Google Must Expand Privacy Delistings, Says French Watchdog

The French data protection watchdog has ordered Google to widen its implementation of the so-called European ‘right to be forgotten‘ so that links are also delisted from all Google domains, including google.com, not just (as is currently the case) from the .fr French subdomain.

Quick backgrounder here: the rtbf refers to a legal ruling by Europe’s top court last year. It identified search engines as data controllers and required they process requests from private individuals wanting outdated, inaccurate or irrelevant information delisted from a search result for their name.

Google, which is by far and away the dominant search engine in Europe, started processing these requests last summer. However the way Google implemented the court’s ruling has created a trivial workaround because it only delists links from European sub-domains (such as .fr and .co.uk), not from google.com.

Last November European regulators urged that link delisting should take place on the .com domain too. Google has ignored that guidance thus far, but the screw looks to be tightening if national regulators step up enforcement efforts.

Today the French CNIL said it has put Google on notice to expand delisting requests to all its domains, including .com. It has given Google 15 days to comply with its request. If Google does not comply it says it will initiate sanction proceedings.

“If Google Inc does not comply with the formal notice within the fifteen days the President will be in position to nominate a Rapporteur to draft a report recommending to the CNIL Select Committee (the Committee in charge of imposing sanctions in case of violation of the French data protection law) to impose a sanction to the company,” the CNIL said today.

The CNIL also notes it has received “hundreds” of complaints from individuals whose requests for delisting have not been granted by Google. After assessing these complaints it says it has requested Google carry out the delisting of “several results”. And despite specifying the delisting should be effective “on whole search engine, irrespective of the extension used”, the CNIL notes that where Google has granted appealed delisting requests it has only done so on European sub-domains.

In a statement provided to TechCrunch regarding the CNIL’s order, a Google spokesperson said: “We’ve been working hard to strike the right balance in implementing the European Court’s ruling, co-operating closely with data protection authorities. The ruling focused on services directed to European users, and that’s the approach we are taking in complying with it.

Google failed to respond directly when asked whether it will be expanding delisting to .com, in accordance with the CNIL’s order. The company has previously argued that applying delisting to .com is unnecessary because only a “very small percentage” of European traffic goes to .com.

Another option, that’s not apparently on the table at this point but which might offer a third way between two clearly clashing positions, would be to offer global link delisting on a case-by-case basis (as posited in a recent research paper, covered by Slate), rather than having blanket requirements that search engines always delist globally, or a blanket refusal from search engines to offer anything other than partial (and thus trivially circumvented) delisting — which is the current impasse.

The rtbf ruling has always been about striking a balance between any public right to know information, and a private individual’s right to privacy. And given the inevitable variance involved in individual delisting requests then any general solutions — be it blanket requirements or blanket refusals — are always going to feel a little ill-fitting.