EU, Google, Microsoft, Yahoo meet on 'right to be forgotten' but questions remain

Additional questions should be answered by the end of July

European data protection authorities still have questions after meeting with Google, Microsoft and Yahoo about the implementation of a recent ruling that gave European citizens the right to be forgotten by search engines.

The search engine providers have until the end of the month to answer additional questions in writing.

Google, Microsoft and Yahoo met with EU data protection authorities who are members of the EU's Article 29 Working Party (A29WP) in Brussels on Thursday to discuss the May ruling by the Court of Justice of the European Union (CJEU). The ruling gave people the right to compel search engines to remove search results in Europe for queries that include a person's name, if the results shown are "inadequate, irrelevant or no longer relevant, or excessive."

However, the implementation of the ruling has turned out to be difficult to execute. Google already described the guidelines for removing query results "very vague and subjective."

The A29WP data protection authorities (DPAs) said in a news release that they had requested the meeting with the search engine officials in order to get input for future guidelines. The aim is to ensure a consistent implementation of the take-down ruling on the part of the search engine providers as well as consistent handling of complaints lodged with the authorities by people whose requests were denied, the DPAs said.

Confusion about the ruling could lead to a large number of complaints that the DPAs would then have to deal with -- a situation they apparently want to avoid.

Google said at the meeting that it has refused about 30 percent of requests, according to the statement from the DPAs. So far, the search engine has received 91,000 take-down requests concerning 328,000 links to Web addresses, a Google spokesman confirmed. About 15 percent of requests prompted Google to ask additional information. Over half of all requests have been granted.

Other than confirming take-down figures, Google declined to comment on the meeting, as did Microsoft. Yahoo did not immediately respond to a request for comment.

During the meeting the DPAs asked the search engines to explain their delisting process, according to the news release. The DPAs said they asked what criteria search engines use when balancing their economic interest and the interest of the general public in having access to information with the right of the person who wants the search results delisted.

Search engines were also asked if they notify website publishers when links are removed -- something that Google does -- and if so, what legal basis they have for sending out notifications.

The DPAs also wanted to know on what domains search results are delisted. Google for instance removes results from its European domains but not from its .com domain. It argues that the .com domain is not covered by the ruling because it is not aimed at Europeans in particular.

Time seemed to have been too short on Thursday to discuss all the DPAs' concerns. Google, Yahoo and Microsoft were asked to answer additional questions in writing by July 31. By then, they should provide details about the proof of identify or authentication they demand from people who file take-down requests. They also were asked to describe what safeguards are in place to protect any personal data processed during the handling of delisting requests.

In addition, the search engines were asked whether they post notifications on search results pages letting users know when some results have been removed due to EU law -- which is something that Google does -- and asked what the legal basis is for showing that warning.

In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by people, the DPAs said. They asked the search engines, "Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?"

The A29WP committee said that new guidelines would be issued in the autumn and that additional meetings on implementing the right to be forgotten rules may be organized with other stakeholders.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags YahooGoogleMicrosoftintellectual propertysecuritycopyrightlegalprivacy

More about EUGoogleIDGMicrosoftYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place