Tuesday, September 27, 2011

The European Union: The Right to be Forgotten

The European Union is considering adding a “right to be forgotten” as part of a planned update to bring the 1995 Data Protection Directive in line with new technologies.  The controversial right would give individuals the right to withdraw their consent to data processing.  This means that, for example, an individual could withdraw their consent to Facebook retaining or sharing a photograph of themselves.  According to a spokesman for Viviane Reding, the EU Justice Commissioner, “after you have withdrawn your consent, there shouldn’t even be a ghost of your data left in some server somewhere.  It’s your data and it should be gone for good.”  Leigh Phillips, “EU to Force Social Network Sites to Enhance Privacy”, The Guardian (March 16, 2011).

The precise shape of this right remains unclear.  It seems likely that it will contain a requirement that individuals “opt-in” to allow data processing, as opposed to the current “opt-out” regime.  Matt Warman, “EU Proposes Online Right “To Be Forgotten”, The Telegraph (Nov. 5, 2010). It is also probable that data processors will face additional restrictions on the type of data which they can process and the length of time for which they can maintain it.  While it may be that the right will do little more than heighten already-extant consent requirements in the 1995 Data Protection Directive, a recent request by the Spanish government to Google illustrates that such a right could have wide-reaching implications.  John Hendel, “In Europe, a Right to Be Forgotten Trumps the Memory of the Internet”, New York Times (Feb. 3, 2011).  On January 19, 2011, Google refused a request from Spain to remove 90 links.  Id.  Most of the links were to newspaper articles and other public information which portrayed individual Spanish citizen plaintiffs in an unfavorable manner.  Id.  For example, one request came from a domestic violence victim whose address can be found on the search engine.  Another is from a woman, reports about whose criminal activity as a teenager are available online.  Ravi Mandalia, “Google Receives Data Deletion Request from Spanish Government” ITProPortal, (August 12, 2011).  Google argued that Spain’s request could do serious harm to freedom of speech and that responsibility for removing content rested with the publishers linked to, not Google.    Google is currently fighting several lawsuits related to the removal of these links under the “right to be forgotten” in Spain’s National Court.  The publications which maintain the data, primarily newspapers and other media sources, were not asked by Spain to remove the information Google linked to from their websites – presumably due to concerns about censorship or freedom of the press. 

The outcome of the battle over this case has potentially wide-reaching implications for the shape of social media websites throughout the world.  Ms. Reding has explicitly stated that “[p]rivacy standards for European citizens should apply independently of the area of the world in which their data is being processed,” and that “[t]o enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.”  Ben Rooney, “Non-EU Websites Must Operate Under EU Privacy Laws”, The Wall Street Journal TechEurope Blog (March 16, 2011).  If investigations into the procedures used by social media websites in handling personal data become common, providers could be faced with the choice of conforming their entire operation to comply with EU privacy regulations or somehow segregating accounts used by European citizens for different treatment – potentially a daunting task.

Civil rights organizations have taken a mixed view of any potential right to be forgotten.  The American Civil Liberties Union (“ACLU”) has, in the past, advocated a potentially more limited “right to delete” which would “generally encompass the deletion only of any association with a given record, not necessarily the entire record itself,” except when such disassociation is impossible as for example, when a person’s face is captured by a security camera.  Chris Conley, “The Right to Delete” AAAI Spring Symposium Series (March 23, 2010). This is a more limited right than that which appears to be under consideration in Europe.  The ACLU also proposes safeguards to balance this right against rights of free speech and press by providing various exceptions, including exceptions for “newsworthy” content, but the ACLU acknowledges that the “right to delete” presents difficult issues in this regard.  In the United Kingdom – already facing criticism for not complying fully with the 1995 Data Protection Directive – Mr. Kenneth Clarke, Secretary of State for Justice, has criticized the notion of a broad “right to be forgotten.”  “Kenneth Clarke Warns on EU Data Protection Rules”, May 26, 2011.

Please be sure to visit our website at http://RobertBFitzpatrick.com

No comments: