Well, for more discussion of GDPR and it's effects, there is a forum [webmasterworld.com] for that.

With regards Google and Pagerank, it's hard to see how it's affected. GDPR specifically refers to natural (not legal) persons, so I cannot see how links or link-graphs qualify.

More specifically, a site's use or not of HTTPS cannot be regarded as PII, even under the most inclusive interpretation. It is not even aggregate data.

Interaction with SERPs, combined with login data, is a slightly different kettle of fish.

More specifically, a site's use or not of HTTPS cannot be regarded as PII

Of itself, no, but if PII (which an IP address might be) is transmitted without end-to-end encryption then it isn't secure. At what point in the transmission protecting PII becomes the responsibility of the operator is open to question - you can't blame the intended recipient of a letter if it gets lost or stolen en route - but HTTPS eliminates any possible doubt.

I think how Google uses PII is going to be where any fundamental changes are likely to occur, so Google SERPs might be affected by changes to "personalisation", but not by links.

I suppose some examples of anchot-text might qualify as PII (e..g. "See Joe Bloggs' article on trout fishing"), but even in that type of example we can probably safely assume that putting your own name on a billboard takes it beyond any third-party's responsibiliuty to protect it. I think the EU commission and Google will have enough to worry about without that level of nit-picking.

Of itself, no, but if PII (which an IP address might be) is transmitted without end-to-end encryption then it isn't secure

Sure, HTTPS protects PII. But Google's use of it as a ranking factor, per the OP, is not under the remit of the GDPR as it is not itself PII.

Although re-reading the OP, I wonder if the question asked is "Will Google reward GDPR-compliant sites" and citing HTTPS and GDPR-centric link policies (Bonuses for links to and from a GDPR-compliant site, negatives for links to non-compliant sites) as possible mechanisms for this. In which case, I would suggest there is no chance of Google rewarding legal compliance on it's own merits, as is does not improve relevancy.

I would suggest there is no chance of Google rewarding legal compliance on it's own merits, as is does not improve relevancy.

I agree.

Although I read the OP the other way round - will Google penalise for non-compliance? - I don't think there's much chance of that either.

Wilburforce - you read my post correctly. I meant to ask whether Google will penalize or be forced to penalize such sites. I will not be surprised if the EU requests Google show in SERPs GDPR risk bearing websites, the same way Google showed and still show non-https. Also, some SERP shifts are imminent even without Google's active interference. People will just outlink less in EU, forcing Google to react and perhaps tweak further their algo, to achieve the same relevance coming from links.

I will not be surprised if the EU requests Google show in SERPs GDPR risk bearing websites

Interesting thought. But surely that would be jurisdictional overreach?

I'm not sure if the link loss will be operationally important to Google. Link quantities are relative - fewer links should affect all sites proportionately, but successful link-building might be more valuable. I'm not sure if sites will link out less, however. For example, we are not changing our link policy and indeed I can see no reason why we would need to.

Both of you (@Wilburforce and @Nutterum) are in GPDR jurisdictions; are you changing your linking policy, and if so, why?

are you changing your linking policy

No, and I don't see a need for it. Presumably, as you are also UK, you have looked at the ICO guidelines ([ico.org.uk ]). I struggle to find anything there - or in the legislation itself - that would bring links into the frame: apart from IP address, linking doesn't pass any PII to the recipient, and anybody who doesn't know that their IP address is visible under default conditions needs education, not a consent request. Removing links is more of an unneccessary panic measure than a measured response to GDPR.

A lot of people, myself included, did a link audit (inbound and outbound) after Penguin, and I lost a lot of backlinks and removed a lot of outbound links then. I don't anticipate anything like the same scale of link-culling as a result of GDPR, so any effect from link-removal on SERPs is unlikely to be of much consequence.

@shadowws - Yes I am changing my policy to GDPR whitelist only. Basically, if the website has implemented the DNT policy I will link out. The reason is I want to be on the forefront of change in a way that if EU regulations somehow affect Google's policy for serving SERPs in EU to be more strict in terms of GDPR, I would already be on the safe side of the fence. If not I will still be on the safe side of fence, because I already know for a fact several German and Swedish developers are creating browser extensions that check if a website is "safe" in terms of data privacy and a Bulgarian-french co-op team is already 80% there on releasing a portal that one could check whether a website claims it's keeping your data safe or not and possibly whether it provides links and cites sources to websites that are not safe. There is even a $400 million strong startup already providing digital consultancy audits for businesses checking whether their overseas partners and subsidiaries or contractors are GDPR compliant.

When these types of services go really mainstream I want to already be squeaky clean and benefit from the early adoption of these new best practices getting more business in (cause I assure you the vast majority won't be!)

So yeah, the short answer is - I am already working on being GDPR champion for the businesses I consult and work in-house for.

Well, some of that sounds quite exciting- and I know places like Germany are very data-conscious. So the browser extension thing could provide a competitive advantage in some environments.

But I still would not expect Google to change their algo to reflect these legal requirements, although EUC might eventually insist Google flags non-compliant sites (Google is ahead of the curve on HTTPS, from a secure-by-design perspective- algo tweak and chrome browser warnings).

Although I wouldn't think it should have anything to do with it, there are, for example, a LOT of websites in the German-speaking world which have a legal 'external links' policy in their imprint (an imprint is also a legal requirement) and I can see a lot of those sites tending to be risk-averse.

(an imprint is also a legal requirement)

I use the term "Website Policy" and it includes:
• Privacy Policy including Cookies
• Do Not Track Policy
• Payments & Security
• Satisfaction Guarantee
• Anti-SPAM Policy
• Content Rating

I am changing my policy to GDPR whitelist only.

No more links to your Facebook page, then.

@wilburforce - yes. I am already working on a way get the blog sections of the businesses I am consulting from /blog to a subdomain and basically keep one separate of the other with only a handful of links going from one way to the other just to keep the link juice flowing to the main page. Once that is done, I can then utilise the posts more prominently on social media. Yes, this will hurt the traffic in the short run but, it will come back up. Also, no social buttons or log-in with Facebook/Gmail - no one bothers using those in the first place in Europe either way.