- Campuses :
- Twin Cities
- Crookston
- Duluth
- Morris
- Rochester
- Other Locations
Throughout 2011, a controversial proposal to protect privacy online sparked debate accentuating fundamental differences in European and American attitudes. As both governments entertain legislative proposals aimed at strengthening consumer control of personal information, European Union support for a “right to be forgotten” has strengthened. The right, which purports to grant individuals the freedom to request removal of personal information released on the Internet, would curtail online expression by granting users greater control over their data. Observers on both sides of the Atlantic question the feasibility of such a right in the face of the Internet’s expanding presence in daily life, and fear that this type of legislation could create a “chilling effect” on free expression. (See also “Director’s Note” in the Summer 2011 issue of the Silha Bulletin.)
EU Announces Intent to Pursue “Right to Be Forgotten” Legislation
On Nov. 4, 2010, the European Commission, the European Union’s executive body, released a proposed privacy directive titled “A Comprehensive Approach on Personal Data Protection in the European Union.” Data protection provisions mandated in 1995 will be updated in response to a perceived need for transparency in personal data collection exacerbated by developments in technology and Internet use. The proposal is intended to clarify what the Commission dubbed “the right to be forgotten,” described as “the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes.” This right would give Internet users the ability to unilaterally remove personal data, allowing for complete deletion of social media profiles and photos. The Commission’s proposal can be found at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.
In March 2011, the EU further confirmed the right to be forgotten when Justice Commissioner Viviane Reding referred to it as a “pillar” of individual privacy rights and a necessary component of data protection reform. Speaking to the European Parliament, Reding, though failing to provide specifics, said “I want to explicitly clarify that people shall have the right — and not only the possibility — to withdraw their consent to data processing. The burden of proof should be on data controllers ... [t]hey must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary.”
Reding’s call to action follows a series of warnings she issued to social media giant Facebook in February 2010, reproaching the company’s decision to make user data publicly accessible by default on its website and thus capable of being indexed by search engines. In an effort to make privacy design more integrated into online services and less of an appended afterthought, the proposed laws would make the EU the first jurisdiction to implement a right to be forgotten. Reding has since offered few concrete details on the legislation, though an Aug. 9, 2011 New York Times article reported it was set to be introduced in fall 2011. In the interim, she continues to insist that the right to be forgotten will become a reality. “I cannot accept that individuals have no say over their data once it has been launched into cyberspace,” she stated during a June speech before the British Bankers’ Association at its Data Protection and Privacy Conference.
Conceptual and Practical Restraints On Right to be Forgotten
Although the concept is often presented as a simple solution to a growing concern, the broad grant of power presented by a right to be forgotten presents many problems, among them the difficulty of adequately policing the abundance of information on the Internet, defining “deletion” in a meaningful way, and distinguishing deletion from censorship. Martin Abrams, a policy director at law firm Hunton & Williams’ Centre for Information Policy Leadership, framed the right as “the right not to be observed in the first place,” a proposition he characterized as “absurd” in an interview with The Atlantic for a Feb. 3, 2011 story. The sheer volume of information generated daily on the Internet means that once content is published, it becomes difficult for any individual organization to control. The resources required for an organization to sift through deletion requests would require finding ways to distinguish between legitimate and invalid requests.
Factoring in the question of ownership of the data collected by online sites complicates the task. Google’s Global Privacy Counsel Peter Fleischer illustrated this problem in a post on his blog Privacy…? titled “Foggy Thinking About the Right to Oblivion,” in which he distinguished between deletion of a user’s own content, deletion of a subsequent reposting of the content, and deletion a third-party’s unique discussion of the same content. The first scenario may be easy, but the other two situations present a conflict between privacy rights and freedom of expression. Fleischer’s blog post can be found at http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html.
Some commenters fear the erosion of the ability to hold public officials accountable for misdeeds. In an April 17, 2011 Forbes editorial, Adam Thierer addressed this problem, asking “Could a public figure claim ‘a right to be forgotten’ when a journalist pens an article about them beating their wife or committing corporate fraud?” Rather than “using censorship as a privacy policy,” Thierer recommended encouraging better social norms and increased accountability by online operators. “Teaching our kids smart online hygiene and ‘Netiquette’ is vital,” he wrote. “‘Think before you click’ should be lesson #1.”
However, there has been qualified support for the right even in the United States, particularly in situations involving information posted by or about children. A bill introduced in the United States House of Representatives in May by Rep. Edward Markey (D-Mass.), H.R. 1895, the “Do Not Track Kids Act of 2011,” proposed extending coverage of the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and implementing an “eraser button” giving children and their parents the right to completely opt out and delete information. The legislation would require website operators to “implement mechanisms that permit users of the website, service, or application of the operator to erase or otherwise eliminate content that is publicly available through the website, service, or application and contains or displays personal information of children or minors.”
Beyond the practical difficulties of implementing this kind of right, the basic concept of the right as it has been proposed can be difficult for some to grasp. In a March 18, 2011 column for The Guardian, journalist Tessa Mayes argued there is no basis in European law for the right to be forgotten. “To say there should be a right to be forgotten is to say we can live outside society,” wrote Mayes. “The world is modern and complex, bound by laws, convention and culture.”
European and American Privacy Approaches
The United States and the EU take different approaches to individual privacy rights on the Internet. The two nations agree on general concepts such as designing privacy safeguards into Internet services from the start. However, questions in the United States have largely focused on whether Americans should have the right to subscribe to “do not track” lists in order to prevent marketers from recording user activity and engaging in behavioral advertising. According to a Sept. 28, 2011 story in the Bureau of National Affairs (BNA) Electronic Commerce and Law Report, panelists at the International Association of Privacy Professionals Academy ’11 conference argued that despite the Obama administration’s March 2011 call for a “privacy bill of rights” law and the introduction of several comprehensive privacy framework bills, the 112th Congress is unlikely to pass such legislation. This reflects the traditional approach of the United States Congress, which generally values a balance between the competing concerns of entrepreneurship with data protection. American courts are also hesitant to tighten control on voluntarily disclosed personal information, and have consistently favored the First Amendment’s right to free speech when faced with requests to remove true but unflattering information from publications.
Under United States law, consumer information generally may be kept by companies that process it. This creates an incentive for Internet companies to base their operations in the United States. The clear disconnect between the two cultures has caused some European observers, like Professor Franz Werro of Georgetown University, to find what he characterized in a Feb. 3, 2011 interview with The Atlantic as an American “fetishization” of the constitutional First Amendment right of free speech.
“As a general matter, companies in the United States don’t have to recognize your right to be deleted,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, in an interview for an Aug. 20, 2011 story in The New York Times. “They may choose to accommodate you, but they are not required to.”
The removal practices in place at journalism think tank The Poynter Institute, which is reluctant to modify or redact its own content, illustrate this point. In Bill Mitchell’s March 3, 2011 story, “Removing Content: When to Unring the Bell,” he expressed concern with “the potential erosion of a body of work that others have read and, in some cases, referred to in their own feedback comments posted to the site.”
Mitchell cites as an example the dilemma faced by The New York Times and its Public Editor Clark Hoyt. As newspapers try to push their articles to the top of search engine results, long-buried information takes on a new life. As a result, Mitchell writes, Times editors receive an average of one removal request per day from people complaining that “they are being embarrassed, are worried about losing or not getting jobs, or may be losing customers because of the sudden prominence of old news articles that contain errors or were never followed up.” Though the newspaper takes such requests seriously, it has yet to find a satisfactory solution to the dilemma of deletion or preservation. Mitchell wrote that Poynter itself considers amending or editing a story for accuracy when faced with such requests, but that removal of the original material is “usually among the last alternatives we consider as opposed to the first.”
By contrast, French President Nicolas Sarkozy characterized the European position on the issue in a speech delivered at the French embassy in Vatican City in October 2010 following a meeting with Pope Benedict XVI. Sarkozy declared that correction of “excesses and abuses that come from the total absence of rules” on the Internet to be a “moral imperative.” This sentiment permeates the European population as well, as The New York Times reported in its Aug. 9, 2011 story. A European Union poll found that three-fourths of its respondents were worried about how Internet companies use their information and that 90 percent supported the “right to be forgotten.” Similarly, the Spanish Data Protection Agency reported a 75 percent increase in privacy complaints targeting Internet companies like Facebook and Google from 2009 to 2010.
The European Perspective in Action
Even before the EU announced its intent to pursue the right to be forgotten, European countries enacted legislation attempting to clarify the right, or recognized it without any specific enumeration.
After France’s Secretary of State in Charge of the Digital Economy Nathalie Kosciusko-Morizet campaigned for the right to be forgotten in 2009, the country began implementing its Code of Practice on the Right to Be Forgotten on Social Networks and Search Engines in October 2010. The code of good practice stops short of mandating a total right to be forgotten like that proposed by the EU. Nonetheless, it requires its voluntary adherents, which include social networks, content service providers and search engine operators, to safeguard individuals’ rights to control personal data and respect their choice to wholly opt out of data processing. Search engines must also disclose to individuals at the time their data is stored and indexed. Kosciusko-Morizet contends that such commitments “could be the starting point for a future international agreement.”
In January 2011, the Agencia Española de Protección de Datos(AEPD), Spain’s data protection agency, ordered Google to cease indexing information on 90 citizens who filed complaints requesting removal of their personal information. The dispute came two years after the archives of Spain’s weekly official government gazette, a publication containing information ranging from bankruptcy auctions to criminal pardons, were published online in order to foster transparency. This caused centuries of information once confined to physical documents to become easily accessible through Google’s search engine, forcing individuals to confront potentially damaging or inaccurate information from their past.
According to a Jan. 20, 2011 BBC News story, the AEPD asserted in its orders that Google violated Spain’s right to be forgotten by denying individuals control of their information. Google filed suit challenging the orders in the Spanish National Court in January 2011, but was rebuffed by a Spanish judge. Arguing that its role as a search engine makes it a fundamental part of the information society, Google sought to overturn five adjudications already made in the case by arguing that Spain’s actions violate of freedom of expression. Confronted with possible liability for providing access to materials generated by its others, Google once again argued that its actions classify it as a distributor of the information, rather than a publisher. “Spanish and European law rightly hold the publisher of material responsible for its content,” said Google’s Director of External Relations Peter Barron in a statement prior to its January challenge to the orders in the Spanish National Court. “Requiring intermediaries like search engines to censor material published by others would have a profound chilling effect on free expression without protecting people’s privacy.”
American policymakers urge careful deliberation. “In the United States we have a very strong tradition of free speech freedom of expression. We would strongly caution against any interpretation of the right to be forgotten that infringes upon that,” said Justin Brookman, director of the Center for Democracy and Technology’s Privacy Project to the Associated Press in April 2011.
A final decision on the case could take months or years depending on the appeal process, but Spain remains resolute and intent on meeting the expectations of its citizens. “This is just the beginning, this right to be forgotten, but it’s going to be much more important in the future,” said Artemi Rallo, director of the AEPD. “Google is just 15 years old, the Internet is barely a generation old and they are beginning to detect problems that affect privacy. More and more people are going to see things on the Internet that they don’t want to be there.”
In response, Peter Fleischer argued that targeting search engines is the wrong tactic. “These cases are not about deleting or ‘forgetting’ content, but just about making it harder to find content,” he wrote on his blog. Fleischer argued that holding search engines responsible for infringing content instead of the content’s creators further complicates the dichotomy between privacy and freedom of expression. “There are better ways to protect privacy online, by remembering that it should be the publisher of content who is responsible for it.” The full entry can be found at http://peterfleischer.blogspot.com/2011/09/right-to-be-forgotten-seen-from-spain.html.
– Mikel J. Sporer
Silha Research Assistant
