Google and the Right to be Forgotten: Insights for GDPR Compliance

The General Data Protection Regulation (GDPR) is less than three months away from enforcement. With its broader and more defined scope, more organizations are expected to feel its impact as compared to other data regulations from the EU. One example is its predecessor, the Data Protection Directive 95/46/EC, which was the basis for the legal recognition of EU citizens’ “right to be forgotten” in 2014. The ruling mainly affected search engines operating in Europe.

The right to be forgotten has been considered an EU-specific issue. But now, as part of compliance with the upcoming GDPR, organizations worldwide are set to face the same challenges previously posed to only a few. However, a recent survey by a big data application provider reveals that two-thirds of organizations are still not ready for this facet of the GDPR and organizations are confused on how it would work in practice.

With three years more experience, search engines have first-hand information on “right to be forgotten” compliance. Google, in particular, had been greatly affected by the ruling, as a case against the company was one of the reasons the right was legally solidified. Since 2014, Google has received over 655,000 requests — which translates to over 2.4 million links — for removal from its search results.

Last week, Google released a draft research paper which provides insight into the identity and the nature of the requests it has received since the EU ruling. The report shows that Google has removed 43.3 percent of the requested links. The remaining 56.7 percent Google has chosen to keep after considering alternative solutions, technical reasons, duplicate links, and the public interest.

Google’s findings reveal that the requests had predominantly come from private individuals, generating 85 percent of the total count, and 5 percent were from minors. Non-government public figures such as celebrities requested the removal of 41,213 links, while politicians and government officials requested for another 33,937 links.

Regionally, Google found that the requests were skewed slightly towards France, Germany and the United Kingdom, with the three countries making up 51 percent of the total request count. The more frequent requesters were law firms and reputation management services.

Differences were also apparent in regional attitudes towards data privacy. Requests from France and Germany were directed towards the removal of social media and directory pages, while requests from Italy and the United Kingdom were more targeted towards removal in news sites. Requesters were inclined to target local content: over 77 percent of the requests to remove links rooted in a country code domain came from people in the same country.

Google periodically releases updates on its compliance. The company’s reports shed light on what personal data people expect to be forgotten or removed, especially for organizations which could join Google in receiving such requests soon. Google continues to experience repercussions of the right to be forgotten, as it is again on the receiving end of a lawsuit for denying a request.

Google’s compliance efforts reflect the challenges the GDPR will pose to more organizations upon its implementation, especially with only 43 percent of organizations in the big data survey having any defined process for deletion of records and confirmation checks. The GDPR is designed to protect the data privacy and protection rights of individuals, and applies no matter where the organization handling the data is from. Under the GDPR, the “right to be forgotten” is officially named as the “right to erasure,” which states that an individual can obtain from an organization the erasure of his or her personal data.

However, the GDPR also brings with it an opportunity for organizations to review and further develop how they handle data processing. Despite GDPR’s tougher and broader approach, it simplifies compliance by providing organizations a single data privacy and protection regulation to follow instead of the multiple that exist at present.

Information and recommendations to help with compliance have been made available since the GDPR was first announced. With only weeks to go, the question of preparedness bears more urgency. Under the GDPR, organizations are obligated to have the right processes and technology in place for breach prevention and meaningful cybersecurity analysis. This mandate translates to employing state-of-the-art technology, and is more than a matter of compliance but also an opportunity to be equipped against the evolving world of cyberthreats.

Despite the changes GDPR brings, compliance can be a chance to better understand the customers and anyone involved with the organization’s business. Through GDPR compliance and utilization of appropriate technologies, organizations can collect and process data more efficiently and also cater to the data rights — not just the right to be forgotten — of their customers.  


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Online Privacy