International Data Privacy Law, 2013, Vol. 3, No. 3
ARTICLE
149
Forget me not: the clash of the right to be
forgotten and freedom of expression on the
Internet
Muge Fazlioglu*
Introduction
Abstract
The individual disclosure of personal information has
become the ‘default’ setting throughout the digital
world, a necessary condition if one is to enjoy the
variety of goods and services that it offers.1 At face
value, it is desirable for users to be able to exercise
at least a modicum of control over personal information pertaining to themselves that is publicly available online. It is precisely this idea that underpins
the European Commission’s proposed legislative
reform to its privacy framework known as ‘right to
be forgotten’.2 In enabling individuals to demand
erasure of personal data previously shared online, the
European Union seeks to give Internet users legal recourse to force data controllers to ‘forget’ their personal information.
The application of this right in the digital world,
however, may pose an obstacle to free expression and
the public interest in access to information. Thus,
while understanding the right to be forgotten as a tool
enabling users to better control their image and existence on the Internet, this paper analyses the ways in
which this right may also function as a hindrance to
freedom of expression. The first part of the paper discusses the privacy framework of the EU and the
notion of the right to be forgotten, while the second
part examines the shortcomings of the concept. It
then turns to the potential impact of the right to be
forgotten on freedom of expression and access to information. Lastly, the paper addresses the contrast
between the right to be forgotten and important perspectives in US privacy law.
*
1
PhD student, Law and Social Science, Maurer School of Law, Indiana
University. Email: [email protected]. I would like to thank Professor
Fred H. Cate for his invaluable comments and support. I would also like to
thank Kyle A. Heatherly and the anonymous reviewers for their helpful
suggestions.
danah boyd and Alice Marwick, ‘Social Privacy in Networked Publics:
Teens’ Attitudes, Practices, and Strategies’ (Oxford Internet Institute, A
# The Author 2013. Published by Oxford University
† The European Union’s (EU) proposed enactment
into law of the ‘right to be forgotten’ aims to
provide users with more control over their personal data by granting them the right to request
erasure of information from ‘data controllers’.
† While legislative efforts to extend the scope of
users’ rights to protect their personal data should
be lauded, without clearly defined limits, the right
to be forgotten presents numerous challenges in
its practical application.
† The nebulous boundaries and susceptibility to
misuse of the right to be forgotten make it a blunt
instrument for data protection with the potential
to inhibit free speech and information flow on the
Internet.
† Considering the ‘borderless’ characteristic of data
flow over the Internet, the intent of the right to be
forgotten fails to recognize disparities in data protection laws across various legal systems. Specifically, in its currently proposed form, the right to be
forgotten contrasts with the safeguards for free expression afforded by the First Amendment in the
United States.
Development of the EU Privacy
Framework and the right to be forgotten
The ‘idea of erasure’ was first present in the 1995 Data
Protection Directive (95/46/EC), the European Union’s
2
Decade in Internet Time: Symposium on the Dynamics of the Internet and
Society, Oxford, 2011) ,http://papers.ssrn.com/sol3/papers.
cfm?abstract_id=1925128. accessed 22 February 2013.
Commission, ‘Proposal for a Regulation of the European Parliament and of
the Council on the protection of individuals with regard to the processing
of personal data and on the free movement of such data (General Data
Protection Regulation)’ COM (2012) 11 final, ch III, art 17.
Press. All rights reserved. For Permissions, please email: [email protected]
150
International Data Privacy Law, 2013, Vol. 3, No. 3
ARTICLE
most fundamental piece of legislation on data protection, which was adopted for the purposes of protecting
the ‘data subject’s right of access to data’ and ensuring
the free flow of personal information between Member
States.3 Pursuant to the Directive, Member States ‘shall
guarantee every data subject the right to obtain from the
controller . . . the rectification, erasure or blocking of
data’, when the data processing is not in compliance with
the Directive and particularly in instances where the data
are ‘incomplete or inaccurate’.4
An important subsequent development in the European data protection scheme was the Stockholm Programme,5 which produced a five-year plan for Member
States that touched upon a wide variety of issues, including migration, children’s rights, economic crime and
corruption, as well as the exercise of privacy rights
within the promotion of fundamental rights.6 Concerning the EU’s data protection regime, it declared that citizens’ privacy ‘must be preserved beyond national
borders, especially by protecting personal data’.7
Aligning with the Stockholm Programme, the Commission had emphasized the need for ‘a comprehensive
and coherent approach’ guaranteeing full respect for ‘the
fundamental right to data protection for individuals’.8 In
2012, following public consultations, extensive stakeholder dialogues, and an impact assessment on the
policy alternatives, the Commission put forth the proposal of the final legal framework aimed at protecting
individuals’ data.9 With the support of the European
Parliament, European Council, and Economic and
Social Committee, these developed into the proposed
General Data Protection Regulation.10 The proposed
regulation seeks to grant individual users more control
over their personal information, primarily by means of
access, rectification, deletion (the right to be forgotten),
and withdrawal (data portability).11
Article 17 of the proposed regulation takes the right
of erasure in the 1995 Directive one step further, allowing users to withdraw consent and request deletion and
removal of their data from processing if they are no
longer necessary for the data controllers’ collection and
processing purposes.12 Where the data controller has
made the personal data public, the proposed regulation
puts the obligation of informing third-party data processors of the requested erasure on the data controller.13
Data controllers can delay the erasure only if certain
limited conditions apply, such as when the data are
being used for historical, scientific, or statistical research
purposes, reasons of public interest in the area of public
health, or in the exercise of free expression.14
The underlying purpose of the right to be forgotten is
to help individuals ‘better manage data-protection risks
online’ by allowing them to demand erasure of data they
have supplied that they no longer wish to be processed
or when there is no legitimate reason for retention of the
data.15 By shifting more responsibility onto data controllers, the right to be forgotten aims to strengthen individual privacy. Simultaneously, it signifies an effort to
respond to the enormous quantities of personal information being transferred via the Internet with or
without the explicit consent or knowledge of the data
subjects.16
While the proposed legislation on data protection
aims to empower users in a world where it is increasingly
difficult to know what personal information about
oneself is being shared with whom, it also marks an ambitious attempt by the EU to establish rules governing
the interactions and practices of Internet users. In addition, the right to be forgotten in its current form raises
serious questions about the scope of its implementation
and its potential for misuse. To better understand these
concerns, it is helpful to examine how the right to be forgotten might be applied in the online world.
3
10
11
12
13
14
15
4
5
6
7
8
9
Council Directive 1995/46/EC of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free
movement of such data [1995] OJ L281/31.
Ibid, at 12.
Commission, ‘Action Plan on the Stockholm Programme’
(Communication) COM (2010) 171 final.
European Council, ‘The Stockholm Programme—An open and secure
Europe serving and protecting citizens’ [2010] OJ C115/01.
Ibid, at 4.
Commission, ‘A comprehensive approach on personal data protection in
the European Union’, COM (2010) 609 final, 4.
Commission, ‘Safeguarding Privacy in a Connected World, A European
Data Protection Framework for the 21st Century’ (Communication), COM
(2012) 9 final.
Implementation of the right to be
forgotten
As of yet, the scope of the right to be forgotten has not
been explicitly defined, nor has the question of its applicability to different types of data on the Internet been
Ibid.
Commission, ‘Commission Staff Working Paper’ SEC (2012) 73 final, 5.
General Data Protection Regulation (n 2), art 17(1).
Ibid, at 17(2).
Ibid, at 17(3).
Commission, ‘Factsheet: Why do we need an EU data protection reform?’
,http://ec.europa.eu/justice/data-protection/document/review2012/
factsheets/1_en.pdf. accessed 22 February 2013.
16 Facebook, for example, allows one’s information, including biographical
and demographic details, date of birth, religious views, favourite political
websites, and family photos to be ‘leaked’ by accounts of friends who make
use of third-party applications. Facebook, ‘Data Use Policy’ (2012): ‘if you
share something on Facebook, anyone who can see it can share it with
others, including the games, applications, and websites they use’.
Muge Fazlioglu . Forget me not
thoroughly addressed. To understand the practical
boundaries of this right, it is necessary to analyse the
ambiguities, current experiences, and relevant concepts
of the proposed movement towards strengthening the
right to be forgotten.
The right to be forgotten would give individuals the
ability to direct erasure requests to a large number of
data controllers. With respect to its possible scope, the
European Commission has emphasized that these rules
would apply whenever a person can be identified directly
or indirectly by such data, even when the ‘personal data
is handled abroad by companies that are active in the EU
market’ or ‘offer their services to EU citizens’.17
However, in order to invoke the right to be forgotten,
a user must first be able to identify the data controller(s)
with whom one’s personal data has been shared.18 This
task, however, can be a daunting one. In their sharing of
personal data, users tend to
ignore notices, often do not understand the choices (which
often aren’t meaningful in any event), and resist making
them unless compelled to do so (in which case they almost
always make the choice required to obtain the desired
service or product).19
Thus, although the effective exercise of the right to be
forgotten depends to a large degree on user awareness,
users are often not cognizant of the identities of the
myriad data controllers who are digitally processing and
storing their personal data.
Awareness of what and with whom personal information is being shared is becoming especially problematic
in the era of ‘big data’. Mayer-Schönberger and Cukier
have discerned that as the value of data migrates ‘from
its primary use to its potential future uses’, companies
are continuously exploring new ways to produce market
value with data they process and store.20 Ambrose
has explicated how ‘different information has different
value and that value changes as time passes’.21 Although
17 Commission, ‘Commission proposes a comprehensive reform of data
protection rules to increase users’ control of their data and to cut costs for
businesses’ (2012) IP/12/46.
18 European Network and Information Security Agency, ‘The right to be
forgotten—between expectations and practice’ (2012) 8.
19 Christopher Kuner, Fred H. Cate, Christopher Millard, and Dan Jerker
B. Svantesson, ‘The challenge of “big data’ for data protection’ (2012)
2 IDPL 47, 48.
20 Viktor Mayer-Schönberger and Kenneth Cukier, Big Data: A Revolution
that Will Transform How We Live, Work, and Think (Houghton Mifflin
Harcourt, Boston, MA 2013) 99.
21 Meg Leta Ambrose, ‘It’s About Time: Privacy, Information Life Cycles, and
the Right to be Forgotten’ (2013) 16 StanTechLRev 101, 131.
22 Mayer-Schönberger and Cukier (n 20), at 110.
ARTICLE
151
companies are motivated to ‘use data only so long as it
remains productive’, it remains difficult to determine
‘what data is no longer useful’.22 As companies extend
the time they retain data, this may put even more
pressure on users to be aware of what data they have
previously shared—and have themselves forgotten.
This (in)ability of users to retain knowledge about
and access to the controller of their information may be
further weakened by migration of information from
search engine indexation systems onto offline servers.
Because personal data may also be stored on discarded
storage equipment, desktop computers, or USB sticks,
once it has been deleted from an online location, there
may still be a need to ‘distribute and retain removal
requests indefinitely so that removed data items stored
on offline media can be deleted as soon as the media is
connected’.23 Mayer-Schönberger has implied that the
right to be forgotten would still be an effective tool even
if personal information remains stored in an offline,
back-up server: ‘if you carry out a search on yourself and
it no longer shows up . . . you have effectively been
deleted’.24 Although some may find the removal of the
information from Google’s search index sufficient, this
may vary according to the type of information one
wishes to be deleted, or the purposes for which such
non-indexed personal information is being used.
The Article 29 Working Party, an authority established under the 1995 Directive for maintaining the ‘protection of individuals with regard to the processing of
personal data and on the free movement of such data’,25
suggests that the very way in which the Internet functions may also limit how this right can be applied.26
As outlined above, the right to be forgotten enables an
individual to request erasure of data from data controllers, who are ‘persons or entities which collect and process
personal data’.27 Problematically, in cases where data are
jointly controlled, the proposed EU regulation requires
the joint data controllers to ‘determine their respective
responsibilities for compliance with the obligations’, but
23 European Network and Information Security Agency (n 18), at 11.
24 Kate Connolly, ‘Right to erasure protects people’s freedom to forget the
past, says expert’, The Guardian (Berlin, 4 April 2013) ,http://www.
guardian.co.uk/technology/2013/apr/04/right-erasure-protects-freedomforget-past. accessed 9 April 2013.
25 Commission, ‘Article 29 Working Party’ (2013) ,http://ec.europa.eu/
justice/data-protection/article-29/index_en.htm. accessed 22 February
2013.
26 Article 29 Working Party, ‘Opinion 01/2012 on the data protection reform
proposals’ (2013) WP191, 13.
27 Commission, ‘Who can collect and process personal data?’ (2012) , http://
ec.europa.eu/justice/data-protection/data-collection/index_en.htm. accessed
22 February 2013.
152
International Data Privacy Law, 2013, Vol. 3, No. 3
ARTICLE
does not provide explicit guidance on how this should
be done.28 Moreover, in determining whether to erase
data, all data controllers are required to strike a ‘reasonable
balance’ between their business interests and the privacy
interests of the data subjects.29 Achieving such a balance—
in particular, evaluating the potential future value and
uses of data—would be an arbitrary task for data controllers, and another hurdle to applying the right to be forgotten in practice.
In its opinion, the Article 29 Working Party critically
observed that even if the data controller has taken all reasonable steps to inform third parties of the user’s erasure
request, it may still not be aware of all existing copies of
the data—or when new ones crop up. Furthermore, it
noted the concern that only data controllers are subject
to the proposal, as ‘no provision in the regulation seems
to make it mandatory for third parties to comply with
the data subject’s request unless they are also classified as
controllers’.30
This issue was raised by Google’s chief privacy
counsel, who argued that hosting platforms and search
engines should not be expected to delete materials
created by others or ‘exercise control over materials published by third parties’,31 and that the fundamental responsibility to delete should reside with the person or
entity that first published the material.32 However,
Viviane Reding has indicated that ‘social networking
[websites] and search engines may exercise control on
the content, conditions, and means of processing,
thereby acting as data controllers’, which would make
them subject to the obligations laid down in the proposed data protection regulation.33 The Council of
Europe also stressed that the role of search engines goes
beyond simply facilitating access to information, suggesting that through the aggregate usage of their services,
search engines do more than merely catalogue existing
external data; they generate a novel kind of data in the
28 General Data Protection Regulation (n 2), art 24.
29 Commission, ‘Collecting & processing personal data: what is legal?’ (2012)
,http://ec.europa.eu/justice/data-protection/data-collection/legal/index_en.
htm. accessed 22 February 2013.
30 Article 29 Working Party (n 26).
31 Peter Fleischer, ‘Our Thoughts on the Right to be Forgotten’ (16 February
2012) Google Europe Blog ,http://googlepolicyeurope.blogspot.com/
2012/02/our-thoughts-on-right-to-be-forgotten.html. accessed 22
February 2013.
32 Ibid.
33 David Meyer, ‘EU puts Google straight on “right to be forgotten”’ (22
February 2012) ZDNet ,http://www.zdnet.com/eu-puts-google-straighton-right-to-be-forgotten-3040095097/. accessed 30 April 2013.
34 Council of Europe, ‘Recommendation on the protection of human rights
with regard to search engines’, CM/Rec (2012).
35 Cited in Karen Eltis, ‘Breaking Through the “Tower of Babel”: A “Right to
be Forgotten” and How Trans-Systemic Thinking Can Help Re-
form of individual search histories.34 Therefore, owing
to these complexities surrounding data-sharing practices
on the Internet, determining when, where, and to whom
the right to be forgotten should be applied is an enormous challenge.
The standpoint espoused by the French Senate Report
that described the right to be forgotten as the embodiment of the idea that the user is the ‘protector of his own
data’35 overlooks these complex dynamics of data
privacy and protection on the Internet. ‘[P]rivacy is not
simply about zeros and ones’ of data, but concerns ‘how
people experience their relationship with others’ and
share their personal information.36 Importantly, Internet
users are sharing not only their own information on the
Web, but also information about others.
In this context, the right to be forgotten, or granting
users the right to act as the ‘protector of one’s data’, may
vicariously constitute policing others in attempting to
limit how much and what type of information about
oneself can be shared. In addition, users are constantly
evolving in their interactions on the Internet. A recent
study has shown that individuals treat search engines as
a type of ‘external memory’, which impairs our ability to
recall certain information, but leaves intact our propensity to remember where to find it.37 The growing attachment to the Internet in all aspects of daily life is another
reflection of our evolving online behaviour. In other
words, ‘[m]edia are to us as water is to fish’, a necessary
part of human existence and survival.38
Mayer-Schönberger has proposed a novel and creative
approach to information, suggesting that, like our memories, ‘information also has a life span’.39 The framework
he advocates would incorporate an ‘expiration meta tag’
into digital files (similar to the meta tags for the filename, location, date created/modified, etc.) that would
impose upon our data ‘the finiteness of memory’.40 This
is precisely what technologies such as those promoted by
36
37
38
39
40
Conceptualize Privacy Harm in the Age of Analytics’ (2011) 22 Fordham
IntellPropMedia & EntLJ 69, 90.
danah boyd, ‘Facebook’s Privacy Trainwreck: Exposure, Invasion, and
Social Convergence’ (2008) 14 CONV 13, 18.
Betsy Sparrow, Jenny Liu, and Daniel M. Wagner, ‘Google Effects on
Memory: Cognitive Consequences of Having Information at Our
Fingertips’ (2011) 333 Science 776.
Mark Deuze, Media Life (Polity Press, 2012) x.
Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital
Age (Princeton University Press, 2009) 15.
Ibid. By biological and evolutionary necessity, Humans forget a large of
portion of their everyday experiences. It is this uncanny ability, and right,
to forget that allows individuals to reason abstractly and evolve cognitively,
keeping what is important and discarding what is not. See Austin Allen,
Interview with Viktor Mayer-Schönberger, Director of Information Policy
Research Center, National University of Singapore (22 April 2010).
Muge Fazlioglu . Forget me not
the German company X-pire attempt to do, by allowing
users to create ‘self-destructing’ photos, which automatically expire after short, designated periods of time. Such
technologies, however, are likely to clash with the financial interests of search engines and social networking
websites.41
The concerns over what information is being shared
online and with whom will remain at the forefront of
discussions in privacy law. Such questions are also becoming more difficult to answer with each passing day
of technological development. The proposal of the right
to be forgotten, however, ignores the ways in which individuals are coping with the changing realities of the
Internet, and serious questions remain as to its potential
to interfere with others’ right to access information
and the protection of individuals’ freedom of expression.
The next section analyses the right to be forgotten along
the lines of these considerations.
The right to be forgotten as a threat
to free expression?
The right to be forgotten is not limited to the personal
data that one has personally shared; it includes the right
to delete ‘personal data’, which may be broadly defined
as ‘any information relating to a data subject’.42 Reporters Without Borders (RSF) has criticized this as a generalized right that individuals can invoke when digital
content no longer suits their needs, essentially trumping
the public interest in the information’s availability.43
RSF also contends that the demand for complete erasure
of online content, or the ‘right to oblivion’, could place
impossible obligations on content editors and hosting
companies.44 EU Commissioner Viviane Reding
responded to the criticism from RSF by explaining that
the right to be forgotten is ‘not an absolute right’, and
that its implementation would not affect the jobs of
journalists who report and digitally log stories of public
interest.45
41 Jeffrey Rosen, ‘The Deciders: The Future of Privacy and Free Speech in the
Age of Facebook and Google’ (2012) 80 Fordham LRev 1525, 1535.
42 Jeffrey Rosen, ‘The Right to be Forgotten’ (2012) 64 StanLRev 88, 89.
43 Reporters Without Borders, ‘Enemies of the Internet Report 2012’ (March
2012) 6.
44 Ibid.
45 Reporters Without Borders, ‘Viviane Reding Responds to Reporters
Without Borders’ Criticism of “Right to be Forgotten”’ (16 March 2012).
46 Kashmir Hill, ‘Plastic Surgeon Legal Quest to Facelift Google Search
Results’ Forbes (3 July 2011) ,http://www.forbes.com/sites/kashmirhill/
2011/03/07/plastic-surgeons-legal-quest-to-facelift-google-searchresults/. accessed 9 April 2013.
47 Paul Sonne, Max Colchester, and David Roman, ‘Plastic Surgeon and Net’s
Memory Figure in Google Face–Off in Spain’ WallStJ (7 March 2011)
ARTICLE
153
It is difficult, however, to ignore the expansive boundaries of the right to be forgotten in the light of real
erasure claims, such as the famous case of the Spanish
plastic surgeon Guidotti Russo, who requested erasure of
a newspaper article published in 1991 that centred on a
dispute he had with a former patient. Twenty years after
the incident occurred, Dr Guidotti Russo, supported by
Spain’s privacy regulator, contended that the story of the
dispute was personal information. He wanted the article
removed by Google, as it would display on the first page
of search results when his name was queried.46 Although
Spanish law protects the free expression of newspapers,
legal gazettes, and other publications, the Spanish data
regulator insisted these protections did not extend to
Google and other Internet search engines.47 Thus, the
wish to guard one’s reputation and the public’s access to
information seem to collide head-on, with the right to
be forgotten lying at the centre of the dispute.
Similarly, in a case recently referred to the European
Court of Justice (ECJ), Spain’s highest court, the Audiencia Nacional (AN), ordered Google to delete information
from its search engine pertaining to a Spanish citizen’s financial problems detailed in an old news report.48 One
of the issues the ECJ is expected to clarify is the obligation of search engines to stop searches. A ruling against
Google would essentially extend data subjects’ right to
be forgotten to search engines, or information published
lawfully on third-party websites.49 Google’s lawyer in the
case has contended that such requests for search engines
to remove personal information would mark ‘a fundamental shift of responsibility from the publisher to the
search engine [and] amount to censorship’.50 The ruling
of this case is certain to enlighten the debate over
whether search engines are data controllers, clarify their
obligations, and could establish a benchmark for European rules of online personal data protection and the
right to be forgotten.
This potential impact of the right to be forgotten on
freedom of expression is not thoroughly addressed in the
proposed General Data Protection Regulation. Pursuant
,http://online.wsj.com/article/SB1000142405274870392150457
6094130793996412.html. accessed 9 April 2013.
48 Reuters, ‘EU judges to hear Google “right to be forgotten” case’ The
Telegraph (26 February 2013) ,http://www.telegraph.co.uk/technology/
google/9895279/EU-judges-to-hear-Google-right-to-be-forgotten-case.
html. accessed 9 April 2013.
49 Case C-131/12, ‘Reference for a preliminary ruling from the Audiencia
Nacional (Spain) lodged on 9 March 2012—Google Spain, S.L., Google
Inc. v Agencia Española de Protección de Datos, Mario Costeja González’.
50 Stephanie Bodoni, ‘Google Cites Censorship Risk in EU Data Control Law
Suit’ Bloomberg (26 February 2013) ,http://www.bloomberg.com/news/
2013-02-26/google-cites-censorship-risk-in-eu-data-control-lawsuit.
html. accessed 9 April 2013.
154
ARTICLE
International Data Privacy Law, 2013, Vol. 3, No. 3
to it, the exemptions for the erasure of data apply to personal data processed for ‘journalistic purposes’, or for
the purposes of ‘artistic or literary expression’.51 In light
of this, as Rosen points out, search engines and social
networking websites would have to demonstrate to EC
authorities that their information processing activities
are a literary or artistic exercise.52 This would require
hosting services and search engines to engage in a very
difficult line-drawing exercise that would hinder their
existence as a ‘neutral platform’.53
Although freedom of expression is one of the exemptions in the application to the right to be forgotten, this
issue is complicated by the fact that the limitations to
these exemptions are to be determined by the member
states.54 Ironically, it was precisely the inconsistencies
in member states’ implementations of the 1995 Directive
that spurred the creation of a coherent single system
for data protection. The proposed data protection regulation, vis-à-vis a ‘one stop shop’ system, would establish
a single data protection authority for companies operating throughout different countries.55 Unfortunately,
where data protection rules clash with freedom of expression, EC law remains silent, giving each member
state the authority and discretion to determine a fair
balance between the rights in question and freedom of
expression.56
This points to another weakness of the right to be forgotten: the concepts contained therein can be subject to
broad and multiple interpretations. In some cases, as
noted above, what constitutes ‘freedom of expression’ is
left up for the member states to decide, which may vary
widely in their determinations. In Lindqvist, for
example, the ECJ established that ‘Directive 95/46 allows
the Member States a margin for manoeuvre in certain
areas’.57 In this case, the defendant was charged with violating Swedish laws on the protection of personal data by
publishing personal information, including the names,
telephone numbers, and hobbies of her colleagues from
a church charity on her personal webpage.58 This case
exemplifies the possibility for broad interpretations of
concepts such as ‘processing data’ by member states.59 In
addition, the various determinations that could be made
by different member states as to what defines ‘artistic
expression’ may end up weakening the protection for
freedom of speech.
In the EU, everyone has a right to ‘the protection of
personal data concerning him or her’,60 and this protection is considered a fundamental right.61 This right is
also established within the European Convention on
Human Rights (ECHR) as the entitlement of each individual to ‘respect for his private and family life, his
home and his correspondence’.62 Article 10 guarantees
the right to freedom of expression, but emphasizes when
it may be subject to restriction (eg for the protection of
the reputation or rights of others).63
Smet discusses this conflict between the protection of
reputation and freedom of expression in his analysis of
Chauvy and others v France, a defamation case where the
Court recognized this tension.64 The case concerned a
book that described the arrests of leaders of the French
resistance movement during World War II. Notably, the
book contained allegations of treason against Mr and
Mrs Aubrac.65 The court considered the protection of
one’s reputation to be encapsulated within the right to
‘respect for private life’, which is protected under Article
8 and constitutes a legitimate aim for the purposes of
Article 10 of the ECHR, and found there to be no ‘unreasonable’ or ‘undu[e]’ restrictions placed upon the applicants’ freedom of expression.66 In his analysis, Smet
points out that in such cases where freedom of expression and the right to reputation have come into conflict,
the legal reasoning of the European Court of Human
Rights (ECtHR) ‘suffers from a lack of clarity, consistency, and transparency’.67
With respect to penalties for noncompliance, monetary sanctions of up to 500,000 EUR—or up to 1 per cent
of an enterprise’s annual worldwide turnover—could be
imposed if the data controller ‘does not comply with the
51
52
53
54
55
61 Charter of Fundamental Rights of the European Union (2000) OJ C 364/
01, art. 8
62 Convention for the Protection of Human Rights and Fundamental
Freedoms (European Convention on Human Rights, as amended) (ECHR)
art 8.
63 Ibid, art 10.
64 Stjin Smet, ‘Freedom of Expression and the Right to Reputation: Human
Rights in Conflict’ (2010) 26 AmUInt’l LRev 183.
65 Chauvy and others v France App no 64915/01 (ECtHR, 29 June 2004) 2.
66 Ibid, at 20. Pursuant to the doctrine of Praktische Konkordanz, however,
neither freedom of expression nor the right to reputation should be given
absolute preference. See Smet (n 64), at 194, 236.
67 Smet (n 64), at 187.
56
57
58
59
60
General Data Protection Regulation (n 2), at 94 – 95. Rosen (n 42), at 90.
Rosen (n 42), at 90.
Ibid, at 91 –2.
General Data Protection Regulation (n 2), at 94.
Commission, ‘Factsheet: How will the EU’s data protection reform simplify
the existing rules?’ ,http://ec.europa.eu/justice/data-protection/
document/review2012/factsheets/6_en.pdf. accessed 22 February 2013.
General Data Protection Regulation (n 2), art. 80, see also Rosen (n 42), at
90.
Case C-101/01 Lindqvist [2003] ERC I-13027.
Ibid, at 12971.
Ibid, at 13007.
Treaty on the Functioning of the European Union (TFEU), Article 16(1).
Muge Fazlioglu . Forget me not
right to be forgotten . . . or does not take all necessary
steps to inform third parties’ about the erasure
requests.68 This threat of sanction may cause data controllers to choose the path of deletion in unclear cases,
which would be a chilling side effect of the rule.69
Although giving additional responsibilities to data controllers may serve to protect privacy online,70 without an
understanding of how the sanctions would be applied,
the risk of facing huge/repetitive monetary fines may
lead data controllers to make decisions that impair
public access to information and constrain expression.
Considering the proposed EU data protection regulation designed to ensure that ‘personal information is
protected no matter where it is sent, processed, or
stored—even outside the EU’71—it is important to consider the different understandings of privacy across national borders. As scholars such as Rosen have argued,
the clash of the right to be forgotten and freedom of expression poses a challenge for the universal application
of this right.72 Because the evolving structure of ‘[t]he
global governance of data invites a cosmopolitan understanding of privacy law’,73 the final section discusses the
right to be forgotten with respect to the distinctive
considerations within US law for privacy and freedom of
expression.
The right to be forgotten and
US privacy law
The ‘personal data’ that may be subject to a deletion
request through the use of the right to be forgotten
include ‘any information relating to [an individual], regardless of its source’.74 This is an important facet of the
regulation to consider, given the protections extended to
freedom of expression in the United States. The First
Amendment guards the publishing of ‘lawfully obtained
truthful information on a matter of public significance’,
and requires that restrictions on these publications ‘be
68 General Data Protection Regulation (n 2) art 79.
69 Rosen (n 42), at 91. The empowerment of each supervisory authority ‘to
impose administrative sanctions’ can be understood in such a way that
competent Data Protection Authorities from different member states may
impose fines, creating concerns regarding the ‘principle of double
jeopardy’. On this point, see Christopher Kuner, ‘The European
Commission’s Proposed Data Protection Regulation: A Copernican
Revolution in European Data Protection Law’ (Privacy and Security Law
Report, 2012) 21 –2, and Article 29 Working Party (n 26), at 24.
70 Fred H. Cate and Victor Mayer Schönberger, ‘Notice and Consent in a
World of Big Data’ (2012 Microsoft Global Privacy Summit Summary
Report and Outcomes) 6.
71 Commission, ‘Data protection reform: Frequently asked questions’ (2012)
Memo 12/41
,http://europa.eu/rapid/pressReleasesAction.do?reference=
MEMO/12/41&format=HTML&aged=0&language=EN&guiLanguage=en.
accessed 22 February 2013.
72 Rosen (n 42).
ARTICLE
155
reviewed with strict scrutiny’.75 Strict scrutiny requires
the highest level of government interest and the narrowest fit between interest and regulation, which is very difficult to establish.76
One distinction, as discussed in the previous section,
may concern European support for treating search
engines as ‘data controllers’, enabling requests for deletion of third-party sources that can be reached via search
engine services. In contrast to this view, Volokh argues
that, because they create no content themselves, ‘search
engines are fully constitutionally protected in showing
excerpts from selected other sites’.77 In illustrating the
differing approaches to privacy and data protection
between the EU and the United States, it may be helpful
to consider the case of Haynes v Alfred Knopf.78
The US data protection regime differs from the EU in
that it is highly contextual, sectoral, and largely based on
private law, affirmative agreements, self-regulation, and
(sometimes) implied agreements later enforced by
federal or state laws.79 In the USA, the publication of
private rights tort is actionable in cases where a private
fact that is offensive and of no legitimate public concern
has been published.80 A book entitled The Promised
Land: The Great Black Migration and How it Changed
America, describes the relationship between Ms Daniels
and her ex-husband Luther Haynes, and makes ‘revelations about [Mr Haynes’] heavy drinking, unstable employment, adultery, and irresponsible and neglectful
behaviour towards his family’.81 Haynes objected to
being explicitly identified in the book by name.82 The
federal court, in interpreting these revelations, found
that Haynes’ past publicly observable behaviours, such as
his drinking, were not private facts. Moreover, the judge
affirmed that the subject of the book was a legitimate
public concern, and found the identification of Haynes
to be an important aspect of the book’s subject matter.
What is worth noting is that while this case deals
with the protection of ‘intimate physical details’, the
73
74
75
76
77
78
79
80
81
82
Eltis (n 35), at 74.
Rosen (n 42), at 89 –91.
Smith v Daily Mail Pub Co, 443 U.S. 97 (1979).
Cohen v Cowles Media Co, 501 U.S. 663 (1991).
Eugene Volokh and Donald M. Falk, ‘First Amendment Protection for
Search Engine Search Results’ (White Paper, Google, 2012) 14.
Haynes v Alfred Knopf, Inc, 8 F. 3d. 1222 (1993).
Fred H. Cate, ‘The Growing Importance (and Irrelevance) of International
Data Protection Law’ (LCIL Snyder Lecture, Cambridge, 2011) ,http://
www.lcil.cam.ac.uk/news/article.php?section=26&article=1581. accessed
8 April 2013.
Mark A. Franklin, David A. Anderson, and Lyrissa Barnett Lindsky, Mass
Media Law (8th edn, Foundation Press 2011) 265.
Ibid, at 267.
Ibid, at 269.
156
ARTICLE
publication of which would ‘not be merely embarrassing
and painful but deeply shocking to the average person
subjected to such exposure’,83 Haynes’ subjective views
were not the deciding factor in the case. Rather, privacy
disputes in the USA are evaluated considering the views
of an ‘objective third party’, a person with ‘reasonable
sensibilities’.84 In contrast, right to be forgotten erasure
requests involve the data subject’s personal and individual sensibilities.
As Cate and Litan argue, ‘The essential thrust of the
First Amendment is to prohibit improper restraints on
voluntary public expression of ideas; it shields the man
who wants to speak or publish when others wish him to
be quiet’.85 Other factors, however, may influence the
protection afforded by the First Amendment, including
the changing definitions and expectations of ‘privacy’, the
magnitude of the threats posed by too much or too little
privacy protection, and the object of privacy laws and their
impact on expression, commerce, individual behaviour, and
society.86
This approach can be seen to differ drastically from the
EU’s approach, which may enable an individual’s wish to
overpower protections for freedom of speech. Even if
new approaches to privacy arise in the future, the right
to be forgotten clashes fundamentally with First Amendment values, and its application poses an explicit threat
to free speech.
Conclusion
Invoking the right to be forgotten can effectively restrict
freedom of expression by providing additional leverage
to arguments for the protection of reputation. Since the
right to be forgotten is such an amorphous concept,
when employed in the service of guarding one’s reputation, it makes the task of balancing rights even more
complicated.
Search engines and Internet users will continue to
voice disparate concerns about the regulation of personal data. From the perspective of the search engines and
social networking sites that make use of such personal
data, information is not only being shared on the
83 Ibid, at 270.
84 Ibid, at 270, 265.
85 Fred Cate and Robert Litan, ‘Constitutional Issues in Information Privacy’
(2002) 9 Mich Telecomm TechLRev 35, 41.
86 Ibid, at 50.
87 Julia Angwin and Jeremy Singer-Vine, ‘Selling You on Facebook’, Wall
Street Journal (New York, 7 April 2012).
88 Natasha Singer, ‘Mapping, and Sharing, the Consumer Genome’, The
New York Times (New York, 16 June 2012) ,http://www.nytimes.com/
International Data Privacy Law, 2013, Vol. 3, No. 3
websites, but with them.87 This paper analysed whether
the right to be forgotten enshrined in the new EU proposal on data protection offers a legitimate and effective
tool for safeguarding the privacy of users. Owing to the
vagueness of the concept, however, the right to be
forgotten can actually inhibit access to information and
work against freedom of expression.
Individuals’ lack of awareness about the information
collection practices they are subjected to by third-party
data brokers88 points to one of the biggest flaws in effectively implementing the right to be forgotten as a privacy
protection tool: users must have knowledge of and
access to the data controller which will be the target of
their erasure request. There is also the conundrum of
striking a balance between one’s desire to exist in the
online world and the protection of personal data. It may
be worth surrendering a bit of privacy in order to
connect with an old friend, but oftentimes one is not
aware of exactly how much control over one’s privacy
has been given up. The appeal of trading a phone
number for a $5 coffee89 may in a sense be what the
right to be forgotten seeks to shield us from, since
choices that can greatly impact one’s privacy are often
made in a matter of seconds.
The conundrum of existence in the online world,
however, cannot be solved through recourse to the right
to be forgotten in its current form, which raises serious
questions about protecting the right to free expression,
and has been used in the past to enhance individuals’
reputations more so than it has their personal privacy.
Although some companies are seeking to add expiration
meta-tags to information, the impending clash of financial and data interests makes the wide-scale adoption of
these types of technologies doubtful at the moment,
meaning that ‘online memories’ will persevere well into
the future.
Harmonizing laws in privacy and data protection first
requires a consideration of which laws are working and
which are not.90 Though an alluring concept that
appeals to an instinctual wish for certain personal information to be ‘forgotten’, the application of the EU’s proposed regulation should be accompanied by greater
clarification on the different laws that regulate it, as well
2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-databasemarketing.html?smid=pl-share. accessed 8 April 2013.
89 Google Commerce, ‘Attention, coffee lovers: Google Offers to run $5 for
$10 Starbucks deal tomorrow’ (3 April 2012) ,http://googlecommerce.
blogspot.com/2012/04/attention-coffee-lovers-google-offers.html.
accessed 22 February 2013.
90 Fred H. Cate, ‘The Growing Importance (and Irrelevance) of International
Data Protection Law’ (LCIL Snyder Lecture, Cambridge, 2011) ,http://
www.lcil.cam.ac.uk/news/article.php?section=26&article=1581. accessed
8 April 2013.
Muge Fazlioglu . Forget me not
as how it could be harmonized with other existing data
protection laws.
While shifting more responsibility onto data controllers sends a powerful signal about the protection of
users’ fundamental rights, the ambiguities of the right to
be forgotten may produce chilling side effects on access
to information and freedom of expression online. Considering the difficulties in implementing the right to be
forgotten discussed in this paper, for users, the greatest
ARTICLE
157
tool in the struggle to preserve privacy may turn out to
be a greater awareness of the numerous interactions that
occur every day on the Internet. Now may be the right
time to rethink whether it is worth trading one’s privacy
for a cup of coffee, the chance to reconnect with an old
friend, or a world of data.
doi:10.1093/idpl/ipt010
Advance Access Publication 27 May 2013