The Race to Consolidate Power and Stave Off Disaster
Every week, it seems that another company or organization is electronically infiltrated and its customers’ data compromised. In November alone, Comcast, British telecom TalkTalk, and T-Mobile all suffered security breaches that put sensitive information about their clients out in the open. But for all the immediate security concerns these hacks cause, it is the proliferation of sensitive but freely accessible personal information on the Internet—and the inability of many to ever delete or remove it—that can have lifelong repercussions.
The ability to conjure up endless facts and figures with a few keystrokes seems almost magical. But it comes at a price: the seemingly limitless and permanent storage of one’s personal data. Photos of youthful indiscretions and ill-conceived social media posts can follow people around forever. Individuals who witness a heinous crime may be permanently connected to it online. And those who were once cyberbullied may have to stare down the electronic traces of their painful past for the rest of their lives. Erasing one’s past online has been a nearly impossible task.
That is, unless the European Union has its way. In a landmark 2014 ruling, the European Court of Justice (ECJ) upheld the right of individuals to have certain types of information deleted from the Internet. Dubbed the “right to be forgotten,” this decision accentuated key differences in how the EU and the United States view digital privacy and prompted debates about data storage standards across the globe. Already this summer, Russian legislators adopted their own version of institutionalized forgetting, slated to go into effect in January 2016. A number of other countries, including Argentina, Brazil, Japan, and South Korea, are currently considering similar policies.
At the center of the debate is whether we have the right not only to be seen and heard on the Internet but also to sometimes have our gaffes and missteps erased from it—and what role the state should play in regulating prying electronic eyes. Policymakers in the EU and United States have responded in divergent ways, and the gulf between them is widening.
The EU Charter of Fundamental Rights provides the right to have personal information protected, as well as a right to privacy. Freedom of expression is also guaranteed, but within carefully prescribed limits. Consequently, European politicians have been proactive when it comes to the removal of internet content injurious to an individual’s dignity or reputation and have pushed for regulations that give Internet users direct control over personal data.
In contrast, the First Amendment tradition in the United States takes a broader and more absolute view of free speech, elevating it to a privileged position in the pantheon of rights. However troubling, hurtful, or hateful speech may be, it is protected in all but the most extreme cases, effectively making the question of whether an individual has a right to be forgotten a nonstarter. Not surprisingly, the United States provides fewer data privacy guarantees, and those legal protections that do exist focus on specific types of information, such as health care and financial data.
There are consequently fewer avenues for redress in the United States when privacy violations do occur outside of regulated arenas. The result is that individuals often have to stretch economic law or appeal directly to the courts to obtain justice when their personal data are breached. For example, victims of revenge pornography have been forced to assert copyright infringement over explicit images of their own bodies in order to have them removed from websites. Meanwhile, others who have been cast in a less than flattering light online resort to bringing civil defamation suits.
Complicating matters, those digital data categories that are not subject to federal protections may be regulated under a hodgepodge of state laws. Twenty-six U.S. states currently outlaw the posting of photographs of a sexual nature without the consent of those depicted, but the penalties for the crime vary tremendously (in California, posting revenge pornography is a misdemeanor; in Nevada, it is a felony). Host websites, meanwhile, are shielded from responsibility for what third parties upload under the 1996 Communications Decency Act, provided the content does not violate federal criminal or intellectual property laws.
A “RIGHT” TO BE FORGOTTEN?
Erasing people from public view is not a new concept. The ancient Romans practiced damnatio memoriae (condemnation of memory), the intent of which was to erase undesirable people from historical recall. The invocation of damnatio memoriae was a sign of shame, a punishment meted out to traitors and those who dishonored the state that entailed writing them out of history and defacing their public depictions. Today, however, citizens of the digital commons are altering this concept to remove their own digital histories.
The right to be forgotten movement began in 2010 when Spanish lawyer Mario Costeja González filed a complaint with the Spanish Data Protection Agency (AEPD) against the newspaper La Vanguardia and Google Spain. Twelve years earlier, the paper had published two notices announcing the debt-related auction of his property. Costeja González was indignant because this embarrassing information was still coming up in Google searches of his name, even though the underlying financial matter had been resolved a long time ago. As a result, he demanded that La Vanguardia remove references to the incident from its digital archive and that Google censor mention of it. Spanish authorities denied the first part of the complaint but granted the second, subsequently referring the matter to the ECJ for clarification.
The court addressed Costeja González’s complaint in a momentous three-part decision. First, the ECJ ruled that the EU’s 1995 Data Protection Directive, through which the AEPD justified its decision, does apply to businesses headquartered outside the EU, provided they or their subsidiaries solicit advertising revenue in a member state. Google had argued that as a company based in the United States, it was not subject to EU rules.
Second, the court found that EU data protection rules pertain to search engines as well as to websites, since the former ultimately control how available information is (Google claimed that it functioned merely as an intermediary in the information-gathering process and was therefore not culpable for what it indexed online). Specifically, the ECJ observed that search providers were responsible for their users’ ability to easily find and assemble information on those who would rather not have certain search results made available, which put a legal onus on them to remove links from appearing on their sites. The decision also conceded that search engines need to be involved in the process because it is impractical to hold websites solely liable when it comes to erasing information.
Finally, the ECJ determined that Europeans should be able to have information about themselves removed from the Internet, provided it is “inaccurate, inadequate, irrelevant, or excessive.” This set an important precedent: while acknowledging that there is a balance to be struck between free speech and privacy that considers the prominence of a person and the nature of the information in question, the court nonetheless decreed that, in principle, privacy rights override the data access interests of Internet users.
And by all accounts, Europeans are actively using their newly defined right. As of October 2015, Google, the dominant search engine in Europe, reported that over 1.1 million links (from 325,929 requests) have been evaluated through its online submission form. More than 58 percent of these have been removed. Although Google does not release data concerning the types of requests it receives, a recent investigation by The Guardian found that over 95 percent of link removal requests came from ordinary individuals and not from politicians or criminal figures, as many opponents of the right to be forgotten had argued would happen.
The implementation of the ECJ’s right to be forgotten verdict, however, has proven controversial. Google has become the frontline enforcer of digital privacy rights against its wishes and without a public mandate. It is a reluctant (and uncompensated) censor that is not overseen by the government and is not transparent about how its decisions are reached. In this context, the claims made by EU officials that the new expectations imposed on the company are neither unreasonable nor unduly burdensome ring hollow, particularly given the inherent subjectivity required to sort through alleged privacy violations and make judgment calls as to which links should be kept and which removed.
Digital privacy in the EU is still governed by the 1995 directive, but this is set to change. In early 2012, the European Commission proposed major revisions to EU standards. They were meant to clarify, harmonize, and update rules in place from the infancy of the Internet and to also provide a uniform legal basis for the rules’ enforcement across all 28 EU countries. The result is the General Data Protection Regulation, which is expected to be approved by the end of this year and to go into effect by 2017. The GDPR will explicitly recognize the right to be forgotten, specifying the conditions under which it may be invoked as well as instances in which the public interest requires information to remain freely available.
However, even if the EU passes this comprehensive legislation, global questions remain about the right to be forgotten. For example, in June, France’s National Commission on Informatics and Liberty (CNIL) determined that if Google removes links from European searches, it must do the same worldwide, as privacy protections within the EU could be circumvented easily by navigating to another, non-European Internet address. Google, whose appeal to CNIL was rejected on September 21, is expected to soon challenge the ruling in the French courts. Meanwhile, recent clarifications to EU policies have already begun to reverberate throughout the world. Notably, on October 6, the ECJ invalidated the U.S.-EU Safe Harbor Agreement. This measure, the basic framework for which was introduced in 2000, streamlined the EU compliance process for U.S. companies collecting and transmitting customer data outside of the European Economic Area. The ECJ determined that it provided insufficient protections to ensure the privacy of European citizens.
The future impact of growing differences between U.S. and EU digital privacy policies remains unclear. At the very least, given massive transatlantic trade flows, it is almost certain that the EU will prevail in imposing considerably stricter data standards on foreign firms with an operational presence in Europe. And it is not far-fetched to think that universal constraints may eventually be implemented by these businesses themselves, if they decide that it is more cost-effective to apply the strictest policies across the board in the name of compliance. Meanwhile, it seems inevitable that more countries will wade into the digital privacy fray and make their own demands heard, the results of which might not always be positive. For example, Russia’s vague criteria for removing Internet links in its new right to be forgotten law have raised fears that it could be manipulated to serve the purposes of specific ideological interests or of the state.
THE RIGHT WAY FORWARD
The advent of the Internet has democratized information, but by giving virtually anyone an ability to publish whatever they see fit online, it has also removed editorial scrutiny from the process in many cases. The result is an ever-increasing ubiquity of information, much of it of questionable quality and veracity, that may be cheaply and efficiently retained in perpetuity. This has raised vexing questions over how much of it should be allowed to be cataloged in this manner and, if the decision is made that some information should be removed from the Internet, who should be responsible for doing so.
The EU can certainly be criticized for its response to privacy concerns. The right to be forgotten arguably impinges on freedom of expression, and European officials have yet to enact sufficient forward-looking safeguards that would prevent sensitive elements of people’s lives from being published inappropriately on the Internet in the first place. There is also the issue of relegating the task of censorship to commercial enterprises, which does not guarantee forgetting so much as it imposes a highly selective form of digital amnesia. Regardless, the public’s desire to edit the Internet shows no signs of abating; in fact, just the opposite is true. Absent a universal data privacy standard, this desire poses a threat that competing regional regulations will Balkanize the Internet, creating fractured fiefdoms of unevenly accessible information.