A Google search that throws up negative results can be extremely stressful.
Negative content about you or your business can have detrimental effects on your personal and professional life.
If a Google search turns up inaccurate, untrue, or unwanted content on a web site, page or within company details, there are steps you can take.
Data protection laws in the EU and the UK are similar, but not exactly the same. Since Brexit, the UK has brought in its own version of the EU GDPR, which follows much of the same legislation including things like the Right To Be Forgotten (RTBF).
Negative Google search results and your online reputation
For many reasons, some more obvious than others, negative content online is damaging.
Whether it’s in the form of YouTube videos, news stories, a defamatory blog or personal comments, negative content related to your name or business name can rank high in Google search results.
This means that anyone searching your name on any of the major search engines, will come across it. And that is how they will form their opinion of your business or your personal information.
Google’s search results are vital in the quest for a positive online reputation
Fair or not, the first few results on a Google search are key to your online reputation and other people’s perception of you.
Negative, unfair or unwanted content can damage not only your personal online reputation, but also that of any business interests you have. It can taint your family and friends by association and generally cause an enormous amount of distress and problematic interactions.
It can harm your career development, job prospects, personal and professional relationships and your mental health.
There are ways to request removal of unwanted content, whether articles or images under the Right to Be Forgotten (RTBF).
Before I go into the differences between data protection and content removal in the UK and EU since Brexit, let’s have a quick dive into the Right to Be Forgotten.
Request removal through the Right to be Forgotten
The whole reason Igniyte exists is to help people deal with unwanted content online.
We know the distress it causes to find unfair, untrue or otherwise unwanted information about you through a simple Google search.
No one wants to be linked with negativity online, which is why we have developed complex expertise in dealing with this.
GDPR and the right to erasure
The Right to Be Forgotten is an EU initiative that was introduced in 2014 as part of the General Data Protection Regulation (GDPR).
GDPR is about your right as an individual to the right of erasure of data.
It governs how personally identifiable information and data protection is collected, used and erased.
An EU Court of Justice judgement in 2014 set the precedent for the RTBF within the GDPR regulations.
However, obviously this is not as simple as an individual making a removal request and having it granted straight away.
The Internet has connected our personal and professional data in such an amalgamated way that it makes the right to remove content or make an attempt in limiting access to unwanted information more difficult.
What exactly is the right be forgotten?
If you check out Article 17 GDPR, you find that, under certain conditions, the individual “shall have the right to obtain from the controller the erasure of personal data.”
It goes on to talk about how the controller (usually the website owner) must do this without “undue delay”, which is generally accepted as around a month.
Article 15 of the GDPR act is linked to the RTBF. This concentrates on people’s right to access information about themselves.
Without the right to actually request to remove information, the right to access it would essentially be meaningless.
This makes the process of removal sound simple and straightforward. However, the right to request removal of content and have it granted is not absolute.
The conditions necessary for the right to be forgotten
According to GDPR, a person can have their personal data scrubbed from Google search results only if the following conditions are met:
The content from Google is outdated
If the personal data available to be found through Google’s search results or on a website, blog or anywhere else on the Internet is actually no longer necessary for its original use.
For example, if you signed up for a newsletter with your personal information and no longer wish to receive it, then you have the right to request removal.
You remove or withdraw the original consent
Generally speaking, organisations are legally reliant on the individual’s consent to collect and use their.
Should the individual then withdraw this consent for their personal information or business listings, then the right to request removal applies.
This gives the individual some measure of control over outdated content.
There is no actual legitimate reason for the organisation to keep processing the data
If the organisation holding the data justifies keeping and processing it for legitimate reasons, but the individual objects to this.
The company is using the personal data for direct marketing
If an organisation is holding your data solely for direct marketing and you don’t want them to, then you can initiate the removal process.
The personal data has been processed illegally
The website owner or holder of the personal data has legal obligations to remove it.
When does the right to be forgotten NOT apply under GDPR?
There are many reasons why an organisation’s rights to individual data supersedes that person’s right to be forgotten.
This highlights the complexity of the very concept of data protection on the Internet.
It’s a vast, interconnected realm of billions of pieces of personal data that can quickly be lost in the morass.
This is why a simple Google search of a person or business can throw up unwanted content from ten years ago, that is still there and still available and accessible.
GDPR states that the following override the right to be forgotten for individuals:
Freedom of expression
Where the personal data is being used by the organisation or web page to exercise the right of freedom of information and freedom of expression.
Complying with a legal duty
If the data is online because it’s compliant with a legal ruling then the this supersedes the right to request removal.
It’s in the public interest
For example, the data is being used to do something that benefits the wider public interest or if it’s in the organisation’s official authority to use it in this way.
This applies if the data is vital for preventative or occupational medicine.
It’s important for research
If the data being processed is considered necessary for research that ultimately serves the public interest, whether that’s scientific, historical or statistical and where a removal request would impair progress, then there’s no way to remove content.
The data is necessary for legal obligations
If the data details are being used to establish a legal claim or to create a legal defence, them removal doesn’t apply.
Does the Right to be Forgotten actually work in 2021?
Seven years after Google brought in the Right to be Forgotten, how much difference has it made?
And now that the UK has left the EU, what does that mean for data protection and privacy?
When the RTBF was launched, its main feature was to give individuals the right to ask for outdated content, irrelevant information or inaccurate information to be removed.
And while many people saw the right to remove personal information as a plus, others didn’t.
How many removal request has Google received?
It has been a contentious feature ever since it was launched because of the idea that individuals can remove a link to a site and therefore change what others can find through a Google search.
Since it was introduced, Google has received more than one million requests to remove content from search results since the 2014 ruling. This equates to removal requests for around 4.3 million URLs (as of June 2021) and has accepted around 47%.
GDPR and the RTBF impacts every individual in the EU, but where does that leave the UK now it’s a third country?
Brexit and GDPR – what’s the score?
The UK finally left the EU in December 2020 after years of protracted negotiations since the 2016 Referendum.
How does that leave the country in terms of GDPR and domestic data protection?
Under the EU’s GDPR, the UK is a third country. This means that it is a country external to the EU.
However, there was a provision covering GDPR in the ‘oven ready’ Brexit deal signed in December 2020 between the UK and EU.
This provision ensured that, for an interim period initially of six months, that data would still be able to flow between the EU and the UK with no blocks.
Following the end of the initially agreed six months, on 28 June 2021, the EU made a further decision about the protection of the UK’s personal data.
This ‘adequacy decision’ ensures that personal data will continue to flow freely between the UK and the EU until June 2025.
What does the EU’s adequacy decision mean for the UK?
Basically, UK websites, organisations and companies can continue collecting and processing data from people across the UK.
It’s very much ‘business as usual’, at least for the next four years.
After that, the Eu will need to deliver a new process to decide whether the UK will still have the same level of data protection.
UK legislation changes
The general data protection rules within data law in the UK have been changed.
This is because the EU GDPR’s domestic law applicability no longer applies.
Legal changes include new domestic data privacy laws (UK-GDPR) and updates to the old Data Protection Act.
All of the changes can be found in the UK Government’s DPPEC regulations, that is the Data Protection, Privacy and Electronic communications (Amendments etc) (EU Exit) Regulations 2019.
The most important elements of the DPPEC regulations are that a new domestic law has been created (UK-GDPR) and the 2018 Data Protection Act has been updated.
UK-GDPR is pretty much exactly the same as the EU GDPR. It even uses the same legal text, although there are obviously slight differences.
So, the rights of the data subject (that is, the individual) under the EU GDPR under Articles 15 to 22 remain. And this is where the right to be forgotten comes in.
If a UK-based web site has users from countries within the EU, then it must still comply with EU GDPR in the same way as before Brexit.
The most significant difference comes with who is empowered to decide on legal removals, copyright infringement or to remove content from Google.
EU GDPR no longer applies to the UK domestically. So, the UK’s law is now supervised and enforced by the Information Commissioner (ICO) since 1 January 2021, whereas it used to the European Data Protection Board (EDPB).
GDPR-UK under the ICO
For all the details on the ICO’s rulings for the GDPR-UK you can head to their website here.
For businesses, organisations and companies in the UK, it’s important to understand the ramifications of data collection and how the removal process works.
There are times when individuals will request that outdated content be removed, when it actually can legally stay.
An example of this is if someone makes a request to a previous employer to remove all of their details and personal data.
As the organisation has a legal obligation to disclose salary details to HMRC, it can therefore refuse this request for data removal.
Every request removal must be treated individually
Organisations can refuse the request for data removal from a site, web pages, a link, URL, or any other information demanded by an individual for various reasons.
Each case is different, and exemptions to the relevant request for content removal must be analysed carefully.
If the request to remove content from Google search results (such as outdated content on a website, or data collected for a specific purpose) is considered excessive or manifestly unfounded then the company doesn’t have to act on it.
Manifestly unfounded according to the ICO
A removal request could be considered as manifestly unfounded if:
- The person making the removal request is attempting to use the request as some form of leverage.
- The removal request form the site, web page or company database is deemed to have malicious intent and is only being made to cause some form of disruption to the company owner.
How do users make a request?
Under GDPR-UK, there is no specific best approach to submit a request.
The data owner, therefore, can end up receiving removal requests by letter, email or verbally.
It’s also not necessary that the request is made directly to one person in charge, and in fact the removal request can be made to any part of business.
And it’s for the data owner (the business, web site owner etc) to ascertain that a removal request has been made and to deal with legally.
Further reading is highly recommended for anyone who could be asked to either remove content, whether it’s outdated content or data that the owner considers susceptible or at risk to things like identity theft or financial fraud.
This is a highly complex and important area of data protection.
Differences between EU and UK data protection implementation
Europe absolutely leads the way in ensuring that the legal processes surrounding the RTBF under GDPR are put into practice.
There are, so far, many more cases of individuals successfully exercising their RTBF and having outdated content or otherwise unwanted content being removed by Google.
Within the EU, Google is legally responsible for the removal of the outdated content. By forcing Google to remove this content from Google search results, GDPR is protecting the data rights of the individual.
In the UK, GDPR laws mean that businesses, organisations, website owners or other data owners that refuse to comply with exercising the data owner’s RTBF could be fined massive amounts of money.
Fines for organisations refusing to comply with a request removal of content from Google or other search engines means a fine of up to £20 million or 4% of the annual turnover globally – whichever is higher.
And while there is no absolute RTBF, the organisation must comply with the legal rights of the individual.
Want to request removal of unwanted content?
As you can see, while there are ways to remove content from Google’s search results, it can be a complex process. Igniyte works with individuals and businesses from all over the world to ensure that search engines display the best content. For more information click here.