The European Approach to Protecting Your Data

Almost four years ago, the highest court in the European Union (EU)1 ruled that citizens of member countries had a “right to be forgotten”. Of course, that ruling left some holes and more than a few questions. But it did trigger some increasingly public conversations around the general topic of privacy and personal data.

That discussion, paired with some massive data breeches at high profile companies, led the EU Parliament to create a new set of laws2 dealing with data security and privacy. Those rules, the General Data Protection Regulations (GDPR), will become effective in the EU beginning in May.

In general, the GDPR sets strict guidelines for the kind of data that can be collected from individuals by companies and organizations, and how that data can be used. That data includes anything that can be used to specifically identify a person (including social media posts, location info, photographs, etc.), as well as not so obviously personal information like race, religion, and politics.

GDPR also requires companies to obtain more specific consent from the user as well as explaining more clearly how their data will be used. Specifically excluded is vague language like “Improving users’ experience”, “marketing purposes”, or “future research”. Companies must also make it easy for users to withdraw their consent and are then required to delete the material they’ve collected. 

So what has any of this got to do with those of us not living in Europe? Plenty.

While the regulations are specific to the member countries of the EU, most of what I’ve read about them suggest that all of us in the US, and elsewhere in the world, will likely be affected by them.

The law applies to any company or organization that does business in the EU member countries and collects personal data from their citizens. That includes many based in the US, familiar names like Facebook, Google, Microsoft, Apple, and more. Since most multinational corporations shuffle information around the world, it’s very likely that they will need to adapt their data handling practices everywhere, not just in Europe.

Plus the law also also provides for some pretty hefty penalties for misusing or failure to secure the data, including fines of up to €20 million or 4% of “global turnover”, whichever is larger. To put that in some perspective €20m (about $24m US at the moment) is pocket change for Facebook. 4% of their total income is not.

I know, all of this is pretty geeky stuff.

However, it’s also important if you’re concerned about the data most companies are already collecting about you and others. If you’re interested in more details of the GDPR in basic, non-legal language, check out this rough guide to GDPR and/or this short summary directed at US corporations.

Of course, the EU laws are not perfect. There will likely be much confusion when they take effect, and when the first law suits follow not long after. It will be interesting to see whether the big data collectors will be forced to change their behavior. Or will they just find new ways to continue their current practices? After all, our information is the foundation of their massive profits.

Beyond that, there’s also the larger question of whether the US should implement similar laws? It’s not likely to happen in this political climate, with political “leaders” who claim that the “free market” will protect us all. But maybe some outside pressure on US-based companies may effect some need change.


The map is from the BBC, showing the current configuration of the European Union. Of course, their home country, the United Kingdom, is in the process of a very contentious “Brexit” from the EU, so that map could change in 2019. In more than one way if the people of Scotland and Northern Ireland make some hard decisions.

1. Very tangential side note: I love that the official anthem of the EU is based on Beethoven’s “Ode to Joy”. Certainly more uplifting music than the militaristic tones of most national anthems.

2. In some of what I’ve read, experts says that GDPR isn’t so much “new” law as it is a clarification of many different data and privacy regulations that are already on the books, combined with court rulings. Either way, GDPR is likely going to change the way companies do business in the EU, and possibly elsewhere.

The Right to Censor

Two years ago this month, the highest court in the European Union declared all of their citizens had a “right to be forgotten”. Specifically, the justices said anyone could request that Google (and other search engines) remove from their results links to information about themselves that was out of date or in other ways irrelevant.

In the time since, the ruling has raised many questions about the concept, and created many more problems than it has solved.

Starting with the fact the court handed Google a great deal of power in determining what information should be “forgotten”. This at the same time the European Union is very concerned about the amount of data being collected by many large, multi-national corporations like Google, as well as where it’s being kept.

Then there’s the confusion over the requests themselves and what happens to the information. Completing the online form doesn’t automatically lead to removing a link. According to a recent report “Google refuses roughly 70 percent to 75 percent of requests”, with the top two reasons being the information concerns the professional activity of the requester or the fact that they “are at the origin of this content”. They also get a lot of compaints from people outside the EU who don’t understand why they can’t play in this game.

Plus, the information “removed” is still stored somewhere on the web. Deleting articles from search results has pissed off European news organizations, some of which now maintain lists of their forgotten links. Is Google now obligated to remove results that bring up those pages? Or to stories about links that have been removed? TechDirt, a Silicon Valley news site that deals in technology and government policy, has been playing with these questions and more by regularly posting on the right to be forgotten with links to “disappeared” stories included, to observe how quickly they are removed.

As amusing as some of the stories related to “right to be forgotten” are, there is a really scary aspect to all this. This is all part of a concerted, sometimes aggressive effort by governments all over the world to control the flow of information.

And not just in their countries. France, for example, has told Google they must “respect French “right to be forgotten” rulings worldwide”. The company is pushing back (for now) but the world is full of disreputable government officials who would like the power to disappear more than just embarrassing information.

Anyway, this issue of censoring digital information is just getting started. In terms of all of recorded history, the internet is a very new communications medium, and very much unlike other undemocratic, more easily controlled channels. It will be interesting to watch just how badly governments and large corporations can screw up the web and the creative new ways of circumventing the blocks people will develop.

For now, happy second anniversary to the “right to be forgotten”, although I’m not sure anyone interested in an open web should be celebrating.

Forgetting History

In May of 2014 the European Court of Justice, which is roughly the equivalent of a supreme court for the countries of the European Union, decided that their privacy laws provided citizens with a new right: the right to be forgotten.

Specifically, the court ordered Google to remove from search results that are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed” in European countries. The order was later extended to include Bing and other search engines.

It’s been interesting to watch the whole “right to be forgotten” story unfold. Now, a year and a half later, there are still far more questions than answers about this concept and how it is applied, not only in Europe but world wide. Questions that include:

Why didn’t the court require that the original material be taken down? From what I’ve read it’s because the justices felt existing libel and slander laws (which are much tougher in the EU than the US) covered that territory so this ruling applies only to search engine listings. Think of it as removing the card from the library catalog but leaving the offending book on the shelf (an analogy for all of us who remember “card” catalogs :-)

Who decides what’s “inadequate, irrelevant or no longer relevant”? Good question about very vague criteria. Turns out the court left that up to Google and the other search providers to determine. Anyone in the affected European Union countries can submit a request and then… someone at Google decides. And they have received a lot of requests.

Since the policy was put into place last May, Google reports that it’s received 348,085 total requests to remove links, covering a total of 1,234,092 URLs. Around 42 percent of the links (excluding cases that are still pending) ended up being removed.

Are stories written about the “right to be forgotten” process, ones that include links to material removed from search results, also required to be removed? Evidentally, yes. At least according to the UK “data protection watchdog.” A news site called Tech Dirt has been testing the process by writing a new post linking back to their removed posts every time they are notified of the removal. So far, they seem to be winning and many of the more traditional news outlets are posting their own lists of “forgotten” articles.

Does the “right to be forgotten” extend outside the European Union? Well, it seems the French government thinks it should. Last summer they ordered that the concept be applied everywhere in the world Google did business, with threats of heavy fines for non-compliance. Needless to say that didn’t go over well outside of France and, as far as I can determine, Google has not complied with the order.

There are, of course, many more questions about a “right to be forgotten”, along with the broader topic of privacy in a digital age, with very little that will be settled soon.

However, it’s a very interesting subject, one that anyone who lives and works on the web should be paying attention to. More ranting to come in this little corner very soon. You have been warned. :-)

Deleting History

In May the highest court in the European Union decided that everyone living in that jurisdiction now has a new basic human right: the right “to be forgotten”. The facts in the matter are ones many people can relate to, the persistence of unflattering or inconvenient personal information on the web.

In the matter before the Luxembourg-based ECJ, an attorney named Mario Costeja González previously filed a complaint with the Spanish Data Protection Agency claiming that his privacy rights had been violated. Specifically, Gonzalez was displeased that entering his name in Google’s search engine drew results including a legal notice dating back to a 1998 story on his forced property sale to satisfy mounting personal debt.

I find the whole issue fascinating. And as many analysts of the story1 have pointed out, the court’s decision generates far more questions than it provides answers. Starting with, is it even possible to completely rewrite your own history in a digitized, always recording world?

Of all the commentary I’ve seen, this seven minute segment from John Oliver’s new show pretty much nails many of the problems behind the concept of being forgotten.

So, now reports about this decision from the New York Times and hundreds of other media outlets, not to mention posts on thousands of other sites with far less authority (like this one), are posted on the web. In fact, the court’s own ruling is posted online.

Certainly all those documents have been sucked up into search engines and indexed. Are web indexing services obligated to censor all those articles as well? And what happens if I’m in a EU country but do my searching on the US version of Google?

As far as I can tell, the court’s decision only seems to apply to Google and similar general search tools. Is the next step ordering the original source, in this case a completely legitimate legal notice, to pull down the materials? Does the law also extend to social media like Facebook and Twitter. The justices didn’t say.

However, the more difficult question raised by this particular ruling are under what circumstances does information get blocked? The court only said that it should happen “in certain cases where the information contained is deemed ‘inadequate’ or ‘irrelevant’”. No ambiguity there.

From everything I’ve read, it’s not likely a right to be forgotten will be established as matter of general law in the US since the concept of free speech with few limitations has a long established legal history. But there are some efforts to enact what are called “eraser” laws like the California bill due to take effect next year giving “residents under 18 a limited right to delete personal information that they, as registered users of sites and networks, posted online or on a mobile app”.

Anyway, I’m sure there are many more ripples coming from this legal decision and more thinking to be done.

If nothing else, it should bring into question the validity of the search results you get. We already know that Google, Bing, and whoever their competitors are manipulate the listings returned to some degree.

But, in the end, rather than working hard to edit history, wouldn’t everyone’s time and effort be better spent by proactively building the positive internet presence they want the world to see? Certainly less stressful, not to mention fewer legal fees, than playing web whac-a-mole.

One more thing: although he sometimes gets a little hyperbolic (but rarely wrong), Jeff Jarvis’ post “The right to remember, dammit” is also worth a read.

Road Trip

It’s going to be quiet in this space here for a while.

We are off on our first extended trip not involving family or work since before the turn of the century – and the computers stay home.

If I find a free wifi point along the way, I may take a minute to upload a picture or two from the iPhone and write some tweets, but otherwise, this blog will wait until we return.

Thanks for dropping by and reading my rantings.