Google, the Right to be Forgotten & Multinational Corporations

Originally posted on May 14, 2015

Today, I joined 80 other academics in requesting Google to release more information about its implementation of the European Court of Justice’s“Right to be Forgotten” (RTBF) ruling.

Last year, in Harvard Business Review I said that the Decision presented opportunities for innovation and profit if transnational companies recognized the demands of established, and emerging, privacy markets.  However, profit isn’t the only reason why companies should be interested in Google’s RTBF process – it is a prime example of the important role that the private sector plays in setting transnational privacy standards.

The ECJ applied EU data protection law, but it did not set the procedures for the implementation of the Right to be Forgotten.   This task has been left to Google, which has been working with a core group of advisors and EU bodies like Working Party 29 to build internal procedures to comply with a legal concept that continues to evolve.  In effect, the Google experiment will set processes that will influence, either positively or negatively depending with whom you speak, the future of privacy and data protection for the EU and anyone who does business there.

Google’s actions, voluntary or not, are a valuable part of the data privacy dialogue among states, corporations, and individuals.   For any law to be successful (measure success how you will) it must take into consideration how companies operate.  In setting internal processes to comply corporations make their greatest contributions to data protection.

Google has already responded to our open letter saying it will “consider” more transparency.  I suspect it fears publishing data on still-evolving policies or revealing proprietary information.  However, clarifying RTBF procedures may assist the company to identify program strengths and weaknesses, reduce the number of ineligible removal submissions, help other companies to understand regulatory expectations and perhaps prompt them to adopt some of Google’s strategies, and in due time, inform the content and character of future legislation.

Thus, Google’s practices demonstrate the private sector’s influence on the implementation of data protection law.  It is also suggests that corporations shouldn’t have to engage in standards-setting only in response to a legal mandate.

In today’s global digital business atmosphere, companies confront transnational data flows and privacy conflicts in their operations every day. Yet, multinationals typically view privacy concerns as an infringement on their business models.  Instead, the private sector could use its operational knowledge and implementation power to create industry-wide data protection standards that consider national legislation, are responsive to customer concerns and lower their operational risks,before, oreven in the absence of regulatory mandates.

Adopting a privacy inclusive view of data operations is better than waiting for, and responding to, litigation, which is a losing strategy in an interconnected world.