Most of us want to be remembered. But, depending on their past, some people want to be forgotten – or at least they want some of their past deeds to be forgotten. But do you have a right to be forgotten? In the United States, the answer is . . . “maybe, depending on where and how old you are.” If you’re in Europe, it appears that there is a growing consensus that the answer is “definitely.”
The cross-continent debate started in 2010, but it has recently heated up. In order to understand the arguments, some background is helpful.
European Union Member States of the EU must implement the current version of the EU’s 1995 Data Protection Directive. Article 12 of the Directive outlines a data subject’s “right of access.”
Member States shall guarantee every data subject the right to obtain from the controller : … (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
The broad implications of this right can only be appreciated in the context of two other inter-related Articles. Under Article 6, the requirement exists that personal data must be:
- (a) processed fairly and lawfully;
- (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
- (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Further, Article 7 provides that, without the data subject’s consent, personal data may be processed only for certain specified reasons, including where “processing is necessary for the performance of a task carried out in the public interest” or “is necessary for the purposes of the legitimate interests pursued by the controller . . . except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection . . . .”
For many years, there has been some idea in Europe that individuals have a right, not only to privacy, but to be forgotten. The idea is that an individual has the right to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” Along these lines, Great Britain enacted the “Rehabilitation of Offenders Act” in 1974. France has long referred to the concept as “the right of oblivion.” The right is different from the right to privacy. The right to privacy relates generally to information that is not publicly known. In contrast, the right to be forgotten generally involves the right to limit access to publicly available information after a certain period of time.
But the existence of such a right under the EU Data Protection Directive had never been decided until 2010, when a Spanish citizen lodged a complaint with the Spanish Data Protection Agency and against a Spanish newspaper, Google Spain, and Google Inc. The citizen complained that an auction notice on his repossessed home showing as a search result on Google unnecessary because the proceedings had been resolved for a number of years. He requested that the newspaper remove or alter its webpages containing the data and that Google Spain or Google Inc. be required to remove the data from Google’s search engine.
The citizen’s case was referred to the Court of Justice of the European Union to resolve three issues: (1) Whether the EU Data Protection Directive applied to search engines such as Google; (2) whether the Directive applied to Google Spain, given that its data processing server was in the United States; and, (3) whether an individual citizen has the right to request that his personal data be removed from a search engine such as Google – in other words, the right to be forgotten. The Court responded in the affirmative to all three questions.
Since the ruling in 2014, Google has implemented a system through which any citizen of any member of the EU may fill out a form and request the URLs containing personal or private information be removed from Google’s website. How Google evaluates such a request is not yet known to the public, although EU regulators released guidelines in November 2014 that Google may now be following. What is known is that Google is not removing results from its non-EU domains such as Google.com. Rather, Google limits link deletions to results shown on its European sub domains, such as Google.fr or Google.co.uk. In addressing questions regarding this practice, Google has explained that it uses the tactic of link removals, as opposed to deleting the information entirely, because it considers the right to be forgotten to be an entirely European concept.
Google’s position has generated great controversy in Europe, and some European officials are trying to flex their muscle in an effort to change Google’s mind. France’s data-privacy regulator, the Commission Nationale de I’Informatique et des Libertes issued an order to Google this month attempting to require Google to honor requests to remove information by removing it from all of its domains. The French Commission did not provide great detail about its ruling but stated it believes that for a search result to truly be forgotten, its removal should extend worldwide. The Commission gave Google 15 days to comply and threatened sanctions should it refuse. Google’s response is certainly an important decision for the U.S. tech giant.
It bears noting that, even in Europe, there is not universal agreement. Since 2012, the European Parliament has been struggling to modernize the EU’s data protection scheme by adopting something to be known as the General Data Protection Regulation. The GDRP’s include, in essence, a codification of the right to be forgotten. But the European Commission, which first proposed a modernization of the Data Protective Directive, cited as primary considerations the fact that the 1995 directive does not consider sufficiently important aspects like globalization and technological developments like social networks and cloud computing.
The tension here is obvious. In the U.S., the right to be forgotten would undoubtedly and very often bump directly into the First Amendment’s protections of free speech and a free press. But whether a U.S. right to be forgotten law would pass constitutional muster is not just a theoretical question. California has already passed a right to be forgotten measure that is limited to minors. California’s law has yet to be challenged constitutionally. There is no question, however, that a decision by a foreign court, half a world away, has caused “the most important right you’ve never heard of” to begin to creep into U.S. law and U.S. boardrooms. How the debate ultimately shakes out – both in Europe and the U.S. – remains to be seen.