Right to be forgotten: Legal Validity and Practical Challenges

Background

In 2010, a Spaniard, Mario Costeja González, approached the Spanish Data Protection Agency with a complaint against Google and a local newspaper. A Google search of his name led to an auction notice of his repossessed home in the local newspaper. Costeja claimed that since the proceedings had been resolved many years ago, the search results still being available online was a breach of his privacy. The Spanish court referred the matter to the Court of Justice of the European Union. Among numerous questions considered by the EU Court, the most notable was whether individuals have a right to request that their personal data be removed from accessibility via a search engine. In a landmark judgement, the EU Court held that where the information is ‘inaccurate, inadequate, irrelevant or excessive,’ individuals have the right to ask search engines to remove links with personal information about them. The court also ruled that even if the physical servers of the search engine provider are located outside the jurisdiction, the privacy rules would apply if the provider has a branch office or subsidiary in the Member State.

Theoretical debate on Right to be Forgotten: US v. EU

Position under EU Law

The 1995 EU Data Protection Directive contains the basis for what has evolved into the much debated right to be forgotten. Article 12 of the Directive allows a person to seek deletion of personal data once it is no longer required.[1] Later, in 2012, the EC released a proposal to unify data protection across Europe under a single law, the General Data Protection Regulation. The regulation is still under consideration and is expected to be adopted soon. Under this regulation, a right to erasure is provided under Article 17, which would enable the data subject to seek deletion of data. Under Article 17, considerations regarding the data controller’s legitimate business interests may be overridden by the fundamental rights of the data subject.

Position under US Law

Ever since the Costeja judgment there has been a furore over this issue. The ideological debate on the right to be forgotten can be seen as reflective of the divergent positions of the EU and the US on privacy. In the EU, the right to be forgotten flows from the French law right to oblivion. On the other hand, in the US, the approach has been to have sector-specific privacy laws such as the HIPAA and the Children’s Online Privacy Protection Act rather than an all-encompassing law. Further, the right to be forgotten as perceived in Costeja or the proposed regulation in the EU would likely be seen as contravening the First Amendment position on free speech in the US.

As far as search results go, the position is likely to be different in the US for another reason. The Communications Decency Act, 47 U.S.C. § 230, provides immunity to search engines and other Internet access providers from any liability for linking to others’ content. The theoretical criticism of the right to be forgotten also pits it against the right to privacy in that it goes one step beyond. The right to privacy is only applicable to that which is private; however, the right to be forgotten seeks to remove what is already legitimately in the public domain.

Legal basis for right to be forgotten:

There is a point of view that private information should be treated as a form of intellectual property and accordingly, individuals should be given the property rights to control their data, which would include all ‘personally identifiable data.’ This could theoretically be a legal basis for the ‘right to be forgotten,’ as deeming the data as intellectual property would make it applicable to all parties, not merely those with privity of contract. However, as mentioned above, this would involve significant speech restrictions, and whether the publication is truthful or not would have no impact. This arrangement would run counter to the First Amendment and to defamation law, where truth is always a defence. This theory of the right to be forgotten could also give rise to the notion that if data is treated as property, it can be traded in a ‘private data market.’

Ambiguities: Legal and Technical

What is personal data?

There are no precise definitions in the EU Regulation of where the right would apply. Personal data is broadly defined[2] as information that can be linked, either by itself or in combination with other available information, to uniquely identify a natural person. However, it is open to interpretation whether personal data includes information that can be used to identify a person with high probability but not with certainty, for instance, an account of a person’s history, actions or performance. Neither is the Regulation clear on whether it includes information that identifies a person not uniquely, but as a member of a small set of individuals, such as a family. The difficulty is that the EU regulations and laws tend to be deliberately broad and general, to allow for a range of interpretations appropriate for many different situations. However, this poses significant technical issues without a precise definition of the data and circumstances to which the right to be forgotten shall apply.

Who can exercise the right to be forgotten?

This is another issue that needs greater clarity. Often a piece of information could concern more than one individual and in such a scenario there could be a conflict between their respective wishes on how such data or information is to be treated. A related question is how the right to be forgotten should be balanced against the public interest in accountability, journalism, history, and scientific inquiry. Would the same standards be applicable to a regular individual, a politician and a celebrity when it comes to deletion of embarrassing reports from the past? There are also no proposed regulations that could ensure neutrality by the data controllers.

What constitutes ‘forgetting?’

The strictest way of looking at what constitutes ‘forgetting’ would be deletion of all copies of data from all sources to the point that recovering the data is not possible by any means. This may prove to be impractical, and a weaker way to enforce the right would involve allowing the data to survive in an encrypted form, or even allowing the data to remain unencrypted but not present in the public domain.

Impact so far:

As of July 2014, Google Inc. has begun to comply with the CJEU decision. A form that allows individuals to request the removal of their personal information from Google Inc.’s search results in the local domains is available for users. Notably, for all proper name searches within local domains of EU Member States (e.g., “google.es” or “google.co.uk”), Google Inc. has added the phrase, “Some results have been removed under data protection law in Europe” at the bottom of the search results page. It is interesting, though, that this is the case only for the local domains of the EU Member States, and even within these states, one can do a search on ‘google.com’ to access the unedited search results.

Conclusion

The idea behind the right to be forgotten definitely has considerable merit, especially in an age where information is disseminated so freely and, unlike the ephemeral information of the pre-digital era, most data continues to remain accessible. However, the right as contemplated by the EU is still at a very half-baked stage in terms of how exactly it would be enforced. Significant technical and conceptual challenges remain in (i) permitting a person to identify and locate personal data about them; (ii) controlling all information derived from the data in question from which the data in question could be derived; (iii) having fixed criteria for who has the right to request erasure; and, (iv) implementing the entire process of removal of all data and derived information when an authorized person exercises the right.

[1] Article 12 – Member States shall guarantee every data subject the right to obtain from the controller: … (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

[2] The new proposed EU regulations define personal data in art 4 as follows: “(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; (2) ‘personal data’ means any information relating to a data subject.” In the Data Protection Directive, the definitions in Article 2 are “(a) ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”