doesn't like. It's disappointing that South Korea appears to be embracing such a head in the sand approach to information.

Filed Under: free speech, right to be forgotten, south korea

Google Partially Caves To French Demands For More Global Censorship Of 'Forgotten' Links

from the disappointing dept

For a while now we've been highlighting the problems of Europe's "Right to be Forgotten" concept as it applies to search results. The idea is that, rather than a search engine, Europe thinks of companies like Google as creating something of a "dossier" on individuals, over which they should be able to delete old or irrelevant "data." This means that, in the EU, people can apply to Google to "de-link" certain stories that they consider to no longer be relevant, even if those stories are 100% accurate and true. Not surprisingly, given a chance to "delink" yourself from truthful information has resulted in lots and lots of people demanding Google "forget" links about them. Google now has a process to go through these, and certainly has rejected many requests, but it still appears to accept many requests that appear to be obviously bogus attempts to hide information someone just dislikes.

Last summer, French regulators decided that Google wasn't doing enough, and that Google needed to not just censor links on Google's EU domains, but globally. Google responded, noting that this was highly problematic, given that the EU did not have jurisdiction over the globe, and France basically responded with a "shut up, do it anyway."

And now it appears that Google has gone back to the French regulators with a partial solution. While some have said it means that Google will, in fact, start "forgetting" links globally, that does not appear to be the case from looking at the details. Instead, it looks like Google will now try to block based on where Google thinks users are coming from, rather than which Google domain they're using. This is a subtle difference which, in most cases, may not be different at all. That is, when you visit Google from a variety of countries, Google already tries to geolocate you, and will often redirect you to the "local" version of the search engine -- such as Google.fr in France.

Under the current RTBF system, Google removes those links on the specific searches if you're on such an EU domain. However, if you're in France and you force your browser to visit Google.com, the same links would not be missing. So the "compromise" is that now Google will remove the links based on where it thinks you physically are, even if you force your browser to visit a non-local domain name. This will not really impact that many people -- just those who force Google to visit a different domain than their local domain. But, still, it's a further compromise and a move towards greater censorship of accurate link results. Of course, what's stupid is that basically anyone who knows enough to force Google to not use a local domain probably also knows how to use a VPN or proxy to appear to be coming from outside Europe.

Still, the big question now is whether or not French regulators will find this an "acceptable" compromise, or if they will continue to insist on global censorship over accurate information in an effort to suppress truthful information.

Filed Under: eu, france, global search, jurisdiction, links, right to be forgotten, search
Companies: google

NY Times Warns About Europe Expanding The 'Right To Be Forgotten'

from the good-for-them dept

We recently warned about how the new Data Protection Directive in the EU, while written with good intentions, unfortunately appears to both lock-in and expand the whole right to be forgotten idea in potentially dangerous ways. A big part of it is that the directive is just too vague, meaning that the RTBF may apply to all kinds of internet services, but we won't know for certain until the lawsuits are all finally decided many years in the future. Also unclear are what sorts of safe harbors there may be and how the directive protects against abusing the right to be forgotten for out and out censorship. Unfortunately, many are simply celebrating these new rules for the fact that they do give end users some more power over their data and how it's used.

But ignoring how these new rules will almost certainly be abused for censorship and to hold internet providers liable for the speech of others is a mistake. Thankfully, the NY Times has a good editorial warning about this very issue:

The most problematic measure would expand what is known as the right to be forgotten, which lets people request that businesses delete personal information that they believe is no longer relevant or is out of date.

It is reasonable to allow people to delete some information, like embarrassing photographs they posted on Facebook. But this right has been used to make it harder to find legitimate information, like old news articles. More than 350,000 Europeans have asked Google to remove links to 1.3 million web pages from search results since the European Court of Justice ruled in May 2014 that people have a right to request such deletions. (The company says it has complied with 42 percent of the requests it has received. People can appeal Google’s decision to privacy regulators and courts.)

The proposed law requires Internet companies like Google to immediately take down information while they decide whether a request for a permanent deletion is warranted. Disturbingly, news organizations and other websites would not have an opportunity to object to those immediate removals and might not even have a chance to protest permanent deletions.

The editorial also notes that the proposed rules don't make it clear whether the EU expects these rules to apply globally or just in the EU, and that could make a huge difference. As we've noted France and Google are currently fighting this fight right now. And the new rules don't provide any further clarity, which likely means people will push to use them as a sort of global censorship tool.

The end result is the removal of truthful information from the internet, as well as fewer incentives for companies to create useful platforms for free speech. Yes, we know that the standard line is that Europeans value privacy more than free speech, but that's both too simplistic a response and doesn't even address the real issue. This new directive is going to be a tool that is abused to silence free speech and punish innovation. That's not about protecting privacy at all. It's about out and out censorship.

Filed Under: data protection, data protection directive, eu, europe, free speech, gdpr, privacy, right to be forgotten

EU Broadens Right To Be Forgotten In Dangerously Vague Ways With New 'Data Protection' Directive

from the bye-bye-free-speech dept

A few months ago, we noted that the EU was working on its new General Data Protection Regulation and Data Protective Directive -- and warned that it was putting free speech and privacy on a crash course. We also had a podcast about this with Daphne Keller, from Stanford's Center for Internet and Society. While the intentions of the data protection efforts sound good, the actual impact could be quite devastating. The idea is that all these companies are collecting lots of data, and individuals should have more control over what's collected and how it's used (and abused). Conceptually, that sounds really valuable. But, in practice it can be a disaster -- especially if the people who are focused on privacy/data protection don't think about or understand the consequences of what they're doing.

And now, the EU has announced that the new data protection rules have been finalized -- and while there's plenty in there that may be useful, these new rules are almost certainly going to create some new dangerous consequences. A notable concern is that it reinforces this ridiculous "right to be forgotten" concept, and allows for the "erasure" of information. The theory here is that it's supposed to let you delete old data about you from databases, and you can see why that might make sense. People don't feel comfortable with, say, old credit information hanging around when it's no longer relevant. But, as we know, it's also been interpreted to mean that search engines can be forced to memory hole totally accurate, public information about someone, and that's now created a vast tool for suppressing free speech. But the new rules more or less double down on that right to be forgotten.

There were fairly simple ways in which the EU could have changed the rules to make them not so problematic, but it ignored those suggestions and kept things troublingly vague, which will almost certainly lead to abuse and the suppression of free speech. A big part of the problem is that it's not even clear who really is required to obey these right to be forgotten requests, and that's going to lead to a huge mess:

The GDPR doesn’t tell us whether hosting platforms like Facebook or Twitter are controllers with RTBF erasure obligations. We know that search engines are controllers and thus have RTBF obligations -- that was a key holding in the Google Spain/Costeja case.  The GDPR doesn’t tell us what other Internet intermediaries will fall in that category.  Realistically, I find it hard to imagine DPAs excusing major social networks from erasure obligations, in the long run.  But there will be a lot of arguing first. 

There are some strong arguments against RTBF obligations for hosts – for example, that they cannot be controllers because they only process content at the direction of a user, who is herself the controller.  There are also some widely accepted legal arguments that will, if they prevail, lead to more complicated answers.  Following one of them, RTBF would apply to hosts that are too “active” in managing user content, but not to “passive” hosts.  Following another argument, hosts would have to erase some content, but not nearly as much as the content that search engines must de-index.   (Example: Google may have to remove search results pointing to the Facebook page where I posted about my cousin, but Facebook still won’t have to remove the post from its platform.)

And, this is a big deal. A key part of the new rules is that failing to abide by them can mean fines up to 4% of global revenue. Notice that it's not just EU revenue, and not profits. That gives the EU tremendous power to force companies to censor the internet globally. I understand that this is being done with good intentions and with privacy in mind, but the potential impact here on basic free speech should be a huge concern.

And while other rules concerning liability for internet services have some protections against abuse, it's not at all clear if those kinds of protections apply here:

We still don’t know the answer to the €20 million question: Do intermediary liability laws under eCommerce Directive Articles 12-15 apply to RTBF erasure requests?   Existing rules under the eCommerce Directive tell Internet companies how to handle removal requests for other legal claims, like defamation.  Those rules have real flaws, but they at least build in some protections against legally groundless or abusive attempts to silence online expression.  There is no reason to use a whole new process for RTBF claims, so the answer to the question should be yes: eCommerce procedural rules for notice and takedown apply to RTBF erasures.  That would mean, among other things, that intermediaries don’t have to take down content until they know the removal request states a valid claim.

The GDPR’s plain language seems to support this answer, but has a loophole that will fuel argument for years.  Both GDPR Recital 17 and Article 2.3 say the GDPR is “without prejudice” to “the liability rules of intermediary service providers in Articles 12 to 15” – the eCommerce rules that govern notice and takedown. The problem is, many data protection experts say that the eCommerce “liability rules” are irrelevant, because the GDPR doesn’t technically hold intermediaries liable for the speech of a third party.   Following this argument, the “without prejudice” language has no practical consequence.  As long as this question is unresolved, intermediaries can’t be certain whether they can use existing eCommerce removal systems, or whether they must develop new tools to implement the troubling new removal process prescribed by the GDPR.  Putting faith in the simpler interpretation of Article 2.3, and assuming it excuses an intermediary from following the specific rules described in the GDPR, is an expensive gamble.

Again, the intentions here are good, but the actual impact here may be devastating to the internet. I know it's easy to dislike big internet companies (even as people make use of their services, often for free, every day), but attacking them in a way that harms their users and their free speech rights seems like a bad bet -- and one that likely won't help develop a next generation of internet services in Europe.

Filed Under: data protection, eu, gdpr, intermediary liability, privacy, right to be forgotten