Google says Australia’s online privacy law should target websites instead of search engines

One of the key proposals is similar to the European-style “right to be forgotten” laws but specifically targets online search results. It calls for a right to de-index online search results containing personal information, such as medical history; information about a child; excessively detailed information; or inaccurate, out-of-date, incomplete, misleading or irrelevant information.

Enright told Guardian Australia that while Google is broadly supportive of the proposed reforms, the company believes search engines should not be singled out.

“We feel strongly that if you are creating a legal right to remove information from the internet, those requests should be directed to the publishers of that content rather than to search engines because, of course, even if it is suppressed from a search engine, that content still exists on the internet elsewhere,” he said.

“So a more effective way to answer the public policy objective … would be to create that legal obligation for the organisation that’s hosting the content.”

Based on data from Google’s European transparency report, the Privacy Act review estimates Google likely received about 58,000 requests from Australians to de-list about 250,000 results between 2014 and 2022.

Out-of-date or inaccurate information in search results has led some to take defamation action against Google in Australia. Last year Google won a high court case that determined Google was not a publisher for linking to a defamatory article on the Age’s website about a Victorian lawyer.

“In reality, a hyperlink is merely a tool which enables a person to navigate to another webpage,” the court said.

Enright said if the host of the information takes it down, then the issue would “correct itself” as Google’s website crawlers routinely survey the website. People could also request an accelerated review.

But the Office of the Australian Information Commissioner has argued that targeting search engines for the right to de-index makes the most sense in cases where it’s difficult to remove the information at its source, such as where the site is hosted overseas, anonymous or ignores takedown requests.

Enright said the proposed changes are a step in the right direction, but admitted that no law being written now could anticipate what changes the advance of artificial intelligence could bring to privacy law.

Google this week delayed the launch of its AI chatbot Bard in Europe amid concerns from the Irish Data Protection Commission that not enough information had been provided about Bard’s privacy policies.

Enright said Google was in constant dialogue with the agency over its requirements, and the delay came after more questions were raised about compliance.

“We explained to them what our original launch timeline was, and they came back to us with additional questions. They wanted clarifications. They wanted us to update our documentation,” he said.

“We fully respect and appreciate the authority of the DPC to do that, that is precisely what the GDPR [General Data Protection Regulation] anticipates them doing. So we adjusted our launch timeline appropriately and we’re now working with the DPC to answer their questions.”

Enright said regulators around the world are increasingly communicating with each other about how to regulate privacy, so laws appearing in different parts of the world are being streamlined – albeit with some differences that make it difficult to navigate as a global company.

“We are seeing still increasing level of alignment and more data protection requirements, stronger data subject rights, more restrictions on the processing of data, that is the clear direction of travel,” he said. “But when you get into the details of each of those individual bills, and just the sheer volume of the number of laws that are being contemplated, there’s a lot of complexity there which is going to create a great deal of legal challenge.”