Privacy Insider: July 13, 2021

I have to tell you something, but I'm really ashamed. Once, when I was about seven years old, a friend and I collected money from my neighbors that we said was going to help poor people. We literally took an envelope door to door and asked people for spare change or dollar bills. And we were adorable. So they gave it to us.

When we got home, we realized we had an envelope full of cash. And we were hungry. So, we thought, what if we just used this money to get Happy Meals at McDonald's and then replaced it at some point with our allowances?

Luckily, my mother caught us scheming and forced us to return all the money and apologize for being liars. Plus, we didn't get Happy Meals. Which seemed unfair.

It's a memory that still brings me shame, and I'm so glad Facebook or NextDoor didn't exist then. Surely some of the neighbors would have posted something like, "Beware: Cute neighborhood girls collecting money are frauds!!" And that would have been embarrassing. But worse? Those posts would live online forever.

This week, a federal judge ruled that Canada's privacy law applies to Google search results.

In the case, a man alleged Google was causing him harm by prominently displaying links to articles about him that were incorrect and disclosed his sexual orientation and medical condition.

The ruling is a big deal for champions of what's called the "right to be forgotten," and it resurfaces a long-debated philosophical argument in the digital age: Do we deserve a fresh start in an era where everything is remembered?

The right to be forgotten is a European-based legal concept enshrined in the EU General Data Protection Regulation and other copycat laws. But as a concept, it's been used in legal battles as early as 2009 when an Argentian pop star fought to have search results that incorrectly associated her with pornography removed from indexing.

It stems from the French concept, "le droit à l'oubli," and the idea is that we all deserve the right to start over. But that can be nearly impossible now because information lives online in perpetuity.

Take the (very silly) example I shared of my criminal past above. What if every time someone Googled my name, those long-ago posts from the neighbors I'd tried to scam would appear somewhere in the results. That could include employers or, (worse!), potential romantic interests doing some recon work.

I'm using a benign example for entertainment value. But what if someone falsely accused you of committing a serious crime? Imagine not being able to escape your digital legacy.

That's what the right to be forgotten aims to address. But it's complicated and messy. When does a person have that right?

Under the GDPR, a person has the right to request an organization delete information about them under certain circumstances, including that the data was collected unlawfully or is no longer needed for the purpose it was collected.

The "Google Spain" case in 2014 set the precedent that users can ask search engines to remove certain links from search results if they lead to information that's no longer relevant, correct or excessive." The court sided with a Spanish citizen asking for Google to withdraw links to newspaper articles about legal actions against him that he alleged had been resolved for years and harmed his reputation. But the court also said it's up to search engines to determine when that's the case, leading to all sorts of questions about what "relevant" or "excessive" means.

For now, Google is handling requests on a case-by-case basis, but it receives thousands upon thousands of requests every year.

What do you think? Should we have the right to start over? Should we have the right to be not only forgotten but forgiven?

We're going to talk about this and more on our next Twitter Spaces chat. Join us Thursday, July 15, at 1 p.m. Pacific, 4 p.m. Eastern. Join from your phone as a listener or a speaker, whatever you prefer. I’d love to hear your thoughts. 

Enjoy reading, and I'll see you next week!

Man wins 'right to be forgotten' case against Google

A federal judge in Canada has ruled the results of Google searches are covered under Canada's privacy law, a victory for "right to be forgotten" champions. In the case, a man alleged Google was breaching the law by prominently displaying search results about him that were inaccurate and disclosed his sexual orientation and a severe medical condition, The Canadian Press reports. 
Read Story

SolarWinds hit with ‘zero-day’ hack, spotted by Microsoft 

The company hit with a supply-chain attack in December 2020, impacting nine U.S. government agencies and 100-plus private companies, says it’s identified a new zero-day vulnerability in its product line. Microsoft detected the active security threat and reported it to SolarWinds, Ars Technica reports. 
Read Story

The FBI took over a messaging platform in a sting

The FBI and 9,000 law-enforcement agencies worldwide duped hundreds of suspected criminals by taking over the messaging platform they were using to smuggle drugs and launder money, The Wall Street Journal reports. Police arrested more than 800 people and seized 8 tons of cocaine, 22 tons of cannabis and 250 firearms, among other assets. 
Read Story

WhatsApp complaint: Company 'pressuring' users to accept new terms

On July 12, the European Consumer Organization and its member groups filed a complaint against WhatsApp with the European Commission, claiming the messaging app is unfairly pressuring users to accept its new privacy policy, Reuters reports. The change indicates WhatsApp will share some data with Facebook, its parent company, and others, and it’s incited widespread criticism from all corners of the globe. 
Read Story

Chinese regulators have initiated a privacy crack-down 

China has recently taken a “zero-tolerance approach” toward tech giant monopolies in the country and is now pivoting its focus to data privacy, CNN reports. The government announced new privacy rules for any company seeking IPOs in the U.S. with more than one million customers’ data. Last week, it ordered ride-hailing service Didi, now more popular than Uber in China, to delete its app from mobile stores over data privacy concerns. 
Read Story

NYC bans businesses from profiting off biometric data collection 

New York City’s new biometrics ordinance has taken effect, TechCrunch reports. Businesses must now prominently disclose the biometric information (such as fingerprint scans and face prints) they collect on their customers at shops, theaters and restaurants. In addition, the rules state they may not from sell nor share the biometric data they collect. 
Read Story