Right to be forgotten final paper

The
EU’s
“right
to
be
forgotten”:

A
first
step
towards
greater
personal
data
protection

Alyah
Khan

SIS
645
International
Communication
&
Cultural
Policy

Summer
2012

EXECUTIVE
SUMMARY

In January 2012, the European Commission proposed a “right to be forgotten” as part of its
comprehensive data protection reform. The right would allow an individual to delete personal
information online if there are no legitimate grounds for retaining it. The proposed policy would
greatly advance users’ rights, but it also presents practical difficulties. In order to achieve its desired
effect of strengthening personal data control, the policy must be revised to reflect a more limited
scope, well-defined terminology and a clearer delineation of data controllers’ responsibilities. If these
improvements are made, the EU policy will set a new global standard for the protection of personal
data.

Alyah Khan
SIS 645-Summer 2012

Preface

The European Commission proposed an overhaul of its 1995 data protection rules earlier

this year. The comprehensive reform package includes several changes intended to strengthen

online privacy rights and enhance Europe’s digital economy. The reform also aims to unify the

enforcement of data protection laws among the European Union’s 27 member states. One of the

most controversial provisions of the Commission’s proposed data protection regulation is Article

17, the “right to be forgotten and to erasure.” The purpose of this report is to analyze the

feasibility and effectiveness of the “right to be forgotten.” The writings of academic scholars,

privacy experts and high-ranking EU officials informed the analysis.

This report was conducted on behalf of European Digital Rights (EDRi), an

international advocacy group headquartered in Brussels, Belgium. EDRi consists of 32 privacy

and civil rights organizations based in 20 different European countries. The nonprofit’s goal is to

protect digital civil rights in the information society.

Introduction

Technology and data processing play a major role in the life of the individual and society.

In the coming years, scholars expect that the collection and sharing of personal information

through technology will become even more prevalent (Hallinan, Friedewald & McCarthy, 2012).

As a result, personal data is considered the “currency of the Internet. It is collected, stored and

used in an ever-increasing variety of ways by a countless amount of different users” (Ausloos,

2012, p. 143). Further, although some scholars consider privacy a fundamental human right, it is

also referred to as a “moving target” (Friedewald, Wright, Gutwirth & Mordini, 2010, p. 61).

Privacy is a difficult concept to define (Solove, 2008). This reality has made data privacy and

protection an inevitable policy battleground in countries around the world. At the forefront of

2

Alyah Khan
SIS 645-Summer 2012
this ongoing debate is the European Union, which considers itself a key player in setting the

standards for personal data protection (Reding, 2011). The EU has a history of strong data

protection standards, which are bolstered by the European Charter’s “explicit provisions

upholding data protection as a fundamental right” (Rodriguez, 2011).

Reform of the EU’s data protection rules has been a topic of discussion for the last few

years. Near the end of 2010, Viviane Reding, European Commissioner of Justice, Fundamental

Rights and Citizenship, made a case for the reform. She cited three main trends that pose a

challenge to the protection of personal data in the future: “the astounding capabilities of modern

technologies; the increased globalization of data flows; and access to personal data by law

enforcement authorities that is greater than ever” (Reding, 2011, p. 3). She also acknowledged

the growing collection and processing of personal data by data controllers, such as search

engines, service providers and social networks. However, data protection rules are often unclear

and non-transparent, leaving individuals in the dark about how to maintain control over their

personal information.

Reding announced the comprehensive (and ambitious) overhaul of the EU’s existing data

protection rules in January 2012. Speaking in Brussels on January 25, Reding said the following:

“The protection of personal data is a fundamental right for all Europeans, but citizens do not

always feel in full control of their personal data. My proposals will build trust in online services

because people will be better informed about their rights and in more control of their

information” (European Commission, 2012a).

One of the reform’s most hotly contested changes is the “right to be forgotten.” The right

aims to help people better manage their data protection risks online by allowing them the ability

to delete their data (such as photos posted on Facebook, among other types) if there are no

“legitimate grounds for retaining it” (European Commission, 2012a). The “right to be forgotten

3

Alyah Khan
SIS 645-Summer 2012
and to erasure” is laid out in Section 3, Article 17 of the European Commission’s proposal for a

regulation of the European Parliament and of the Council “on the protection of individuals with

regard to the processing of personal data and on the free movement of such data.” The regulation

sets out the general legal framework for EU data protection. The Commission’s proposal has

been passed on to the European Parliament and the EU member states for discussion. It will take

effect two years after it has been adopted.

This report will focus specifically on the “right to be forgotten” as drafted in the proposed

regulation. The report will begin with a brief overview of the policy, followed by an analysis of

its scope and application. Next, the report will examine the concern of some scholars that the

“right to be forgotten” threatens freedom of speech. Finally, the report will conclude with

recommendations on how to enhance the policy prior to implementation. Overall, this report

supports the position that the “right to be forgotten” in its current form is a positive first step but

substantial revisions to its scope and terminology are required if the policy is to meet its goal of

strengthening personal data protection online. This position aligns with and builds upon EDRi’s

initial comments on the data protection regulation, which concluded that Article 17 was “not

particularly well drafted” (European Digital Rights, 2012).

Policy Overview

The “right to be forgotten” is a complex policy. It includes a variety of situations where

erasure is allowed, when exemptions must be made and when data would be restricted, but not

erased. The following section provides an overview of the policy’s most noteworthy language.

To begin, it helps to understand what information qualifies as “personal data.” The regulation

defines this term very broadly as “any information relating to a data subject.” In terms of

erasure, Article 17 of the proposed regulation states,

“The data subject shall have the right to obtain from the controller the erasure of personal
data relating to them and the abstention from further dissemination of such data, especially in

4

Alyah Khan
SIS 645-Summer 2012
relation to personal data which are made available by the data (subject) while he or she was a
child, where one of the following grounds applies: the data are no longer necessary in relation to
the purposes for which they were collected or otherwise processed; the data subject withdraws
consent on which the processing is based according to point (a) of Article 6(1), or when the
storage period consented to has expired, and where there is no other legal ground for the
processing of the data; the data subject objects to the processing of personal data pursuant to
Article 19 (“right to object”); the processing of the data does not comply with this regulation for
other reasons” (European Commission, 2012b, p. 51).

This section represents the core of the policy.

Another important aspect of the policy is the responsibility assigned to data controllers,

which the regulation defines as “the natural or legal person, public authority, agency or any other

body which alone or jointly with others determines the purposes, conditions and means of the

processing of personal data.” The policy instructs data controllers (such as Google and

Facebook) to “take all reasonable steps, including technical measures” to inform third parties that

a data subject has requested data be erased (p. 51). This applies to links to the data, as well as

copies or replications of the data.

Further, the provision requires the controller to carry out the erasure without delay unless

the retention of the personal data is necessary, “for exercising the right of freedom of expression”

(p. 52). This means that the processing of personal data must be retained if it was carried out

solely for journalistic purposes or the purpose of artistic or literary expression in order to,

“reconcile the right to protection of personal data with the rules governing freedom of

expression” (p. 93). Additionally, the provision calls for controllers to restrict the processing of

personal data when the data subject contests its accuracy for a period in order to verify its

accuracy.

Analysis

Technology has rapidly evolved in the 17 years since the EU’s 1995 data protection rules

were adopted. New communication tools, such as online social networks, have drastically

changed the way people share information about themselves. As stated earlier, personal data is

5

Alyah Khan
SIS 645-Summer 2012
now considered the Internet’s currency. This is certainly true in the EU, where more than half of

Europeans feel that they must disclose personal information if they want to obtain products or

services. Yet, only 26 percent of social network users and 18 percent of online shoppers feel in

complete control of their data, according to a survey of EU citizens’ attitudes on data protection

and identity released in 2011 (European Commission, 2012c). These findings are unfortunate

because EU citizens allocate significant importance to data privacy and protection (Hallinan et

al., 2012). The implication then is that users’ needs are not being met by the existing data

protection structure.

The “right to be forgotten” policy presents a way for Internet users to regain control of

their personal information. It is one possible solution to the conundrum of how to protect privacy

online. In other words, the policy is about “empowering the individual, not about erasing past

events or restricting freedom of the press” (European Commission, 2012c). Whether the policy

achieves this goal will be examined in the subsequent sections.

Scope and Applicability

In theory, the “right to be forgotten” makes a great deal of sense. People are disclosing

more personal information online than ever before and they deserve the right to control the

information they share. The right allows a data subject the ability to delete information if it is no

longer relevant, if it is inaccurate or if he/she proposes a justified objection. However,

implementing the “right to be forgotten” presents obstacles.

First, the scope of the proposed policy is incredibly broad, which is likely to make

uniform enforcement across EU member states a challenging task. The “right to be forgotten” is

defined in vague terms and the policy does not reference the types of situations where the

enforcement of this policy would be appropriate. The changing nature of technology prevents the

Commission from being too specific, but the current language leaves much of the policy open to

6

Alyah Khan
SIS 645-Summer 2012
interpretation. This could cause enforcement discrepancies among countries, potentially to the

detriment of citizens.

Additionally, since “personal data” in the policy refers to any information related to a

data subject, it seems that national data protection authorities could be flooded with requests for

erasure without proper justification. It is unclear, based on the policy in its current form, to what

extent users would have to prove data should be erased. This brings up the issue of the burden of

proof. Koops explained that the right would, “require data subjects to substantiate there are

compelling legitimate grounds to stop data processing, which puts a significant burden of proof

on users and leaves large discretionary power with the data controller” (2011, p. 240). The policy

mistakenly places the onus on the users by not detailing the materials or information required to

request erasure.

The policy also does not account for anonymized data, or data that has been stripped of

identifying information. Ausloos (2012) wrote that, “Many data controllers invoke the

anonymization-argument as their major line of defense” (p. 146). The thinking here is that if

people cannot recognize their data, how can they request it be erased? It is unclear if such data-

mining practices are meant to fall under the scope of this policy.

Related to this point are the practical difficulties in applying the policy. Information that

has been cross-posted to multiple sites will be difficult to track down (Ausloos, 2012; Koops,

2011). With this in mind, will it be up to the user to ensure that this information is completely

removed from all of the sites through separate erasure requests? Again, the policy in its current

form fails to address this issue with any clarity. It appears that the policy has, in many ways,

overlooked the complexity of the Internet’s interconnected nature.

Finally, there is the issue of accountability. According to the policy, data controllers must

“take all reasonable steps” to ensure data held by third parties is erased. However, there is no

7

Alyah Khan
SIS 645-Summer 2012
explanation of what constitutes “reasonable steps.” Some data controllers, such as Google, have

expressed disagreement with the “right to be forgotten” as it is currently articulated. Peter

Fleischer (2012), Google’s Global Privacy Counsel, argued that the “responsibility for deleting

content published online should lie with the person or entity who published it” and not search

engines. It might be worthwhile for the Commission to seek the input of data controllers while

revising the policy. Stakeholder buy-in could improve the effectiveness of the policy overall.

Impact on Freedom of Speech

One of the biggest concerns experts have about the “right to be forgotten” is its potential

to negatively impact freedom of speech. In fact, Rosen (2012, p. 88) wrote that the policy

represents the “biggest threat to free speech on the Internet in the coming decade.” EDRi also

took issue with the policy, although not in such extreme terms, by stating that it could have

serious (if unintended) implications for freedom of speech. The advocacy group added that the

provision must be “carefully drafted to avoid its potential misuse as a tool for censorship”

(European Digital Rights, 2012). Despite Hendel’s (2012) reassurance that the media need not

fear the “right to be forgotten,” the policy in its current form lacks the specificity needed to

prevent undue erasure.

Rosen, for example, has argued that the policy could result in a “dramatic clash between

European and American conceptions of the proper balance between privacy and free speech,

leading to a far less open Internet” (2012, p. 88). Werro (2009) similarly recognized the

likelihood of a transatlantic clash over the “right to be forgotten.” Experts have also suggested

that the fines imposed on data controllers who fail to take action could lead to “deletion in

ambiguous cases, producing a serious chilling effect” (Rosen, 2012, p. 91). Others scholars have

said that it is hard to predict what information will be useful in the future. As Ausloos eloquently

stated, “Culture is memory” (2012, p. 146).

8

Alyah Khan
SIS 645-Summer 2012
These views indicate a number of important issues. First, there is a divide between the

policy approaches of the U.S. and Europe. Generally, the U.S. applies the Liberal Market Model,

whereas the EU applies a Public Service Model in which the state determines citizens’

information needs (Venturelli, 2012). The proposed data protection reform and the “right to be

forgotten” align with the EU’s historically tougher stance on individual privacy rights. In

comparison, the U.S. has weaker data protection and privacy laws. Although the “right to be

forgotten” policy has exemptions related to freedom of expression, the EU seems to believe that

users’ rights take precedent in certain situations. It is unknown at this point how the EU will

enforce the “right to be forgotten” policy and if it will actually impede freedom of speech. The

outcome of this policy in the EU will likely determine its consideration in other countries, such

as the U.S.

As for the suspected “chilling effect,” the Commission can combat this by making the

responsibilities of the data controller less obtuse. Data controllers should have a clear picture of

what steps they are required to take and what will happen if those steps are not taken. The culture

issue raised by Ausloos (2012) is far more complicated. The “right to be forgotten” ultimately

leaves it up to individuals to determine what information they share should remain available

online. In the most serious circumstances, this could make vital information disappear, break

connections among people or even alter a part of cultural history. One way to minimize possible

negative effects is to limit the scope of the policy so that it only applies to data that users have

consented to, instead of any information related to a data subject.

Conclusion

The EU’s proposed data protection reform represents an unprecedented step forward for

users’ rights in the information society. At its core, the “right to be forgotten” is about

strengthening people’s ability to control their personal information. However, the current draft of

9

Alyah Khan
SIS 645-Summer 2012
the policy must be significantly improved in order to achieve its goal. Based on this report’s

analysis, the policy should be revised in the following ways:

i. Limit the scope of the policy so that it applies only to data that users have

consented to.

ii. Define the right to be forgotten in specific terms by clearly articulating situations

where erasure is appropriate.

iii. Explain the materials or information (i.e. the proof) required to request erasure.

iv. Address the issue of data cross-posted on multiple platforms and whether it is up

to users to ensure erasure is carried out to the fullest extent.

v. State as explicitly as possible the responsibilities of data controllers (the

“reasonable steps”) in terms of fulfilling an erasure request.

The Commission should also consider the views of data controllers as revisions are made

to the proposed regulation. By making the suggested revisions and seeking the input of data

controllers, the policy stands a greater chance of succeeding in the future. If the “right to be

forgotten” is effectively implemented across Europe, a new global standard will emerge for the

protection of personal data. The balance of power will shift in favor of individuals. It remains to

be seen whether other countries, such as the U.S., will consider a similar policy.

10

Alyah Khan
SIS 645-Summer 2012
References

Ausloos, J. (2012). The 'right to be forgotten' - Worth remembering? Computer Law and Security

Review, (28), 143-152.

European Commission (2012a, January 25). Commission proposes a comprehensive reform of

data protection rules to increase users' control of their data and to cut costs for businesses.

Retrieved from

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&age

d=0&language=EN&guiLanguage=en

European Commission. (2012b). Proposal for a regulation of the European Parliament and of

the Council on the protection of individuals with regard to the processing of personal

data and on the free movement of such data (general data protection regulation).

Retrieved from website: http://ec.europa.eu/justice/newsroom/data-

protection/news/120125_en.htm

European Commission. (2012c). How does the data protection reform strengthen citizens’

rights? Retrieved from website: http://ec.europa.eu/justice/newsroom/data-

protection/news/120125_en.htm

European Digital Rights (2012, February 1). EDRi’s initial comments on the Data Protection

Regulation. Retrieved from http://www.edri.org/edrigram/number10.2/edri-comments-

on-data-retention

Fleischer, P. (2012, February 16). Our thoughts on the right to be forgotten [Web log message].

Retrieved from http://googlepolicyeurope.blogspot.com/2012/02/our-thoughts-on-right-

to-be-forgotten.html

Friedewald, M., Wright, D., Gutwirth, S., & Mordini, E. (2010). Privacy, data protection and

11

Alyah Khan
SIS 645-Summer 2012
emerging sciences and technologies: towards a common framework. Innovation – The

European Journal of Social Science Research, 23(1), 61-67.

Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens’ perceptions of data protection

and privacy in Europe. Computer Law and Security Review, (28), 263-272

Hendel, J. (2012, January 25). Why journalists shouldn't fear Europe's 'right to be forgotten' The

Atlantic, Retrieved from http://www.theatlantic.com/technology/archive/2012/01/why-

journalists-shouldnt-fear-europes-right-to-be-forgotten/251955/

Koops, B. (2011). Forgetting footprints, shunning shadows: A critical analysis of the 'right to be

forgotten' in big data practice. SCRIPTed, 8(3), p. 229-256.

Reding, V. (2011). The upcoming data protection reform for the European Union. International

Data Privacy Law, 1(1), 3-5.

Rodriguez, K. (2011, December 22). Data Protection Regulation and the Politics of

Interoperability [Web log message]. Retrieved from

https://www.eff.org/deeplinks/2011/12/data-protection-regulation-and-politics-

interoperability

Rosen, J. (2012). The right to be forgotten. Stanford Law Review, 64, 88-92. Retrieved from

http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten

Solove, D. (2008). Understanding privacy. The George Washington University Law School

Public Law and Legal Theory Working Paper No. 420, Retrieved from

http://ssrn.com/abstract=1127888

Venturelli, S. (2012). Global communication policy models. (PowerPoint, American University).

Werro, F. (2009). The right to inform v. the right to be forgotten: A transatlantic clash.

Georgetown Public Law Research Paper No. 2. Retrieved from

http://ssrn.com/abstract=1401357

12

Right to be forgotten final paper

More Related Content

What's hot

Similar to Right to be forgotten final paper

Right to be forgotten final paper