Balancing acts
The Court of Justice of the European Union had an important moment on Tuesday, albeit overshadowed by another court elsewhere, ruling that the right to be forgotten can be limited to the EU. To recap: in 2014, in its ruling in Google Spain v. AEPD and Mario Costeja González ("Costeja") CJEU required Google to delist results returned by searches on a person's name under certain circumstances. Costeja had complained that the fact that a newspaper record of the foreclosure on his house in 1998 was the first thing people saw when they searched for him gave them a false impression. In an effort to balance freedom of expression and privacy, the court's ruling left the original newspaper announcement intact, but ordered Google to remove the link from its index of search results. Since then, Google says it has received 845,501 similar requests representing 3.3 million links, of which it has dereferenced 45%.
Well, now. Left unsettled was the question of territorial jurisdiction: one would think that a European court doesn't have the geographical reach to require Google to remove listings worldwide - but if Google doesn't, then the ability to switch to a differently-located version of the search engine trivially defeats the ruling. What is a search engine to do?
This is a dispute we've seen before, beginning in 2000, when, in a case brought by the Ligue contre le racisme et l'antisémitisme et Union des étudiants juifs de France (LICRA), a French tribunal ordered Yahoo to block sales of Nazi memorabilia on its auction site. Yahoo argued that it was a US company, therefore the sales were happening in the US, and don't-break-the-Internet; the French court claimed jurisdiction anyway. Yahoo appealed *in the US*, where the case was dismissed for lack of jurisdiction. Eventually, Yahoo stopped selling the memorabilia everywhere, and the fuss died down.
Costeja offered the same conundrum with a greater degree of difficulty; the decision has been subsumed into GDPR as Article 17, "right to erasure". Google began delisting Costeja's unwanted result, along with those many others, from EU versions of its search engine but left them accessible in the non-EU domains. The French data protection regulator, CNIL, however, felt this didn't go far enough and in May 2015 it ordered Google to expand dereferencing to all its servers worldwide. Google's version of compliance was to deny access to the listings to anyone coming from the country where the I-want-to-be-forgotten complaint originated. In March 2016 CNIL fined Google €100,000 (pocket change!), saying that the availability of content should not depend on the geographic location of the person seeking to view it. In response to Google's appeal, the French court referred several questions to CJEU, leading to this week's ruling.
The headlines announcing this judgment - for example, the Guardian's - give the impression that the judgment is more comprehensive than it is. Yes, the court ruled that search engines are not required to delist results worldwide in right to be forgotten cases, citing the need to balance the right to be forgotten against other fundamental rights such as freedom of expression. But it also ruled that search engines are not prohibited from doing so. The judgment suggests that they should take into account the details of the particular case and the complainant, as well as the need to balance data protection and privacy rights against the public interest.
The remaining ambiguity means we should expect there will be another case along any minute. Few are going to much happier than they were in 2013, when putting right to be forgotten into law was proposed, or in 2014, when Costeja was decided, or shortly afterwards, when Google first reported on its delisting efforts. Freedom of speech advocates and journalists are still worried that the system is an invitation to censorship, as it has proved to be in at least one case; the French regulator, and maybe some other privacy advocates and data protection authorities, is still unhappy; and we still have a situation where a private company is being asked to make even more nuanced decisions on our behalf. The reality, however, is that given the law there is no solution, only compromise.
This is a good moment for a couple of other follow-ups:
- Mozilla has announced it will not turn on DNS-over-HTTPS by default in Firefox in the UK. This is in response to the complaints noted in May that DoH will break workarounds used in the UK to block child abuse images.
- Uber and Transport for London aren't getting along any better than they were in 2017, when TfL declined to renew its license to operate. Uber made a few concessions, and on appeal it was granted a 15-month extension. With that on the verge of running out, TfL has given the company two months to produce additional information before it makes a final decision. As Hubert Horan continues to point out, the company's aggressive regulation-breaking approach is a strategy, not the work of a rogue CEO, and its long-term prospects remain those of a company with "terrible underlying economics".
Illustrations: Justitia outside the Delft Town Hall, the Netherlands (via Dennis Jarvis at Wikimedia.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.