SlideShare a Scribd company logo

Right to be forgotten final paper

R
reporter1120

The document summarizes a report analyzing the European Union's proposed "right to be forgotten" policy. The policy would allow individuals to request the deletion of personal information online if there are no legitimate grounds for retaining it. While strengthening data protection, the policy faces challenges in its broad scope, vague terminology, and lack of clarity around responsibilities. To be effective, the policy requires revisions to narrow its focus, better define key terms, and specify the duties of data controllers with respect to deletion requests. Concerns also exist that the policy could unintentionally curb freedom of expression unless implemented carefully.

1 of 12
  The  EU’s  “right  to  be  forgotten”:   A  first  step  towards  greater  personal  data  protection   Alyah  Khan     SIS  645  International  Communication  &  Cultural  Policy   Summer  2012   EXECUTIVE  SUMMARY   In January 2012, the European Commission proposed a “right to be forgotten” as part of its comprehensive data protection reform. The right would allow an individual to delete personal information online if there are no legitimate grounds for retaining it. The proposed policy would greatly advance users’ rights, but it also presents practical difficulties. In order to achieve its desired effect of strengthening personal data control, the policy must be revised to reflect a more limited scope, well-defined terminology and a clearer delineation of data controllers’ responsibilities. If these improvements are made, the EU policy will set a new global standard for the protection of personal data.  
    Alyah Khan SIS 645-Summer 2012 Preface The European Commission proposed an overhaul of its 1995 data protection rules earlier this year. The comprehensive reform package includes several changes intended to strengthen online privacy rights and enhance Europe’s digital economy. The reform also aims to unify the enforcement of data protection laws among the European Union’s 27 member states. One of the most controversial provisions of the Commission’s proposed data protection regulation is Article 17, the “right to be forgotten and to erasure.” The purpose of this report is to analyze the feasibility and effectiveness of the “right to be forgotten.” The writings of academic scholars, privacy experts and high-ranking EU officials informed the analysis. This report was conducted on behalf of European Digital Rights (EDRi), an international advocacy group headquartered in Brussels, Belgium. EDRi consists of 32 privacy and civil rights organizations based in 20 different European countries. The nonprofit’s goal is to protect digital civil rights in the information society. Introduction Technology and data processing play a major role in the life of the individual and society. In the coming years, scholars expect that the collection and sharing of personal information through technology will become even more prevalent (Hallinan, Friedewald & McCarthy, 2012). As a result, personal data is considered the “currency of the Internet. It is collected, stored and used in an ever-increasing variety of ways by a countless amount of different users” (Ausloos, 2012, p. 143). Further, although some scholars consider privacy a fundamental human right, it is also referred to as a “moving target” (Friedewald, Wright, Gutwirth & Mordini, 2010, p. 61). Privacy is a difficult concept to define (Solove, 2008). This reality has made data privacy and protection an inevitable policy battleground in countries around the world. At the forefront of   2  
    Alyah Khan SIS 645-Summer 2012 this ongoing debate is the European Union, which considers itself a key player in setting the standards for personal data protection (Reding, 2011). The EU has a history of strong data protection standards, which are bolstered by the European Charter’s “explicit provisions upholding data protection as a fundamental right” (Rodriguez, 2011). Reform of the EU’s data protection rules has been a topic of discussion for the last few years. Near the end of 2010, Viviane Reding, European Commissioner of Justice, Fundamental Rights and Citizenship, made a case for the reform. She cited three main trends that pose a challenge to the protection of personal data in the future: “the astounding capabilities of modern technologies; the increased globalization of data flows; and access to personal data by law enforcement authorities that is greater than ever” (Reding, 2011, p. 3). She also acknowledged the growing collection and processing of personal data by data controllers, such as search engines, service providers and social networks. However, data protection rules are often unclear and non-transparent, leaving individuals in the dark about how to maintain control over their personal information. Reding announced the comprehensive (and ambitious) overhaul of the EU’s existing data protection rules in January 2012. Speaking in Brussels on January 25, Reding said the following: “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will build trust in online services because people will be better informed about their rights and in more control of their information” (European Commission, 2012a). One of the reform’s most hotly contested changes is the “right to be forgotten.” The right aims to help people better manage their data protection risks online by allowing them the ability to delete their data (such as photos posted on Facebook, among other types) if there are no “legitimate grounds for retaining it” (European Commission, 2012a). The “right to be forgotten   3  
    Alyah Khan SIS 645-Summer 2012 and to erasure” is laid out in Section 3, Article 17 of the European Commission’s proposal for a regulation of the European Parliament and of the Council “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The regulation sets out the general legal framework for EU data protection. The Commission’s proposal has been passed on to the European Parliament and the EU member states for discussion. It will take effect two years after it has been adopted. This report will focus specifically on the “right to be forgotten” as drafted in the proposed regulation. The report will begin with a brief overview of the policy, followed by an analysis of its scope and application. Next, the report will examine the concern of some scholars that the “right to be forgotten” threatens freedom of speech. Finally, the report will conclude with recommendations on how to enhance the policy prior to implementation. Overall, this report supports the position that the “right to be forgotten” in its current form is a positive first step but substantial revisions to its scope and terminology are required if the policy is to meet its goal of strengthening personal data protection online. This position aligns with and builds upon EDRi’s initial comments on the data protection regulation, which concluded that Article 17 was “not particularly well drafted” (European Digital Rights, 2012). Policy Overview The “right to be forgotten” is a complex policy. It includes a variety of situations where erasure is allowed, when exemptions must be made and when data would be restricted, but not erased. The following section provides an overview of the policy’s most noteworthy language. To begin, it helps to understand what information qualifies as “personal data.” The regulation defines this term very broadly as “any information relating to a data subject.” In terms of erasure, Article 17 of the proposed regulation states, “The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in   4  
    Alyah Khan SIS 645-Summer 2012 relation to personal data which are made available by the data (subject) while he or she was a child, where one of the following grounds applies: the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; the data subject objects to the processing of personal data pursuant to Article 19 (“right to object”); the processing of the data does not comply with this regulation for other reasons” (European Commission, 2012b, p. 51). This section represents the core of the policy. Another important aspect of the policy is the responsibility assigned to data controllers, which the regulation defines as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data.” The policy instructs data controllers (such as Google and Facebook) to “take all reasonable steps, including technical measures” to inform third parties that a data subject has requested data be erased (p. 51). This applies to links to the data, as well as copies or replications of the data. Further, the provision requires the controller to carry out the erasure without delay unless the retention of the personal data is necessary, “for exercising the right of freedom of expression” (p. 52). This means that the processing of personal data must be retained if it was carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to, “reconcile the right to protection of personal data with the rules governing freedom of expression” (p. 93). Additionally, the provision calls for controllers to restrict the processing of personal data when the data subject contests its accuracy for a period in order to verify its accuracy. Analysis Technology has rapidly evolved in the 17 years since the EU’s 1995 data protection rules were adopted. New communication tools, such as online social networks, have drastically changed the way people share information about themselves. As stated earlier, personal data is   5  
    Alyah Khan SIS 645-Summer 2012 now considered the Internet’s currency. This is certainly true in the EU, where more than half of Europeans feel that they must disclose personal information if they want to obtain products or services. Yet, only 26 percent of social network users and 18 percent of online shoppers feel in complete control of their data, according to a survey of EU citizens’ attitudes on data protection and identity released in 2011 (European Commission, 2012c). These findings are unfortunate because EU citizens allocate significant importance to data privacy and protection (Hallinan et al., 2012). The implication then is that users’ needs are not being met by the existing data protection structure. The “right to be forgotten” policy presents a way for Internet users to regain control of their personal information. It is one possible solution to the conundrum of how to protect privacy online. In other words, the policy is about “empowering the individual, not about erasing past events or restricting freedom of the press” (European Commission, 2012c). Whether the policy achieves this goal will be examined in the subsequent sections. Scope and Applicability In theory, the “right to be forgotten” makes a great deal of sense. People are disclosing more personal information online than ever before and they deserve the right to control the information they share. The right allows a data subject the ability to delete information if it is no longer relevant, if it is inaccurate or if he/she proposes a justified objection. However, implementing the “right to be forgotten” presents obstacles. First, the scope of the proposed policy is incredibly broad, which is likely to make uniform enforcement across EU member states a challenging task. The “right to be forgotten” is defined in vague terms and the policy does not reference the types of situations where the enforcement of this policy would be appropriate. The changing nature of technology prevents the Commission from being too specific, but the current language leaves much of the policy open to   6  
    Alyah Khan SIS 645-Summer 2012 interpretation. This could cause enforcement discrepancies among countries, potentially to the detriment of citizens. Additionally, since “personal data” in the policy refers to any information related to a data subject, it seems that national data protection authorities could be flooded with requests for erasure without proper justification. It is unclear, based on the policy in its current form, to what extent users would have to prove data should be erased. This brings up the issue of the burden of proof. Koops explained that the right would, “require data subjects to substantiate there are compelling legitimate grounds to stop data processing, which puts a significant burden of proof on users and leaves large discretionary power with the data controller” (2011, p. 240). The policy mistakenly places the onus on the users by not detailing the materials or information required to request erasure. The policy also does not account for anonymized data, or data that has been stripped of identifying information. Ausloos (2012) wrote that, “Many data controllers invoke the anonymization-argument as their major line of defense” (p. 146). The thinking here is that if people cannot recognize their data, how can they request it be erased? It is unclear if such data- mining practices are meant to fall under the scope of this policy. Related to this point are the practical difficulties in applying the policy. Information that has been cross-posted to multiple sites will be difficult to track down (Ausloos, 2012; Koops, 2011). With this in mind, will it be up to the user to ensure that this information is completely removed from all of the sites through separate erasure requests? Again, the policy in its current form fails to address this issue with any clarity. It appears that the policy has, in many ways, overlooked the complexity of the Internet’s interconnected nature. Finally, there is the issue of accountability. According to the policy, data controllers must “take all reasonable steps” to ensure data held by third parties is erased. However, there is no   7  
    Alyah Khan SIS 645-Summer 2012 explanation of what constitutes “reasonable steps.” Some data controllers, such as Google, have expressed disagreement with the “right to be forgotten” as it is currently articulated. Peter Fleischer (2012), Google’s Global Privacy Counsel, argued that the “responsibility for deleting content published online should lie with the person or entity who published it” and not search engines. It might be worthwhile for the Commission to seek the input of data controllers while revising the policy. Stakeholder buy-in could improve the effectiveness of the policy overall. Impact on Freedom of Speech One of the biggest concerns experts have about the “right to be forgotten” is its potential to negatively impact freedom of speech. In fact, Rosen (2012, p. 88) wrote that the policy represents the “biggest threat to free speech on the Internet in the coming decade.” EDRi also took issue with the policy, although not in such extreme terms, by stating that it could have serious (if unintended) implications for freedom of speech. The advocacy group added that the provision must be “carefully drafted to avoid its potential misuse as a tool for censorship” (European Digital Rights, 2012). Despite Hendel’s (2012) reassurance that the media need not fear the “right to be forgotten,” the policy in its current form lacks the specificity needed to prevent undue erasure. Rosen, for example, has argued that the policy could result in a “dramatic clash between European and American conceptions of the proper balance between privacy and free speech, leading to a far less open Internet” (2012, p. 88). Werro (2009) similarly recognized the likelihood of a transatlantic clash over the “right to be forgotten.” Experts have also suggested that the fines imposed on data controllers who fail to take action could lead to “deletion in ambiguous cases, producing a serious chilling effect” (Rosen, 2012, p. 91). Others scholars have said that it is hard to predict what information will be useful in the future. As Ausloos eloquently stated, “Culture is memory” (2012, p. 146).   8  
    Alyah Khan SIS 645-Summer 2012 These views indicate a number of important issues. First, there is a divide between the policy approaches of the U.S. and Europe. Generally, the U.S. applies the Liberal Market Model, whereas the EU applies a Public Service Model in which the state determines citizens’ information needs (Venturelli, 2012). The proposed data protection reform and the “right to be forgotten” align with the EU’s historically tougher stance on individual privacy rights. In comparison, the U.S. has weaker data protection and privacy laws. Although the “right to be forgotten” policy has exemptions related to freedom of expression, the EU seems to believe that users’ rights take precedent in certain situations. It is unknown at this point how the EU will enforce the “right to be forgotten” policy and if it will actually impede freedom of speech. The outcome of this policy in the EU will likely determine its consideration in other countries, such as the U.S. As for the suspected “chilling effect,” the Commission can combat this by making the responsibilities of the data controller less obtuse. Data controllers should have a clear picture of what steps they are required to take and what will happen if those steps are not taken. The culture issue raised by Ausloos (2012) is far more complicated. The “right to be forgotten” ultimately leaves it up to individuals to determine what information they share should remain available online. In the most serious circumstances, this could make vital information disappear, break connections among people or even alter a part of cultural history. One way to minimize possible negative effects is to limit the scope of the policy so that it only applies to data that users have consented to, instead of any information related to a data subject. Conclusion The EU’s proposed data protection reform represents an unprecedented step forward for users’ rights in the information society. At its core, the “right to be forgotten” is about strengthening people’s ability to control their personal information. However, the current draft of   9  
    Alyah Khan SIS 645-Summer 2012 the policy must be significantly improved in order to achieve its goal. Based on this report’s analysis, the policy should be revised in the following ways: i. Limit the scope of the policy so that it applies only to data that users have consented to. ii. Define the right to be forgotten in specific terms by clearly articulating situations where erasure is appropriate. iii. Explain the materials or information (i.e. the proof) required to request erasure. iv. Address the issue of data cross-posted on multiple platforms and whether it is up to users to ensure erasure is carried out to the fullest extent. v. State as explicitly as possible the responsibilities of data controllers (the “reasonable steps”) in terms of fulfilling an erasure request. The Commission should also consider the views of data controllers as revisions are made to the proposed regulation. By making the suggested revisions and seeking the input of data controllers, the policy stands a greater chance of succeeding in the future. If the “right to be forgotten” is effectively implemented across Europe, a new global standard will emerge for the protection of personal data. The balance of power will shift in favor of individuals. It remains to be seen whether other countries, such as the U.S., will consider a similar policy.   10  
    Alyah Khan SIS 645-Summer 2012 References Ausloos, J. (2012). The 'right to be forgotten' - Worth remembering? Computer Law and Security Review, (28), 143-152. European Commission (2012a, January 25). Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses. Retrieved from http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&age d=0&language=EN&guiLanguage=en European Commission. (2012b). Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). Retrieved from website: http://ec.europa.eu/justice/newsroom/data- protection/news/120125_en.htm European Commission. (2012c). How does the data protection reform strengthen citizens’ rights? Retrieved from website: http://ec.europa.eu/justice/newsroom/data- protection/news/120125_en.htm European Digital Rights (2012, February 1). EDRi’s initial comments on the Data Protection Regulation. Retrieved from http://www.edri.org/edrigram/number10.2/edri-comments- on-data-retention Fleischer, P. (2012, February 16). Our thoughts on the right to be forgotten [Web log message]. Retrieved from http://googlepolicyeurope.blogspot.com/2012/02/our-thoughts-on-right- to-be-forgotten.html Friedewald, M., Wright, D., Gutwirth, S., & Mordini, E. (2010). Privacy, data protection and   11  
    Alyah Khan SIS 645-Summer 2012 emerging sciences and technologies: towards a common framework. Innovation – The European Journal of Social Science Research, 23(1), 61-67. Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens’ perceptions of data protection and privacy in Europe. Computer Law and Security Review, (28), 263-272 Hendel, J. (2012, January 25). Why journalists shouldn't fear Europe's 'right to be forgotten' The Atlantic, Retrieved from http://www.theatlantic.com/technology/archive/2012/01/why- journalists-shouldnt-fear-europes-right-to-be-forgotten/251955/ Koops, B. (2011). Forgetting footprints, shunning shadows: A critical analysis of the 'right to be forgotten' in big data practice. SCRIPTed, 8(3), p. 229-256. Reding, V. (2011). The upcoming data protection reform for the European Union. International Data Privacy Law, 1(1), 3-5. Rodriguez, K. (2011, December 22). Data Protection Regulation and the Politics of Interoperability [Web log message]. Retrieved from https://www.eff.org/deeplinks/2011/12/data-protection-regulation-and-politics- interoperability Rosen, J. (2012). The right to be forgotten. Stanford Law Review, 64, 88-92. Retrieved from http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten Solove, D. (2008). Understanding privacy. The George Washington University Law School Public Law and Legal Theory Working Paper No. 420, Retrieved from http://ssrn.com/abstract=1127888 Venturelli, S. (2012). Global communication policy models. (PowerPoint, American University). Werro, F. (2009). The right to inform v. the right to be forgotten: A transatlantic clash. Georgetown Public Law Research Paper No. 2. Retrieved from http://ssrn.com/abstract=1401357   12  

Recommended

Right to be forgotten presentation
Right to be forgotten presentationRight to be forgotten presentation
Right to be forgotten presentationreporter1120
 
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)The Right to be Forgotten - It's About Time, or is it? (CPDP2014)
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)Jausloos
 
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...ioannis iglezakis
 
The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...
The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...
The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...Kinfe Micheal Yilma
 
IT Governance: Privacy and Intellectual Property
IT Governance: Privacy and Intellectual PropertyIT Governance: Privacy and Intellectual Property
IT Governance: Privacy and Intellectual PropertyCharles Mok
 
Hannes astok data protection agency
Hannes astok data protection agencyHannes astok data protection agency
Hannes astok data protection agencyE-Government Center Moldova
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsblogzilla
 
Ubicomp challenges for privacy law
Ubicomp challenges for privacy lawUbicomp challenges for privacy law
Ubicomp challenges for privacy lawblogzilla
 

Recommended

Right to be forgotten presentation
Right to be forgotten presentationRight to be forgotten presentation
Right to be forgotten presentationreporter1120
 
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)The Right to be Forgotten - It's About Time, or is it? (CPDP2014)
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)Jausloos
 
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...ioannis iglezakis
 
The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...
The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...
The Right to Be Forgotten: Remarks on Its Impact on Free Speech and Right of ...Kinfe Micheal Yilma
 
IT Governance: Privacy and Intellectual Property
IT Governance: Privacy and Intellectual PropertyIT Governance: Privacy and Intellectual Property
IT Governance: Privacy and Intellectual PropertyCharles Mok
 
Hannes astok data protection agency
Hannes astok data protection agencyHannes astok data protection agency
Hannes astok data protection agencyE-Government Center Moldova
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsblogzilla
 
Ubicomp challenges for privacy law
Ubicomp challenges for privacy lawUbicomp challenges for privacy law
Ubicomp challenges for privacy lawblogzilla
 
Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionDavid Erdos
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeDavid Erdos
 
The principles of the Data Protection Act in detail - uk
The principles of the Data Protection Act in detail - ukThe principles of the Data Protection Act in detail - uk
The principles of the Data Protection Act in detail - uk- Mark - Fullbright
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...David Erdos
 
Box 11
Box 11Box 11
Box 11OmPrakash63906
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDavid Erdos
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?David Erdos
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionDavid Erdos
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overviewJane Lambert
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeDavid Erdos
 
GDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONGDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONSaurabh Pandey
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social NetworkingDavid Erdos
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUDavid Erdos
 
Key principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRKey principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRDr. Marinos Papadopoulos
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Actmrmwood
 
TDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxTDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxDr. Marinos Papadopoulos
 
Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Axon Lawyers
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanKrowdthink
 
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...Jisc
 
Policy Brief on Europe's "Right to be Forgotten"
Policy Brief on Europe's "Right to be Forgotten"Policy Brief on Europe's "Right to be Forgotten"
Policy Brief on Europe's "Right to be Forgotten"William Nyikuli
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018Altimeter, a Prophet Company
 

More Related Content

What's hot

Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionDavid Erdos
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeDavid Erdos
 
The principles of the Data Protection Act in detail - uk
The principles of the Data Protection Act in detail - ukThe principles of the Data Protection Act in detail - uk
The principles of the Data Protection Act in detail - uk- Mark - Fullbright
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...David Erdos
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDavid Erdos
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?David Erdos
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionDavid Erdos
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overviewJane Lambert
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeDavid Erdos
 
GDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONGDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONSaurabh Pandey
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social NetworkingDavid Erdos
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUDavid Erdos
 
Key principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRKey principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRDr. Marinos Papadopoulos
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Actmrmwood
 
Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Axon Lawyers
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanKrowdthink
 
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...Jisc
 

What's hot (20)

Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data Protection
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
 
The principles of the Data Protection Act in detail - uk
The principles of the Data Protection Act in detail - ukThe principles of the Data Protection Act in detail - uk
The principles of the Data Protection Act in detail - uk
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...
 
Box 11
Box 11Box 11
Box 11
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data Protection
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing Landscape
 
GDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONGDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATION
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EU
 
Key principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRKey principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPR
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 
TDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxTDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptx
 
Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics'
 
The Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth BoardmanThe Privacy Advantage 2016 - Ruth Boardman
The Privacy Advantage 2016 - Ruth Boardman
 
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
Victoria Cetinkaya - Research Integrity: Legal and policy obligations to shar...
 

Similar to Right to be forgotten final paper

Policy Brief on Europe's "Right to be Forgotten"
Policy Brief on Europe's "Right to be Forgotten"Policy Brief on Europe's "Right to be Forgotten"
Policy Brief on Europe's "Right to be Forgotten"William Nyikuli
 
Christopher Millard Legally Compliant Use Of Personal Data In E Social Science
Christopher Millard Legally Compliant Use Of Personal Data In E Social ScienceChristopher Millard Legally Compliant Use Of Personal Data In E Social Science
Christopher Millard Legally Compliant Use Of Personal Data In E Social ScienceChristopher Millard
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiKrowdthink
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
Right to be forgotten presentation
Right to be forgotten presentationRight to be forgotten presentation
Right to be forgotten presentationreporter1120
 
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security PrinciplesLisa Catanzaro
 
Data science and privacy regulation
Data science and privacy regulationData science and privacy regulation
Data science and privacy regulationblogzilla
 
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy SheidlTransatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy SheidlDaniel Parziale, CIPP/US
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regimeijtsrd
 
Constitutional law project (1)
Constitutional law project (1)Constitutional law project (1)
Constitutional law project (1)PreetPatel74
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELEugene Lee
 
Track H - Cristina Dos Santos
Track H - Cristina Dos SantosTrack H - Cristina Dos Santos
Track H - Cristina Dos SantosePSI Platform
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...Konstantinos Demertzis
 
PLA Legal aspects of Big Data analytics final
PLA Legal aspects of Big Data analytics finalPLA Legal aspects of Big Data analytics final
PLA Legal aspects of Big Data analytics finalSofie van der Meulen
 
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...DamaineFranklinMScBE
 

Similar to Right to be forgotten final paper (20)

Policy Brief on Europe's "Right to be Forgotten"
Policy Brief on Europe's "Right to be Forgotten"Policy Brief on Europe's "Right to be Forgotten"
Policy Brief on Europe's "Right to be Forgotten"
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
1st draft
1st draft1st draft
1st draft
 
Christopher Millard Legally Compliant Use Of Personal Data In E Social Science
Christopher Millard Legally Compliant Use Of Personal Data In E Social ScienceChristopher Millard Legally Compliant Use Of Personal Data In E Social Science
Christopher Millard Legally Compliant Use Of Personal Data In E Social Science
 
The Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech WiewiorowskiThe Privacy Advantage 2016 - Wojciech Wiewiorowski
The Privacy Advantage 2016 - Wojciech Wiewiorowski
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in India
 
Right to be forgotten presentation
Right to be forgotten presentationRight to be forgotten presentation
Right to be forgotten presentation
 
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
 
Data science and privacy regulation
Data science and privacy regulationData science and privacy regulation
Data science and privacy regulation
 
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy SheidlTransatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regime
 
Constitutional law project (1)
Constitutional law project (1)Constitutional law project (1)
Constitutional law project (1)
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
 
Data Portability and Interoperability – OECD DIGITAL ECONOMY POLICY DIVISION ...
Data Portability and Interoperability – OECD DIGITAL ECONOMY POLICY DIVISION ...Data Portability and Interoperability – OECD DIGITAL ECONOMY POLICY DIVISION ...
Data Portability and Interoperability – OECD DIGITAL ECONOMY POLICY DIVISION ...
 
Track H - Cristina Dos Santos
Track H - Cristina Dos SantosTrack H - Cristina Dos Santos
Track H - Cristina Dos Santos
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
 
PLA Legal aspects of Big Data analytics final
PLA Legal aspects of Big Data analytics finalPLA Legal aspects of Big Data analytics final
PLA Legal aspects of Big Data analytics final
 
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
 

Right to be forgotten final paper

  • 1.   The  EU’s  “right  to  be  forgotten”:   A  first  step  towards  greater  personal  data  protection   Alyah  Khan     SIS  645  International  Communication  &  Cultural  Policy   Summer  2012   EXECUTIVE  SUMMARY   In January 2012, the European Commission proposed a “right to be forgotten” as part of its comprehensive data protection reform. The right would allow an individual to delete personal information online if there are no legitimate grounds for retaining it. The proposed policy would greatly advance users’ rights, but it also presents practical difficulties. In order to achieve its desired effect of strengthening personal data control, the policy must be revised to reflect a more limited scope, well-defined terminology and a clearer delineation of data controllers’ responsibilities. If these improvements are made, the EU policy will set a new global standard for the protection of personal data.  
  • 2.     Alyah Khan SIS 645-Summer 2012 Preface The European Commission proposed an overhaul of its 1995 data protection rules earlier this year. The comprehensive reform package includes several changes intended to strengthen online privacy rights and enhance Europe’s digital economy. The reform also aims to unify the enforcement of data protection laws among the European Union’s 27 member states. One of the most controversial provisions of the Commission’s proposed data protection regulation is Article 17, the “right to be forgotten and to erasure.” The purpose of this report is to analyze the feasibility and effectiveness of the “right to be forgotten.” The writings of academic scholars, privacy experts and high-ranking EU officials informed the analysis. This report was conducted on behalf of European Digital Rights (EDRi), an international advocacy group headquartered in Brussels, Belgium. EDRi consists of 32 privacy and civil rights organizations based in 20 different European countries. The nonprofit’s goal is to protect digital civil rights in the information society. Introduction Technology and data processing play a major role in the life of the individual and society. In the coming years, scholars expect that the collection and sharing of personal information through technology will become even more prevalent (Hallinan, Friedewald & McCarthy, 2012). As a result, personal data is considered the “currency of the Internet. It is collected, stored and used in an ever-increasing variety of ways by a countless amount of different users” (Ausloos, 2012, p. 143). Further, although some scholars consider privacy a fundamental human right, it is also referred to as a “moving target” (Friedewald, Wright, Gutwirth & Mordini, 2010, p. 61). Privacy is a difficult concept to define (Solove, 2008). This reality has made data privacy and protection an inevitable policy battleground in countries around the world. At the forefront of   2  
  • 3.     Alyah Khan SIS 645-Summer 2012 this ongoing debate is the European Union, which considers itself a key player in setting the standards for personal data protection (Reding, 2011). The EU has a history of strong data protection standards, which are bolstered by the European Charter’s “explicit provisions upholding data protection as a fundamental right” (Rodriguez, 2011). Reform of the EU’s data protection rules has been a topic of discussion for the last few years. Near the end of 2010, Viviane Reding, European Commissioner of Justice, Fundamental Rights and Citizenship, made a case for the reform. She cited three main trends that pose a challenge to the protection of personal data in the future: “the astounding capabilities of modern technologies; the increased globalization of data flows; and access to personal data by law enforcement authorities that is greater than ever” (Reding, 2011, p. 3). She also acknowledged the growing collection and processing of personal data by data controllers, such as search engines, service providers and social networks. However, data protection rules are often unclear and non-transparent, leaving individuals in the dark about how to maintain control over their personal information. Reding announced the comprehensive (and ambitious) overhaul of the EU’s existing data protection rules in January 2012. Speaking in Brussels on January 25, Reding said the following: “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will build trust in online services because people will be better informed about their rights and in more control of their information” (European Commission, 2012a). One of the reform’s most hotly contested changes is the “right to be forgotten.” The right aims to help people better manage their data protection risks online by allowing them the ability to delete their data (such as photos posted on Facebook, among other types) if there are no “legitimate grounds for retaining it” (European Commission, 2012a). The “right to be forgotten   3  
  • 4.     Alyah Khan SIS 645-Summer 2012 and to erasure” is laid out in Section 3, Article 17 of the European Commission’s proposal for a regulation of the European Parliament and of the Council “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The regulation sets out the general legal framework for EU data protection. The Commission’s proposal has been passed on to the European Parliament and the EU member states for discussion. It will take effect two years after it has been adopted. This report will focus specifically on the “right to be forgotten” as drafted in the proposed regulation. The report will begin with a brief overview of the policy, followed by an analysis of its scope and application. Next, the report will examine the concern of some scholars that the “right to be forgotten” threatens freedom of speech. Finally, the report will conclude with recommendations on how to enhance the policy prior to implementation. Overall, this report supports the position that the “right to be forgotten” in its current form is a positive first step but substantial revisions to its scope and terminology are required if the policy is to meet its goal of strengthening personal data protection online. This position aligns with and builds upon EDRi’s initial comments on the data protection regulation, which concluded that Article 17 was “not particularly well drafted” (European Digital Rights, 2012). Policy Overview The “right to be forgotten” is a complex policy. It includes a variety of situations where erasure is allowed, when exemptions must be made and when data would be restricted, but not erased. The following section provides an overview of the policy’s most noteworthy language. To begin, it helps to understand what information qualifies as “personal data.” The regulation defines this term very broadly as “any information relating to a data subject.” In terms of erasure, Article 17 of the proposed regulation states, “The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in   4  
  • 5.     Alyah Khan SIS 645-Summer 2012 relation to personal data which are made available by the data (subject) while he or she was a child, where one of the following grounds applies: the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; the data subject objects to the processing of personal data pursuant to Article 19 (“right to object”); the processing of the data does not comply with this regulation for other reasons” (European Commission, 2012b, p. 51). This section represents the core of the policy. Another important aspect of the policy is the responsibility assigned to data controllers, which the regulation defines as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data.” The policy instructs data controllers (such as Google and Facebook) to “take all reasonable steps, including technical measures” to inform third parties that a data subject has requested data be erased (p. 51). This applies to links to the data, as well as copies or replications of the data. Further, the provision requires the controller to carry out the erasure without delay unless the retention of the personal data is necessary, “for exercising the right of freedom of expression” (p. 52). This means that the processing of personal data must be retained if it was carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to, “reconcile the right to protection of personal data with the rules governing freedom of expression” (p. 93). Additionally, the provision calls for controllers to restrict the processing of personal data when the data subject contests its accuracy for a period in order to verify its accuracy. Analysis Technology has rapidly evolved in the 17 years since the EU’s 1995 data protection rules were adopted. New communication tools, such as online social networks, have drastically changed the way people share information about themselves. As stated earlier, personal data is   5  
  • 6.     Alyah Khan SIS 645-Summer 2012 now considered the Internet’s currency. This is certainly true in the EU, where more than half of Europeans feel that they must disclose personal information if they want to obtain products or services. Yet, only 26 percent of social network users and 18 percent of online shoppers feel in complete control of their data, according to a survey of EU citizens’ attitudes on data protection and identity released in 2011 (European Commission, 2012c). These findings are unfortunate because EU citizens allocate significant importance to data privacy and protection (Hallinan et al., 2012). The implication then is that users’ needs are not being met by the existing data protection structure. The “right to be forgotten” policy presents a way for Internet users to regain control of their personal information. It is one possible solution to the conundrum of how to protect privacy online. In other words, the policy is about “empowering the individual, not about erasing past events or restricting freedom of the press” (European Commission, 2012c). Whether the policy achieves this goal will be examined in the subsequent sections. Scope and Applicability In theory, the “right to be forgotten” makes a great deal of sense. People are disclosing more personal information online than ever before and they deserve the right to control the information they share. The right allows a data subject the ability to delete information if it is no longer relevant, if it is inaccurate or if he/she proposes a justified objection. However, implementing the “right to be forgotten” presents obstacles. First, the scope of the proposed policy is incredibly broad, which is likely to make uniform enforcement across EU member states a challenging task. The “right to be forgotten” is defined in vague terms and the policy does not reference the types of situations where the enforcement of this policy would be appropriate. The changing nature of technology prevents the Commission from being too specific, but the current language leaves much of the policy open to   6  
  • 7.     Alyah Khan SIS 645-Summer 2012 interpretation. This could cause enforcement discrepancies among countries, potentially to the detriment of citizens. Additionally, since “personal data” in the policy refers to any information related to a data subject, it seems that national data protection authorities could be flooded with requests for erasure without proper justification. It is unclear, based on the policy in its current form, to what extent users would have to prove data should be erased. This brings up the issue of the burden of proof. Koops explained that the right would, “require data subjects to substantiate there are compelling legitimate grounds to stop data processing, which puts a significant burden of proof on users and leaves large discretionary power with the data controller” (2011, p. 240). The policy mistakenly places the onus on the users by not detailing the materials or information required to request erasure. The policy also does not account for anonymized data, or data that has been stripped of identifying information. Ausloos (2012) wrote that, “Many data controllers invoke the anonymization-argument as their major line of defense” (p. 146). The thinking here is that if people cannot recognize their data, how can they request it be erased? It is unclear if such data- mining practices are meant to fall under the scope of this policy. Related to this point are the practical difficulties in applying the policy. Information that has been cross-posted to multiple sites will be difficult to track down (Ausloos, 2012; Koops, 2011). With this in mind, will it be up to the user to ensure that this information is completely removed from all of the sites through separate erasure requests? Again, the policy in its current form fails to address this issue with any clarity. It appears that the policy has, in many ways, overlooked the complexity of the Internet’s interconnected nature. Finally, there is the issue of accountability. According to the policy, data controllers must “take all reasonable steps” to ensure data held by third parties is erased. However, there is no   7  
  • 8.     Alyah Khan SIS 645-Summer 2012 explanation of what constitutes “reasonable steps.” Some data controllers, such as Google, have expressed disagreement with the “right to be forgotten” as it is currently articulated. Peter Fleischer (2012), Google’s Global Privacy Counsel, argued that the “responsibility for deleting content published online should lie with the person or entity who published it” and not search engines. It might be worthwhile for the Commission to seek the input of data controllers while revising the policy. Stakeholder buy-in could improve the effectiveness of the policy overall. Impact on Freedom of Speech One of the biggest concerns experts have about the “right to be forgotten” is its potential to negatively impact freedom of speech. In fact, Rosen (2012, p. 88) wrote that the policy represents the “biggest threat to free speech on the Internet in the coming decade.” EDRi also took issue with the policy, although not in such extreme terms, by stating that it could have serious (if unintended) implications for freedom of speech. The advocacy group added that the provision must be “carefully drafted to avoid its potential misuse as a tool for censorship” (European Digital Rights, 2012). Despite Hendel’s (2012) reassurance that the media need not fear the “right to be forgotten,” the policy in its current form lacks the specificity needed to prevent undue erasure. Rosen, for example, has argued that the policy could result in a “dramatic clash between European and American conceptions of the proper balance between privacy and free speech, leading to a far less open Internet” (2012, p. 88). Werro (2009) similarly recognized the likelihood of a transatlantic clash over the “right to be forgotten.” Experts have also suggested that the fines imposed on data controllers who fail to take action could lead to “deletion in ambiguous cases, producing a serious chilling effect” (Rosen, 2012, p. 91). Others scholars have said that it is hard to predict what information will be useful in the future. As Ausloos eloquently stated, “Culture is memory” (2012, p. 146).   8  
  • 9.     Alyah Khan SIS 645-Summer 2012 These views indicate a number of important issues. First, there is a divide between the policy approaches of the U.S. and Europe. Generally, the U.S. applies the Liberal Market Model, whereas the EU applies a Public Service Model in which the state determines citizens’ information needs (Venturelli, 2012). The proposed data protection reform and the “right to be forgotten” align with the EU’s historically tougher stance on individual privacy rights. In comparison, the U.S. has weaker data protection and privacy laws. Although the “right to be forgotten” policy has exemptions related to freedom of expression, the EU seems to believe that users’ rights take precedent in certain situations. It is unknown at this point how the EU will enforce the “right to be forgotten” policy and if it will actually impede freedom of speech. The outcome of this policy in the EU will likely determine its consideration in other countries, such as the U.S. As for the suspected “chilling effect,” the Commission can combat this by making the responsibilities of the data controller less obtuse. Data controllers should have a clear picture of what steps they are required to take and what will happen if those steps are not taken. The culture issue raised by Ausloos (2012) is far more complicated. The “right to be forgotten” ultimately leaves it up to individuals to determine what information they share should remain available online. In the most serious circumstances, this could make vital information disappear, break connections among people or even alter a part of cultural history. One way to minimize possible negative effects is to limit the scope of the policy so that it only applies to data that users have consented to, instead of any information related to a data subject. Conclusion The EU’s proposed data protection reform represents an unprecedented step forward for users’ rights in the information society. At its core, the “right to be forgotten” is about strengthening people’s ability to control their personal information. However, the current draft of   9  
  • 10.     Alyah Khan SIS 645-Summer 2012 the policy must be significantly improved in order to achieve its goal. Based on this report’s analysis, the policy should be revised in the following ways: i. Limit the scope of the policy so that it applies only to data that users have consented to. ii. Define the right to be forgotten in specific terms by clearly articulating situations where erasure is appropriate. iii. Explain the materials or information (i.e. the proof) required to request erasure. iv. Address the issue of data cross-posted on multiple platforms and whether it is up to users to ensure erasure is carried out to the fullest extent. v. State as explicitly as possible the responsibilities of data controllers (the “reasonable steps”) in terms of fulfilling an erasure request. The Commission should also consider the views of data controllers as revisions are made to the proposed regulation. By making the suggested revisions and seeking the input of data controllers, the policy stands a greater chance of succeeding in the future. If the “right to be forgotten” is effectively implemented across Europe, a new global standard will emerge for the protection of personal data. The balance of power will shift in favor of individuals. It remains to be seen whether other countries, such as the U.S., will consider a similar policy.   10  
  • 11.     Alyah Khan SIS 645-Summer 2012 References Ausloos, J. (2012). The 'right to be forgotten' - Worth remembering? Computer Law and Security Review, (28), 143-152. European Commission (2012a, January 25). Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses. Retrieved from http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&age d=0&language=EN&guiLanguage=en European Commission. (2012b). Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). Retrieved from website: http://ec.europa.eu/justice/newsroom/data- protection/news/120125_en.htm European Commission. (2012c). How does the data protection reform strengthen citizens’ rights? Retrieved from website: http://ec.europa.eu/justice/newsroom/data- protection/news/120125_en.htm European Digital Rights (2012, February 1). EDRi’s initial comments on the Data Protection Regulation. Retrieved from http://www.edri.org/edrigram/number10.2/edri-comments- on-data-retention Fleischer, P. (2012, February 16). Our thoughts on the right to be forgotten [Web log message]. Retrieved from http://googlepolicyeurope.blogspot.com/2012/02/our-thoughts-on-right- to-be-forgotten.html Friedewald, M., Wright, D., Gutwirth, S., & Mordini, E. (2010). Privacy, data protection and   11  
  • 12.     Alyah Khan SIS 645-Summer 2012 emerging sciences and technologies: towards a common framework. Innovation – The European Journal of Social Science Research, 23(1), 61-67. Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens’ perceptions of data protection and privacy in Europe. Computer Law and Security Review, (28), 263-272 Hendel, J. (2012, January 25). Why journalists shouldn't fear Europe's 'right to be forgotten' The Atlantic, Retrieved from http://www.theatlantic.com/technology/archive/2012/01/why- journalists-shouldnt-fear-europes-right-to-be-forgotten/251955/ Koops, B. (2011). Forgetting footprints, shunning shadows: A critical analysis of the 'right to be forgotten' in big data practice. SCRIPTed, 8(3), p. 229-256. Reding, V. (2011). The upcoming data protection reform for the European Union. International Data Privacy Law, 1(1), 3-5. Rodriguez, K. (2011, December 22). Data Protection Regulation and the Politics of Interoperability [Web log message]. Retrieved from https://www.eff.org/deeplinks/2011/12/data-protection-regulation-and-politics- interoperability Rosen, J. (2012). The right to be forgotten. Stanford Law Review, 64, 88-92. Retrieved from http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten Solove, D. (2008). Understanding privacy. The George Washington University Law School Public Law and Legal Theory Working Paper No. 420, Retrieved from http://ssrn.com/abstract=1127888 Venturelli, S. (2012). Global communication policy models. (PowerPoint, American University). Werro, F. (2009). The right to inform v. the right to be forgotten: A transatlantic clash. Georgetown Public Law Research Paper No. 2. Retrieved from http://ssrn.com/abstract=1401357   12