A “right to be forgotten” coming up?

Posted on 20. April 2013

by Elias Vartio

More than a hundred years ago, in 1890, two American attorneys, Samuel D. Warren and Louis D. Brandeis, proclaimed that a right to privacy is needed to protect individuals from the intrusion of the public into their private lives. Even then, special caution was given to the technological developments of the time, such as the telegram and the camera, by which private matters could easily be documented and spread to the greater public. The reasoning sounds quite similar to that of today, when the need for data protection and the “right to be forgotten” will be discussed and voted upon by the European committee on Civil Liberties, Justice and Home Affairs (LIBE) next Wednesday, the 24th of April.

The developments and societal concerns of the late 19th century and the early 21st century are perhaps not entirely different after all. Again, technological developments – or at least the applications thereof – have revolutionized the way we interact with each other, maintain our friendships and conduct our business. While everything has become much more efficient and convenient, we have also become more vulnerable. Today nearly everyone carries some sort of camera along with him or her, and nearly everyone, at least in the developed world, can easily upload the content online. Funny – but at times embarrassing – images and motion pictures can easily be uploaded to sites such as YouTube or Facebook. The dark side of this development is that while injustices and oppressive governments can be exposed, individuals' reputations and lives can also easily be ruined. A damaging rumour or an image inviting ridicule can easily exclude an individual from being able to fully take part in society. Hence, it is not surprising that the right of an individual to control the information held about him has gained so much importance in the last few years.

Being subjected to public ridicule, cyber-bullying or an angry online mob has on several occasions led to personal tragedies for those getting all the unwanted attention. There are known cases where young people have taken drastic measures in their lives, such as quitting school, attempting suicide or simply excluding themselves from their former lives. Even if a person is unaware of, and hence seemingly unaffected by, (dis)information circulating about him or her, he or she may easily lose many opportunities by not getting a fair judgment in different situations, such as when applying for a job. Cyber-bullying can affect adults, children and adolescents alike. However, it has the potential to be much worse and more devastating than the conventional form of bullying that happens in classrooms, school yards and coffee rooms. Why is this? First of all, the bully can easily remain anonymous and undetected, which lowers the barrier to being nasty and also makes reconciliation between the bully and the victim more difficult. Secondly, what is once posted online has a tendency to stay online. (Even removed webpages or images can often be found by an easy Google search. For better or worse, much of the deleted material can often be found in the search engines' cache memory.) While it has perhaps earlier been possible to isolate the bullying experience to the school or work environment, defamatory material online can potentially reach a very wide audience once it has gone viral. Could the new data directive then be an answer to this problem?

“Perhaps”, “yes” and “no” would all be legitimate answers. The new data directive that will be reviewed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs in the upcoming week has some considerable strengths but also a few quite remarkable challenges. First of all, as discussed above, there is a real and legitimate need to protect individuals from being haunted online. Secondly, as far as I've understood the proposal, the revised directive would not give an individual an uncontested right to remove any disturbing content about him or her online, only a right to have personal data erased from certain internet service providers' databases, hence “the right to be forgotten”. Hence, it would seem that the provision would not jeopardize the freedom of speech by, for instance, granting politicians and persons in power a right to remove articles about former scandals. The following amendment would effectively give a right to be forgotten – at least within the jurisdiction of the EU:

(45a) The right to the protection of personal data is based on the right of the data subject to exert the control over the personal data that are being processed. To this end the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their personal data (…)

While the limitation envisioned on disseminating and storing personal data seems to be both legitimate and proportionate to the aims pursued, one may question whether the new right would really be effective. The proverb of the information age states that what is once posted online stays online. This may, however, start to be less and less true. For instance, in Finland there was a case where images of a suspected telephone thief (who had photographed himself with the stolen phone) were posted on Facebook and shared to thousands of users. Once the phone was found and the problem resolved, the original image of the suspected thief was removed and all the shared images disappeared at once. The lesson of the story is that technology and applications for providing services that take copyright and privacy issues into account are already possible today. Hence, while technology certainly has its limitations, one cannot deny that the political will to protect the privacy of the individual also plays a crucial part.

The other question concerning the effectiveness of data protection is the territorial scope of the regulation. In a global world there are countless examples of internet service users using, for instance, a service provided by a U.S.-based company, which occasionally may have its servers in yet a third country. Which jurisdiction should then apply, and can the internet service providers be persuaded to respect the data protection laws of Europe? There is an interesting precedent from 2011, when the Austrian law student Max Schrems requested Facebook to provide him with all the information that had been collected on him, basing his request on the EU data protection directive. He did then in fact get a CD with a PDF file containing 1222 pages of information about him. Some of the information he received was even content that he thought he had already deleted from the system. Albeit not necessarily easy, it has been possible to access the data collected even under the current legislative framework. But are the right to review the data collected and the right to have it erased two different things? Probably. On the one hand, the data could easily be erased from internet servers within the territorial jurisdiction of the EU. Yet, on the other hand, it still remains to be seen whether global internet service providers genuinely delete the erased content, or whether the information is just made inaccessible from Europe and stored elsewhere. Seeking legal remedies to protect one's online reputation within the U.S. jurisdiction, for instance, could be very difficult, as section 230 of the Communications Decency Act – enacted in the 1990s – provides internet service providers with immunity against civil defamation proceedings.

The main difference between the European perspective and the U.S. perspective on data protection is that while the latter seems to insist that information can be collected unless the individual later prohibits this, the former seems to propose that all information-collecting activities should always require explicit permission from the individual. These discrepancies between the U.S. and EU data protection policies are perhaps the reason why it has even been suggested that the new data protection act would start a trade war between the U.S. and the EU. Furthermore, even if the legal framework could be harmonized between the U.S. and the EU on this issue, this would still leave some 150 jurisdictions providing more potential loopholes. This development could even potentially lead to a situation where “databank paradises”, akin to the tax paradises that trouble many public economies, would be formed in the future. If many international companies do not have any issues with using the loopholes in international taxation, will the situation be any different if there is an interest in exploiting the loopholes of data protection regulation in international private and public law?

Summing it up, while the right to be forgotten might be a weak right in the beginning, it definitely seems to be a first step in the right direction. Outright negative aspects are hard to find; at the moment, for instance, it does not appear to jeopardize the principle of freedom of expression, although this potential risk should always be acknowledged. Enshrining the right to have one's data erased in an EU directive would at the very least give individuals legal tools to claim better privacy from internet service providers. It would level the playing field between the often resourceful public and private organisations on the one hand and ordinary citizens on the other. The more established this norm becomes legally, the better it will also be accounted for when services are created, and there will probably be more privacy-enhancing solutions available to every one of us. While the “right to be forgotten” may be perceived as somewhat weak from the outset, it may nevertheless very well evolve over the years into a stronger norm that has also received more universal recognition. After all, many other basic human rights norms, such as the abolition of slavery, the prohibition of torture and the right to privacy, have all taken decades if not centuries to mature before achieving the status they have today.

A vote on the draft report on “the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD))” by rapporteur Jan Philipp Albrecht is scheduled to be held on Wednesday the 24th of April.