Is a right in itself and maybe you can derive a "right to search" from it, but in doing so you would only prove my point that a "right to search" by itself is nowhere in the law books.

Nice hyperbole, but entirely beside the point. I already explained in my original posting what the legal situation actually is, I don't see why I should repeat it.

Of course, you can refute me easily. Find the correct EU law that contains the phrase "right to search" and post a link. I will apologize if you do.

You are jumping to conclusion there.

Europe would like its laws to be honoured by corporations doing business in the EU. If Google was ordered to remove X, but it is still present if I simply go to google.com instead of google.co.uk, then Google has not complied with the removal order.

It is absolutely technically possible to filter based on source IP address country. They can do it for advertisement, so there's absolutely no excuse for not doing it for legal compliance.

It is mostly not about stuff people put out there themselves. There are people out there who can't get a job because they were wrongfully accused of molesting a child 10 years ago, and the searches turn up the accusations, but not the acquittal (mostly because press rarely writes about it).

While you are right on this, I doubt it has much to do with this law. This law has been in the works since 1995 and was passed in 2012 if I recall correctly (many EU laws go into effect delayed, or require national laws to be passed to implement them). It was on the table long before anyone knew the name Snowden, and if at all then the NSA scandal only affected some final touches.

Legally speaking, they not only don't appear, they are not. The legal definition of censorship (at least here in Germany, YMMV) means pre-publication, government-agency control. Having a court (as opposed to a government agency) found something illegal and removing it has never been considered censorship in the legal sense.

Actually, the reason they don't is that if the source is outside the EU, it is a very lengthy and uncertain process. Now while you hail Internet anarchy, consider what options the lawmakers have:

1. They could sit on their thumbs doing nothing. While this option pleases the anarchist in us, you cannot expect a lawmaker to ignore lawbreakers - in fact, in most other instances of such an event, we would complain very loudly that they're lazy, corrupt bastards.
2. They can filter at the ISP level - welcome Internet censorship infrastructure. I'm pretty sure you don't want this alternative.
3. They understand that for 90% of the users, Google et al is The Internet, and if it can't be found in a search, it doesn't exist.

For all the whining here, the option they've taken is actually the least intrusive.

There is no such right, except in your imagination. There is a right (at least in my country, probably similar ones in the EU as a whole) to get information from publicly available sources. So the government cannot stop you from searching at all. But it can intervene in the information available if that information breaks laws. For example, copyrighted content, state secrets, but also information a court has found to be libel or slander.

And quite frankly speaking, for the cases this law is intended for (let's not focus only on the abuses, as most idiot journalists do because it makes for better headlines), the right of an individual to not have their life ruined by, say, completely made-up allegations of child abuse and rape quite clearly trumps your right of finding false and misleading information.

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.

Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.

No, because the wrong problems are addressed. I've given a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more. (they follow predictable patterns because most people will build the most simple password the policy allows, for example).

What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.

Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I don't consider it a psychological problem, it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizon, which at least for me is the main reason I'm posting.

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to drain the assigned helpers and floor supervisors, not the employees.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

"Either your name is on the volume licensing agreement... or your brains."

As we speak, Microsoft is instructing its European "business partners" to give a certain French city a shitload of really cheap Office licenses.

I have to confess, I'm pretty mystified. For our own internal servers, I have my own CA, and can see no reason why I would want to have someone else sign internal certs.

Sounds like yet another way in which the commercial CAs scam stupid CIOs out of cash.

You're a really sorry loser, posting ad hominem attacks against people you know nothing about as an AC. 20 years of online experience tell me one thing: There's a 95% chance that you are in fact the exact opposite of the man you pretend to be if you act like that.

While I agree with your main point, equal rights is not the problem. Equal treatment is. We have the same rights, feminism has won long ago. But in many areas men and women are still treated very differently. Sometimes the women are treated badly, and there are many feminists making a big scandal of it, and sometimes the men are treated badly, and almost never anyone says a word.

Blame Twitter. If you had more than 140 characters available, you could properly voice your opinion in a way they cannot find fault with, for example by lauding them so excessively that anyone with three working brain cells understands what you really want to say.

Twitter is a free SMS broadcast service and public link sharer, nothing more. People use it for stuff that they really should take a minute of calm and a slightly longer text format for. Brevity is a virtue, but only really good writers can properly convey a complete thought in a short sentence.

If efficiency were your policy, you'd stop applying special rules based on arbitrary distinctions. While deeply engrained in our culture, there's no reason to treat families differently from other people travelling together, who may (or may not) have equally compelling reasons to want to sit in one row.

Airlines have destroyed their own customer friendliness by collectively fighting a price war until the point where they need to make you pay for napkins so they can operate profitably. I personally find it insulting that some arbitrary rules give some people priviledges that other people have to pay for. Do it 100% or don't do it at all.