Google and The Right to Be Forgotten Case Study


Conduct a strategic analysis using the Executive Summary template.  Prepare and submit a three-page executive summary that discusses what strategic alternatives are available and provide a recommended strategy. 

Explanation & Answer length: 3 pages

Case 8 Google and the Right to Be Forgotten1 Cynthia E. Clark Bentley University In 2009, Mario Costeja Gonzalez, a self-employed attorney living in a small town outside Madrid, Spain, casually “googled” himself and was startled by what came up on his computer screen. Prominently displayed in the search results was a brief legal notice that had appeared more than a decade earlier in a local newspaper, La Vanguardia, which listed property seized and being auctioned by a government agency for nonpayments of debts. Among the properties was a home jointly owned by Costeja and his wife. Costeja immediately realized that this information could damage his reputation as an attorney. Equally troubling, the information was no longer factual. He had paid his debt nearly a decade earlier.

Abanlex, Costeja’s small law firm, depended on the Internet to gain much of its new business, which was often generated by a Google search. Potential clients might choose not to hire him based on the old auction notice, he reflected. His mind then turned to the possible effects of this kind of information on other people’s livelihoods. “There are people who cannot get a job because of content that is irrelevant,” he thought.2 “I support freedom of expression and I do not defend censorship. [However, I decided] to fight for the right to request the deletion of data that violates the honor, dignity and reputation of individuals.”3 The next week, Costeja wrote to La Vanguardia and requested that it remove the article about his debt notice, because it had had been fully resolved a number of years earlier and reference to it now was, therefore, entirely irrelevant.4 In doing so, he was making use of his rights under Spain’s strong data protection policies, which recognized the protection and integrity of personal data as a constitutional right under Section 18 of the nation’s Data Protection Act.5 In response, the newspaper informed him that it had recently uploaded to the Internet all its past archives, dating back to 1881, to allow them to be searched by the public.

It also noted that the auction notice had originally been publicly posted in order to secure as many bidders as possible. The newspaper refused Costeja’s request, stating that the information was obtained from public records and had thus been published lawfully.6 To be sure, the real problem for Costeja was not that the notice had appeared in La Vanguardia’s digital library, but that it had shown up in the results of the most widely used search engine in the world, Google, where potential clients might use it to judge his character.7 Following this reasoning, Costeja then wrote to Google Spain, the firm’s Spanish affiliate, only to be told that the parent company, Google Inc., was the entity responsible for the development of search results.8 Costeja was taken aback by this development.

“The resources Google has at their disposal aren’t like those of any other citizens,” he reflected.9 Costeja felt he would be at a disadvantage in a lawsuit against an industry giant like Google. In March 2010, after his unsuccessful attempts with the newspaper and Google Spain, Costeja turned to Spain’s Data Protection Agency (SDPA), the government agency responsible for enforcing the Data Protection Act. “Google in Spain asked me to address myself to its headquarters in the U.S., but I found it too far and difficult to launch a complaint in the U.S., so I went to the agency in Spain to ask for their assistance.

They said I was right, and the case went to court,” he explained.10 In a legal filing, Costeja requested, first, that the agency issue an administrative order requiring La Vanguardia either to remove or alter the pages in question (so that his personal data no longer appeared) or to use certain tools made available by search engines in order to shield the data from view. Second, he requested that the agency require that Google Spain or Google Inc. remove or conceal his personal data so that it no longer appeared in the search results and in the links to La Vanguardia. Costeja stated that his debt had been fully resolved.11 With these steps, a small-town Spanish lawyer had drawn one of the world’s richest and best-known companies, Google, into a debate over the right to be forgotten. Google, Inc. Google Inc. is a technology company that builds products and provides services to organize information.

Founded in 1998 and headquartered in Mountain View, CA, Google’s mission was to organize the world’s information and make it universally accessible and useful. It employed more than 55,000 people and had revenues of $45 billion. The company also had 70 offices in more than 40 countries. The company’s main product, Google Search, provided information online in response to a user’s search. Google’s other well-known products provided additional services. For example, Google Now provided information to users when they needed it, and its Product Listing Ads offered product image, price, and merchant information. The company also provided AdWords, an auction-based advertising program and AdSense, which enabled websites that were part of the Google network to deliver ads. Google Display was a display advertising network; DoubleClick Ad Exchange was a marketplace for the trading of display ad space; and YouTube offered video, interactive, and other ad formats.

Search Technology In its core business, Google conducted searches in three stages: crawling and indexing, applying algorithms, and fighting spam. Crawlers, programs that browsed the web to create an index of data, looked at web pages and followed links on those pages. They then moved from link to link and brought data about those web pages back to Google’s servers. Google would then use this information to create an index of how exactly to retrieve information for its users. Algorithms were the computer processes and formulas that took users’ questions and turned them into answers. At the most basic level, Google’s algorithms looked up the user’s search terms in the index to find the most appropriate pages. For a typical query, thousands, if not millions, of web pages might have helpful information. Google’s algorithms relied on more than 200 unique signals or “clues” that made it possible to guess what an individual was really looking for. These signals included the terms on websites, the freshness of content, the region, and the page rank of the web page.12 Lastly, the company fought spam through a combination of computer algorithms and manual review.

Spam sites attempted to game their way to the top of search results by repeating keywords, buying links that passed Google’s PageRank process, or putting invisible text on the screen. Google scouted out and removed spam because it could make legitimate websites harder to find. While much of this process was automated, Google did maintain teams whose job was to review sites manually.13 Policy on Information Removal Google’s policy on the general removal of information was the following: Upon request, we’ll remove personal information from search results if we believe it could make you susceptible to specific harm, such as identity theft or financial fraud. This includes sensitive government ID numbers like U.S. Social Security numbers, bank account numbers, credit card numbers and images of signatures. We generally don’t process removals of national ID numbers from official government websites because in those cases we consider the information to be public.

We sometimes refuse requests if we believe someone is attempting to abuse these policies to remove other information from our results.14 Apart from this general policy, Google Inc. also removed content or features from its search results for legal reasons. For example, in the United States, the company would remove content with valid notification from the copyright holder under the Digital Millennium Copyright Act (DMCA), which was administered by the U.S. Copyright Office. The DCMA provided recourse for owners of copyrighted materials who believed that their rights under copyright law had been infringed upon on the Internet.15 Under the notice and takedown procedure of the law, a copyright owner could notify the service provider, such as Google, requesting that a website or portion of a website be removed or blocked. If, upon receiving proper notification, the service provider promptly did so, it would be exempt from monetary liability. Google regularly received such requests from copyright holders and those that represented them, such as the Walt Disney Company and the Recording Industry Association of America. Google produced and made public a list of the domain portions of URLs that had been the subject of a request for removal, and noted which ones had been removed.

As of July 2015, it had removed more than 600,000 URLs out of more than 2.4 million requests.16 Likewise, content on local versions of Google was also removed when required by national laws. For example, content that glorified the Nazi party was illegal in Germany, and content that insulted religion was illegal in India.17 The respective governments, via a court order or a routine request as described above, typically made these requests. Google reviewed these requests to determine if any content should be removed because it violated a specific country’s law. When Google removed content from search results for legal reasons, it first displayed a notification that the content had been removed and then reported the removal to, a website established by the Electronic Frontier Foundation and several law schools. The Chilling Effects database collected and analyzed legal complaints and requests for removal of a broad set of online materials. It was designed to help Internet users know their rights and understand the law

. Researchers could use the data to study the prevalence of legal threats and the source of content removals. This database also allowed the public to search for specific takedown notifications.18 Google removed content quickly. Its average processing time across all copyright infringement removal requests submitted via its website was approximately six hours. Different factors influenced the processing time, including the method of delivery, language, and completeness of the information submitted. The Right to Be Forgotten The right to be forgotten can be understood as peoples’ right to request that information be removed from the Internet or other repositories because it violated their privacy or was no longer relevant. This right assumed greater prominence in the digital era, when people began finding it increasingly difficult to escape information that had accumulated over many years, resulting in expressions such as “the net never forgets,” “everything is in the cloud,” “reputation bankruptcy,” and “online reputation.”19 According to Jeffrey Rosen, professor of law at George Washington University, the intellectual roots of the right to be forgotten could be found in French law, which recognized le droit à l’oubli—or the “right of oblivion”—a right that allowed a convicted criminal who had served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration.20 Although the right to be forgotten was rooted in expunging criminal records, the rise of the Internet had given the concept a new, more complex meaning.

Search engines enabled users to access information on just about any topic with considerable ease. The ease with which information could be shared, stored, and retrieved through online search raised issues of both privacy and freedom of expression. On the one hand, when opening a bank account, joining a social networking website or booking a flight online, a consumer would voluntarily disclose vital personal information such as name, address, and credit card numbers. Consumers were often unsure of what happened to their data and were concerned that it might fall into the wrong hands—that is, that their privacy would be violated. On the other hand, by facilitating the retrieval of information, search engines enhanced individuals’ freedom to receive and impart information.

Any interference with search engine activities could, therefore, pose a threat to the effective enjoyment of these rights.21 As Van Alsenoy, a researcher at the Interdisciplinary Center for Law and Information Communication Technology, argued, “In a world where search engines are used as the main tool to find relevant content online, any governmental interference in the provisioning of these services presents a substantial risk that requires close scrutiny.”22 Europe Since the 1990s, both the European Union and its member states (such as Spain) had enacted laws that addressed the right to privacy and, by extension, the right to be forgotten. A fundamental right of individuals to protect their data was introduced in the EU’s original data protection law, passed in 1995. Specifically, the European Data Protection Directive 95/46 defined the appropriate scope of national laws relating to personal data and the processing of those data.

According to Article 3(1), Directive 95/46 applied “to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”23 Article 2(b) of the EU Data Protection Directive 95/46 defined the processing of personal data as: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Individual countries within the European Union also enacted their own laws, which were sometimes stronger than those of the EU. For example, in Spain, the protection of data was a constitutional right. The Spanish Constitution recognized the right to personal privacy, secrecy of communications, and the protection of personal data.

These rights were protected through the Data Protection Act (the “Act”), passed in 1999, which incorporated the 1995 European Directive on data protection, and was enforced by the Spanish Data Protection Agency (SDPA). Created in 1993, this agency was relatively inactive until the passing of the Act, which gave it more powers and a mandate to enforce privacy rules in a wide range of situations.24 The Spanish agency exercised its powers broadly. For example, in 2013, it fined telecom firm Telefonica SA £0,000 for twice listing an individual’s phone number in local phone books without the individual’s prior consent. In 2008, the agency fined a marketing company £00 for using “recommend this to a friend” icons on websites, saying that senders of recommendation emails had to first request the recipient’s permission. The agency had also successfully required anyone using security cameras to clearly mark their presence with a recognizable icon.

Supporters of this move have highlighted the importance of transparency in protecting one’s privacy.25 Over time, however, differences in the way that each EU country interpreted privacy rights led to an uneven level of protection for personal data, depending on where an individual lived or bought goods and services. This led the European high court to take a second look, in 2013, at the original law.26 A European Commission memo at that time noted that the right “is about empowering individuals, not about erasing past events or restricting freedom of the press.”27 The changes were intended to give citizens more control over their personal data, making it easier to access and improve the quality of information they received about what happened to their data once they decided to share it. An unanswered question, however, was the latitude given to national courts and regulators across Europe to set the parameters by which these requests could be made.28 The United States U.S. courts had taken a very different approach to privacy and to the right to be forgotten.

A few U.S. laws recognized the right to be forgotten; the Fair Credit Reporting Act of 1970, for example, gave individuals the right to delete certain negative information about their credit— such as late payments, tax liens, or judgments—seven years from the date of the delinquency. But, for the most part, fundamental differences in legal philosophy made this right less likely to become widely supported in the United States. In an article published in the Atlantic in May 2014, Matt Ford suggested that in the U.S. context, one person’s right to be forgotten logically imposed a responsibility to forget upon someone else, a notion that was alien to American law. The First Amendment to the Constitution barred the government from interfering with free speech.

Law professor Rosen argued that the First Amendment would make a right to be forgotten virtually impossible, not only to create but to enforce. For example, the U.S. Supreme Court ruled in 1989 that penalizing a newspaper for publishing truthful, lawfully obtained information from the public record was unconstitutional.29 The Lawsuit and Court Decision The main focus of Costeja’s complaint before the Spanish Data Protection Agency (SDPA) was his request that La Vanguardia remove the debt notice from its archives. In doing so, he was claiming his constitutional right to protect the integrity of his personal data. Costeja’s request had two parts: that (1) La Vanguardia be required either to remove or alter the pages in question or to use certain tools made available by search engines in order to protect the data and (2) that Google Spain or Google Inc. be required to remove or conceal the personal data relating to him so that the data no longer appeared in search results.

In July 2010, two months after Costeja’s original request, the SDPA ordered Google Spain and Google Inc. to take “all reasonable steps to remove the disputed personal data from its index and preclude further access,” upholding that part of the complaint.30 However, the SDPA rejected Costeja’s complaint as it related to La Vanguardia, because it considered that the publication by it of the information in question was legally justified.31 A year later, Google filed an appeal against the decision by the SDPA before the Audiencia Nacional in Madrid, Spain’s highest national court.

In March 2012, this court referred the case to the European Court of Justice, the EU’s high court, for a preliminary ruling.32 In their briefs, Google Spain and Google Inc.’s argument hinged on the meaning of “personal data” and “crawling.” Crawling, as noted above, was the use of software programs to find multiple websites that responded to requests for information online.33 These programs were configured to look for information on the Internet, according to a set of criteria that told them where to go and when.34 Once the relevant web pages had been copied and collected, their content was analyzed and indexed.35 Google compared its search engine index to an index at the back of a textbook, in that it included information about words and their locations.36 Specifically, Google argued before the European Court of Justice that because it crawled and indexed websites “indiscriminately” (that is, without a deliberate intent to process personal data as such), no processing of personal data within the meaning of Article 2 (b) of the EU Data Protection Directive 95/46 actually took place. This absence of intent, the company argued, clearly distinguished Google’s activities as a search engin…

Do you have a similar assignment and would want someone to complete it for you? Click on the ORDER NOW option to get instant services at