Case #11a. Google Contests Europe’s Privacy Laws (In preparing your case analysis, you can read quickly though the history of the “right to be forgotten” issue in Europe. Most of the history, dating to Spain, is not crucial to analysis of the case.) In late March 2016, France’s data-protection regulator fined Google for not implementing Europe’s “right to be forgotten” globally. In its action, France’s Commission Nationale de l’Informatique et des Libertés, (CNIL), rejected a compromise offered by Google. Google’s decision sets up a battle in the European Court of Justice (ECJ), EU’s top court, over the scope of Europe’s “right to be forgotten” rule. France’s CNIL, said that Google had violated a formal order last year, ordering it to apply Europe’s new “right to be forgotten” rule to “all domain names” of the search engine, including google.com, and fined the company €100,000 ($112,000). The fine was assessed after negotiations between the European Commission, the executive arm of the European Union, and the United States Commerce Department broke down without a resolution before a February 1, 2016 deadline, to no surprise of legal experts, government officials and industry watchers. CNIL rejected a compromise offered by Google and support by the United States Commerce Department, in which it would apply the rule to all of its sites when they were accessed from an European Union country where a removal-request originated. A Google spokesman said the company would appeal the ruling, adding that “we disagree with the CNIL’s assertion that it has the authority to control the content that people can access outside France.” The CNIL’s fine is a small for Google, compared with Alphabet’s annual revenue of $74.54 billion in 2015, so both sides are fighting to set a precedent over how far the right to be forgotten can extend. The “right to be forgotten” was established in a 2014 ruling from European Court of Justice, EU’s top court, lets European residents ask search engines to remove links from searches for their own names, if the information is old, irrelevant or infringes on their privacy. Google vets requests, weighing privacy rights against the public interest in having that information tied to the person’s name. Google provoked the ire of some European privacy regulators like France’s CNIL by applying the rule only across its EU sites, including google.fr and google.de. In May 2015, France’s CNIL issued an order to Google to cover all Google’s search sites; otherwise, the CNIL said, users could simply search at google.com. Earlier this year, Google offered regulators a compromise, under which it would, in addition to removing links from its European sites like google.fr also remove links from its non-European search sites, including google.com, when a user in an EU country searches for information about a person who has exercised the right to be forgotten from the same EU country. For example, links about a French person that are removed under the right to be forgotten would also be removed from all Google sites when the searcher is in France—but not if the searcher is in Germany or outside the EU. CNIL said that compromise was insufficient because people the requester knows might be searching outside the EU, or in other countries within the EU, and it is easy to use an Internet address from a different country using a service like a virtual private network. "For people residing in France to effectively exercise their right to be delisted, it must be applied to the entire processing operation, i.e. to all of the search engine’s extensions,” CNIL said in a statement. “American companies do not have an immediate right to collect data on our citizens,” Ms. Falque-Pierrotin, said recently in an interview. “If they are on our soil, then they need to live with the consequences.” Greater oversight fell to Europe’s national data regulators in October 2015, when the European Court of Justice (ECJ) annulled the 15-year-old pact known as “safe harbor,” which had allowed companies to move information freely between the United States and Europe. The judges ruled that Europeans’ data was not sufficiently protected when transferred to the United States. “The French aren’t afraid to pick fights with companies,” said one observer. Ms. Falque-Pierrotin, head of CNIL, follows a long tradition of French officials promoting strict privacy rights. In 2014, her peers elected her to lead an increasingly powerful group of European privacy regulators — a position that she is the forerunner to retain when new elections take place next month. Up to now, her strategy also has focused on communication, not just enforcement. Bruce Andrews, the deputy secretary of the Commerce Department, dismissed Europe’s concerns, saying that the United States had already offered the European Commission a number of guarantees on how its citizens’ data would be treated. “We’ve agreed to make major changes,” he said. “The U.S. takes individuals’ privacy very seriously.” In a parallel development, in February 2016, Margrethe Vestager, head of the Directorate-General for Competition (DG) the European Union’s antitrust agency, which reports directly to the European Commission, warned that the collection of a vast amount of users’ data by a small number of tech companies like Google could be in violation of the region’s tough competition rules. The Company Google Inc. is an American multinational corporation specializing in Internet-related services and products. These include search, cloud computing, software, and online advertising technologies. Most of its profits are derived from AdWords. Rapid growth since incorporation has triggered a chain of products, acquisitions and partnerships beyond Google's core search engine. It offers online productivity software including email (Gmail), an office suite (Google Drive), and social networking (Google+). Desktop products include applications for web browsing, organizing and editing photos, and instant messaging. Google has been estimated to run more than one million servers in data centers around the world that process over one billion search requests and about 24 petabytes of user-generated data each day. In Europe, Google has 90% of the search market. This market dominance has led to criticism of the company over issues such as copyright, censorship, and privacy. (Google is now subsidiary of Alphabet, Inc., a new company formed when Google reorganized itself in 2015.) History of the Internet Privacy Issue in Europe There has been a significant tightening privacy laws related to the Internet over the past decade. In Europe, this concern led to a 2008 Google challenge to Spain's Agency of Data Protection (AEDP), a government organization that dealt with complaints from citizens over the handling of their personal data on the Internet. The agency claimed that, under Spanish law, Google must delete links on its search engine to any websites containing information that could compromise an individual's right to privacy. This could include potentially embarrassing information about an individual's activities. Google resisted, and the case ultimately ended up in the European Court of Justice (ECJ), which ruled in May 2014 that Google must remove certain links on request. The ruling has established a digital “right to be forgotten”—and forced Google to tackle one of the thorniest problems of the internet age: setting the boundary between privacy and freedom of speech. Google’s search engine has become a widely used tool for learning about the backgrounds about potential mates, neighbors and co-workers. What it shows can affect romantic relationships, friendships and careers. For that reason, Google regularly receives pleas asking that it remove links to embarrassing information from its search index or least ensure the material is buried in the back pages of its results. The company, based in Mountain View, Calif., almost always refuses in order to preserve the integrity of its index. In 2013, the European Commission crafted controversial legislation to give people more power to delete personal information they previously posted online. At the time, Artemi Rallo, director of the Spanish Data Protection Agency (AEDP) declared, “This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future. Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.” Google defends its linking policy in a Spanish court In January 2011, Spain's AEDP and Google on Wednesday faced off in court where the search company defended its content linking policies and business model. Google denied being responsible for any of the content it indexes, according to the news agency Europa Press. Moreover, Google has defended what it considers its right to link to external pages and to not remove information. "Doing so would be a form of censorship," said Luis Javier Aparicio Falón, a Google attorney. The lawsuits should have been filed against the content creators, and not against Google, Aparicio Falón said. "Asking search engines to remove information in an arbitrary fashion are very dangerous because search engines are a fundamental part of the information society and freedom of speech would be under attack." Peter Barron, Google European Director of External Relations, said in a statement: "We are disappointed by the actions of the Spanish privacy regulator. Spanish and European law rightly hold the publisher of material responsible for its content. Requiring intermediaries like search engines to censor material published by others would have a profound chilling effect on free expression without protecting people's privacy." For Google, the solution would be for editors to use existing tools to limit access to certain information via the Internet. Beyond the five cases, Spain’s AEPD has also requested that Google remove 100 links, saying that they are "potentially libelous." On Dec. 1, Artemi Rallo, the AEPD's general director, in an appearance before Spain's Congress, brought up the growing concern in Spanish society over citizens' data privacy. During his speech, he said that "the major providers of Internet services have already crossed the line several times with regards to respect to privacy," referring to AEPD objections involving Google Buzz, Google Street View, Facebook, Microsoft and Yahoo. Spain refers Google privacy complaints to EU's top court Spain's highest court, the Audiencia Nacional, decided to refer the case to wants the top court in Europe, the European Court of Justice (ECJ), to decide if requests by Spanish citizens to have data deleted from Google's search engine are lawful, in a case that could put more pressure on it to review its privacy policies. The Spanish judges also asked the ECJ whether the complainants must take their grievances to California, where Google is based and said it wanted the matters heard. The referral of the case to the ECJ marks the first formal inquiry into when people can demand that their data be deleted. "We support the right to be forgotten, and we think there are ways to apply it to intermediaries like search engines in a way that protects both the right to privacy and the right to free expression," a Google spokesman told Reuters. Such a "right to be forgotten" was included in updated data protection rules proposed in 2012 to the EU Parliament by Viviane Reding, at the time the European Commissioner for Justice, Fundamental rights and Citizenship. The right, would be codified as part of a broad new proposed data protection regulation. Although Reding depicted the new right as a modest expansion of existing data privacy rights, in the view of some American critics it represents the biggest threat yet to free speech on the Internet. For example, if fully implemented the right to be forgotten would make Google liable for up to two percent of their global income if they fail to remove photos that people post about themselves and later regret, even if the photos have been widely distributed already. As such critics, foresaw a dramatic clash between European and American conceptions of the proper balance between privacy and free speech, leading to a far less open Internet “I cannot accept that individuals have no say over their data once it has been launched into cyberspace,” Ms. Reding said at the time. She said she had heard the argument that more control was impossible, and that Europeans should “get over it.” But, Ms. Reding said, “I don’t agree.” “What you really have here is a trans-Atlantic clash,” said Franz Werro, who was born and raised in Switzerland and is now a law professor at Georgetown University. “The two cultures really aren’t going in the same direction when it comes to privacy rights. “ For instance, in the United States, Mr. Werro said, courts have consistently found that the right to publish the truth about someone’s past supersedes any right to privacy. Europeans, he said, see things differently: “In Europe you don’t have the right to say anything about anybody, even if it is true.” Mr. Werro says Europe sees the need to balance freedom of speech and the right to know against a person’s right to privacy or dignity, concepts often enshrined in European laws. The European perspective was shaped by the way information was collected and used against individuals under dictators like Franco and Hitler and under Communism. Government agencies routinely compiled dossiers on citizens as a means of control. Court cases over these issues have popped up in many corners of Europe. In Germany, for instance, Wolfgang Werlé and Manfred Lauber, who became infamous for killing a German actor in 1990, are suing Wikipedia to drop the entry about them. German privacy laws allow suppression of criminal identities in news accounts once people have paid their debt to society. The lawyer for the two killers argues that criminals have a right to privacy too, and a right to be left alone. Google has also faced suits in several countries, including Germany, Switzerland and the Czech Republic, over its efforts to collect street-by-street photographs for its Street View feature. In Germany, where courts found that Street View was legal, Google allowed individuals and businesses to opt out, and about 250,000 have. The issue, however, has had no traction in the United States, where anyone has the right to take pictures of anything in plain sight from the street. Google declined to discuss the Spanish cases, instead issuing a statement saying that requiring search engines to ignore some data “would have a profound chilling effect on free expression without protecting people’s privacy.” European Right to Be Forgotten Legislation Today In 2012 the European Commission disclosed a draft European Data Protection Regulation to supersede the directive, which includes specific protection in the right to be forgotten. To exercise the “Right to be Forgotten” and request removal from a search engine, one must complete a form through the search engine’s website. Google’s removal request process requires the applicant to identify their country of residence, personal information, a list of the URL’s to be removed along with a short description of each one, and attachment of legal identification.^ The applicant receives an email from Google confirming the request but the request must be assessed before it is approved for removal. If the request is approved, the link is removed from search results but the content, however, remains online and is not completely erased.^ After a request is filled, a panel reviews the request, weighing “the individual's right to privacy against the public's right to know,” deciding if the website is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.” ^ Google has formed an Advisory Council to carry out these decisions, full of various professors, lawyers, and government officials from around Europe. However, the review process is still a mystery to the general public. Guidelines set by EU regulators were not released until November of 2014, but Google began to take action on this much sooner. In July 2014, in the early stages of Google's effort to comply with the court ruling, legal experts questioned whether Google's widely publicised delistings of a number of news articles violated the UK and EU Data Protection Directive, since in implementing the Directive, Google is required to weigh the damage to the person making the request against any public interest in the information being available.^ Google is not required to comply with removal requests at all, as it can refer requests to the information commissioner in the relevant country for a decision weighing the respective merits of public interest and individual rights. However, national privacy regulators in the European Union would like to change this. As of 2014 the European Commission has been pushing for the deletions requested by EU citizens to be implemented by Google not just in the European Union (as in google.co.uk, etc), but on google.com. This means that the European Union wants Google to have to implement these deletions on a worldwide scale, not just in the EU. Regulators want delistings and deletions to be implemented on the full google.com so that the law cannot be circumvented in any way. This EU privacy regulating body also claims that by not deleting links from their international '.com' site Google isn’t providing sufficient guarantee of privacy and the right to be forgotten to citizens of the European Union, and is therefore not fully complying with the law. Due in part to their refusal to comply with the recommendation of the privacy regulating board Google has become the subject of a four-year-long antitrust investigation by the European Commission. In 2014, the ECJ allowed anyone with connections to the region to request that links about him or her be removed from search engine results. This so-called right-to-be-forgotten ruling has pitted Google, whose search engine holds a roughly 90 percent market share in Europe, against some of the region’s privacy regulators. Other search engines, including Microsoft’s Bing service, also must comply with the decision. On 30 July 2015, Google announced that it would not comply with demands from France’s privacy regulator, the CNIL, that ruled Google must apply a European data protection ruling to all of its global domains. Google has said agreed to remove links on its European domains like Google.fr in France, but will not apply the decision to its non-European domains, including Google.com. In response, several of Europe’s privacy regulators — led by Isabelle Falque-Pierrotin, who heads the NCIL, — have said that Google must remove links on its worldwide domains or face financial penalties. NCIL has the power to issue one-time fines of up to 300,000 euros, or almost $330,000, to companies that fail to comply with its data protection rules.) She added, “We note that Google’s arguments are partly political. Those of CNIL, in turn, were based strictly on legal reasoning.” In a blog post published on 30 July 2015, Peter Fleischer, the company’s global privacy counsel, said that no country should control the type of online content available in other countries. Mr. Fleischer added that such practices could lead to multiple countries’ trying to outdo one another with strict rules, which could eventually reduce all types of material that are available online. “If the CNIL’s proposed approach were to be embraced as the standard for Internet regulation, we would find ourselves in a race to the bottom,” he wrote in a blog post. “In the end, the Internet would only be as free as the world’s least free place.” In a statement, CNIL said it had received Google’s statement, and that it would respond within the next two months. In refusing to apply the right-to-be-forgotten decision to its global domains, Google is now expected to fight the case in local courts. That process could take several years. Since Europe’s right-to-be-forgotten decision was first announced in May 2014, more than 60,000 requests have been made from France, more than from any other country. About half of those links in France were removed, according to Google’s latest transparency report. In an interview in Wired, CNIL’s Falque-Pierrotin said she believes that U.S. companies are not holding up their end of the EU’s “Safe Harbor” agreement that allows U.S. companies to store data on European citizens provided they protect it. She further lamented the small fines her agencies and others in Europe can impose on Google for privacy violations, in France’s case 150,000 euros, a fine assessed Google by France in 2014. In defense of delisting, she described it as “…probably one of the first very symbolic examples of the rebalancing of the relationship between the data subjects and the industry representatives and the data controllers. It gives the possibility to each of us not to alter the past but to have the possibility to control a little bit what we have done in the past and their digital appearance. In terms of balance of the right of individuals and right of data controllers, there is a kind of shift that’s wanted by the individuals. On the other hand, it’s not an absolute right. We should not fall into a kind of digital revisionism, where you could say that something did not even happen. It has to be balanced between the right of the individual and the right of the public to have access to the information.” Question: What strategy do you recommend for Google to achieve its goal of stopping the imposition of Europe’s “Right to be Forgotten” right to all of its global operations? In answering this question, you must: a) (6) draw a power diagram showing relations among the primary actors in the case. (They are those highlighted in the case). b) (3) Define what model will best describe the public policy decision-making of each of the governmental actors in this case and explain your choice. (DO NOT offer a single model for all of the governmental actors!) (5) In formulating your strategy, given your power diagram and the models you have cited, be sure you make clear what power Google (and its potential allies) have over the government decision makers and other actors. (200 words maximum) . Summary of Actors in the Google Case Google United States Commerce Department European Union (28 member nations) European Commission (EC) reports to EU Directorate-General for Competition (DG) reports to EC European Commissioner for Justice, Fundamental Rights and Citizenship reports to EC France’s Commission Nationale de l’Informatique et des Libertés, (CNIL) reports to EC European Court of Justice (ECJ) reports to EU Implicit but not highlighted in the case: European users of Google as a search engine Current and Potential Competitors to Google in Europe