Sunday, January 29, 2012
The right to be forgotten, or how to edit your history
The "Right to be Forgotten" is a very successful political slogan. Like all successful political slogans, it is like a Rorschach test. People can see in it what they want. The debate would sound quite different if the slogan were actually something more descriptive, for example, the "right to delete". The European Commission has now proposed to make the "right to be forgotten" into a law. It's a big step to turn a vague political slogan into a law. The time for vague slogans must now give way to a more practical discussion of how the "right to be forgotten" could actually work.
What is the "right to be forgotten"? There is a spectrum of views. On one end of the spectrum, the "right to be forgotten" is simply viewed as a re-branding of long-standing data protection principles, in particular: the rights to access and rectify one's own personal data, the right to oppose processing of one's personal data in the absence of legitimate purposes, the principle of data minimization. On this end of the spectrum, people think that the "right to be forgotten" is nothing new; at most, it is simply an attempt to apply long-standing data protection principles to the new worlds of the Internet and modern technologies. I'm firmly in this school of thought.
On the other end of the spectrum, the "right to be forgotten" is viewed more sweepingly as a new right to delete information about oneself, even if published by a third-party, even if the publication was legitimate and the content was true. This school of thought believes that people should have the right to force third-parties to delete content about them (photos, blogs, anything) that violates their sense of privacy, which in practice usually means their online reputations. Common examples of things people want to remove are compromising photos, references to past criminal matters, negative comments, etc. While I strongly believe that people should have the right to complain to third-party websites about information that is published there about them, I am deeply skeptical that the laws should obligate such third-parties to delete information on request of data subjects. This raises troubling questions of freedom of expression.
There is an even more extreme end of the "right to be forgotten" spectrum, which holds that this deletion right can be exercized not just against the publisher of the content (e.g., a newspaper website), but even against hosting platforms and other intermediaries like search engines that merely host or link to this third-party content. This view is being litigated in Spain, as the Spanish Data Protection Authority is suing Google to delete links to third-party content, like newspaper articles, that the DPA has acknowledged are legal. In other words, the DPA is attempting to apply this reading of the "right to be forgotten" to delete links to content in a search engine, despite the fact that the original content is legal and will remain on the Web. Cases like this will require judicial review, since they clearly posit a conflict of two fundamental rights: privacy and the "right to be forgotten" against freedom of expression. I expect this issue to be considered at the European Court of Justice.
As this debate unfolds, the lack of clarity is raising false expectations. As people read that there will soon be a legal "right to be forgotten", they are asking DPAs and search engines to delete third-party content about themselves or links to such content. I regularly hear requests from people to "remove all references to me, Mrs. X, from the Internet". No law can or should provide such a right, and politicians and DPAs should not mis-lead them to expect it.
We need more public debate about what the "right to be forgotten" should mean. We also need a debate about how it should be applied to hosting platforms and search engines. I think a balanced and reasonable and implementable approach is possible, based on a few principles: 1) people should have the rights to access, rectify, delete or move the data they publish online. 2) people should not have the automatic right to delete what other people publish about them, since privacy rights cannot be deemed to trump freedom of expression, recognizing that some mechanisms need to be streamlined to resolve these conflicts. 3) web intermediaries host or find content, but they don't create or review it, and intermediaries shouldn't be used as tools to censor the web. Stay tuned, and Happy Data Protection Day.