Sunday, January 29, 2012

The right to be forgotten, or how to edit your history

The "Right to be Forgotten" is a very successful political slogan. Like all successful political slogans, it is like a Rorschach test. People can see in it what they want. The debate would sound quite different if the slogan were actually something more descriptive, for example, the "right to delete". The European Commission has now proposed to make the "right to be forgotten" into a law. It's a big step to turn a vague political slogan into a law. The time for vague slogans must now give way to a more practical discussion of how the "right to be forgotten" could actually work.

What is the "right to be forgotten"? There is a spectrum of views. On one end of the spectrum, the "right to be forgotten" is simply viewed as a re-branding of long-standing data protection principles, in particular: the rights to access and rectify one's own personal data, the right to oppose processing of one's personal data in the absence of legitimate purposes, the principle of data minimization. On this end of the spectrum, people think that the "right to be forgotten" is nothing new; at most, it is simply an attempt to apply long-standing data protection principles to the new worlds of the Internet and modern technologies. I'm firmly in this school of thought.

On the other end of the spectrum, the "right to be forgotten" is viewed more sweepingly as a new right to delete information about oneself, even if published by a third party, even if the publication was legitimate and the content was true. This school of thought believes that people should have the right to force third parties to delete content about them (photos, blogs, anything) that violates their sense of privacy, which in practice usually means their online reputations. Common examples of things people want to remove are compromising photos, references to past criminal matters, negative comments, etc. While I strongly believe that people should have the right to complain to third-party websites about information that is published there about them, I am deeply skeptical that the laws should obligate such third parties to delete information on request of data subjects. This raises troubling questions of freedom of expression.

There is an even more extreme end of the "right to be forgotten" spectrum, which holds that this deletion right can be exercised not just against the publisher of the content (e.g., a newspaper website), but even against hosting platforms and other intermediaries like search engines that merely host or link to this third-party content. This view is being litigated in Spain, as the Spanish Data Protection Authority is suing Google to delete links to third-party content, like newspaper articles, that the DPA has acknowledged are legal. In other words, the DPA is attempting to apply this reading of the "right to be forgotten" to delete links to content in a search engine, despite the fact that the original content is legal and will remain on the Web. Cases like this will require judicial review, since they clearly posit a conflict of two fundamental rights: privacy and the "right to be forgotten" against freedom of expression. I expect this issue to be considered at the European Court of Justice.

As this debate unfolds, the lack of clarity is raising false expectations. As people read that there will soon be a legal "right to be forgotten", they are asking DPAs and search engines to delete third-party content about themselves or links to such content. I regularly hear requests from people to "remove all references to me, Mrs. X, from the Internet". No law can or should provide such a right, and politicians and DPAs should not mislead them to expect it.

We need more public debate about what the "right to be forgotten" should mean. We also need a debate about how it should be applied to hosting platforms and search engines. I think a balanced, reasonable and implementable approach is possible, based on a few principles: 1) people should have the rights to access, rectify, delete or move the data they publish online; 2) people should not have the automatic right to delete what other people publish about them, since privacy rights cannot be deemed to trump freedom of expression, recognizing that some mechanisms need to be streamlined to resolve these conflicts; 3) web intermediaries host or find content, but they don't create or review it, and intermediaries shouldn't be used as tools to censor the web. Stay tuned, and Happy Data Protection Day.

Monday, January 2, 2012

Harsher data protection sanctions are coming

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there are going to be a lot more privacy enforcement actions, by a lot of different government authorities, not just DPAs. And the sanctions and damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros. And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the number of authorities that can bring privacy enforcement actions is likely to keep growing. First, more and more countries are creating data protection authorities; e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year. And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up: in terms of the number of laws that can be violated, the severity of sanctions, the number of complaints that are brought, and the breadth of authorities involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.