The Right to be Forgotten

Aleksander WiatrowskiUniversity of Lapland

The Right to be Forgotten


The right of individuals to have their data no longer precessed and

deleted when they are no longer needed for legitimate purpose.

European Commision - Review of the data protection legal framework

Definition


There is a need to introduce a right to be forgotten as new human right. Individuals should have the right to make potentially damaging information disappear after a certain time has elapsed. Such new right, however, can come in conflict with the principle of free speech. Therefore, its scope needs to be evaluated in the light of appropriate data protection rules. Insofar, a more user-centered approach is to be realized. “Delete” can not be a value as such, but must be balanced within a new legal framework.

Rolf H. Weber, The Right to Be Forgotten. More Than a Pandora’s Box?

Right to be Forgotten


- Right to privacy constitutes information that is not publicly known, whereas the right to be forgotten involves removing information that was publicly known at a certain time and not allowing third parties to access the information;

- Limited jurisdiction - inability to require removal of information held by companies outside the jurisdiction;

- No global legal framework to allow individuals control over their online image.

Right to be Fogotten and Right to Privacy


Directive 95/46/EC The data subject’s right of access to dataArticle 12 : Right of access

Member States shall guarantee every data subject the right to obtain from the controller : (…)(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Legal framework


General Data Protection RegulationSection 3: Rectification and erasure

Article 17 provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the obligation of the controller which has made the personal data public to inform third parties on the data subject's request to erase any links to, or copy or replication of that personal data. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking”.

Legal framework


The right to be forgotten would be an empty shell if EU data protection rules were not to apply to non-European companies and to search engines. The proposed data protection Regulation, for the first time, leaves no legal doubt that no matter where the physical server of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rules.

Legal framework


To make the right to be forgotten more effective for individuals, the Commission has proposed reversing the burden of proof: it is for the company - and not the individual - to prove that the data cannot be deleted because it is still needed or it is relevant.

The proposed Data Protection Regulation creates an obligation for a controller who has made the personal data public to take reasonable steps to inform third parties of the fact the individual want the data to be deleted. There is even an obligation for the controller to ensure an erasure of these data. It also adds that individuals have the right to erasure where a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased.

Legal framework


The proposed Data Protection Regulation allows data protection authorities to impose fines of up to 2% of annual worldwide turnover where companies do not respect the rights of citizens, such as the right to be forgotten.

The proposed Data Protection Regulation is also specific as to the reasons of public interest that would justify keeping data online - the limitations of the right to be forgotten. These include the exercise of the right of freedom of expression, the interests of public health as well as cases in which data is processed for historical, statistical and scientific purposes.

Legal framework


*Spanish Data Protection Agency

Timeline:1998: a newspaper in Spain published in its printed edition two announcements concerning a real-estate auction connected with attachment proceedings prompted by social security debts. Later an electronic version of the newspaper was made available online.

2009: Mario González contacted the publisher of the newspaper asserting that, when his name were entered in the Google search engine, a reference appeared to pages of the newspaper with the announcements concerning the real-estate auction.

2010: Mario González contacted Google Spain and requested that the search results should not show any links to the newspaper when his name were entered in the Google search engine. Google Spain forwarded the request to Google Inc., whose registered office is in California, United States.

Mario González subject lodged a complaint with the AEPD.

APED determined that Google should remove or otherwise prevent those results appearing when a search was carried out on the complainant’s name.

Google Spain and Google Inc. brought actions against APED’s decision. Spain’s National High Court referred a number of questions about the interpretation of Directive 95/46/EC to the Court of Justice of the European Union (CJEU).

Google Spain v AEPD* and Mario Costeja González


In summary, the CJEU held that:1. the operator of a search engine processes personal data when it retrieves such

data from crawling the internet and thereafter indexes, temporarily stores, organises and ultimately displays those data to users by way of search results.

2. a search engine operator is a data controller because it “determines the purpose and means of the processing” of the data is collects and deploys and that is the definition of a controller in Art 2(d).

3. Directive 95/46/EC applies to a search engine operator which is owned by an entity located outside the EU if it has a subsidiary in the relevant Member State’s territory which carries out activities which are inextricably linked to the search function.

4. search engines must satisfy the conditions for lawful processing. This means that processing must be necessary for the “legitimate interests” of the data controller or a third party, unless the interests of the data subject override those interests.

5. if the personal data generated by way of search results is no longer relevant, or is excessive with respect to the purpose it was originally processed, the search engine operator must remove them unless retaining the results is otherwise justified.

6. Mario Gonzalez had a right to require the removal of the two webpages from search results on his name.

Google Spain v AEPD and Mario Costeja González


The Court points out that the data subject may address such a request directly to the operator of the search engine (the controller) which must then duly examine its merits. Where the controller does not grant the request, the data subject may bring the matter before the supervisory authority or the judicial authority so that it carries out the necessary checks and orders the controller to take specific measures accordingly.

Google Spain v AEPD and Mario Costeja González


Google:Google, which set up its removal request form in May, said that since the CJEU ruling, it has received over 70,000 take-down requests covering more than 250,000 Web pages.

Microsoft’s Bing:Microsoft does not guarantee removal of links after they are submitted for removal through the form. It will also consider other sources of information to verify or supplement what is provided in the form.The information provided will help the company “consider the balance” between the applicant’s individual privacy interest and the public interest in protecting free expression and the free availability of information, in line with European law.

What about Yahoo!, Duckduckgo, Yandex or Baidu?


The right to be forgotten ruling makes the adoption of the data protection reform more, not less urgent!

The Court ruling and Data Protection reform


US commentators, accused EU regulators of "foggy thinking" inconsistent with fundamental US values (such as freedom of expression and of the press).

“Sometimes, the right to information ought to outweigh the right to privacy. What incentive will there ever be for a journalist to rake muck if the information can simply be taken down upon request?”

Timothy Ryan, The Right To Be Forgotten: Questioning The Nature Of Online Privacy, May 2, 2011

“In the United States, we have a very strong tradition of free speech [and] freedom of expression. We would strongly caution against any interpretation of the right to be forgotten that infringes upon that.”

Justin Brookman, Center for Democracy and Technology, Privacy Project

“Any regulation to keep personal information confidential quickly runs up against other rights, such as free speech, and many privileges, from free Web search to free email.”

L. Gordon Crovitz, Forget Any “Right To Be Forgotten”, Nov. 19, 2010

"Regulators have no reason to dictate one right answer to these balancing acts among interests that consumers are fully capable of making for themselves.”

L. Gordon Crovitz, Get Used To It—The Internet Is Forever, Nov. 10, 2010

US critique


A representative of Facebook, suggested that the EU approach was to “shoot the messenger,” in that the “source of the content” rather than the “places where the content is shared,” should be the focus of any efforts to promote privacy controls.


Sorry, but there’s no online ‘right to be forgotten’

Ann Cavoukian strongly supports rights to protect an individual’s reputation and to guard against illegal and abusive behaviour in cases were illegal defamatory content is posted about data subject, but posit that empowering individuals to demand the removal of links to unflattering, but accurate, information arguably goes far beyond protecting privacy.

Ontario’s Privacy Commissioner Ann Cavoukian:


There is a balance between the right to the protection of personal data and freedom of expression when it comes to the Right to be Forgotten, both in The Court ruling and in the future Data Protection Regulation.

The Right to be Forgotten and freedom of expression and the media


The Right to be Forgotten in NOT a super right:The Court in its judgment did not elevate the right to be forgotten to a “super right” trumping other fundamental rights, such as the freedom of expression or the freedom of the media.

The Court confirmed that the right to get your data erased is not absolute and has clear limits. The request for erasure has to be assessed on a case-by-case basis. It only applies where personal data storage is no longer necessary or is irrelevant for the original purposes of the processing for which the data was collected. Removing irrelevant and outdated links is not tantamount to deleting content.



The Court rule lays within the spirit of the proposed EU Data Protection Regulation:

Empowering individuals to manage their personal data while explicitly protecting the freedom of expression and of the media.

Article 80 of the proposed Regulation includes a specific clause which obliges Member States to pass national legislation to reconcile data protection with the right to freedom of expression, including the processing of data for journalistic purposes. The clause specifically asks for the type of balancing that the Court outlined in its ruling whereas today’s 1995 Directive is silent implying that data protection could rank above freedom of the media. The Commission proposes to strengthen freedom of expression and of the media through the revision of Europe’s data protection rules.



Limited version of the right to be forgotten, for example: children should have the ability to erase information posted improvidently, out of youthful lack of judgment.

Concept of “data minimization” (a form of the right to be forgotten - Data minimization refers to the policy of gathering the least amount of personal information necessary to perform a given function.) has long been a central element of “fair information practices” under various US laws, and could be expanded.

US approach


Case approach, no general provisions. Examples:Melvin v. ReidAny person living a life of rectitude has that right to happiness which includes a freedom from unnecessary attacks on his character, social standing or reputation.

Sidis v. FR Publishing Corp.There are limits to the right to control one's life and facts about oneself, and held that there is social value in published facts, and that a person cannot ignore their celebrity status merely because they want to.

US approach


Who and what deserves to be forgotten?

•The Politician Who Behaved BadlyA former politician seeks to have links removed about his behavior while in office — presumably unflattering behavior.

•The Doctor With Poor ReviewsA physician wants links to a review site removed, again, presumably reviews that aren’t positive.

•The Convicted PedophileA man convicted of having child pornography wants links to information about his conviction expunged.

•The Celebrity Child’s Criminal PastThe child of a celebrity wants news articles about a criminal conviction removed. Presumably, this is an adult child, as articles commonly aren’t written that name minors.

•The Business With Bad ReviewsA company accused of ripping off consumers wants links to forum discussions about this removed.

•The Actor’s AffairAn actor seeks to have articles about an affair with a teenager removed.

•The Attempted MurdererSomeone who tried to murder his family wants a news article about the incident dropped.

•The Suspended University InstructorA university instructor who was suspended wants articles about the action removed.

•The Cyberstalker Seeks PrivacyA convicted cyberstalker named in an article about cyberstalking laws wants a link to it removed.

•The Tax DodgerA tax scammer would like to remove all links to content connecting him to his crime.

Who wants to be forgotten?


Ask NSA and dozen more surveillance agencies,but the unswer is:

What is once put in the Web, will never be forgotten.

PRISM, Tempora, XKeyscore: XKeyscore is the "widest reaching" system for developing intelligence from the Internet. The program gives analysts the ability to search through the entire database of your information without any prior authorization — no warrant, no court clearance, no signature on a dotted line. An analyst must simply complete a simple onscreen form, and seconds later, your online history is no longer private. The agency claims that XKeyscore covers "nearly everything a typical user does on the Internet."

What (probably) will not be forgotten?


Some facts:

• 99,97% of the Internet is inaccessible by standard search engines. It is mostly Deep Web (Invisible Web or Hidden Web): content that is not part of the Surface Web, which is indexed by standard search engines.

• Dark Internet or Lost Web: the Internet that can no longer be accessed through conventional means.

Where the Right to be Forgotten is effective?


• Darknet: any kind of a private network where connections are made only between trusted peers – for example – The Tor Project, and part of it Silk Road.

• Freenet: is a peer-to-peer platform for censorship-resistant communication.

Seeking Privacy and Right to not be Remembered


The NSA has been revealed to mark and consider potential “extremists” all users of the internet anonymizer service Tor.

The FBI is tracking Tor users with spyware.


• Still no legislation

• Based on broad interpretation

• Question of acceptance by companies

• Some risks in what and who can potentially by forgotten

• Mass surveillance as an obstacle

The Bad behind Right to be Forgotten


• Well balanced

• Application to companies located outside of EU

• Broad interpretation of old and outdated Directive

• Proving that Data Protection Regulation is needed

• Approach for data protection

• Complying with the freedom of speech

• Case by case approach

The Good behind Right to be Forgotten


Contact:

Aleksander [email protected]

Documents

The Right to be Forgotten