Reflecting on Google's GNI Engagement

 As the year comes to a close, we’re reflecting on Google’s Global Network Initiative (GNI) assessment and some of this year’s important developments in our work to protect the free expression and privacy interests of our users.

Last week, in our continued effort to increase transparency around government demands for user data, we made available to the public the National Security Letters (NSLs) Google has received where, either through litigation or legislation, we have been freed of nondisclosure obligations. Our goal in doing so is to shed more light on the nature and scope of these requests. We’ve also supported policy efforts to ensure that the privacy interests of non-U.S. persons are addressed as U.S. policymakers consider government surveillance issues.

Earlier this month, we highlighted our efforts to comply with the right to be forgotten in Europe. For much of the last year, we’ve worked to defend the idea that each country should be able to balance freedom of expression and privacy in the way that country sees fit, and not according to another country’s interpretation. One Data Protection Authority, the French Commission Nationale de l'Informatique et des Libertés (the CNIL), ordered Google to delist French right to be forgotten removals for users everywhere. We agree with the CNIL that privacy is a fundamental right — but so, too, is the right to free expression. Any balance struck between those two rights must be accompanied by territorial limits, consistent with the basic principles of international law.

These are some examples of Google’s public policy work that illustrate our commitment to the freedom of expression and privacy rights of our users. We know that pressing global issues are best addressed in partnership with with key stakeholders — and the GNI is critical to Google’s efforts.

The GNI is at the core of our multi-stakeholder engagement on free expression and privacy issues. Google is proud to be a founding member of the GNI, an initiative that brings together ICT companies with civil society organizations, investors, and academics to define a shared approach to freedom of expression and privacy online. The GNI provides a framework for company operations, rooted in international standards; promotes accountability of ICT sector companies through independent assessment; enables multi-stakeholder policy engagement; and creates shared learning opportunities across stakeholder boundaries.

Earlier this year, GNI released the second round of assessments, and announced the board’s determination that Google is compliant with the GNI framework. The assessment is an important tool for companies, NGOs, academics, and others working together to review how companies address risks to privacy and free expression.

The assessment process includes a review of relevant internal systems, policies and procedures for implementing the GNI Principles (“the process review”), and an examination of specific cases or examples that show how the company is implementing them in practice (the “case review”).

Our cases were selected for their salience to our approach to implementing the GNI Principles, taking into consideration Google’s products and services, geographical footprint, operating environments, and human rights risk profile. In addition, to the Google-specific cases discussed in GNI’s public assessment report, we wanted to provide additional examples to illustrate the types of non-U.S. cases reviewed.

Request for user data
A request was made for Gmail user information by a federal police department. A key part of our process is making sure that the requests we receive are appropriately supported by legal process. In this case, we found that the initial request was inadequate due to failure to have a judicial stamp or signature, and we therefore pushed back, as we would not comply unless the request was judicially authorized. Once these items were obtained and, we determined that it was a valid legal request (including that it was not overbroad), we complied with the request.

Request for removal
A request for Blogger content removal was made by a regulatory agency. The requestor claimed that content was subject to removal under the country’s statute prohibiting appeals to mass riots, extremist activities, and mass actions against established order. In reviewing the request, we determined that the content did not violate our terms of service.  We then responded by requesting a copy of the decision citing specific URLs that are illegal. This would be evidence of an authoritative interpretation of the local law as applied to the content.  As there was no response from the requestor, and the content did not violate our company policies, the request was denied and we did not remove the material.

RTBF: Push for Judicial Review; Careful Development and Implementation of Rigorous Removal Process for Requests
This example describes how we responded to requests subsequent to the Google Spain v AEPD and Mario Costeja ruling, which presented risks to freedom of expression. In the Costeja case, we appealed through the court process, but were unsuccessful.  We pushed back on this ruling because we considered the requirement for Google to take down this information to be in conflict with freedom of expression. On appeal, the Court of Justice of the European Union found that people have the right to ask for information to be removed from search results that include their names if it is “inadequate, irrelevant or no longer relevant, or excessive.” In deciding what to remove, search engines must also have regard to the public interest, without additional guidance regarding what information constitutes “public interest.” The court also decided that search engines don’t qualify for a “journalistic exception.” We continue to fight court cases seeking to expand this requirement for takedowns globally.

We also convened the Advisory Council to Google on the Right to be Forgotten to review input from dozens of experts in meetings across Europe, as well as from thousands of submissions via the Web. The Council included Frank La Rue, the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. The Council advised us on performing the balancing act between an individual’s right to privacy and the public’s interest in access to information.

In response to the Costeja ruling, Google established a dedicated team to develop and implement a system to remove valid RtbF requests. We evaluate each request appropriately, complying with the law, but making sure that, if there is a legal basis for the content to remain available, we will assess how that applies. To address the ruling, we assembled a team to address the new category of requests arising from the rights articulated in Costeja. Our web removals site was updated to include information about and a portal for RtbF requests. Requests are reviewed by the legal removals team; after review, the requester is notified of the determination. Since implementing this system, we have delisted approximately 780,000 URLs. Our process responds to individual requests and carefully evaluates  each request against the criteria for removal. We also notify websites when one of their pages has been removed pursuant to a RtbF claim. In addition to removing URLs, we include information about RtbF requests and removals in our Transparency Report.

Our assessors also provided us with recommendations for enhancing our implementation of the GNI Principles. These recommendations, combined with feedback and ongoing engagement with GNI stakeholders, will inform our policies and practices and strengthen our advocacy in 2017.