Google probed by ICO over potential mishandling of ‘right to be forgotten’

Google is in discussions with the Information Commissioner’s Office (ICO) over a potential mishandling of the "right to be forgotten".

The search engine is still struggling to implement the breakthrough ruling from the EU’s European Court of Justice last year, which classified Google as a data controller and told it to delete links to "inadequate, irrelevant or no longer relevant" information if the person being written about requested it.

The ICO revealed it has handled more than 180 complaints from those unhappy that Google has turned down their requests, but judged the search engine had acted correctly in three-quarters of them.

David Smith, deputy commissioner of the ICO, said: "This suggests that, for the most part, Google is getting the balance right between the protection of the individual’s privacy and the interest of internet users.

"However, this still leaves a significant number of cases where we believe Google haven’t got it quite right and they have been asked to revise their decision."

He added that whilst "in many cases they have done so" there remain some disputes yet to be resolved, cases which may lead to the ICO having to use its enforcement powers, which include a mandate to fine companies or order them to update their data policies.

However a source familiar with the matter told CBR that the dispute was unlikely to reach that stage, since much ICO investigation centres on policies and procedures, which Google appears to be complying with, rather than specific instances of data protection infringement.

Commenting on the discussions, Google told the BBC: "We haven’t always got privacy right in Europe, not just because of errors we’ve made, but our attitude too.

"But our swift and thoughtful implementation of the right to be forgotten ruling showed that for Google this was a genuine ‘we get it’ moment.

"We’ve also worked hard to give users more control over the data we collect and we’re looking at how to make those tools easier to find and use. So stay tuned."

Whilst the "right to be forgotten ruling" did not introduce new laws into European data protection, it was a departure from previous wisdom that Google was not a data controller.

Guidelines from the Article 29 Working Group, which gathers people from data protection agencies across the EU, are currently being worked out to inform businesses how they should deal with the ruling.