Right to be forgotten final paper


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Right to be forgotten final paper

  1. 1.  The  EU’s  “right  to  be  forgotten”:  A  first  step  towards  greater  personal  data  protection  Alyah  Khan    SIS  645  International  Communication  &  Cultural  Policy  Summer  2012  EXECUTIVE  SUMMARY  In January 2012, the European Commission proposed a “right to be forgotten” as part of itscomprehensive data protection reform. The right would allow an individual to delete personalinformation online if there are no legitimate grounds for retaining it. The proposed policy wouldgreatly advance users’ rights, but it also presents practical difficulties. In order to achieve its desiredeffect of strengthening personal data control, the policy must be revised to reflect a more limitedscope, well-defined terminology and a clearer delineation of data controllers’ responsibilities. If theseimprovements are made, the EU policy will set a new global standard for the protection of personaldata.  
  2. 2.     Alyah Khan SIS 645-Summer 2012Preface The European Commission proposed an overhaul of its 1995 data protection rules earlierthis year. The comprehensive reform package includes several changes intended to strengthenonline privacy rights and enhance Europe’s digital economy. The reform also aims to unify theenforcement of data protection laws among the European Union’s 27 member states. One of themost controversial provisions of the Commission’s proposed data protection regulation is Article17, the “right to be forgotten and to erasure.” The purpose of this report is to analyze thefeasibility and effectiveness of the “right to be forgotten.” The writings of academic scholars,privacy experts and high-ranking EU officials informed the analysis. This report was conducted on behalf of European Digital Rights (EDRi), aninternational advocacy group headquartered in Brussels, Belgium. EDRi consists of 32 privacyand civil rights organizations based in 20 different European countries. The nonprofit’s goal is toprotect digital civil rights in the information society.Introduction Technology and data processing play a major role in the life of the individual and society.In the coming years, scholars expect that the collection and sharing of personal informationthrough technology will become even more prevalent (Hallinan, Friedewald & McCarthy, 2012).As a result, personal data is considered the “currency of the Internet. It is collected, stored andused in an ever-increasing variety of ways by a countless amount of different users” (Ausloos,2012, p. 143). Further, although some scholars consider privacy a fundamental human right, it isalso referred to as a “moving target” (Friedewald, Wright, Gutwirth & Mordini, 2010, p. 61).Privacy is a difficult concept to define (Solove, 2008). This reality has made data privacy andprotection an inevitable policy battleground in countries around the world. At the forefront of   2  
  3. 3.     Alyah Khan SIS 645-Summer 2012this ongoing debate is the European Union, which considers itself a key player in setting thestandards for personal data protection (Reding, 2011). The EU has a history of strong dataprotection standards, which are bolstered by the European Charter’s “explicit provisionsupholding data protection as a fundamental right” (Rodriguez, 2011). Reform of the EU’s data protection rules has been a topic of discussion for the last fewyears. Near the end of 2010, Viviane Reding, European Commissioner of Justice, FundamentalRights and Citizenship, made a case for the reform. She cited three main trends that pose achallenge to the protection of personal data in the future: “the astounding capabilities of moderntechnologies; the increased globalization of data flows; and access to personal data by lawenforcement authorities that is greater than ever” (Reding, 2011, p. 3). She also acknowledgedthe growing collection and processing of personal data by data controllers, such as searchengines, service providers and social networks. However, data protection rules are often unclearand non-transparent, leaving individuals in the dark about how to maintain control over theirpersonal information. Reding announced the comprehensive (and ambitious) overhaul of the EU’s existing dataprotection rules in January 2012. Speaking in Brussels on January 25, Reding said the following:“The protection of personal data is a fundamental right for all Europeans, but citizens do notalways feel in full control of their personal data. My proposals will build trust in online servicesbecause people will be better informed about their rights and in more control of theirinformation” (European Commission, 2012a). One of the reform’s most hotly contested changes is the “right to be forgotten.” The rightaims to help people better manage their data protection risks online by allowing them the abilityto delete their data (such as photos posted on Facebook, among other types) if there are no“legitimate grounds for retaining it” (European Commission, 2012a). The “right to be forgotten   3  
  4. 4.     Alyah Khan SIS 645-Summer 2012and to erasure” is laid out in Section 3, Article 17 of the European Commission’s proposal for aregulation of the European Parliament and of the Council “on the protection of individuals withregard to the processing of personal data and on the free movement of such data.” The regulationsets out the general legal framework for EU data protection. The Commission’s proposal hasbeen passed on to the European Parliament and the EU member states for discussion. It will takeeffect two years after it has been adopted. This report will focus specifically on the “right to be forgotten” as drafted in the proposedregulation. The report will begin with a brief overview of the policy, followed by an analysis ofits scope and application. Next, the report will examine the concern of some scholars that the“right to be forgotten” threatens freedom of speech. Finally, the report will conclude withrecommendations on how to enhance the policy prior to implementation. Overall, this reportsupports the position that the “right to be forgotten” in its current form is a positive first step butsubstantial revisions to its scope and terminology are required if the policy is to meet its goal ofstrengthening personal data protection online. This position aligns with and builds upon EDRi’sinitial comments on the data protection regulation, which concluded that Article 17 was “notparticularly well drafted” (European Digital Rights, 2012).Policy Overview The “right to be forgotten” is a complex policy. It includes a variety of situations whereerasure is allowed, when exemptions must be made and when data would be restricted, but noterased. The following section provides an overview of the policy’s most noteworthy language. To begin, it helps to understand what information qualifies as “personal data.” The regulationdefines this term very broadly as “any information relating to a data subject.” In terms oferasure, Article 17 of the proposed regulation states, “The data subject shall have the right to obtain from the controller the erasure of personaldata relating to them and the abstention from further dissemination of such data, especially in   4  
  5. 5.     Alyah Khan SIS 645-Summer 2012relation to personal data which are made available by the data (subject) while he or she was achild, where one of the following grounds applies: the data are no longer necessary in relation tothe purposes for which they were collected or otherwise processed; the data subject withdrawsconsent on which the processing is based according to point (a) of Article 6(1), or when thestorage period consented to has expired, and where there is no other legal ground for theprocessing of the data; the data subject objects to the processing of personal data pursuant toArticle 19 (“right to object”); the processing of the data does not comply with this regulation forother reasons” (European Commission, 2012b, p. 51).This section represents the core of the policy. Another important aspect of the policy is the responsibility assigned to data controllers,which the regulation defines as “the natural or legal person, public authority, agency or any otherbody which alone or jointly with others determines the purposes, conditions and means of theprocessing of personal data.” The policy instructs data controllers (such as Google andFacebook) to “take all reasonable steps, including technical measures” to inform third parties thata data subject has requested data be erased (p. 51). This applies to links to the data, as well ascopies or replications of the data. Further, the provision requires the controller to carry out the erasure without delay unlessthe retention of the personal data is necessary, “for exercising the right of freedom of expression”(p. 52). This means that the processing of personal data must be retained if it was carried outsolely for journalistic purposes or the purpose of artistic or literary expression in order to,“reconcile the right to protection of personal data with the rules governing freedom ofexpression” (p. 93). Additionally, the provision calls for controllers to restrict the processing ofpersonal data when the data subject contests its accuracy for a period in order to verify itsaccuracy.Analysis Technology has rapidly evolved in the 17 years since the EU’s 1995 data protection ruleswere adopted. New communication tools, such as online social networks, have drasticallychanged the way people share information about themselves. As stated earlier, personal data is   5  
  6. 6.     Alyah Khan SIS 645-Summer 2012now considered the Internet’s currency. This is certainly true in the EU, where more than half ofEuropeans feel that they must disclose personal information if they want to obtain products orservices. Yet, only 26 percent of social network users and 18 percent of online shoppers feel incomplete control of their data, according to a survey of EU citizens’ attitudes on data protectionand identity released in 2011 (European Commission, 2012c). These findings are unfortunatebecause EU citizens allocate significant importance to data privacy and protection (Hallinan etal., 2012). The implication then is that users’ needs are not being met by the existing dataprotection structure. The “right to be forgotten” policy presents a way for Internet users to regain control oftheir personal information. It is one possible solution to the conundrum of how to protect privacyonline. In other words, the policy is about “empowering the individual, not about erasing pastevents or restricting freedom of the press” (European Commission, 2012c). Whether the policyachieves this goal will be examined in the subsequent sections.Scope and Applicability In theory, the “right to be forgotten” makes a great deal of sense. People are disclosingmore personal information online than ever before and they deserve the right to control theinformation they share. The right allows a data subject the ability to delete information if it is nolonger relevant, if it is inaccurate or if he/she proposes a justified objection. However,implementing the “right to be forgotten” presents obstacles. First, the scope of the proposed policy is incredibly broad, which is likely to makeuniform enforcement across EU member states a challenging task. The “right to be forgotten” isdefined in vague terms and the policy does not reference the types of situations where theenforcement of this policy would be appropriate. The changing nature of technology prevents theCommission from being too specific, but the current language leaves much of the policy open to   6  
  7. 7.     Alyah Khan SIS 645-Summer 2012interpretation. This could cause enforcement discrepancies among countries, potentially to thedetriment of citizens. Additionally, since “personal data” in the policy refers to any information related to adata subject, it seems that national data protection authorities could be flooded with requests forerasure without proper justification. It is unclear, based on the policy in its current form, to whatextent users would have to prove data should be erased. This brings up the issue of the burden ofproof. Koops explained that the right would, “require data subjects to substantiate there arecompelling legitimate grounds to stop data processing, which puts a significant burden of proofon users and leaves large discretionary power with the data controller” (2011, p. 240). The policymistakenly places the onus on the users by not detailing the materials or information required torequest erasure. The policy also does not account for anonymized data, or data that has been stripped ofidentifying information. Ausloos (2012) wrote that, “Many data controllers invoke theanonymization-argument as their major line of defense” (p. 146). The thinking here is that ifpeople cannot recognize their data, how can they request it be erased? It is unclear if such data-mining practices are meant to fall under the scope of this policy. Related to this point are the practical difficulties in applying the policy. Information thathas been cross-posted to multiple sites will be difficult to track down (Ausloos, 2012; Koops,2011). With this in mind, will it be up to the user to ensure that this information is completelyremoved from all of the sites through separate erasure requests? Again, the policy in its currentform fails to address this issue with any clarity. It appears that the policy has, in many ways,overlooked the complexity of the Internet’s interconnected nature. Finally, there is the issue of accountability. According to the policy, data controllers must“take all reasonable steps” to ensure data held by third parties is erased. However, there is no   7  
  8. 8.     Alyah Khan SIS 645-Summer 2012explanation of what constitutes “reasonable steps.” Some data controllers, such as Google, haveexpressed disagreement with the “right to be forgotten” as it is currently articulated. PeterFleischer (2012), Google’s Global Privacy Counsel, argued that the “responsibility for deletingcontent published online should lie with the person or entity who published it” and not searchengines. It might be worthwhile for the Commission to seek the input of data controllers whilerevising the policy. Stakeholder buy-in could improve the effectiveness of the policy overall. Impact on Freedom of Speech One of the biggest concerns experts have about the “right to be forgotten” is its potentialto negatively impact freedom of speech. In fact, Rosen (2012, p. 88) wrote that the policyrepresents the “biggest threat to free speech on the Internet in the coming decade.” EDRi alsotook issue with the policy, although not in such extreme terms, by stating that it could haveserious (if unintended) implications for freedom of speech. The advocacy group added that theprovision must be “carefully drafted to avoid its potential misuse as a tool for censorship”(European Digital Rights, 2012). Despite Hendel’s (2012) reassurance that the media need notfear the “right to be forgotten,” the policy in its current form lacks the specificity needed toprevent undue erasure. Rosen, for example, has argued that the policy could result in a “dramatic clash betweenEuropean and American conceptions of the proper balance between privacy and free speech,leading to a far less open Internet” (2012, p. 88). Werro (2009) similarly recognized thelikelihood of a transatlantic clash over the “right to be forgotten.” Experts have also suggestedthat the fines imposed on data controllers who fail to take action could lead to “deletion inambiguous cases, producing a serious chilling effect” (Rosen, 2012, p. 91). Others scholars havesaid that it is hard to predict what information will be useful in the future. As Ausloos eloquentlystated, “Culture is memory” (2012, p. 146).   8  
  9. 9.     Alyah Khan SIS 645-Summer 2012 These views indicate a number of important issues. First, there is a divide between thepolicy approaches of the U.S. and Europe. Generally, the U.S. applies the Liberal Market Model,whereas the EU applies a Public Service Model in which the state determines citizens’information needs (Venturelli, 2012). The proposed data protection reform and the “right to beforgotten” align with the EU’s historically tougher stance on individual privacy rights. Incomparison, the U.S. has weaker data protection and privacy laws. Although the “right to beforgotten” policy has exemptions related to freedom of expression, the EU seems to believe thatusers’ rights take precedent in certain situations. It is unknown at this point how the EU willenforce the “right to be forgotten” policy and if it will actually impede freedom of speech. Theoutcome of this policy in the EU will likely determine its consideration in other countries, suchas the U.S. As for the suspected “chilling effect,” the Commission can combat this by making theresponsibilities of the data controller less obtuse. Data controllers should have a clear picture ofwhat steps they are required to take and what will happen if those steps are not taken. The cultureissue raised by Ausloos (2012) is far more complicated. The “right to be forgotten” ultimatelyleaves it up to individuals to determine what information they share should remain availableonline. In the most serious circumstances, this could make vital information disappear, breakconnections among people or even alter a part of cultural history. One way to minimize possiblenegative effects is to limit the scope of the policy so that it only applies to data that users haveconsented to, instead of any information related to a data subject.Conclusion The EU’s proposed data protection reform represents an unprecedented step forward forusers’ rights in the information society. At its core, the “right to be forgotten” is aboutstrengthening people’s ability to control their personal information. However, the current draft of   9  
  10. 10.     Alyah Khan SIS 645-Summer 2012the policy must be significantly improved in order to achieve its goal. Based on this report’sanalysis, the policy should be revised in the following ways: i. Limit the scope of the policy so that it applies only to data that users have consented to. ii. Define the right to be forgotten in specific terms by clearly articulating situations where erasure is appropriate. iii. Explain the materials or information (i.e. the proof) required to request erasure. iv. Address the issue of data cross-posted on multiple platforms and whether it is up to users to ensure erasure is carried out to the fullest extent. v. State as explicitly as possible the responsibilities of data controllers (the “reasonable steps”) in terms of fulfilling an erasure request. The Commission should also consider the views of data controllers as revisions are madeto the proposed regulation. By making the suggested revisions and seeking the input of datacontrollers, the policy stands a greater chance of succeeding in the future. If the “right to beforgotten” is effectively implemented across Europe, a new global standard will emerge for theprotection of personal data. The balance of power will shift in favor of individuals. It remains tobe seen whether other countries, such as the U.S., will consider a similar policy.   10  
  11. 11.     Alyah Khan SIS 645-Summer 2012 ReferencesAusloos, J. (2012). The right to be forgotten - Worth remembering? Computer Law and Security Review, (28), 143-152.European Commission (2012a, January 25). Commission proposes a comprehensive reform of data protection rules to increase users control of their data and to cut costs for businesses. Retrieved from http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&age d=0&language=EN&guiLanguage=enEuropean Commission. (2012b). Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). Retrieved from website: http://ec.europa.eu/justice/newsroom/data- protection/news/120125_en.htmEuropean Commission. (2012c). How does the data protection reform strengthen citizens’ rights? Retrieved from website: http://ec.europa.eu/justice/newsroom/data- protection/news/120125_en.htmEuropean Digital Rights (2012, February 1). EDRi’s initial comments on the Data Protection Regulation. Retrieved from http://www.edri.org/edrigram/number10.2/edri-comments- on-data-retentionFleischer, P. (2012, February 16). Our thoughts on the right to be forgotten [Web log message]. Retrieved from http://googlepolicyeurope.blogspot.com/2012/02/our-thoughts-on-right- to-be-forgotten.htmlFriedewald, M., Wright, D., Gutwirth, S., & Mordini, E. (2010). Privacy, data protection and   11  
  12. 12.     Alyah Khan SIS 645-Summer 2012 emerging sciences and technologies: towards a common framework. Innovation – The European Journal of Social Science Research, 23(1), 61-67.Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens’ perceptions of data protection and privacy in Europe. Computer Law and Security Review, (28), 263-272Hendel, J. (2012, January 25). Why journalists shouldnt fear Europes right to be forgotten The Atlantic, Retrieved from http://www.theatlantic.com/technology/archive/2012/01/why- journalists-shouldnt-fear-europes-right-to-be-forgotten/251955/Koops, B. (2011). Forgetting footprints, shunning shadows: A critical analysis of the right to be forgotten in big data practice. SCRIPTed, 8(3), p. 229-256.Reding, V. (2011). The upcoming data protection reform for the European Union. International Data Privacy Law, 1(1), 3-5.Rodriguez, K. (2011, December 22). Data Protection Regulation and the Politics of Interoperability [Web log message]. Retrieved from https://www.eff.org/deeplinks/2011/12/data-protection-regulation-and-politics- interoperabilityRosen, J. (2012). The right to be forgotten. Stanford Law Review, 64, 88-92. Retrieved from http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgottenSolove, D. (2008). Understanding privacy. The George Washington University Law School Public Law and Legal Theory Working Paper No. 420, Retrieved from http://ssrn.com/abstract=1127888Venturelli, S. (2012). Global communication policy models. (PowerPoint, American University).Werro, F. (2009). The right to inform v. the right to be forgotten: A transatlantic clash. Georgetown Public Law Research Paper No. 2. Retrieved from http://ssrn.com/abstract=1401357   12