Google proposes legal obligations for information-hosting sites.
Google’s privacy officer suggests focusing on information-hosting websites rather than search engines in Australia’s “right to be forgotten” law. Keith Enright’s visit aligns with increased attention on digital privacy following major data breaches. The Albanese government has proposed amendments to the Privacy Act to modernize it.
A significant proposal aims to address online search results by granting a “right to de-index” personal information, including medical history, information about children, excessive details, inaccuracies, outdated data, incompleteness, misleading content, or irrelevant information. It resembles the European-style “right to be forgotten” laws.
Enright expressed to Guardian Australia that while Google generally supports the proposed reforms, the company believes search engines shouldn’t be specifically targeted. Instead, he suggests directing requests to remove information from the internet to the content publishers, as the content can still exist elsewhere even if it’s suppressed from search engines.
The Privacy Act review estimates, based on Google’s European transparency report data, that Google received approximately 58,000 requests from Australians to de-list around 250,000 results from 2014 to 2022.
Defamation actions have been initiated against Google in Australia due to outdated or incorrect information appearing in search results. Google won a high court case last year, establishing that it is not considered a publisher for merely linking to a defamatory article on the Age’s website involving a Victorian lawyer.
Enright mentioned that if the information’s host removes it, the issue would resolve itself as Google’s website crawlers regularly scan the site. Additionally, individuals could request an expedited review process.
However, the Office of the Australian Information Commissioner argues that targeting search engines for de-indexing is more practical in cases where it’s challenging to remove the information at its source, such as when the site is hosted overseas, anonymous, or ignores takedown requests.
Enright acknowledged that the proposed changes are a positive step forward but acknowledged that any current legislation cannot predict the impact of artificial intelligence advancements on privacy laws.
We hold deep respect and recognition for the authority of the DPC in carrying out their responsibilities, as outlined in the GDPR. Consequently, we have made appropriate adjustments to our launch timeline and are actively collaborating with the DPC to address their inquiries.
Enright noted that regulators worldwide are increasingly engaging in discussions on privacy regulation, aiming to streamline laws across different regions. However, despite efforts towards alignment, there are still variations that pose challenges for global companies in navigating the complex landscape of numerous proposed laws.
“We observe a growing level of convergence and stricter data protection requirements, expanded data subject rights, and increased limitations on data processing. That is the evident trend,” Enright stated. “Yet, when delving into the specifics of each individual bill and considering the sheer volume of laws under consideration, there is a substantial complexity that will inevitably present significant legal hurdles.”
