European data protection authorities still have questions after meeting with Google, Microsoft and Yahoo about the implementation of a recent ruling that gave European citizens the right to be forgotten by search engines.
The search engine providers have until the end of the month to answer additional questions in writing.
Google, Microsoft and Yahoo met with EU data protection authorities who are members of the EU's Article 29 Working Party (A29WP) in Brussels on Thursday to discuss the May ruling by the Court of Justice of the European Union (CJEU). The ruling gave people the right to compel search engines to remove search results in Europe for queries that include a person's name, if the results shown are "inadequate, irrelevant or no longer relevant, or excessive."
However, the implementation of the ruling has turned out to be difficult to execute. Google already described the guidelines for removing query results "very vague and subjective."
The A29WP data protection authorities (DPAs) said in a news release that they had requested the meeting with the search engine officials in order to get input for future guidelines. The aim is to ensure a consistent implementation of the take-down ruling on the part of the search engine providers as well as consistent handling of complaints lodged with the authorities by people whose requests were denied, the DPAs said.
Confusion about the ruling could lead to a large number of complaints that the DPAs would then have to deal with -- a situation they apparently want to avoid.
Google said at the meeting that it has refused about 30 percent of requests, according to the statement from the DPAs. So far, the search engine has received 91,000 take-down requests concerning 328,000 links to Web addresses, a Google spokesman confirmed. About 15 percent of requests prompted Google to ask additional information. Over half of all requests have been granted.
Other than confirming take-down figures, Google declined to comment on the meeting, as did Microsoft. Yahoo did not immediately respond to a request for comment.
During the meeting the DPAs asked the search engines to explain their delisting process, according to the news release. The DPAs said they asked what criteria search engines use when balancing their economic interest and the interest of the general public in having access to information with the right of the person who wants the search results delisted.
Search engines were also asked if they notify website publishers when links are removed -- something that Google does -- and if so, what legal basis they have for sending out notifications.
The DPAs also wanted to know on what domains search results are delisted. Google for instance removes results from its European domains but not from its .com domain. It argues that the .com domain is not covered by the ruling because it is not aimed at Europeans in particular.
Time seemed to have been too short on Thursday to discuss all the DPAs' concerns. Google, Yahoo and Microsoft were asked to answer additional questions in writing by July 31. By then, they should provide details about the proof of identify or authentication they demand from people who file take-down requests. They also were asked to describe what safeguards are in place to protect any personal data processed during the handling of delisting requests.
In addition, the search engines were asked whether they post notifications on search results pages letting users know when some results have been removed due to EU law -- which is something that Google does -- and asked what the legal basis is for showing that warning.
In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by people, the DPAs said. They asked the search engines, "Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?"
The A29WP committee said that new guidelines would be issued in the autumn and that additional meetings on implementing the right to be forgotten rules may be organized with other stakeholders.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.