The modern innovators of Internet human rights are not U.S. leaders or bold Silicon Valley entrepreneurs. They are stodgy bureaucrats, politicians, and lawyers in Brussels, Berlin, and Strasbourg. As the National Security Agency (NSA) and American firms have relied on sucking up massive amounts of data to observe citizens and create and serve consumers, the European Union has fought to establish privacy rights. Over the last ten years, however, the EU initiative seemed to be on the ropes as the United States pressed Europeans to water down their privacy protections in a number of key sectors. But now, the tables are turned.
This month, the European Court of Justice, Europe’s closest equivalent to the Supreme Court, ruled that Google must delete search results linked to the name of a Spanish citizen that the citizen had found outdated and upsetting. The ruling obliges Google and other Internet firms to respect a limited version of the “right to be forgotten” -- the right to have certain kinds of information, such as former debts or inappropriate photos, removed from the public sphere. In its most extreme form, an individual could request that search engines remove all links to their name, making them virtually anonymous in the Internet. The right to be forgotten will be enforced by national data protection authorities, for example by the Federal Commissioner for Data Protection and Freedom of Information in Germany or the Information Commissioner in the United Kingdom.
The ruling could transform e-commerce and privacy in the digital age. To begin with, the European Court of Justice has challenged the very business model of U.S. e-commerce firms, which use vast pools of personal data to sell ads and model consumer behavior. After the ruling, doing so will become increasingly difficult in the important European market. Facebook alone booked nearly $500 million in ad revenue in Europe in the third quarter of 2013, making it the second biggest market after North America. With the rise of privacy concerns in Europe, companies such as Runbox, a Norwegian-based email hosting firm that puts a premium on privacy, have already seen a spike in users. At the same time, non-U.S. cloud computing firms have cancelled ten percent of their contracts with U.S. firms over privacy concerns.
Americans -- who usually prize free speech over privacy -- may find this turn of events upsetting. European officials can now tell U.S. businesses -- and Washington -- what information they can and cannot disseminate about European citizens. Yet Americans’ reflexive distaste for speech regulation should not blind them to realities. First, free speech isn’t what it used to be: U.S. courts are increasingly redefining it as a right to corporate bad behavior, striking down economic regulation in the name of free speech. Second, Europeans have legitimate human rights concerns. As technology expert Bruce Schneier has warned, surveillance is the business model of the Internet, and Europeans have no choice but to reshape this business model to accommodate individuals’ privacy rights, if those rights are to have any meaning.
If the ruling is a European overreaction, as Google Executive Chairman Eric Schmidt has argued, it is the child of U.S. overreach. The European Court of Justice’s newfound activism is just one of a broader set of European initiatives that push back against U.S. surveillance practices. The European Union is set to introduce new legislation in late 2014 that will formalize the right to be forgotten and impose massive fines on firms that do not comply with EU law. It is almost certain to restrict the existing “safe harbor” arrangement, in which U.S.-based multinationals may transfer data out of Europe and thus create global consumer profiles to avoid investing in redundant data storage facilities. Finally, the EU is pushing the United States to introduce safeguards against NSA collection of data on European citizens.