It looks as though Europe’s broad crackdown on privacy, data laws, and specifically U.S. tech companies is working.
Reports note this week that Google is buckling to European data protection regulators’ demands that it apply the “right to be forgotten” practice of granting delisting requests to the Google.com domain, rather than just European subdomains as it already does.
The “right to be forgotten” famously required Google to set up a system for processing and granting delisting requests, and it churned controversy worldwide concerning Google’s role as a publisher and/or arbiter of personal information. But the company pushed back against the various courts that demanded that Google widen its implementation of the ruling, and extend it to Google.com proper in order to ensure the delisting of content from all search domains, not just European ones. It seems as though Google has thrown in the towel. Reuters reports that since the “right to be forgotten” ruling in 2014, “Google has received 386,038 requests for removal, according to its transparency website. It has accepted about 42 percent of them.”
Facebook is facing fire on all sides in Europe, too. This week the Wall Street Journal reported that France’s data protection regulator has threatened to fine the company if it doesn’t change how it handles user data. The order from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), demands that the firm rework its data collection tactics or pay a series of fines that could total as much as $168,000.
While that is chump change for Facebook, it’s another thorn in the side of the company that has struggled to meet privacy requirements and requests in Europe, often issuing blowback in the form of claiming its immunity to most mandates because it operates out of Ireland.
And U.S.-E.U. data transfer rules as a whole have been challenged by the overturning of the Safe Harbor Act. (Last week, the E.U. Commission and the U.S. set an agreement for a new framework for transatlantic data flows dubbed the “EU-US Privacy Shield” that has been criticized as not accomplishing much in the way of changing how Europeans’ data is moved and used.) It was a move that made clear the European Commission’s intent to challenge U.S. processing of European data as a whole.
Europe’s campaign against what it considers to be loose privacy guidelines and inadequate measures for protecting user data has been a few years in the making, but notably more driven since the Snowden leaks of 2013. And at the beginning, technology companies somewhat dismissed the mandates and investigations from the European Commission and other bodies such as local courts. But now it is clearer that what may have looked like anger-driven probes have fleshed out into real, enforceable legislation. Companies are aware of tightening rules, and are continuously facing new threats from regulators who are on high alert for potential violations from overseas. And tech companies are kowtowing.