Saturday, August 22, 2015 - 02:38

Google and its troubles with European privacy laws

European privacy laws require Google to delete links under certain circumstances. Google, however, only implements this on its European sites, arguing that EU law only affects those sites. Google is right and wrong at the same time.

Let's first get every non-European on track here. European privacy laws require a company within the legal boundaries of the Union to disclose all the information it has on me if I request it. It's also required to delete any information about me if I happen to demand it. This of course has limits. The two most relevant are that the company is doing active business with me and the information is required to do that, and that I'm a person of public interest and the information is in that context, or the information itself is of public interest. In the latter case, however, it actually has to be an elevated interest. If I just happened to have killed someone that's ok. If I happened to have stolen a box of candies a decade ago that's not quite as elevated.

The European court decided that Google is processing personal data in that context. And that's true. Google might independently link my name to - let's say shoplifting - if it ever crawled pages that bring my name in context with shoplifting. While the source of that information clearly is not Google, the semantic linking in fact is done by Google and the data is retained by Google. The problem here isn't generally that Google might have a link about me that reports about my shoplifting activities. In 99% of cases this link would be so far towards the end of the index that I very likely would never find it. If it's really on top of a generic search, I'm likely someone in the public interest or my shoplifting is quite extraordinary, in which case it again might be of public interest itself. The real problem is that when I start typing my name Google suggests shoplifting as a completion, or I come up on top with a more complex search of name+theft, for example. Of course, that's assuming that it's not just a matching name but actually me. That's how Google's poison cabinet can turn completely irrelevant results into prominent ones. You just have to find a suitable query. Usually that's pretty much what makes Google great. In this case it's mostly the core of the problem. It is really independent of that, but if you don't find links you can't have them deleted and you probably wouldn't have an incentive to do so.

So if I demand that Google deletes that information, Google has to comply. For shoplifting that might be arguable, but I'm not a person of public interest in the context of the law and a decade ago is really not elevated enough. This is completely independent of the source. It's because Google is processing personal data. Not because the linked content is illegal. It doesn't even have to apply there as well. Now Google's argument is that by blocking this issue on European sites it's complying with the law, and that European law is obviously not applicable to any non-European business they conduct. So the content is not required to be blocked on which in fact is not part of a European business of Google. It's mainly Google's US page.

The latter is absolutely true. EU laws are no more applicable to Google's US business than US laws are applicable to European entities doing business outside the US.

The problem is the first part of that claim. By blocking content Google is not in compliance with the law. The law requires the data to be deleted. And it's irrelevant if that data is in a single database or exists twice: in a European context where it might be deleted, and maybe copied to a US context.

The reason for this strange and seeming overextension of European law into US jurisdiction is the US-EU safe harbor agreement, with which Google claims compliance. This agreement extends European privacy laws into US jurisdiction under certain circumstances. First of all you have to be European. It doesn't affect any non-European data. So US citizens cannot place a claim based on that agreement unless they have that data exported to the US by a European entity, in which case the agreement most likely would also be applicable. But for Google it mostly only works for Europeans. Information about the agreement can be obtained here and here's the compliance entry for Google Inc.

So it's entirely wrong when some nitwits claim that this demand is overextending European laws or is similar to China demanding that Google redacts information about the 1989 Tiananmen Square massacre. It would be if China and the US had a suitable agreement with which Google claims compliance. There is no such agreement to my knowledge.

Google is voluntarily complying with these rules. There is no general requirement for US entities to do that. The requirement really is on entities who want to export data outside of the Union. To simplify the process, US companies can white-list themselves by complying with the agreement, which speeds up and generalizes the verification process. In that case there is just a requirement to check that the status of compliance is current and not expired.

If Google is compliant with the agreement they have to delete the record no matter where it is stored or in which target audience it is used. That's the entire point of that agreement and the idea behind the law in the first place. It's that you do not have it anymore.

Google of course can retract its compliance with the agreement in which case they'd lose most of their European corporate customers as none of them would be allowed to export data to non-compliant 3rd parties. Or they could split the search away from the rest in which case the rest could remain in compliance with the agreement whereas the index has no requirement to do so.

Personally I find this decision massively overreaching. Technically speaking Google in fact is storing and processing personal data, and with that in mind the law in fact could be applied. However, the actual idea behind it doesn't necessarily target readily available public information you can quite literally get off of the internet, which is where Google got it from in the first place. It's really more about restricted aggregated data. Like what information has my telco stored on me, what record has a credit information company on me, or really what has the corporate NSA in store about me. In a Google context: what has Google internally aggregated about me by sniffing through all my stuff? That's the kind of data we are talking about here. Not Google having a quite unfortunate photo of me indexed that's spread over hundreds of Tumblr accounts and numerous other places.

The idea behind that law is to extinguish that data so a company who has aggregated it is no longer able to exploit it for whatever they are keeping it. This is quite pointless with data that's publicly available and that will remain publicly available no matter if it's deleted at one place or not.

This kind of lever is legally convenient to use, as many sources might not be accessible to national law. A website in whatever place doesn't have to give a shit about the laws of some other crappy place. It's pretty much killing the messenger. It doesn't necessarily have an effect on the message itself and it most certainly has no effect on the source.

And it only somewhat works because the search engine market is really just Google and Bing. And Bing isn't even important in that equation. If the market were much more diverse this law would have zero effect.

I'd probably internally spin off the Index and exclude it as a distinct subsidiary from the agreement. I don't see how European corporations are exporting customer data to Google Search. You might not be able to deploy Google on-site search without users' consent, which isn't necessarily a big problem as many sites in Europe have to do the very same with social media plugins. A possible solution is the one you see below. That's not really a big deal. For a search it's a bit more problematic because activating a search isn't something you'd consider normal. But then again, Google's on-site search isn't really normal in the first place for the sites I usually frequent. Very few use it.