1. the complainant told google to delete something
2. google says no
3. the complainant complains to the DPA, who agrees with them and fines google 600k
The implementation of "right to be forgotten" is problematic. It forces service providers to take down content on the request of a complainant, without going through judicial approval. It's up to the service provider to render a decision, and if they wrongly refuse the request, they could be subject to a fine. This is problematic because there's almost zero incentive for the service provider to keep the content up, and plenty of potential downside if they keep the content up. Thus, the "safe" decision is to always comply with any request, regardless of merit. This is the same problem with DMCA, where every request gets rubberstamped, because if you don't comply with the request and it later turns out to be valid, you lose your safe harbor status and can be held liable for the infringement. Needless to say, this effect is terrible for free speech on the internet. Also, unlike court, there isn't any "defense" so to speak. Who is supposed to be representing the public interest or the author?
> The implementation of "right to be forgotten" is problematic. It forces service providers to take down content on the request of a complainant, without going through judicial approval. It's up to the service provider to render a decision, and if they wrongly refuse the request, they could be subject to a fine.
That is not how it works. I'm guessing that some information is missing in this article. How it works is that you make a request to the service provider, if they refuse your request you can appeal to your Data Protection Agency. Only if the service provider fails to comply with DPA decision can it face legal action.
The article reads as if this wasn't the case. Do you have a source that mentions this? Everything I can find reads exactly the same as DMCA, where there's no 'central authority' to listen to, but you're just expected to treat each request as if it was part of a lawsuit.
This is especially insane, since this was undoubtably the action of an agent at Google, and we have no idea how many claims Google does properly handle. If each wrong handling is a 600k fine, you will quickly see every single request approved.
>That's not correct. Often DPAs are issuing corrective instruction prior to a fine, but not always, and there's nothing in the law that requires it.
It's not quite as obvious as a clause like "Supervisory Authorities must not fine unless..." but the GDPR clearly anticipates that fines should not always be imposed.
Give Article 83 ("General conditions for imposing administrative fines") of the GDPR a read.
To wit:
Paragraph 1 states "the imposition of administrative fines [...] shall in each individual case be effective, proportionate and dissuasive"
The introduction of proportionality means SAs can't just jump to issuing fines if a warning will suffice (and if they do then it can be overturned by a court or by the EDPB issuing a binding instruction).
Paragraph 2 states "When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following" and then lists 11 factors that the SA must take in to account.
Again, if these aren't taken in to account then the SA risks losing a judicial review of the decision to fine.
Assuming that bureaucrats will be totally reasonable seems to be a uniquely European thing. They may be more reasonable than ours in the US, but the incentives of the system don't support the latitude they're given.
As with everything, the devil's in the details. The Belgian Data Protection Authority agreed with Google about one set of info (possible political affiliation) and with the complainant on the other (unfounded harassment charges). From the article:
>Google was “particularly negligent” according to the DPA, because it “had evidence that the facts were irrelevant and outdated.”
The article's thin on info, so I don't know if Google's able to appeal the fine and argue their case. I also don't know if the DPA gave Google a chance to remove the info before the fine.
The statement from the DPA claims Google has proof the search results (about unproven accusations of bullying, years ago, for which the complainant was never prosecuted) were irrelevant and outdated (https://www.gegevensbeschermingsautoriteit.be/nieuws/600000-...), so step 3 seems to have included “the DPA asks Google for clarification”.
But yes, it seems the national DPAs have a lot of power without a (¿clear?) way for appeal.
I think you're exactly right. They won't achieve balance by levying massive fines for mistakes one way and nothing for mistakes the other way. Its the DMCA all over again: a license for anyone with a lawyer to control whats permitted.
Except that's not how DMCA works. If your content gets taken down by a DMCA request, all you have to do is fill out a form stating that your content is not violating copyright, send it to the hosting service, and they are required to restore your content unless the take down requestor shows them proof that they have actually filed a lawsuit against you.
Yes, I know that's not what happens at YouTube. YouTube has their own system for dealing with copyright complaints that they use instead of DMCA.
The DMCA does grant the target of a DMCA notice to sue the person who gives the notice for knowing material misrepresentation, including access to damages. But indeed it's been enforced very rarely and at very inadequate damage levels after subtracting legal fees. The main example of this provision being enforced is OPG v. Diebold: https://en.wikipedia.org/wiki/Online_Policy_Group_v._Diebold....
1. the complainant told google to delete some things
2. google says no, some things include invalid request for political official
3. oh, it did include an invalid request, but the other part was valid, here is a fine
One thing I would like to know is who will be getting fined for submitting an invalid request? I am also curious if anyone more familiar with the case knows whether a totally-valid request was submitted in whole and was similarly rejected. I admit not being familiar with the details beyond what I read in the link.
On a general note, I completely agree with your concerns about the right to be forgotten and the unbalanced incentives. I applaud Google for pushing back.
What you leave out in 3 is that they had proof for the valid part, most likely court documents dismissing the fraudulent case. Ignoring official, legal documents issued by the country you operate in seems like a very bad idea if you do not want to be fined.
> This is the same problem with DMCA, where every request gets rubberstamped, because if you don't comply with the request and it later turns out to be valid, you lose your safe harbor status and can be held liable for the infringement.
You've left out the other half of the DMCA. Yes, the take down request gets rubber stamped and your content goes down.
But if you file a counter-notice with the provider saying the the content was not violating copyright, that too is rubber stamped and the provider is required to put the content back up unless the take down requestor shows that they have actually filed a copyright infringement suit against you.
To get the content taken down and have it stay down the requestor has to go through the judicial system.
Unfortunately it’s all pretty theoretical now that YouTube and others use a content ID system that goes well beyond the legal requirements thanks to all the lawsuits years ago.
The application of the law as intended is not 'problematic', it is Google that is problematic in the sense that they seem to be of the opinion that the law does not apply to them. If you don't act in good faith and in fact try to interpret the law when it comes to the actions of private individuals then you really can not complain if the judiciary disagrees with you. That's a risk you took. Keep in mind that Google would have lost nothing if they had just complied with the request, instead, they decided to make a stand and show that they were in the right. Tough luck.
> it is Google that is problematic in the sense that they seem to be of the opinion that the law does not apply to them.
Except the article explicitly states:
> Google refused to delete the search results. According to the Litigation Chamber, this was justified with regard to possible links with a political party
It seems to me that the law only applies to them. One should be punished for trying to use the law to request things be deleted that are not illegal.
> Keep in mind that Google would have lost nothing if they had just complied with the request
This is scary, one-sided thinking. Google loses their ability to determine if the request is even a legal one if they comply blindly. Similarly the public accepts unnecessary content censorship.
Of course, nobody would argue otherwise. The point was at least some of request was invalid by the law in Belgium. So a reasonable person might read the article and conclude "one side didn't abide by a partially invalid request" and "another side submitted a partially invalid request". I am lacking on details of the issue at hand, but it's clearly stated some of the request is invalid.
We have seen the consequences of invalid takedown requests in other situations (e.g. DMCA), and we should appreciate companies not just taking every takedown request at face value.
> The point was at least some of request was invalid by the law in Belgium.
From what little information was provided in the article, it sounded like Google maintained that these search results were exempt from the law, because they were political in nature, so they stood their ground.
However the DPA determined that these results were NOT exempt, due to the particular facts of the case (the results were "irrelevant and outdated"). So, keeping them up did not serve the public good (which, I resume, is the justification for these exemptions).
To me, it sounds like Google chose the wrong test case to stand their ground on. I appreciate them taking a stand on keeping information available if it is important.
But, crucially, Google claiming the request was invalid does not make it invalid; that's for the DPA to decide.
> But, crucially, Google claiming the request was invalid does not make it invalid; that's for the DPA to decide.
Except apparently the DPA requires google to decide. And hits them with a hefty fine if they pick the wrong answer. I believe this is the point being made in the thread. Google suffers all the risk.
I read about this case when it was first filed and pretty much predicted the outcome, the error Google made was that they get to interpret the law in the way that suits them best instead of in the way that the individual affected would be best served. But that's something that many large American corporations seem to have issues with. You can expect a lot of clashes like these unless the coin really drops: privacy is important, and the effect of a decision by a company on someone's private life matters a lot in Europe. And judges will be more than happy to charge tuition fees until that lesson has been learned.
Seconded. If the data subject mixed into the request all data about them that they don't like, it seems reasonable for Google to stop analyzing as soon as they find something out of line.
This seems a bit one-sided. As the opening paragraph of the article says, there are very good reasons for not just complying with every request:
“The right to be forgotten must strike the correct balance between, on the one hand, the public’s right of access to information and, on the other hand, the rights and interests of the data subject,” said Hielke Hijmans, Director of the DPA’s Litigation Chamber.
They were so obviously wrong that they could have saved themselves 600K, a bunch of legal fees and a serious dent in their privacy image. After all, the fact that a complaint is leveled against someone is not something that needs to follow that person the rest of their life if not substantiated.
This is the reason why in many countries suspects are not named until conviction. So that they can clear their name in case the allegations are not substantiated enough to lead to conviction. Just being a suspect of anything should not ruin your life, even when you are a public figure. This as opposed to the United States where even just being a suspect can ruin your life easily, complete with mugshot and newspaper articles that detail the complaint but that never seem to find the resources to deal with the cases that don't make it to court or that fail to lead to a conviction. But that doesn't matter, in the court of public opinion the damage will be done.
As GP alluded, the potentially problematic endgame is that Google will have "learned their lesson" that they should just comply with requests, and it will look a lot like DMCA takedown requests on Youtube.
Startup idea: crawl the web for mentions of client names, do automated sentiment analysis, file automated takedown request of all negative content.
You can appeal these fines in the court system if you want, and google always does this. Sometimes they win, sometimes they lose.
There's no chilling effect on free speech that I can see. All speech is subject to GDPR, so it only matters when the speech is collected and how it is processed, not what the speech actually is. This is different from DMCA where whether a request is rightful or wrongful is determined by the content that the user provided. In the case of GDPR whether the request is wrongful is determined by your own actions as a controller, not any action of the user. Therefore the chilling effect is only on collecting and processing speech, not on the expression of it.
> You can appeal these fines in the court system if you want, and google always does this. Sometimes they win, sometimes they lose.
So? Lawyers aren't free. If you appeal and end up not paying the fine, you're still out lawyer/court fees. At the end the the safe decision is still to always comply.
>There's no chilling effect on free speech that I can see. All speech is subject to GDPR, so it only matters when the speech is collected and how it is processed, not what the speech actually is. This is different from DMCA where whether a request is rightful or wrongful is determined by the content that the user provided. In the case of GDPR whether the request is wrongful is determined by your own actions as a controller, not any action of the user. Therefore the chilling effect is only on collecting and processing speech, not on the expression of it.
I'll be more direct. Person A accuses person B of being an unsavory individual (eg. neo-nazi) and makes a blog post about it. A few years pass. Person B runs for MEP, thinks that the accusation would be bad for his campaign, and files a "right to be forgotten" request. Google gets the request, knows it's probably bogus, but doesn't want the hassle/fines/legal fees from fighting it, and so complies with the request. The blog might still be up, but it's impossible to discover. You don't see the issue here?
>The implementation of "right to be forgotten" is problematic. It forces service providers to take down content on the request of a complainant, without going through judicial approval
you forget that people can bully each other online, sabotage businesses for no reason, and that the person or business bullied should have the right to have the content removed.
Whether or not "the right to be forgotten" can be used for "good" is irrelevant to the discussion on whether it's flawed, or can be abused. Just as mob justice can be used for "good" (eg. punishing individuals protected by a corrupt justice system), doesn't mean we should endorse it.
The content is still "up". This request was only to remove the search results. Removal of the results means Google cannot profit from the content. However, the publishers of the content can still profit. In some cases, the information may be published as a part of the public record, a service financed through taxes on citizens. In such cases, it is arguable there should be no "profit". However third party "tech companies" are routinely utilising public records to generate web traffic to satisfy their advertising, tracking and user data collection "business" models.
"Right to be forgotten" enables people to ask search engines to remove certain results. It does not enable them to, e.g., ask newspapers to remove articles that contain accusations of harassment.
As long as the articles remain available from the original publisher, the newspaper, the "right to be forgotten" has no effect on access to the information. What it does do is cut out the search engine online ad sales services middleman, the Google web search engine, and forces the reader to go to the original publisher of the information.
A third party search engine could theoretically be purely objective in its presentation of search results however it could also be non-objective, e.g., biased in favour of advancing its own interests. Now the reader has an additional potential source of bias to deal with, besides the newspaper -- the search engine.
If "right to be forgotten" were the law of land worldwide, then perhaps it would put evolutionary pressure to develop more innovative methodologies and mechanisms for web users to find information on the web without using third party middlemen, e.g., ad-supported web search engines. Currently, we have continuing evolutionary pressure to centralize all web access through a few third party websites, e.g., Google.
> As long as the articles remain available from the original publisher, the newspaper, the "right to be forgotten" has no effect on access to the information.
Only in the technical sense. Being removed from google results will kill most or all of the traffic, especially for stories that aren't front page news. Citizen sleuths might be able to unearth it, but I'd wager that unless the person is running for an important position (eg. congressman), it's not going to turn up. With the way local news is dying, I'm not even sure whether journalists at local newspapers would be able to turn it up. I fully expect political candidates at the local/regional level to use this to suppress "bad" stories about them.
>If "right to be forgotten" were the law of land worldwide, then perhaps it would put evolutionary pressure to develop innovative methodologies and mechanisms for web users to find information on the web without using third party middlemen, e.g., ad-supported web search engines. Currently, we have continuing evolutionary pressure to centralize all web access through a few third party websites, e.g., Google.
The key concept here seems to be that Google decided that a public figure shouldn't be able to have something forgotten (which is reasonable, and in line with Right To Be Forgotten), but failed to account for the fact that something proven to be inaccurate or unfounded should still be able to be forgotten because it isn't true.
The latter issue is particularly important, as someone should not be permanently be harmed by a mere accusation of wrongdoing. Accusations should not follow someone after they've proven inaccurate.
According to lumendatabase the defamation complaints were filed 8 times by her lawyer about a private video (that seemingly was uploaded without her consent to porn websites) where she appeared as a "hooker from Brussels".
I think this is a serious human rights issue, in times where not everybody knows what's actually going on on their mobile devices, where Android malware is not a joke anymore and commonly spread around.
I mean, just imagine the same case that your private pictures or videos get uploaded to a porn website and Google simply ignores your legal complaints to take those down ... social- and work-life must be a living hell from that point on.
At risk of sounding callous, whether or not there was a violation of human rights is irrelevant to this decision. The law shouldn't be interpreted so that it hurts somebody (who might deserve it) right now. If the previous allegations were wrongly seen as unsubstantiated, then that case should be investigated separately.
However, I could see an argument for keeping criminal allegations public to allow future investigations by a concerned public. How would we balance that against possibly lifelong damage to a person's reputation?
> social- and work-life must be a living hell from that point on.
Why? Even if all of my colleagues have seen me nude that really won't change my work-life. Socially I'm absolutely certain my friends would not care. Is this unusual somehow?
Malware can take them for you, and it doesn't need to be your phone either. Maybe your gf is playing some mobile game, while pointing the camera at you... which is pretty reasonable situation.
That's what people get for trying to put every function into a single device...
This is a lesson that Google really needs to learn. If you’ve ever been on the wrong side of Google you know that they will dodge you like you are collecting debts and often the only way to get their attention is to shame them in the media, back channel someone you know, or engage them in court. They probably could have avoided this fee entirely just by answering the phone and realizing that the automation missed something.
I try really hard to like Google because overall they have done a lot of good, but sometimes it’s just jaw dropping how a company with so many smart people fails so badly at the most basic things.
maybe the cost of answering the phone and putting the effort to fix something that automation missed, case by case, outweights the risk of getting this kind of fine.
This is why punishment should be exemplar, read disproportionate, and the basic customer support should be enforced by law. Otherwise companies will just take the cheap way out and risk lawsuits.
It's hardly a random employee's fault that Google lost the court case.
I doubt anyone would be fired for a $600k mistake. When you work processing legal requests, there is always a chance you get sued. If Google blamed their court losses on the employee that originally caused the problem... they'd have a hard time convincing anyone to do that work at all.
This person probably handles dozens of requests a day. There would have to be serious evidence of neglect for the employee to suffer any punishment.
Thanks for the link! My only complaint would be this is restricted to only gdpr fines but there are more which occurred before gdpr was a thing and fines outside of the EU.
I'll do some more searching though since it seems likely it exists in full exhaustive format
At least in Germany that is due to the fact that taxes and afaik fines are not directly used for such things but are added to the budget which then in turn is used to fund these things
The fine is due to personal privacy damages against the users of said companies services.
IMO - the freaking fines should go directly to the users. Not some opaque and potentially mis-managed “general budget.
An analogy would be to say - tesla had a bug in thei software which caused 1,000 teslas to act “not as regulated, designed or intended” so the government is going to fine teala 600k and allocate that wherever they want.
The actual users of the product/service are the ones that need reimbursement - not some opaque “generl budget”
Thats why i hate these fines.
Its false justice for thise actually affected by the issue for which the company is being fined for.
Let me give tou a concrete personal example:
The 2008 housing mortgage crash.
I go to pay my mortgage one day - and the payment option is missing. I cant pay my mortgage on my $480,000 (put 100k down) home in San Jose.
Long story short - after 9 montha of nefarious dodging of to whom the “sold my mortgage to” (me: credit 780 - never missed a payment nor late)
Made $175,000/ year at the time , wife made $150,000z
So the just foreclose on me. Multiple times telling me “obamas going to fix it”
Demand $75,000 in three days or else. So i get foreclosed upon.
Sue.
But instead added to a class action suit against this.
I “win”
They pay me out my settlement: $1,100.08
I have never recovered from that and this is why i think these things are bullshit and i rage about it to this day.
Do you know that that home zillows for (i stand corrected - last tome i zillowed it it was at 1.39 million - but that was like two years ago. It sold last month for 790k
Still has all my remodels that i did at forclosure time. The custom capiz cabinets i had specially built and shipped from the philippines for $11,000 my bamboo floors my lighting the only thing in that house i didnt do was the green shower and the wainscoting in the closet my tv wall my downstairs bathroom.
> the freaking fines should go directly to the users. Not some opaque and potentially mis-managed “general budget.
This is what created the "I'll sue you" for everything mentality in the US. It's peak individualism and I'll be happy if we can keep this american cancer culture out of Europe for as long as possible.
Also, it goes to the end user, building roads, schools and other infrastructures. Even an half assed public budget is still better for me than some random dude getting half a millions euros out of nowhere. This guy didn't lose any money and didn't get any physical damage, why would giving him $600k be a truer sense of justice ?
You seem very angry about a broken system that doesn't have anything to do with the article btw. I don't think you could ever end up in a situation like yours in Europe, there are too many safeguards and regulations, but I guess that's too close to """communism""" for people across the pond
I find it very hard not to interpret at least “some” of the intention behind this fine to be about recapturing some of the evaded tax by national governments. €600K sounds like a lot of money.
It seems wrong to go in the direction of telling intermediaries to blacklist and curate traffic. The right thing is to develop a scalable way to notify sources to take down the content.
Better title would be Google fined an equivalent of 2.5 minutes of its revenue for thing X. That puts things in the right perspective. Absolute fines were always senseless for corporations.
That's interesting but ultimately pointless, the way to look at this is as a signal: don't do this, it will be at least 600K per individual if you do it again. And knowing the way courts work a little bit that second violation is going to generate a lot more attention and a third is likely something that even the Google board would want to know about.
Don't ignore the courts or they will make sure you notice them.
No, it's 600k per individual that successfully pursues this to the point where government regulators step in. I'd say it's quite likely that for every individual that gets this acted upon, there's a significant number that either (a) never complain, (b) don't have the political pull to get the regulators interested or (c) simply can't pass the burden of proof despite being in the right.
Actually it does. Finland calculates fines, e.g. speeding tickets, as a function of your income, otherwise the rich will treat them as a simple nuisance.
This is why I measure in person months and not dollars.
You fine the speeder a fraction of their income (person months), not a fraction of their entire support networks income (months). Doing the latter would tend to discourage people from forming large support networks (large companies).
But because they got together in a bigger group they can afford such fines easily and in order to be effective at all you need way stronger incentives.
I think it is quite unlikely that the Gmail team had anything to do with the search teams decision here. Certainly I wouldn't expect them to be well enough informed about the legalities and the details of the case to be colluding.
It's time that courts come to terms with the amount of money companies now control. A 600k fine is quite large if an individual. For a large corp, it's a rounding error. If a court wants to signal they are unhappy with the behavior of a corp, then they really need to adjust their punishment. These corps have money that rival nation states, and should be treated as such.
Bear in mind this is for a single violation, not a widespread noncompliance issue. Considering the number of RTBF complaints Google fields (I believe it's north of a million by now), a large number of violations would ratchet up the costs significantly.
This is probably a good example of RTBF working as intended. For as loud as Google was opposing to it, they've done, on average, a reasonably good job complying with it (people who know me should know I do not give Google more credit than they deserve, ever), and penalties like this for individual failures seem reasonable for the impact on the individuals who file them.
RTBF for better or worse places the burden of deciding how to respond to a request on Google, not an independent judiciary. That cuts down a lot of red tape, but I think it also means the appeals process can't be too harsh on the penalty here: The trial court usually isn't penalized for being overturned on appeal.
And also a first violation of this kind for this court. A second one would likely not pass unnoticed. A case here in NL where a hospital first got warned then got fined a small amount and then got fined a - for that hospital - massive amount certainly put them on notice. That's an error that will not be repeated a fourth time.
It is one case. Obviously the fine cannot be extreme. However GDPR fines can go up to 4% of revenue. But such a fine would be based on many users, not just one.
1. the complainant told google to delete something
2. google says no
3. the complainant complains to the DPA, who agrees with them and fines google 600k
The implementation of "right to be forgotten" is problematic. It forces service providers to take down content on the request of a complainant, without going through judicial approval. It's up to the service provider to render a decision, and if they wrongly refuse the request, they could be subject to a fine. This is problematic because there's almost zero incentive for the service provider to keep the content up, and plenty of potential downside if they keep the content up. Thus, the "safe" decision is to always comply with any request, regardless of merit. This is the same problem with DMCA, where every request gets rubberstamped, because if you don't comply with the request and it later turns out to be valid, you lose your safe harbor status and can be held liable for the infringement. Needless to say, this effect is terrible for free speech on the internet. Also, unlike court, there isn't any "defense" so to speak. Who is supposed to be representing the public interest or the author?