Remember Thomas Goolnik? Apparently, he doesn’t think you should. But let’s start this post off with some special notes for two specific parties, and then we’ll get into some more details:
Dear Thomas Goolnik: I’m assuming you’re reading this because you seem to come across every post we write about you and then file bullshit complaints in the EU about how they need to be forgotten. And, every time that happens, we write another post. Perhaps you should think about not trying to abuse the GDPR and the Right to be Forgotten, and recognize that it’s perfectly legal to mention your name. We won’t even mention the original original story you so badly want censored, even though I imagine lots of people will now go hunt that down.
Dear Google RTBF reviewers: this is not an article about some long ago no-longer-relevant event in Mr. Goolnik’s past. Even if we disagree about whether historical convictions should be disappeared down the memory hole, the right to be forgotten is supposed to apply only to past events that are no longer occurring. This article is not about Mr. Goolnik’s past. It is about his present: the fact that he repeatedly is abusing the Right to be Forgotten rules to try to delete our articles about him. This article is about this most recent attempt, and not his past, whatever that might include.
We at ignorantandunreasonable also got hit with one last week.
You’ll recall, of course, that prior to the GDPR, there was a big case against Google in the EU that created, out of thin air, a “right to be forgotten” (perhaps, more accurately, “a right to be delinked”) saying that for certain classes of information that showed up in Google’s search index, it should be treated as personal data that had to be delinked from that user’s name as no longer relevant. This never made any sense at all. A search result is not like out-of-date customer database info, yet that’s how the Court of Justice in the EU treated it. Unfortunately, with the General Data Protection Regulation (GDPR) going into effect earlier this year, the “right to be forgotten” was even more officially coded into law. We’ve noted recently, there have been a few attempts to use the GDPR to delete public information on American sites, and now we at Techdirt have been hit with what appears to be just such an attempt.
Last week we wrote about receiving our very first Right To Be Forgotten notice from Google, disappearing an earlier post that talked about articles in the NY Times that had been disappeared thanks to other RTBF requests. Yes, someone used a RTBF request to remove our article about the RTBF which was referencing other articles that someone had removed via a RTBF request.
And… yesterday we received a notification that this new article was also chucked down the memory hole thanks to a RTBF request, so that anyone who searches on a particular name in Europe will no longer see that article either. At this point, it’s fairly clear that it’s Thomas Goolnik who is making all of these RTBF requests, as he’s the only individual named. We don’t think either of our articles should be removed even under the EU’s laws that allow for a RTBF, because those laws only apply to out of date/irrelevant information, and the fact that Goolnik has just now made a RTBF request in an attempt to censor us and to edit his own Google results is not obsolete information and is entirely relevant and newsworthy.
Google faces fines if it does not comply with ridiculous recursion.
EU’s ‘right to be forgotten’ is still relatively new — the original ruling was made less than a year ago. Since then, the EU courts and companies have been trying to work out what it means in practice, which has led to some broadening of its reach. But an interesting court ruling in Spain seems to limit its scope. It concerns the following case, reported here by Stanford’s Center for Internet and Society:
The claimant was a Spanish citizen who found that when typing his name on Google Search, the results included a link to a blog with information about a crime he had committed many years ago. While the official criminal records had already been cancelled, the information was thus still findable on the internet.
The Spanish Data Protection Authority (DPA) made two rulings. One was that Google should remove the information from its search engine, and the other was that Google should remove personally identifiable information from a blog hosted on its Blogger platform. When these decisions were reviewed by Spain’s National High Court, it confirmed the first ruling, and clarified that Google needed to remove the link to the criminal records information from its search results. However, it did not confirm the second ruling:
The National High Court reversed that and held that the responsible for the processing is not Google but the blog owner. It further held that the DPA cannot order Google to remove the content within a procedure for the protection of the data subject’s right to erasure and to object.
This is significant, because it says the “controller of the processing” — a key concept in EU data protection law — is the blog owner, not Google, and so the latter cannot be forced to take down a blog post. The Center for Internet and Society post notes:
Arguably, under the rationale that the platform is not the controller of the processing, other user generated content sites such as YouTube or social networking sites might also fall outside the scope of the right to be forgotten.
Well, not entirely outside the scope: presumably, search engines could still be required to remove links to user-generated content, but it would be the creator of that content that would be asked to remove it entirely, not the hosting company. Clearly, further cases will be needed to clarify how exactly this will work in Spain, and whether it applies anywhere else.