Policy Brief on Europe's "Right to be Forgotten"


This policy brief is an overview of the European Union's proposed policies on digital privacy as announced on January 25, 2012. It has been prepared for the benefit of US business interests as represented by the US Chamber of Commerce.

Published in: Technology, News & Politics

  1. 1. EUROPE'S RIGHT-TO-BE-FORGOTTEN
by William A. Nyikuli
June 28, 2013
This policy brief is an overview of the European Union's proposed policies on digital privacy as announced on January 25, 2012. It has been prepared for the benefit of US business interests as represented by the US Chamber of Commerce.
The brief provides the following information:
  • Key facts and goals of the proposed legislation.
  • Assumptions that may have shaped the way proposed legislation is framed.
  • A brief assessment of the proposed legislation's strengths and its policy gaps.
  • A few suggestions for how an entity like the US Chamber of Commerce can engage with Europe on this matter.
  2. 2. Introduction
It has become a widely accepted truism that the internet complicates international and domestic public policy. One aspect of that is the availability and use of vast amounts of demographical, biographical and usage information left behind by internet activity—often referred to as ‘big data’. Along with the new importance of big data come worries about surveillance, privacy, cyber-security, etc. In Europe, these issues came to a head when the EU announced a directive in January 2012, proposing a right-to-be-forgotten, the idea that individuals deserve a say in the usage and effects of their online imprint. There have been several official reports on the impact of data and technology, some predating the internet. This brief analyzes one of those reports, the European Union (EU)’s proposal to its parliament titled Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, of January 25, 2012 (henceforth, “the EU document”).1 The analysis is presented to identify broader trends in European internet policy with a focus on data privacy. This is an important communication policy that touches on issues of internet freedom, network access and intellectual property rights. The findings in this brief can inform how American business interests and corporations, such as the US Chamber of Commerce (henceforth, "the chamber"), interact with the EU.
COM(2012) 9: Key facts and proposals about the legislation
The EU document begins by recognizing that “personal data has become an asset for many businesses. Collecting, aggregating and analyzing the data of potential customers is often an important part of their activities” (European Commission 2012, 2).2 The EU document acknowledges existing directives but notes that there has been no update for today’s environment—the EU’s previous treatment of personal data and its free movement (95/46/EC) was in 1995.
Furthermore, that directive was not uniformly applied across states, which is now necessary with a single European market. Lastly, it is reported that both European citizens and businesses want comprehensive reform, with over 70% of European internet users fearing that their personal data is accessed by other parties without authorization (European Commission 2012, 4).
1 ‘COM(2012) 9 final’ is the official report number assigned to the document.
2 The European Commission is the executive entity of the European Union (source: http://europa.eu/about-eu/institutions-bodies/index_en.htm).
  3. 3. The broad policy goal of these reforms is to put individuals in control of their personal data and to strengthen national data protection authorities so that they can implement those protections. More specifically, the proposed reform in the EU document has the following goals:
  • an explicit requirement that obliges online social networking services (and all other data controllers) to minimize the volume of users' personal data that they collect and process;
  • a requirement that the default settings ensure that data is not made public; and
  • an explicit obligation for data controllers to delete an individual's personal data if that person explicitly requests deletion and where there is no other legitimate reason to retain it. (European Commission 2012, 5)
Concrete provisions for action promote individual control and data security and accountability, facilitate a single market, synchronize law enforcement and address other countries. Some examples follow:
  • Facilitating individual control: Opt-in rather than opt-out mechanisms for data privacy agreements and a mandated right to have data deleted if consent is withdrawn.
  • Data security and corporate accountability: Requiring that each large internet company of over 250 employees employ a senior data protection officer, and also legal requirements for privacy by design.
  • Consistent enforcement: Laying down protection rules at EU level through a regulation directly applicable in all member states to put an end to cumulative and simultaneous application of different national data protection laws, and also further enhancing the independence and powers of national data protection authorities with a requirement to oblige member states to provide resources and facilitate that independence.
  • Law enforcement: Providing for minimum harmonized criteria, and addressing rights of individuals to be informed when police and authorities handle or access their data.
Background & Framework
Action items in the EU document are underpinned by certain assumptions about privacy. The EU document emphasizes early that, “individuals have the right to enjoy effective control over their personal information” (European Commission 2012, 2). Furthermore, data privacy is a fundamental right in Europe that is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and in Article 16(1) of the Treaty on the Functioning of the European Union.
  4. 4. Europe is a trendsetter in the area of digital privacy for consumers, and the issue of privacy is a very heavily developed area of law relative to the rest of the world. Europe has discussed data initiatives for a while, even in the 1990s when the internet was relatively new. The prominence of individual privacy rights is part of the EU’s efforts to incorporate internet policies into a broader European agenda.3 Emphasis on data control by the individual can be understood as a philosophical difference between American and European conceptions of privacy. In the USA, privacy is about minimizing government interference in one's affairs, while in Europe it is about protecting one's public reputation (Whitman 2004). In Europe, dignity is elevated to the level of freedom and equality, as seen in how the EU charter’s first statement is that, “human dignity is inviolable. It must be respected and protected” and in further early statements protecting even mental dignity (European Union 2000).4 This confirms the preceding observation on European privacy assumptions, and hence privacy data protections can then be understood as a matter of dignity. The elevation of dignity is seen in the variety of libel and slander laws in Europe which protect reputation.5 Therefore, there is a clash of world views in which American internet corporations and business interests, as represented by the chamber, would view the right-to-be-forgotten legislation as invasive, whereas European citizens might see the same legislation as protecting against invasiveness. As for the EU document’s framework, it can be categorized as what international communication experts would refer to as a public-interest model. Communication policy models are the foundation of understanding official legislation in the field.
Understanding Europe as operating in a public-interest model would reveal why Europeans approach legislation on communication infrastructure by prioritizing consumer and citizen rights over corporations, at least relative to a liberal-market model.
3 The broad agenda is spelt out in the Stockholm Program, which is a roadmap for EU work in the area of justice, freedom and security for the period 2010-14 (source: http://europa.eu/legislation_summaries/human_rights/fundamental_rights_within_european_union/jl0036_en.htm).
4 Article I, Chapter I of the Charter of Fundamental Rights of the European Union.
5 The Organization for Security and Cooperation in Europe has a comprehensive catalogue of libel/slander laws in Europe that can be accessed at http://www.osce.org/fom/41958.
  5. 5. The public-interest model is premised on a communication policy for the communal greater good and not just for private business entities (Venturelli 1998, 188-195). Conversely, the liberal-market model is premised on a laissez-faire approach to communication policy in which the market is allowed to operate with minimal government interference (Venturelli 1998). In the EU document and other referenced work, even when reports and expert recommendations are couched in the language of entrepreneurship and free markets, their solutions are based on supranational and centralized top-down solutions. Furthermore, there is always a justification that policies will simplify the public sector (European Commission 2012, 12).
Policy Strengths
One area where the EU document is strong is that it addresses the concerns about regulation, arguing why these regulations will reduce red tape and make operating in Europe easier. The EU document pledges that in order to enhance the single market dimension of data protection it would “lay down data protection rules at EU level through a regulation directly applicable in all member states which will put an end to the cumulative and simultaneous application of different national data protection laws,” leading to private sector savings of €2.3 billion annually, or simplifying the regulatory environment by drastically cutting red tape and doing away with formalities, leading to net savings of €130 million a year in administrative burdens alone (European Commission 2012, 7). In identifying and offering concrete savings, the EU document addresses opposing arguments usually raised by entrepreneurial business advocates. Under the reformed regulatory framework, the EU can make the case to customers that it is promoting best business practices, and that confidence in the integrity of their personal data can be transferred to confidence in the operations of companies, which is good for the industry.
With the proposals in the EU document, citizens’ trust in a robust regulatory regime arguably becomes an asset for service providers and an incentive for investors looking for optimal conditions when locating services—arguments which the EU document makes (European Commission 2012, 8).
  6. 6. Policy Gaps
The EU document is weak in the absence of technical details and instruction, its nature as a supranational document, its treatment of jurisdiction, and its handling of freedom of speech rights. First, the technical aspect is unaddressed. A study presented to the European Network on Informational and Security Agency on the eve of the unveiling of the EU document voiced such concerns (Druschel, Backes and Rodica 2012). Second, there is an ambiguity between the EU as a supranational entity and the authority of its member states. This is evident when consistent enforcement of data protection rules across Europe is addressed, and also where some reforms for joint activity on use of data in police and criminal justice cooperation seem to run afoul of those on data protection rules for the digital single market. The EU document states that “data protection requirements and safeguards will be set out in an EU Regulation with direct application throughout the Union” yet “only the data protection authority where the company has its main establishment will be responsible for deciding whether the company is acting within the law” (European Commission 2012, 7). With state-centric language in a supranational document, it can be unclear who is intended to be the ultimate enforcer. Third is the problem of jurisdiction, another area that is vague and for which solutions are not really put forward. For example, the Supreme Court in Florida Star v. B.J.F. affirms free expression—in the USA, states cannot pass laws restricting the media from disseminating truthful but embarrassing information as long as the information is legally acquired (Rosen 2012, 91, Florida Star v. B.J.F. 1989).
So this could present US-based corporations with a legal dilemma, which actually leads into the biggest lost opportunity. Towards the end of the EU document, assurances are made that other rights such as freedom of expression and information, or a right to conduct a business would be respected (European Commission 2012, 12). However, that is mentioned in passing, and no examples of situational conflicts are given as the document does for other areas of the legislation.
  7. 7. Those freedoms are the crux of the argument against the right-to-be-forgotten. That argument has been encapsulated by Jeffrey Rosen, an influential US-based legal commentator who argued that, “although Redding depicted the new right as a modest expansion of existing data privacy rights, in fact it represents the biggest threat to free speech on the internet in the coming decade” (Rosen 2012, 8). Facebook says that, “The right to be forgotten needs very careful consideration. As drafted it raises major concerns with the right of others to remember and of freedom of expression on the internet” (Facebook 2012); and Google is insisting that they “support the right to be forgotten, and [we] think there are ways to apply it to intermediaries like search engines in a way that protects both the right to privacy and the right to free expression” (Reuters 2012). This communication does not specifically address these freedom of expression concerns. Speech is a policy sector that forms the basis of all communication policy and law—with internet speech rights of such importance that even the United Nations has designated online expression as a fundamental right (United Nations 2012). Due to the many interpretations of 'freedom of speech', the EU document would have benefited from exploring the issue in more depth, as it does with the regulation issue.
Recommendations: Approaching the EU
To navigate this policy, the chamber and its constituents should reach out to the United Kingdom (UK), while at the same time bearing in mind European history and viewing Europe as one entity. To the extent that there may be a crack in European unity, it is from the British, who may have chosen to opt out of the right-to-be-forgotten (Bowcott 2013). Efforts to stop the impending legislation can therefore be channeled through the UK, where the chamber and likeminded organizations would find sympathetic interests to partner with.
The UK has long had a historical special relationship with the USA in which their global interests have usually aligned. Furthermore, the current timing is advantageous as the UK is openly reassessing its relationship with the EU and proposing to cede less power to them (Cameron 2013).
  8. 8. Conversely, in an admittedly contradictory approach to one targeting the UK, a helpful frame could be to view Europe as one entity rather than a collection of countries. From this perspective the EU Document's proposed legislation need not be antagonistic to corporate interests. For two decades, the EU has spoken favorably about using market mechanisms as motive power and fostering entrepreneurial mentality and a common regulatory approach and warning (High-Level Group on the Information Society 1994, 3). However, their solutions are premised on supranational action. For example, they have usually recommended a union-wide approach to legal security for privacy (High-Level Group on the Information Society 1994, 3). This is because of their aforementioned communication model, but from an economic perspective it also highlights the importance of understanding the economic self-interest motivations of a common European market. In addition, there is the political reality of an EU that wishes to project European resolve in a world that is increasingly being dominated by the USA and emerging economies such as China (Renard 2012). Essentially, it is not out of the question that the EU is seeking to maximize economic gains, which suggests there is an opening to align interests or for the chamber to engage on more familiar terrain. In addition to the single market, identity and history matter, and therefore a thorough understanding of European history and the ideational forces that led to the creation of the EU should also be considered. Communication policy is influenced by national political logics or mentalities of governing, meaning that “the deployment of governmental power within specific political and cultural contexts gives rise to different governance systems” (Eko, Kumar and Yao 2011, 3). European internet policies are historically and socially constructed.
Although nationalism still exists, there has been a social conception of a 'European identity' that has paralleled the political strengthening of the EU over the years. Consequently, this can provide insight into why internet legislation is being addressed at a supranational level (EU) rather than by individual countries. On a related note, looking over at the net-neutrality debate, one sees that overburdening regulation is not always the modus operandi in Europe, as there the focus is on transparency. In Europe, strict regulation of internet service providers is avoided, and instead full disclosure of network management practices is required (Stover 2010, 80-81).
  9. 9. This might explain the desire for opt-in (as opposed to opt-out) measures seen in the EU document, which US-based companies tend to oppose (Facebook 2012).
Conclusion: Global implications
Legislation proposed in the EU document will go into effect in 2014 pending European Parliament approval. Brussels will be inundated with representatives from various stakeholders jockeying for their positions. Convergence of issues and technologies ensures that the right-to-be-forgotten has implications for international relations. For one, other countries are looking to the EU for leadership, and there is a good chance that whatever comes out of the EU will become a basis for how countries model their legislation, from diverse areas like South Africa and the Middle East—and the legislation could even influence US law (Kanter and Sengupta 2013, Shaffer 2000). Developments in the United States in June of 2013 on data privacy and the ongoing transatlantic trade negotiations between the United States and the EU have made the right-to-be-forgotten an even more prominent issue for diplomats.6 Data privacy, for example, will have to be discussed in the context of the trade negotiations, and there have also been proposals in Europe for an internet tax. All these issues are beyond the scope of this brief, but are worth exploring separately as they are connected to the ultimate resolution of digital data privacy in Europe.
6 On June 5, 2013 The Guardian and Washington Post reported that a secret US national security program (PRISM) had direct access to servers of internet firms including Apple and Facebook (source: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data; http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html).
  10. 10. Bibliography
Bowcott, Owen. "Britain seeks opt-out of new European social media privacy laws." The Guardian. April 4, 2013. http://www.guardian.co.uk/technology/2013/apr/04/britain-opt-out-right-to-be-forgotten-law (accessed June 5, 2013).
Cameron, David. "Speech to the European Union." Transcript. London, January 22, 2013.
Druschel, Peter, Michael Backes, and Tirteria Rodica. The right to be forgotten - between expectations and practice. Brussels: ENISA, 2012.
Eko, Lyombe, Anup Kumar, and Qingjiang Yao. "Google This: The Great Firewall of China, the IT Wheel of India, Google Inc., and Internet Regulation." Journal of Internet Law (Aspen Publisher Inc.), 2011: 3-14.
European Commission. Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, European Union, Brussels: European Union, 2012.
European Union. "Charter of Fundamental Rights of the European Union." Official Journal of the European Communities, 2000.
Facebook. "Facebook’s views on the proposed data protection regulation." europe-v-facebook.org. March 30, 2012. http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf (accessed June 17, 2013).
Florida Star v. B.J.F. 491 U.S. 524 (US Supreme Court, June 21, 1989).
High-Level Group on the Information Society. "Recommendations to the European Council: Europe and the global information society." Brussels, May 26, 1994.
Kanter, James, and Somini Sengupta. "Europe Continues Wrestling With Online Privacy Rules." New York Times. June 6, 2013. http://www.nytimes.com/2013/06/07/technology/europe-still-wrangling-over-online-privacy-rules.html?src=recg (accessed June 21, 2013).
Renard, Thomas. The European Union and Emerging Powers in the 21st Century: How Europe Can Shape a New Global Order. Surrey, England: Ashgate, 2012.
Reuters. Spain refers Google privacy complaints to EU's top court. March 2, 2012. http://www.reuters.com/article/2012/03/02/us-eu-google-idUSTRE8211DP20120302 (accessed June 17, 2013).
Rosen, Jeffrey. "The Right to be Forgotten." Stanford Law Review, no. 64 (February 2012): 88-92.
Shaffer, Gregory. "Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting up of US Data Privacy Standards." Yale Journal of International Law, Winter 2000.
  11. 11. Stover, Christine M. "Network Neutrality: A Thematic Analysis of Policy Perspectives Across the Globe." Global Media Journal 3, no. 1 (2010): 75-86.
United Nations. The promotion, protection and enjoyment of human rights on the internet. UNHCR, New York: United Nations, 2012.
Venturelli, Shalini. Liberalizing the European Media. New York: Oxford, 1998.
Whitman, James Q. "The Two Western Cultures of Privacy: Dignity versus Liberty." The Yale Law Journal, 2004: 1151-1221.