The document summarizes a report analyzing the European Union's proposed "right to be forgotten" policy. The policy would allow individuals to request the deletion of personal information online if there are no legitimate grounds for retaining it. While strengthening data protection, the policy faces challenges in its broad scope, vague terminology, and lack of clarity around responsibilities. To be effective, the policy requires revisions to narrow its focus, better define key terms, and specify the duties of data controllers with respect to deletion requests. Concerns also exist that the policy could unintentionally curb freedom of expression unless implemented carefully.
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
Right to be forgotten final paper
1.
The
EU’s
“right
to
be
forgotten”:
A
first
step
towards
greater
personal
data
protection
Alyah
Khan
SIS
645
International
Communication
&
Cultural
Policy
Summer
2012
EXECUTIVE
SUMMARY
In January 2012, the European Commission proposed a “right to be forgotten” as part of its
comprehensive data protection reform. The right would allow an individual to delete personal
information online if there are no legitimate grounds for retaining it. The proposed policy would
greatly advance users’ rights, but it also presents practical difficulties. In order to achieve its desired
effect of strengthening personal data control, the policy must be revised to reflect a more limited
scope, well-defined terminology and a clearer delineation of data controllers’ responsibilities. If these
improvements are made, the EU policy will set a new global standard for the protection of personal
data.
2.
Alyah Khan
SIS 645-Summer 2012
Preface
The European Commission proposed an overhaul of its 1995 data protection rules earlier
this year. The comprehensive reform package includes several changes intended to strengthen
online privacy rights and enhance Europe’s digital economy. The reform also aims to unify the
enforcement of data protection laws among the European Union’s 27 member states. One of the
most controversial provisions of the Commission’s proposed data protection regulation is Article
17, the “right to be forgotten and to erasure.” The purpose of this report is to analyze the
feasibility and effectiveness of the “right to be forgotten.” The writings of academic scholars,
privacy experts and high-ranking EU officials informed the analysis.
This report was conducted on behalf of European Digital Rights (EDRi), an
international advocacy group headquartered in Brussels, Belgium. EDRi consists of 32 privacy
and civil rights organizations based in 20 different European countries. The nonprofit’s goal is to
protect digital civil rights in the information society.
Introduction
Technology and data processing play a major role in the life of the individual and society.
In the coming years, scholars expect that the collection and sharing of personal information
through technology will become even more prevalent (Hallinan, Friedewald & McCarthy, 2012).
As a result, personal data is considered the “currency of the Internet. It is collected, stored and
used in an ever-increasing variety of ways by a countless amount of different users” (Ausloos,
2012, p. 143). Further, although some scholars consider privacy a fundamental human right, it is
also referred to as a “moving target” (Friedewald, Wright, Gutwirth & Mordini, 2010, p. 61).
Privacy is a difficult concept to define (Solove, 2008). This reality has made data privacy and
protection an inevitable policy battleground in countries around the world. At the forefront of
2
3.
Alyah Khan
SIS 645-Summer 2012
this ongoing debate is the European Union, which considers itself a key player in setting the
standards for personal data protection (Reding, 2011). The EU has a history of strong data
protection standards, which are bolstered by the European Charter’s “explicit provisions
upholding data protection as a fundamental right” (Rodriguez, 2011).
Reform of the EU’s data protection rules has been a topic of discussion for the last few
years. Near the end of 2010, Viviane Reding, European Commissioner of Justice, Fundamental
Rights and Citizenship, made a case for the reform. She cited three main trends that pose a
challenge to the protection of personal data in the future: “the astounding capabilities of modern
technologies; the increased globalization of data flows; and access to personal data by law
enforcement authorities that is greater than ever” (Reding, 2011, p. 3). She also acknowledged
the growing collection and processing of personal data by data controllers, such as search
engines, service providers and social networks. However, data protection rules are often unclear
and non-transparent, leaving individuals in the dark about how to maintain control over their
personal information.
Reding announced the comprehensive (and ambitious) overhaul of the EU’s existing data
protection rules in January 2012. Speaking in Brussels on January 25, Reding said the following:
“The protection of personal data is a fundamental right for all Europeans, but citizens do not
always feel in full control of their personal data. My proposals will build trust in online services
because people will be better informed about their rights and in more control of their
information” (European Commission, 2012a).
One of the reform’s most hotly contested changes is the “right to be forgotten.” The right
aims to help people better manage their data protection risks online by allowing them the ability
to delete their data (such as photos posted on Facebook, among other types) if there are no
“legitimate grounds for retaining it” (European Commission, 2012a). The “right to be forgotten
3
4.
Alyah Khan
SIS 645-Summer 2012
and to erasure” is laid out in Section 3, Article 17 of the European Commission’s proposal for a
regulation of the European Parliament and of the Council “on the protection of individuals with
regard to the processing of personal data and on the free movement of such data.” The regulation
sets out the general legal framework for EU data protection. The Commission’s proposal has
been passed on to the European Parliament and the EU member states for discussion. It will take
effect two years after it has been adopted.
This report will focus specifically on the “right to be forgotten” as drafted in the proposed
regulation. The report will begin with a brief overview of the policy, followed by an analysis of
its scope and application. Next, the report will examine the concern of some scholars that the
“right to be forgotten” threatens freedom of speech. Finally, the report will conclude with
recommendations on how to enhance the policy prior to implementation. Overall, this report
supports the position that the “right to be forgotten” in its current form is a positive first step but
substantial revisions to its scope and terminology are required if the policy is to meet its goal of
strengthening personal data protection online. This position aligns with and builds upon EDRi’s
initial comments on the data protection regulation, which concluded that Article 17 was “not
particularly well drafted” (European Digital Rights, 2012).
Policy Overview
The “right to be forgotten” is a complex policy. It includes a variety of situations where
erasure is allowed, when exemptions must be made and when data would be restricted, but not
erased. The following section provides an overview of the policy’s most noteworthy language.
To begin, it helps to understand what information qualifies as “personal data.” The regulation
defines this term very broadly as “any information relating to a data subject.” In terms of
erasure, Article 17 of the proposed regulation states,
“The data subject shall have the right to obtain from the controller the erasure of personal
data relating to them and the abstention from further dissemination of such data, especially in
4
5.
Alyah Khan
SIS 645-Summer 2012
relation to personal data which are made available by the data (subject) while he or she was a
child, where one of the following grounds applies: the data are no longer necessary in relation to
the purposes for which they were collected or otherwise processed; the data subject withdraws
consent on which the processing is based according to point (a) of Article 6(1), or when the
storage period consented to has expired, and where there is no other legal ground for the
processing of the data; the data subject objects to the processing of personal data pursuant to
Article 19 (“right to object”); the processing of the data does not comply with this regulation for
other reasons” (European Commission, 2012b, p. 51).
This section represents the core of the policy.
Another important aspect of the policy is the responsibility assigned to data controllers,
which the regulation defines as “the natural or legal person, public authority, agency or any other
body which alone or jointly with others determines the purposes, conditions and means of the
processing of personal data.” The policy instructs data controllers (such as Google and
Facebook) to “take all reasonable steps, including technical measures” to inform third parties that
a data subject has requested data be erased (p. 51). This applies to links to the data, as well as
copies or replications of the data.
Further, the provision requires the controller to carry out the erasure without delay unless
the retention of the personal data is necessary, “for exercising the right of freedom of expression”
(p. 52). This means that the processing of personal data must be retained if it was carried out
solely for journalistic purposes or the purpose of artistic or literary expression in order to,
“reconcile the right to protection of personal data with the rules governing freedom of
expression” (p. 93). Additionally, the provision calls for controllers to restrict the processing of
personal data when the data subject contests its accuracy for a period in order to verify its
accuracy.
Analysis
Technology has rapidly evolved in the 17 years since the EU’s 1995 data protection rules
were adopted. New communication tools, such as online social networks, have drastically
changed the way people share information about themselves. As stated earlier, personal data is
5
6.
Alyah Khan
SIS 645-Summer 2012
now considered the Internet’s currency. This is certainly true in the EU, where more than half of
Europeans feel that they must disclose personal information if they want to obtain products or
services. Yet, only 26 percent of social network users and 18 percent of online shoppers feel in
complete control of their data, according to a survey of EU citizens’ attitudes on data protection
and identity released in 2011 (European Commission, 2012c). These findings are unfortunate
because EU citizens allocate significant importance to data privacy and protection (Hallinan et
al., 2012). The implication then is that users’ needs are not being met by the existing data
protection structure.
The “right to be forgotten” policy presents a way for Internet users to regain control of
their personal information. It is one possible solution to the conundrum of how to protect privacy
online. In other words, the policy is about “empowering the individual, not about erasing past
events or restricting freedom of the press” (European Commission, 2012c). Whether the policy
achieves this goal will be examined in the subsequent sections.
Scope and Applicability
In theory, the “right to be forgotten” makes a great deal of sense. People are disclosing
more personal information online than ever before and they deserve the right to control the
information they share. The right allows a data subject the ability to delete information if it is no
longer relevant, if it is inaccurate or if he/she proposes a justified objection. However,
implementing the “right to be forgotten” presents obstacles.
First, the scope of the proposed policy is incredibly broad, which is likely to make
uniform enforcement across EU member states a challenging task. The “right to be forgotten” is
defined in vague terms and the policy does not reference the types of situations where the
enforcement of this policy would be appropriate. The changing nature of technology prevents the
Commission from being too specific, but the current language leaves much of the policy open to
6
7.
Alyah Khan
SIS 645-Summer 2012
interpretation. This could cause enforcement discrepancies among countries, potentially to the
detriment of citizens.
Additionally, since “personal data” in the policy refers to any information related to a
data subject, it seems that national data protection authorities could be flooded with requests for
erasure without proper justification. It is unclear, based on the policy in its current form, to what
extent users would have to prove data should be erased. This brings up the issue of the burden of
proof. Koops explained that the right would, “require data subjects to substantiate there are
compelling legitimate grounds to stop data processing, which puts a significant burden of proof
on users and leaves large discretionary power with the data controller” (2011, p. 240). The policy
mistakenly places the onus on the users by not detailing the materials or information required to
request erasure.
The policy also does not account for anonymized data, or data that has been stripped of
identifying information. Ausloos (2012) wrote that, “Many data controllers invoke the
anonymization-argument as their major line of defense” (p. 146). The thinking here is that if
people cannot recognize their data, how can they request it be erased? It is unclear if such data-
mining practices are meant to fall under the scope of this policy.
Related to this point are the practical difficulties in applying the policy. Information that
has been cross-posted to multiple sites will be difficult to track down (Ausloos, 2012; Koops,
2011). With this in mind, will it be up to the user to ensure that this information is completely
removed from all of the sites through separate erasure requests? Again, the policy in its current
form fails to address this issue with any clarity. It appears that the policy has, in many ways,
overlooked the complexity of the Internet’s interconnected nature.
Finally, there is the issue of accountability. According to the policy, data controllers must
“take all reasonable steps” to ensure data held by third parties is erased. However, there is no
7
8.
Alyah Khan
SIS 645-Summer 2012
explanation of what constitutes “reasonable steps.” Some data controllers, such as Google, have
expressed disagreement with the “right to be forgotten” as it is currently articulated. Peter
Fleischer (2012), Google’s Global Privacy Counsel, argued that the “responsibility for deleting
content published online should lie with the person or entity who published it” and not search
engines. It might be worthwhile for the Commission to seek the input of data controllers while
revising the policy. Stakeholder buy-in could improve the effectiveness of the policy overall.
Impact on Freedom of Speech
One of the biggest concerns experts have about the “right to be forgotten” is its potential
to negatively impact freedom of speech. In fact, Rosen (2012, p. 88) wrote that the policy
represents the “biggest threat to free speech on the Internet in the coming decade.” EDRi also
took issue with the policy, although not in such extreme terms, by stating that it could have
serious (if unintended) implications for freedom of speech. The advocacy group added that the
provision must be “carefully drafted to avoid its potential misuse as a tool for censorship”
(European Digital Rights, 2012). Despite Hendel’s (2012) reassurance that the media need not
fear the “right to be forgotten,” the policy in its current form lacks the specificity needed to
prevent undue erasure.
Rosen, for example, has argued that the policy could result in a “dramatic clash between
European and American conceptions of the proper balance between privacy and free speech,
leading to a far less open Internet” (2012, p. 88). Werro (2009) similarly recognized the
likelihood of a transatlantic clash over the “right to be forgotten.” Experts have also suggested
that the fines imposed on data controllers who fail to take action could lead to “deletion in
ambiguous cases, producing a serious chilling effect” (Rosen, 2012, p. 91). Others scholars have
said that it is hard to predict what information will be useful in the future. As Ausloos eloquently
stated, “Culture is memory” (2012, p. 146).
8
9.
Alyah Khan
SIS 645-Summer 2012
These views indicate a number of important issues. First, there is a divide between the
policy approaches of the U.S. and Europe. Generally, the U.S. applies the Liberal Market Model,
whereas the EU applies a Public Service Model in which the state determines citizens’
information needs (Venturelli, 2012). The proposed data protection reform and the “right to be
forgotten” align with the EU’s historically tougher stance on individual privacy rights. In
comparison, the U.S. has weaker data protection and privacy laws. Although the “right to be
forgotten” policy has exemptions related to freedom of expression, the EU seems to believe that
users’ rights take precedent in certain situations. It is unknown at this point how the EU will
enforce the “right to be forgotten” policy and if it will actually impede freedom of speech. The
outcome of this policy in the EU will likely determine its consideration in other countries, such
as the U.S.
As for the suspected “chilling effect,” the Commission can combat this by making the
responsibilities of the data controller less obtuse. Data controllers should have a clear picture of
what steps they are required to take and what will happen if those steps are not taken. The culture
issue raised by Ausloos (2012) is far more complicated. The “right to be forgotten” ultimately
leaves it up to individuals to determine what information they share should remain available
online. In the most serious circumstances, this could make vital information disappear, break
connections among people or even alter a part of cultural history. One way to minimize possible
negative effects is to limit the scope of the policy so that it only applies to data that users have
consented to, instead of any information related to a data subject.
Conclusion
The EU’s proposed data protection reform represents an unprecedented step forward for
users’ rights in the information society. At its core, the “right to be forgotten” is about
strengthening people’s ability to control their personal information. However, the current draft of
9
10.
Alyah Khan
SIS 645-Summer 2012
the policy must be significantly improved in order to achieve its goal. Based on this report’s
analysis, the policy should be revised in the following ways:
i. Limit the scope of the policy so that it applies only to data that users have
consented to.
ii. Define the right to be forgotten in specific terms by clearly articulating situations
where erasure is appropriate.
iii. Explain the materials or information (i.e. the proof) required to request erasure.
iv. Address the issue of data cross-posted on multiple platforms and whether it is up
to users to ensure erasure is carried out to the fullest extent.
v. State as explicitly as possible the responsibilities of data controllers (the
“reasonable steps”) in terms of fulfilling an erasure request.
The Commission should also consider the views of data controllers as revisions are made
to the proposed regulation. By making the suggested revisions and seeking the input of data
controllers, the policy stands a greater chance of succeeding in the future. If the “right to be
forgotten” is effectively implemented across Europe, a new global standard will emerge for the
protection of personal data. The balance of power will shift in favor of individuals. It remains to
be seen whether other countries, such as the U.S., will consider a similar policy.
10
11.
Alyah Khan
SIS 645-Summer 2012
References
Ausloos, J. (2012). The 'right to be forgotten' - Worth remembering? Computer Law and Security
Review, (28), 143-152.
European Commission (2012a, January 25). Commission proposes a comprehensive reform of
data protection rules to increase users' control of their data and to cut costs for businesses.
Retrieved from
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&age
d=0&language=EN&guiLanguage=en
European Commission. (2012b). Proposal for a regulation of the European Parliament and of
the Council on the protection of individuals with regard to the processing of personal
data and on the free movement of such data (general data protection regulation).
Retrieved from website: http://ec.europa.eu/justice/newsroom/data-
protection/news/120125_en.htm
European Commission. (2012c). How does the data protection reform strengthen citizens’
rights? Retrieved from website: http://ec.europa.eu/justice/newsroom/data-
protection/news/120125_en.htm
European Digital Rights (2012, February 1). EDRi’s initial comments on the Data Protection
Regulation. Retrieved from http://www.edri.org/edrigram/number10.2/edri-comments-
on-data-retention
Fleischer, P. (2012, February 16). Our thoughts on the right to be forgotten [Web log message].
Retrieved from http://googlepolicyeurope.blogspot.com/2012/02/our-thoughts-on-right-
to-be-forgotten.html
Friedewald, M., Wright, D., Gutwirth, S., & Mordini, E. (2010). Privacy, data protection and
11
12.
Alyah Khan
SIS 645-Summer 2012
emerging sciences and technologies: towards a common framework. Innovation – The
European Journal of Social Science Research, 23(1), 61-67.
Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens’ perceptions of data protection
and privacy in Europe. Computer Law and Security Review, (28), 263-272
Hendel, J. (2012, January 25). Why journalists shouldn't fear Europe's 'right to be forgotten' The
Atlantic, Retrieved from http://www.theatlantic.com/technology/archive/2012/01/why-
journalists-shouldnt-fear-europes-right-to-be-forgotten/251955/
Koops, B. (2011). Forgetting footprints, shunning shadows: A critical analysis of the 'right to be
forgotten' in big data practice. SCRIPTed, 8(3), p. 229-256.
Reding, V. (2011). The upcoming data protection reform for the European Union. International
Data Privacy Law, 1(1), 3-5.
Rodriguez, K. (2011, December 22). Data Protection Regulation and the Politics of
Interoperability [Web log message]. Retrieved from
https://www.eff.org/deeplinks/2011/12/data-protection-regulation-and-politics-
interoperability
Rosen, J. (2012). The right to be forgotten. Stanford Law Review, 64, 88-92. Retrieved from
http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten
Solove, D. (2008). Understanding privacy. The George Washington University Law School
Public Law and Legal Theory Working Paper No. 420, Retrieved from
http://ssrn.com/abstract=1127888
Venturelli, S. (2012). Global communication policy models. (PowerPoint, American University).
Werro, F. (2009). The right to inform v. the right to be forgotten: A transatlantic clash.
Georgetown Public Law Research Paper No. 2. Retrieved from
http://ssrn.com/abstract=1401357
12