Google.com Extends 'Right To Be Forgotten' for Europeans
Europeans who want to exercise their "right to be forgotten" will have those requests honored across all of Google's domains rather than just across the search giant's European extensions, according to reports. Google previously said it would consider Europeans' delisting requests only for their regional domains, such as google.co.uk in Great Britain, google.fr in France or google.de in Germany.
The change comes after Google's informal appeal of a right-to-be-forgotten delisting order was rejected in September by the Commission nationale de l'informatique et des libertés (CNIL), the agency that regulates data privacy issues in France.
Europeans' right to be forgotten was established by the European Court of Justice in a 2014 ruling that said EU citizens could ask search engines to remove links to personal information about them that is "inaccurate, inadequate, irrelevant or excessive." Google originally responded to that decision by agreeing to remove only links generated by regional Google searches but not by searches on Google.com.
Delisting Based on Searcher's IP Address
However, Google has now said it will delist search results across all of its domains for qualifying EU citizens, but only for search results in the country in which that requesting citizen lives, according to reports today in The Guardian and other newspapers.
For example, a person in Frankfurt could ask Google to remove links to old news stories about that person's past bankruptcy if that information could now be considered irrelevant. If Google agrees with that request, it would no longer show those results in searches of that person's name for anyone searching from Germany.
Google would make its determination as to which search results to delist based on the requesting person's country of residence and on the search user's IP address, which indicates the physical location of the individual's computer or other device. We contacted Google to learn when these changes might be implemented, but have not received a response.
More EU Regulation Coming
Companies operating in Europe also face EU's new General Data Protection Regulation (GDPR), which was formally proposed in December after four years of discussion by various governing bodies. Expected to be formally adopted sometime early this year and take effect in 2018, the GDPR will "put an end to the patchwork of data protection rules that currently exists in the EU," according to the European Commission.
"[N]ow that the EU GDPR is a reality and the new privacy rules will be ratified by the European Council in early 2016, many organizations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands," Pat Clawson, CEO of Blancco Technology Group said last month upon releasing a report titled "EU GDPR: A Corporate Dilemma."
"If organizations want to be ready for GDPR compliance by 2018, they will need to assess their current weaknesses," Clawson said. "Once they have done so, they will need to develop end-to-end data lifecycle management processes, create transparent processes and customer communications regarding their data removal methods/tools, and finally, improve their security posturing as a whole to include detection and response and the gathering and sharing of threat intelligence."
Image credit: Google; Artist's concept.