Interview with Lawyer (Avocat à la Cour) Sabrina Salvador on Holding Google Accountable
We have all done it: searched ourselves on Google just to see what pops up. Most of us find benign memories of past graduations, sporting endeavors or professional milestones.
Imagine, however, that the “you” that shows up online has little to do with you at all, or worse, is a slanderous misrepresentation.
Since the dawn of search engines, individuals have simply had to accept their online baggage. All that changed in 2014, when the EU’s Court of Justice backed a Spanish man’s “right to be forgotten” after he was haunted by a 1998 online auction notice of his repossessed home.
This judgment was based solely on the outdated 1995 data protection rules, drafted at a time when less than 1% of Europeans had internet.
The truth is that anyone can fall victim to data abuse. Nobody thinks twice about it until something goes wrong.
In April 2016, the Council and Parliament finally modernized the 1995 rules and adopted the EU data protection reform, a welcome step to the over 67% of Europeans who said they are concerned by their lack of control over personal online information, according to a recent EU Commission study.
“The truth is that anyone can fall victim to data abuse. Nobody thinks twice about it until something goes wrong,” said Sabrina Salvador, Partner at Kaufhold & Réveillaud, Avocats, “but now, individuals have a high level of uniform data protection as well as a clearer roadmap for how to defend their rights.”
Currently working with a client who faces defamation online, Salvador has witnessed the process first hand. She has seen how one’s digital identity can jeopardize banking relationships, business partnerships and forward mobility.
The new reform more explicitly articulates an individual’s personal data rights – 20 years after the first rules attempted to do so in a pre-social media world where pagers reigned and Amazon was in its infancy. This reflects a key challenge in the fight for data protection: How can law, a slow-moving machine, keep up with the tech world’s lightning speed?
“This reform was being discussed four years ago. That’s too long. It’s difficult to regulate at the same pace as technology, so we need to simplify the process, which is happening,” Salvador said.
The Regulation and Directive outline many rights that were inferred from the original data protection rules but not expressly stated: the requirement of consent to use certain personal data, an individual’s right to know how data is being used and the right to know when it has been hacked.
We’re heading in the right direction and data protection is becoming more accessible to everyone.
Another important contribution of the new rules is the strengthening of data protection authorities like the CNPD in Luxembourg, for example, by giving them the possibility to impose fines and by creating a new EU body called the European Data Protection Board.
Salvador welcomes the progress since the Spain vs. Google ruling. “We’re heading in the right direction and data protection is becoming more accessible to everyone. Now that EU authorities represent a united front, they could be a powerful intermediary between the people and Google,” she said.
When asked what has surprised her most about this data protection case, she admitted that it was Google’s lack of cooperation, but at a recent conference she learned the cause. One of Google’s lawyers was present and an attendee posed the question of why a high volume of requests are refused.
His simple answer? The search engine has a team of about 10 employees in Europe dedicated to such requests, so fact checking each case is impossible. To put that into perspective, in the first year after the 2014 Spain case was decided, Google received 253,617 link removal applications. On average, they receive 1000 requests from French citizens each day to remove or change information.
“We are working with a client whose initial request for removal was refused because Google assumed the serious allegations online were true, and therefore relevant to the public. However, they’re not true. On the other hand, some of the information is confidential but being illegally shared,” Salvador said.
In terms of an EU digital single market, the reform standardizes data protection rules and creates a supervisory authority charged with handling all requests, saving an estimated €2.3 billion/year. With this simpler and stronger infrastructure, Europe hopes to draw in business and encourage innovation, for example big-data developments.
The Regulation and Directive entered into force in May 2016 and will apply as of May 2018 to all operators on EU territory.
Despite the changes, Salvador suspects that there are many people who are still naïve to the risks involved with online data. “Today, when you meet a person, it’s a reflex to Google them and know ‘everything’ about them. When you’re young you put it all out there, and this information follows you. Many don’t realize that it could have consequences in the future.”
The new reform raises the question that if we have control over our real-life identities, why should we not have control over our online identities? Instead, they are too often dictated by a stranger with a computer half way around the world.
According to this new wave of data protection, accountability is king and search engines cannot remain faceless machines forever.
“It’s not ‘normal’ that so much personal information, whether true or not, is accessible online. It’s not right that the person targeted has no control. We have to create laws and go through this process just so that citizens can win back control of their own data,” Salvador added.
For further information, please contact:
Partner, Kaufhold & Réveillaud, Avocats
T: +352 444 222 1