The Right to Be Forgotten: Can We Have Our Data Privacy Cake and Eat It, Too?
At the end of February, Google and Spain’s data protection authority, the Spanish Data Protection Agency (AEPD), came head-to-head in the European Court of Justice. As European data protection efforts continue to zero in on search engines, this will be one of the most hotly anticipated decisions around the world (for those of us interested in privacy law, that is) and should be delivered by Europe’s highest court in June.
The case arose after Google challenged the Spanish government’s order to remove search results of a 21-year-old newspaper article that appears after performing a search on Dr. Hugo Guidotti Russo’s name. In 1991, Dr. Russo was featured in a newspaper article where a former patient alleged that the doctor had botched her plastic surgery. Although the doctor was later cleared of any wrongdoing, the article still shows up on the first page of Google’s search results of Dr. Russo’s name. This case is not the first of its kind in Spain. In fact, the AEPD has ordered Google to remove links to online news articles in 90 cases where petitioners complained about search results infringing on their privacy. Although Spain recognizes freedom of expression to protect newspapers, those protections do not extend to search engines. Meanwhile, Google claims that Spain is the only country that requires the company to remove links that do not contain illegal information.
Privacy infringement concerns have gained increasing attention within Europe. In fact, European lawmakers have proposed an update to its current data protection laws in an effort to provide a unified approach across the continent and respond to the growing concern among its citizens. One major change embraced by this update would be to establish a single, unified guideline for all European countries to implement. A single set of data protection rules in place throughout the continent would have many benefits. International companies would need to understand and comply with only one set of rules instead of the fragmented standards currently in place within each nation. Administrative burdens would also be greatly mitigated since organizations would only have to deal with one data protection authority in Europe. Additionally, changing to a single rule has been estimated to save businesses as much as $3 billion a year.
While the move to a unified guideline regarding data privacy in Europe has many merits, the actual content of the draft regulations faces several challenges. One particularly controversial component of the proposed regulation includes the new “right to be forgotten.” Viviane Redding, European Commissioner for Justice, Fundamental Rights, and Citizenship, first introduced the right to be forgotten in a speech at the beginning of 2012. As exemplified by the Dr. Russo case, European citizens desire the power to delete certain information about them on demand. The right to be forgotten is based on the concept that people and organizations should be permitted to control their own information and determine for themselves when, how, and to what extent that information is communicated to others. More specifically, it will give individuals the right to have their data expressly deleted when it no longer needs to be retained for a legitimate purpose.
As currently drafted, the right to be forgotten gives people the ability to obtain erasure of personal data relating to them and the abstention from further dissemination of such data in four circumstances: (1) when the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (2) when the person has previously given consent to the use of the information but later withdraws it; (3) when the person objects to the processing of personal data because the user (a.k.a. a company collecting data) does not have a legitimate interest or the person’s fundamental rights and freedoms override the user’s interests; and (4) when the processing of the data does not comply with the Regulation “for other reasons.”
The draft regulation emphasizes that the right to be forgotten is particularly relevant when a person had given his or her consent as a child, was not fully aware of the risks involved by the processing, or later wants to remove such personal data on the Internet. In other words, it could basically apply to any situation. According to Peter Fleisher, Google’s Global Privacy Counsel, three common “takedown” requests will result: (1) when a person posts something online and would like to delete it; (2) when a person posts something and then someone else copies it and re-posts it on his or her own site; and (3) when someone else posts something about the user who wants it deleted. Clearly, the most troubling is the third category of takedown requests, which would essentially transform search engines and websites from neutral platforms to censors that must balance privacy rights and freedom of expression – a delicate role traditionally reserved for the courts. And when facing the large fines included in the new regulations (up to € 1,000,000 or 2% of an enterprise’s annual global turnover), a publisher will likely simply delete content in ambiguous cases. Although a touch dramatic, it is no wonder that Jeffrey Rosen, a leading scholar on data privacy, has admonished the current version of the right to be forgotten to represent “the biggest threat to free speech on the Internet in the coming decade.”
Should the draft regulations get approved in its current form, two additional outcomes may result. First, the EU rule could actually become the de facto standard around the world for what is permitted online because, as a large market, the EU would have more power to influence other countries and the rules of how international companies do business online. Since the United States and Europe hold very different views on traditional privacy and data privacy rights, this would be a problem. Officials from Washington and lobbyists have unsurprisingly criticized the proposed regulation and are pressuring the European Commission to make changes. In particular, the Department of Commerce and lobbyists worry that the regulations will actually hurt the economy and cost jobs. A second possible outcome is that European courts will rule in the future that privacy outweighs freedom of expression whenever they come in conflict. This could ultimately create a form of censorship where media companies will choose to filter materials so as to be available only in certain jurisdictions, essentially segregating internet users based on their country and its governing rules.
In addition to the expected criticism from the U.S., there has also been some criticism from within Europe. The European Network and Information Security Agency (ENISA) published comments at the end of 2012 on the proposed regulations. While ENISA agrees that the right to be forgotten is appropriate and reasonable at a theoretical level, it doubts that the right could actually be implemented and enforced from a technical perspective. One suggestion made by ENISA that may represent a potential compromise between free speech and privacy would be to hide rather than remove data. While an article can remain on its original publication’s website, search engines would cease to link to them either after a certain amount of time or if the information is inaccurate.
Thus, as written now, the right to be forgotten would face major challenges both in Europe and especially in the United States due to free speech concerns. Unless the logistics, economics, and practicality of enforcement are carefully thought out and modified appropriately, its passage and implementation will face significant obstacles. Yet, the right to be forgotten is an interesting and very important issue in need of a resolution, particularly as technologies continue to advance. As such, it is important to fully address it and to develop a feasible solution that appeases both first amendment advocates and all of us desirous of privacy in the online space. Piece of cake, right?