This is how Google is dealing with 'right to be forgotten' requests

We will hear next week what the EU data protection authorities think of Google's methods

Google is employing a big team of lawyers, engineers and paralegals who have so far evaluated over half a million URLs that were requested to be delisted from search results by European citizens, the company said.

About six months after the Court of Justice of the European Union (CJEU) gave Europeans the right to compel search engines to remove search results in Europe for queries that include their names if the results are "inadequate, irrelevant or no longer relevant, or excessive," Google's team has reviewed about 170,000 requests to delist search results that covered over 580,000 links, Google's Global Privacy Council, Peter Fleischer, said Wednesday.

So far, about 42 percent of the requests have been granted, while about 58 percent were denied by the team, which looks at every request, according to an online tool provided by Google that tracks the takedowns in real time. A removals team handles the easy cases, while the more difficult ones are dealt with by a more senior group of lawyers and engineers, Fleischer told privacy professionals during the IAPP Europe Data Protection Congress in Brussels.

Google put a lot of work into the implementation because of the court's "vague" guidance, Fleischer said.

The delisting requests fall in to three categories. "There are the easy yeses, there are the easy nos and there are the really hard cases in the middle," he said.

One easily granted request, for example, involved a case in which photos of a woman "in a state of undress" were posted to the Web by her ex-boyfriend. Another easily granted removal involved a man who had revealed his HIV-positive status in a forum posting 10 years ago and wanted a link to it removed.

An easy denial was made to a request by an Italian politician who was convicted of accepting a bribe and wanted a link to that removed just before running for mayor, Fleischer said.

One of Google's problems, though, is that the process is often one-sided because a decision is based on information supplied by one person using a simple Web form.

Google was also asked to remove links pointing to information about someone who was convicted a crime a long time ago. "Which on its face sounds like, why wouldn't you do that? Except that later you find out that the person has a history of being convicted and reconvicted and reconvicted of the same crime up to the present day. Suddenly that shines a different light on that kind of a request," Fleischer said.

Due to the vagueness of the court guidance, Google also had to fill in other parts to implement the ruling. For instance, it decided to remove links from all 28 EU country domains, as well as from the Google domains in Iceland, Liechtenstein, Norway and Switzerland, countries belonging to the European Free Trade Association (EFTA).

However, the links weren't removed from the domain, which was criticized by Joe McNamee, executive director of European digital rights group EDRi who took part in the panel discussion. It is inconsistent that Google removed links to photos of scantily clad women on those 32 domains and not on the .com domain, he said.

Fleischer said that Google decided not to remove the links worldwide because it is quite clear to the company that other courts in other parts of the world would never have reached the same result as the CJEU. This will probably be an area of some discussion and disagreement, and perhaps even some further judicial review over time, he added.

Another point of critique was aimed at Google's practice of telling a site's webmaster that a link to their site was removed from the search results, without telling them why. This has already led to speculation about the person who requested the removal, resulting in people and media wrongly guessing who filed the request.

As the court's verdict was silent on the rights of the webmaster, sending such a notice is also a Google decision, Fleischer said. Because removing a link could result in less traffic for a site, the company felt obliged to alert the owner. "Remember, it is not about defamation. We are talking about valid and legal content here, that is indisputable," Fleischer said.

Google is planning to continue to delist search results in the same way in the future. While the company has struggled with the aftermath of the ruling, Fleischer said that such cases ultimately serve to strengthen human rights, so from that perspective, he welcomes future court cases. "In the end, that is good for privacy," he said.

Whether Google's methods please the EU's data protection authorities remains to be seen, though. The Article 29 Working Party (WP29), the group representing the authorities, is planning to provide common guidelines for dealing with right-to-be-forgotten requests after next week's plenary session, said Isabelle Falque-Pierrotin, chairwoman of the French data protection authority CNIL and the WP29, during the conference. The group wants to guarantee that every person in Europe has the same protection.

The focus shouldn't be on what the ruling means to Google, but on the people making the requests. "It means that people want to control their digital life," she said. "We have to listen to that."

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags Googleintellectual propertysecuritylegalprivacy

More about EUGoogleIDGNewsSwitzerland

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place