Post on 26-Jan-2023
1
Behind closed doors? Justifying what’s off limits online. An examination of the application of privacy laws online, particularly in
the context of the EU’s Right To Be Forgotten.
By Emma Fitzsimons
Abstract
The European Commission’s proposal of a new ‘right to be forgotten,’ contained in
the Draft General Data Regulation, sparked much controversy among US and
European commentators, suggesting a more fundamental conceptual gulf between the
two jurisdictions. For privacy advocates, the Commission’s proposal is to be
welcomed, as it may represent a first step towards a recalibration of the data
imbalance precipitated by the Internet, in favour of the individual, and away from the
State and private enterprise. This article sets out the Commission’s proposal and
examines the American objections to the right. It also sets out potential normative
justifications for a new EU protection of data. Finally, it attempts to reconcile the two
perspectives by reference to the functioning of the right in practice.
Introduction
The right to be forgotten emerged in 2013 as a hot topic in the legal world, achieving
its own hashtag on Twitter1, an appropriate feat for legal discussion in the digital
zeitgeist. If online trends are indicative of anything, it is usually the perforation of an
issue into the general online psyche, and this trend shows Internet users are becoming
savvier in their calls for greater privacy protection.
Unsurprising, given that 2013 was the year of Edward Snowden2, Twitter libel
lawsuits3, revelations that Facebook tracks unpublished posts4 and the horrifying
1 The use of a hashtag symbol (#) on the social media platform Twitter allows users to make their ‘Tweets,’ searchable. In this way, comments can be shared globally, and the use of hashtags denotes a topic trending in discussion. As of January 2014, it was possible to view online discussion via #RighttoForget on Twitter. 2 Glenn Greenwald, Ewen MacAskill and Laura Poitras, ‘Edward Snowden: the whistleblower behind the NSA surveillance revelations,’ The Guardian (London, 10 June 2013)
2
phenomenon of online ‘slut shaming’ evidenced by the #SlaneGirl controversy5. Yet,
for legal academics, the real controversy was sparked not by revelations of mass
surveillance but the comments of an EU official calling for greater online privacy
protection for individuals.
In January 2012, the European Commissioner for Justice, Fundamental Rights and
Citizenship, Viviane Reding, announced the European Commission’s plans for a right
to be forgotten6. It prompted an almost hysterical reaction from some American
scholars, crystallising a clear conceptual divide between American and European
perspectives on the balance between privacy and freedom of expression.
Those criticisms seemingly operate in a vacuum, paying little regard to the genuine
concerns of consumers, who increasingly are opting for privacy-compliant products7,
as well as a significant constituency of human rights lawyers, concerned about the
implications of mass surveillance on liberty at large8. The fears of some US
commentators indicate an almost irrational reverence for a notion of free speech,
which fails to take account of the factual realities of the Internet: an enormous wealth
of personal data is held by corporate giants, susceptible to the prying eyes of hackers9
and state surveillance agencies10, with minimal oversight11.
3 Kundal Dutta, ‘Lord McAlphine libel row with Sally Bercow settled in High Court,’ The Independent (London, 22 October 2013) 4 Jennifer Golbeck, ‘On Second Thought…Facebook wants to know why you didn’t publish that status update you started writing,’ Slate.com (New York, 13 December 2013), available at: http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html 5 Carl O’Brien, ‘Slane sex act photos: a salutary lesson of how social media can exploit and abuse,’ The Irish Times (Dublin, 21 August 2013) 6 Viviane Reding, Vice President, European Commission, The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age 5 (22 January 2012), available at: http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/26&format=PDF 7 See, for example, “DeleteMe—Protect Your Personal Data and Reputation Online,” Abine Inc., available at: https://www.abine.com/deleteme/landing.php. Steve Henn, “Fixing Your Online Reputation: There’s An Industry for That,” NPR (29 May 2013), available at: http://www.npr.org/blogs/alltechconsidered/2013/05/29/187080236/Online-Reputation 8 Jef Ausloos, ‘The “Right to be Forgotten” - Worth Remembering’ (2012) 28 Computer Law and Security Review 7; Richard Cumbley and Peter Church, ‘Is “Big Data” Creepy’ (2013) 29 Computer Law and Security Review 601; and Fred H. Cate, ‘The Growing Importance and Irrelevance of International Data Protection Law’ (LCIL Snyder Lecture, Cambridge, 2012). 9 Daniel Johnson, ‘More than two million web accounts hacked,’ The Daily Telegraph (London, 5 December 2013) 10 Barton Gellman and Ashkan Soltani, ‘NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say,’ Washington Post (Washington DC, 30 October 2013)
3
This essay argues for reconsideration of the right to be forgotten in light of changes in
human behaviour and technology, arguing that our American cousins may be
sacrificing their real liberty in favour of a phony notion of an Internet free from
regulation, whilst their every move12, thought13 and purchase14 remains held on a
server somewhere, waiting to come back to haunt them.
Part I of this essay considers the draft EU Data Protection Regulation, containing a
right to be forgotten. Part II discusses the American objections to the right. Part III
sets out the normative justifications in favour of a right to be forgotten. Part IV
outlines how American and European perspectives might be reconciled with reference
to the operation of the right in practice.
I. The draft EU Data Protection Regulation
In January 2012, Commissioner Viviane Reding outlined the aims of draft EU Data
Regulation, stating that individuals should have “better control over their own data”15.
She indicated that the proposed new rules would provide not only “easier access to
one’s own data”16 but also that “people shall have the right – and not only the
‘possibility’ – to withdraw their consent to the processing of the personal data they
have give out themselves”17. Such a right is not absolute: newspaper archives were
cited as a potential legitimate and legally justified exception to the right. Accordingly,
the right “cannot amount to a right of the total erasure of history,”18 and needs to be
balanced against freedom of expression.
11 Linda Sandler, ‘In California, one judge may upend how Internet giants use data gleaned from users,’ Chicago Tribune (Chicago, 4 January 2013) 12 Noam Cohen, ‘It’s Tracking Your Every Move and You May Not Even Know,’ The New York Times (New York, 26 March 2011) 13 Megan Carpentier, ‘What Your Search History Says About You (and How to Shut It Up),’ Huffington Post (New York, 31 October 2013) 14 Elizabeth Dwoskin and Greg Bensinger, ‘Tracking Technology Sheds Light on Shopper Habits,’ Wall Street Journal (New York, 9 December 2013) 15 Supra fn 6 16 Ibid 17 Ibid 18 Ibid
4
Article 17 of the draft Regulation contains a right to erasure19: it is enforceable against
the data controller on request by the data subject. The right to request deletion of all
personal data held by the controller is exercisable in four circumstances:
(i) The data is no longer necessary in relation to the purposes for which it
was collected or otherwise processed;
(ii) The data subject withdraws consent;
(iii) A court or regulatory authority based in the EU has ruled as final and
absolute that the data must be erased; or
(iv) The data has been unlawfully processed.
The draft Regulation provides for the seven exceptional circumstances in which the
controller is permitted not to delete the data. Article 17 provides that the data
controller may be allowed to retain and not delete the data if any of the following
apply:
(a) For exercising the right of freedom of expression with Article 80;
(b) For reasons of public interest in the area of public health in accordance
with Article 81;
(c) For historical, statistical and scientific research purposes in accordance
with Article 83;
(d) For compliance with legal retention obligations;
(e) The retention is necessary for the performance of a contract;
(f) The data has to be maintained for future purposes of proof;
(g) The particular type of storage technology does not allow for deletion and
has been installed before the Regulation entered into force.
Finally, the right to erasure does not apply in the context of national security issues or
criminal investigations20.
Despite its recent emergence in EU matters, the right to be forgotten is not a new
19 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 9, COM (2012) 11 final (25 January 2012). 20 Meg Leta Ambrose, ‘A Digital Dark Age and the Right to be Forgotten,’ (2013) 17 Journal of Internet Law 3, 10
5
concept, having its origins in the French and Italian legal systems, in their concepts of
a right to oblivion,‘droit à l’oubi’ or ‘diritto al’obli.’ It operates as “the right to
silence on past events in life that are no longer occurring21,” usually in the context of
criminal convictions, or sensitive information, as seen in the recent French case,
Mosley c. Google Inc et Google France22 in which Google was ordered to filter out
hyperlinks to images of the former F1 boss in an allegedly Nazi-themed orgy.
As Bernale23 points out, the version mooted by the Commission would not operate
like continental domestic versions, but rather would be more appropriately referred to
as a ‘right to delete.’ In this respect, it does not have the same chilling effect
implications that may be raised in cases concerning silence about the past, such as the
challenge to Wikipedia’s publication by two Germans convicted of murdering a
famous actor of their criminal history24.
For the avoidance of doubt, it should be noted that the existing state of EU data
protection law is being litigated in Google Spain v AEPD25. The case concerns an
individual’s request to remove information relating to his financial history from
Google’s search engine, and raises a question pertinent to this paper: whether the
current EU data protection law provides a right to be forgotten. The Advocate
General’s opinion, though not binding on the Court, provides that existing Data
Protection Directive 1995 does not envisage a right to be forgotten, even when read in
light of the Charter of Fundamental Rights of the European Union.
This author submits that the Advocate General’s opinion must be correct for the
following reasons: (i) if the protection already existed under the Directive, it would be
unnecessary for the Commission to propose new legislation; (ii) the Charter itself
cannot be used to create new substantive right, again if the protection already existed
under the Directive, it would be unnecessary for the Commission to propose new
21 Giorgio Pino, ‘The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made Rights,’ in Mark Van Hoecke & François Ost (eds.) The Harmonisation of European Private Law (Hart 2000) 237 22 TGI Paris, 17e ch., 6 novembre 2013, RG 11/07970, Max Mosley c. Google Inc et Google France. 23 Paul A. Bernal, ‘A Right to Delete?’ (2011) 2 European Journal of Law and Technology 24 John Schwartz, ‘Two German Killers Demanding Anonymity Sue Wikipedia’s Parent,’ New York Times (New York, 12 November 2009) 25 Case C-131/12 Google Spain v AEPD, Opinion of AG Jääskinen, delivered on 25 June 2013.
6
legislation; (ii) the Charter itself cannot be used to create new substantive right, again
suggesting that legislative reform would be necessary, consistent with the
Commission’s course of action to date; (iii) the existing Directive dates back to 1995,
before the Internet accounted for 97% of the world’s telecommunications traffic and
so is unlikely to envisage the need for such a right; (iv) the Commission’s choice of
instrument for the new draft Data Protection Regulation is significant, suggesting it
intends to secure a new legal protection homogenously across the EU, indicative of an
existing gap in protection or practice; and (v) the Commissioner’s communications
emphasise ‘new’ protections. Nonetheless, the opinion does not bind the Court, and it
remains to be seen how it shall rule on the matter.
However, caution should be exercised here not to conflate the European Court of
Justice’s forthcoming pronouncement on the state of existing privacy protection with
the Commission’s proposal of a new right to be forgotten. Some commentators have
strayed dangerously, using the Advocate General’s opinion as a means of ending the
debate on the advisability of a right to be forgotten26. Respectfully, that misses the
issue: the vital matter for consideration is whether, going forward, EU law should
include a right to be forgotten.
II. American objections to the Right
These developments have not been welcomed in all quarters. Even a cursory
inspection of the literature reveals a transatlantic gulf27 in perspectives of American
and European scholars. Two of the harshest critics, Rosen28 and Fleischer29, have
26 Orla Lynskey, ‘Time to Forget the ‘Right to be Forgotten’? Advocate General Jääskinen’s Opinion in C-131/12 Google Spain v AEPD,’ (3 July 2013), available at: http://europeanlawblog.eu/?p=1818 27 Before embarking on an exposition of the mainstream ‘American’ view here, I use the term ‘American’ to connote a traditional view of the primacy of free speech over privacy. Of course there are American academics more in favour of greater protection: an example of this is Justin Brockman, ‘Europe Revisiting Privacy Law is Opportunity, not Catastrophe,’ Center for Democracy & Technology (12 November 2010). Rosen and Fleischer’s views substantiate the proposition that the traditional American reading of free speech trumps privacy, given the absolutist nature of the First Amendment. Further support for the proposition that there is indeed a US-Europe divide is provided by Steven C. Bennett, ‘The Right to Be Forgotten: Reconciling EU and US Perspectives’ (2012) 30 Berkeley Journal of International Law 161 28 Jeffrey Rosen, ‘The Right to Be Forgotten’ (2012) 64 Stanford Law Review Online 88. See also by Rosen: ‘The Deciders: The Future of Privacy and Free Speech in the Age of Facebook and Google,’ (2012) 80 Fordham Law Review 1525; ‘Free Speech. Privacy, and the Web That Never Forgets,’ (2011) 9 Journal of Telecommunications and High Technology Law 345 29 Peter Fleischer, ‘Foggy Thinking About the Right to Oblivion,’ (9 March 2011), available at: http://peterfleischer.blogspot.ie/2011/03/foggy-thinking-about-right-to-oblivion.html
7
dismissed the right as “the biggest threat to free speech on the Internet in the coming
decade”30 and “foggy thinking,”31 incongruous with the fundamental American value
of free speech. For the sake of conciseness, their views will be used in this paper as an
example of the concerns of privacy sceptics at large - the rationale being that if such
views represent the most critical in the literature, and they can be undermined here,
the onus should shift back to the sceptics to defend their reluctance to expand privacy
protection.
Fleischer, Counsel for Privacy at Google32, outlines three potential scenarios in which
a right to forget may operate:
(i) A right to access and rectify one’s personal data, which represents a mere
rebranding of existing laws on data protection;
(ii) A new right to delete information about oneself, even if published by a
third party;
(iii) A new right to delete, exercisable not just against the publisher of the
content, but also search engines and other hosting platforms.
Given Google’s potential liability as a co-defendant, Fleischer’s concern is with the
third category. The question then becomes is it fair to impose liability on search
engines in this third category? As Fleischer concedes, there can be no hard and fast
answer to this: he notes that such a dispute would require judicial resolution, being the
classic challenge between freedom of expression and privacy. It is not possible to
provide a rule on liability in abstracto, particularly when the stakes are so high for the
individual and their personality, reputation and private life. Rosen is also deeply
concerned with the third scenario, stating that it “raises the most serious concerns
about free expression,”33 but cites nothing more that the First Amendment as authority
for his justification.
Rosen is quick to dismiss privacy concerns as little more than the revelation of
30 Supra fn 34 at 88 31 Supra fn 35 32 Whilst Fleischer arguments are representative of his own views only, it is submitted that his professional experience no doubt colours his perspective. 33 Supra fn 34 at 91
8
“embarrassing information,”34 without much consideration of what really is at stake
here for individuals. An Argentinean case, Da Cunha v Yahoo and Google35,
illustrates both the problems inherent in the current unregulated Internet model, as
well as an example of a legitimate basis for the right to operate.
Da Cunha, an Argentine pop singer, brought a claim against the search engines upon
discovering that her name and photographs appeared in search results linked to sexual
content, pornography and escorts. She claimed this was done without her permission,
and moreover, the linking of her name and person to such material seriously harmed
her reputation and career. The search engines argued she failed to establish any
wrongdoing on their part, showing no causal link between their activities and the
harm suffered.
Da Cuhna’s claim prevailed at trial but was later overturned on appeal. Yet, the facts
at least show that there may be some merit in affording individuals a right to control
the use of their image or their data online. Rosen’s treatment of Da Cuhna is
deliberately selective36: he refers only to the fact that the claimant had posed for
lingerie pictures in her youth; he makes no reference to the fact that such pictures
were being used without her consent, to promote prostitution and escort agencies. No
doubt this is to trivialise the potential harm here, and substantiate his view that the
right represents a major assault on free speech.
Yet, what chilling effect is there here to fear? A false representation, suggesting this
individual is associated with illegal activity. That surely cannot be said to be a
justifiable use of the First Amendment – a perpetuation of a damaging and untruthful
association about an individual surely cannot be objectively justified as
34 Ibid 35 ' Leo González Pérez, ‘La pelea entre modelos y buscadores sumó otro round,’ CLARÍN (23 August 2010), available at: http://www.clarin.com/sociedad/pelea-modelos-buscadores-sumo-round_0_322167828.html. 36 For a more balanced treatment of the Da Cuha litigation, as well as the reasoning of the appeal judges, see, Edward L. Carter, ‘Argentina’s Right to Be Forgotten,’ (2013) 27 Emory International Law Review 23
9
‘newsworthy’37 even by high watermark US decisions38.
Another concern common in Rosen and Fleischer’s work is that EU law may now
bind American corporations. Unfortunately, that is a harsh reality of the economic
market: if Google and Yahoo wish to operate in Europe, in a jurisdiction which is
more privacy-concerned, in both laws and attitudes, then they must operate in
accordance with local laws. Rosen offers no other principled objection except that in
the American context, the First Amendment protects all content disseminating truthful
but embarrassing information, as long as the information was legally acquired39.
Rosen’s critique fails to take account of the different standard afforded to privacy in
Europe, as well as ignoring US case law on the First Amendment’s limited
international reach. In Yahoo! Inc. v La Ligue Contre Le Racisme Et
L’Antisemitisme40, the Ninth Circuit held that the First Amendment is of less
importance in the context of international communications. That case concerned a
challenge to the enforceability of a French court’s order compelling Yahoo to refrain
from selling Nazi memorabilia on its website, as the sale of such material is illegal in
France. The Ninth Circuit held,
“…the extent of First Amendment protection of speech accessible solely by
those outside the United States is a difficult and, to some degree, unresolved
issue.”41
Rosen’s core critique is that the emergence of this right represents a fundamentally
37 For discussion on inability to reconcile traditional First Amendment jurisprudence with a right to be forgotten, see Jasmine E. McNealy, ‘The Emerging Conflict between Newsworthiness and the Right to be Forgotten,’ (2012) 39 Northern Kentucky Law Review 119. 38 For US case law on First Amendment protection, see, for example, New York Times Co. v. Sullivan, 376 U.S. 254 (1964): held that actual malice is required for claimant to establish liability for defamation claims; Curtis Publishing Co. v. Butts, 388 U.S. 130 (1967): held that public figures who are not public officials may still sue news organisations if they disseminate information about them which is recklessly gathered and unchecked; Gertz v. Robert Welch, Inc., 418 U.S. 323 (1974): actual malice not necessary for defamation of private person if negligence is present; Westmoreland v. CBS (1982): reaffirmed New York Times Co. v. Sullivan rule. C.f. English defamation law has typically been viewed as more claimant-friendly, leading to the label of London as the ‘libel tourism capital,’ as discussed by Gavin Phillipson, ‘London: the capital of libel tourism?’ The Guardian (London, 29 March 2010) 39 Supra fn 31 40 Yahoo! Inc. v La Ligue Contre Le Racisme Et L’Antisemitisme 433 F. 3d. 1199 (9th Cir. 2006) 41 Ibid at 1217
10
different weighting of two competing norms, privacy and expression. That is not an
argument; that is a fact. European laws on privacy are different because
fundamentally, European sensitivities are different; both EU law and the European
Convention on Human Rights (ECHR) favour a balance between the two competing
interests42. Rosen articulates no cogent reason for Europeans to abandon their
balancing approach in favour of an absolutist view of free speech. No evidence is
offered to suggest that European existing privacy law, either ECHR or EU, inhibit
expression to the detriment of the exchange of ideas or broader notions of liberty.
Indeed, as a European pro-privacy advocate, this author would submit that this gulf in
perspective not only represents a cultural clash of two views of free speech, but a
power struggle between American corporations and European regulators. It will be
interesting to see if the European Commission holds it nerve in forthcoming
negotiations with the Internet giants.
III. Normative justifications in favour of the Right
Having considered the weaknesses in the American perspective, it is submitted that
there are four substantive arguments in favour of the right:
§ The autonomy argument;
§ The behavioural argument;
§ The evolutionary argument; and
§ The utilitarian argument.
1. The Autonomy Argument: Individuals should be able to assert control over their
personal data
The strongest argument in favour of the right is clearly that any real understanding of
autonomy should include an individual’s ability to assert control over their data. It is
submitted that if US commentators engaged in an autonomy analysis, it might
alleviate any concerns that the creation of such a right would, in practice, relinquish
control of the Internet to the State. That concern, for all its paranoia, overlooks the
42 The European Convention on Human Rights protects the right to respect for private and family life in Article 8 and the Charter of Fundamental Rights of the European Union grants the respect for private and family life in Article 7. The Charter provides additional protection for personal data in Article 8.
11
fact that current control of data already vests with corporate giants and the State43.
Surely, the law could redress this seismic power imbalance by providing the
individual with the right to control their data online.
As Bernale explains, the right is not an “instrument of censorship”44 but a right with
potential positive impact in terms of recalibrating the data balance. Bernale argues
that the right would not only empower individuals but may initiate a change in data
collection practices, by making Internet companies justify the need for retention45.
That would help achieve a more privacy-compliant Internet, as corporations would no
longer be able to justify mass surveillance – even if only for economic profiling46 – of
innocent individuals accused of no crime.
2. The Behavioural Argument: Participation in an online community need not need
entail forfeiture of an expectation of privacy
Ultimately, the Internet has triggered a paradigm shift in behaviour. In their seminal
article from 1890, Warren and Brandeis pointed to the absence of any mechanism in
American law which would compel an individual to divulge information about his
private life and thoughts, save for the witness stand as justification for privacy.47 It is
striking that their concern focused on the forced or compelled expression of one’s
thoughts and feelings, particularly in the digital age when millions of social media
users catalogue their every thought and photograph every aspect of their life.
It may be argued then, that the advent of social media has changed behaviour forever:
for example, Snapchat, a mobile app that allows users to send photos that disappear in
10 seconds, distributes 200 million images a day48. Should the law change to reflect
behavioural changes? For support for such a proposition, we need not look any further
that Warren and Brandeis themselves, who argued that “political, social, and 43 Barton Gellman and Ashkan Soltani, ‘NSA “hacked Google and Yahoo’s data centre links,” Snowden documents say,’ The Independent (London, 30 October 2013) 44 Supra fn 25 45 Supra fn 25 46 Ramnath K. Chellappa and Raymond G. Sin, ‘Personalization versus Privacy: An Empirical Examination of the Consumer’s Online Dilemma,’ (2005) 6 Information Technology and Management 181 47 Samuel D. Warren and Louis D. Brandeis, ‘The Right to Privacy,’ (1890) 4 Harvard Law Review 193, at 198 48 Meg Leta Ambrose, ‘A Digital Dark Age and the Right to be Forgotten,’ (2013) 17 Journal of Internet Law 3, at 9
12
economic changes entail the recognition of new rights.”49 If that position can be
invoked to argue for the creation of a general right to privacy, why can it not also
support a revised understanding of privacy law in light of substantial behavioural
change?
Hughes50 has argued for a re-conceptualisation of privacy in light of behavioural
understandings, and in particular, the social interaction theory promulgated by
Altman51. Altman describes privacy as “selective control of access to the self or one’s
group,”52 a useful definition applicable to social media, given the varying levels of
privacy protection available to users53.
A constant refrain from privacy sceptics is that as nothing online is truly private, the
only way to guarantee privacy is to get offline54. This fails to take account of the
sophisticated nature of the Internet, ignoring the multi-faceted nature of digital
communications, as well as both societal and individual responses to the web. The
Internet is sui generis: it does not reconcile easily with orthodox notions of spatial55
and structural56 limits of privacy. It has become ubiquitous and indispensable to
modern life, and even if one keeps off social network, an enormous amount of data
about individuals still remains in the hands of digital giants57.
49 Supra fn 48 at 193 50 Kirsty Hughes, ‘A Behavioural Understanding of Privacy and its Implications for Privacy,’ (2012) 75:5 Modern Law Review 806 51 Irwin Altman, The Environment and Social Behavior: Privacy, Personal Space, Territory and Crowding (Cole Publishing Company, 1975). 52 Ibid at 18 53 Facebook enables individual users to modify their privacy settings, even allowing for the creation of settings, which provide for publication of content to selective audiences, allowing the individual user the autonomy to decide whether posts are intended for global publication. 54 Shane Gibson, ‘Get Off the Internet – My Thoughts on the US Government, Google, Facebook and Privacy – Privacy is a Myth on the Internet,’ ClosingBigger.Net (3 June 2013) available at: http://closingbigger.net/2013/06/get-off-the-internet-my-thoughts-on-the-us-government-google-facebook-and-privacy/ 55 For discussion of the traditional characteristics and limits of the concept of privacy, see Ruth Gavison, ‘Privacy and the Limits of the Law,’ (1980) Yale Law Journal 421, at 422 - 439 56 Ibid 57 Even if an individual does not use a social networking website, a huge amount of data on that individual can be collected and stored by search engines, via products like Google Analytics, which help track web surfers via page tags. Most web surfers are not even aware that the websites they browse use Google analytics to monitor and track their habits. See, inter alia, Raizel Liebler and Keidra Chaney, ‘Google Analytics: Analyzing the Latest Wave of Legal Concerns in the US and the EU,’ (2010) 7 Buffalo Intellectual Property Law Journal 135
13
Calling for non-participation as a means of procuring privacy (i) fundamentally
misunderstands the nature of the digital age, (ii) ignores the fact that mere access to
Broadband technologies has been gaining traction as a human right in and of itself58,
and (iii) is an unsatisfactory response in terms of legal scholarship. With respect, the
views of such sceptics provide little by way of substantive contribution or workable
solutions for the digital age. Simply calling for the return of Pandora’s demons into
the box will not help.
Furthermore, calls for non-participation misses a fundamental aspect of the Internet:
informed consent is not always provided. To invoke the dangerous mindset from
Lochner v New York59, suggesting that individuals have some opportunity to opt out
or negotiate with Internet giants operates on a flawed assumption that assumes equal
bargaining power between the parties.
Hughes’ argument that behaviour should help our understanding of how privacy law
should develop60 therefore gains real currency in a world where behaviour is changing.
The ‘micro’ problems with consent should be addressed so as to make agreement to
terms and conditions more transparent, and the ‘macro’ problems of defining privacy
should address the complexities of 21st century behaviour. A right to merely be left
alone61 no longer seems sufficient in light of exponential growth of the Internet: a
more sophisticated right, which can invoke different expectations based on context,
and where consent is retractable is more desirable than simply calling for non-
participation online.
3. The Evolutionary Argument: Forgetting is good for humans
58 See, for example, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, 16 May 2011 59 Lochner v. New York, 198 U.S. 45 (1905) The lamentable decision of the US Supreme Court has been criticised for starting from a flawed premise which ignored the fact that employees in 20th century New York had zero bargaining power to assert better conditions, thus the ‘freedom of contract’ analysis adopted by the Court is deployed defectively, since one of the fundamental requisites, the equal bargaining power of the parties, was completely absent from the bargain. Support for this analysis is contained in Paul Kens, ‘Lockner v New York: Tradition or Change in Constitutional Law?’ (2005) 1 New York University Journal of Law & Liberty 404 60 Supra fn 53 61 As first discussed by Thomas Cooley, A Treatise on the Law of Torts (Callaghan and Company, 1888), and developed by Samuel D. Warren and Louis D. Brandeis, ‘The Right to Privacy,’ (1890) 4 Harvard Law Review 193
14
Ironically, one argument absent from the literature is the importance of forgetting.
Mayer-Schönberger62 has written extensively on this: drawing on Schachter’s work on
the psychological mechanics of memory, he explains how human forgetfulness
actually serves an important social function, which could influence how digital
memory is addressed in future.
Schachter proposes that as the human brain constantly reconfigures memory, based on
preferences and needs, memory is a living, evolving construct63. Empirical research
shows that human memory does not have a mere “simply decay function,”64 and
memory is fallible to suggestion from external influence, and cannot therefore always
be reliable. Yet, Schachter argues this vulnerability of memory is not a defect of
natural selection, but rather a necessary attribute for human experience: modified
memories help humans “reason swiftly and economically, to abstract and generalise,
and to act in time, rather than remain caught up in conflicting recollections”65.
Despite human efforts to achieve perfect memory, from the time of the papyrus scroll
through to the invention of the camera, Mayer-Schönberger argues “forgetting has
remained just a bit easier and cheaper than remembering”66. If forgetting has
remained in spite of two millennia of technological attempts to remember, then there
may well be evolutionary benefits in forgetting. Our ability to forget is an important
tool for survival and social growth, enabling us “to unburden ourselves from the
shackles of our past, and to live in the present”67.
4. The Utilitarian Argument: Forgetting is important for society
If Mayer-Schönberger’s premise is accepted, then it may be assumed forgetting will
trigger societal benefits, offering a utilitarian justification for the right, in line with the
greater happiness principle68.
62 Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age, (Princeton University Press, 2009) Chpt 2 63 Ibid 64 Supra fn 58 65 Ibid 66 Ibid 67 Ibid 68 John Stuart Mill, Utilitarianism (Dover Publications, 2007), Chpt 2
15
Indeed, Mill’s very benefits of free speech – no core monopoly on truth69; recognition
of the individual’s right to develop his thoughts and ideas70 – are the same benefits
brought by forgetting. To leave behind adolescent immaturities undoubtedly helps not
only the individual, but cultivates a happier community, by enabling society a whole
to release itself from youthful shackles.
The very act of digitalisation of information threatens such development.
Condemning individuals to stagnate, in the indiscretions of youth, broadcast
unwittingly online, will have negative implications for society generally. If the
common goal for free speech enthusiasts and privacy advocates is that individuals
should be free to determine their own progression and development, then surely the
right to forget is a corollary to expression in the 21st century.
IV. Reconciling the two perspectives in practice
Whilst some academics like Bennett71 have attempted to reconcile the US-EU divide
by reference to features of US law that protect past matters, like bankruptcy law,
credit reporting and criminal law72, it is submitted that seeking doctrinal harmony
between the two jurisdictions should not be the focus of future scholarship, but rather,
how practically a right to be forgotten could operate in Europe whilst guaranteeing
freedom of expression.
The real problem for those like Fleischer is pragmatic: they fear the imposition of
liability on innocent search engines as if they were data processors in the conventional
sense. However, that is a question of applicability and scope; it is not a concern that
justifies wholesale rejection of the right.
Google operates by way of algorithm73, and so logically, cannot be expected to police
search results of all potentially sensitive material. The only reasonable way in which
search engines could be caught was if they were notified – in other words, they must
69 John Stuart Mill, On Liberty, (JW Parker & Son, 1859), Chpt 2 70 Ibid, Chpt 3 71 Steven C. Bennett, ‘The Right to Be Forgotten: Reconciling EU and US Perspectives’ (2012) 30 Berkeley Journal of International Law 161 72 Ibid at 167 73 For an explanation of the algorithm method, see: http://www.google.com/intl/en_us/insidesearch/howsearchworks/algorithms.html
16
have actual knowledge via the classic notice-and-take-down mechanism, already used
extensively for defamation and discussed at length by the European Court of Human
Rights in Delfi AS v Estonia74.
Indeed, the solution for Google may not be so alien at all, and is already present in
section 512 of the Digital Millennium Copyright Act75. Section 512 of this American
statute provides that hosting services are exempt from liability if they respond
expeditiously to notice of copyright infringement by removing hosted content or
hyperlinks. Had Da Cuhna benefitted from such a right, she could have notified
Google of the damaging association incurred, and they could have responded by
blocking search results in much the same way they do with pirated media files. Little
in the literature discusses the viability of notice-and-takedown in this context, or
explains why it may be perfectly workable model for intellectual property rights, but
not personality or privacy rights76.
That is not to say the Commission’s proposal is perfect: indeed, as McGoldrick77
identifies, there remain three key areas in need of further consideration:
(i) Ensuring the role of the press as watchdog is upheld is extremely
pertinent to the operation of the Regulation’s exceptions;
(ii) Specificity in remedial orders from domestic courts so Internet
companies are given sufficient guidance; and
(iii) Exploration of ‘contextualisation’ over erasure - it may be that some
claims only require a pop-up notification that the content or data was
subject to legal proceedings, or outcome of such proceedings, to
vindicate the privacy rights of the individual. 74 Delfi AS v Estonia (App. No 64569/09). The case concerned the liability of the biggest Internet news portal in Estonia, for the comments made by its readers on a thread at the end of an online news article. The Court held that a fine imposed on the portal by the Estonian courts for defamation proceedings was a justified and proportionate interference with the portal’s right to freedom of expression. In particular, the Court noted that had the portal availed of a notice-and-takedown notification system, it may have affected its liability at first instance; as it stood, the portal had completely failed to police the comments, whilst profiting from the traffic on its comment threads, and therefore the subsequent domestic proceedings were justified. 75 Digital Millennium Copyright Act, 17 U.S.C. § 512 (2011) 76 Google already publishes its response to copyright infringement requests, for example: http://www.google.com/transparencyreport/removals/copyright/ 77 Dominic McGoldrick, ‘Developments in the Right to be Forgotten,’ (2013) 13:4 Human Rights Law Review 761, at 774 – 775
17
If this can be resolved, albeit with “sophisticated lawyering,”78 it will not trigger the
total erosion of free speech as is feared, but rather, provide individuals with a remedy
to control their data, privacy and personality rights online. Thus, the development of
this right recognises that the digitisation of information does not necessitate the
abandonment of important socio-legal values like privacy.
On a more pragmatic level, it should be noted that the EU has already recognised the
legal and cultural significance of the First Amendment, for American corporations
operating outside of the USA, via the creation of the ‘Safe Harbor’ Framework.
As a result of the introduction of the existing Data Protection Directive in 1998, the
European Commission negotiated with the US Department of Commerce so as to
develop a Safe Habor Framework, the purpose of which is to enable American
companies to process data from EU countries, in a streamlined way. American
organisations are therefore able to self-certify that their processes and procedures
meet the ‘adequacy’ of protection imposed by the Directive. In practical terms, a
certification of ‘adequacy’ will usually protect an American company from
interruptions to business or prosecution, so long as it complies with the relevant data
protection principles - notice, choice, onward transfer, access, security, data integrity
and enforcement – and can demonstrate its privacy policy is in compliance with the
US-EU Safe Harbor Framework.
The mechanism does appear to work fairly effectively79, despite low rates of uptake,
and even imposes some US sanctions for non-compliance, as advice from the US
Department of Commerce indicates,
“If an organization persistently fails to comply with the U.S.-EU Safe Harbor
Framework requirements, it is no longer entitled to benefit from the U.S.-EU
Safe Harbor. Persistent failure to comply arises where an organization refuses 78 Supra fn 72 at 775 per McGoldrick 79 See, for example, Virginia Boyd, Financial Privacy In The United States And The European Union: A Path To Trans-Atlantic Regulatory Harmonization, 24 Berkeley Journal of International Law 939, 969 (2006) (summarizing development of Safe Harbor program); Alexander Zinser, The Safe Harbor Solution: Is It An Effective Mechanism For International Data Transfers Between The United States And The European Union? 1 Oklahoma Journal of Law and Technology 11 (2004)
18
to comply with a final determination by any self-regulatory or government
body or where such a body determines that an organization frequently fails to
comply with the requirements to the point where its claim to comply is no
longer credible. In these cases, the organization must promptly notify the
Department of Commerce of such facts. Failure to do so may be actionable
under the False Statements Act (18 U.S.C. § 1001)”80.
If it is already the case that Internet giants, like Google, do comply with the EU data
protection principles, it seems artificial to now suggest that an introduction of a new
protection will somehow jeopardise the delicate interplay between US free speech and
European privacy laws: respectfully, those concerns are already adequately managed
via the safe habor framework. If those concerns were borne out in practice, it would
be difficult to comprehend why exactly the US Department of Commerce consented
to the introduction of liability for persistent non-compliance. It has also been
suggested by some that the Framework has been somewhat successful at harmonizing
US and EU data protection standards81, a vital consideration going forward, given the
ubiquitous, non-territorial nature of the Internet.
It therefore appears to reinforce the case that the real objection for the likes of Google
is one based on cost and resource, and not on a genuine concern for the erosion of free
speech.
Conclusion
Despite the vehement rejection by some commentators, it is perhaps Solove, an
American, who provides the clearest articulation of the dangers of an unbalanced,
unregulated digital archive:
80 US Department of Commerce, US-EU Safe Harbor Overview, accessed online via http://export.gov/safeharbor/eu/eg_main_018476.asp 81 Peter P. Swire, Elephants And Mice Revisited: Law And Choice Of Law On The Internet, 153 University of Pennsylvania Law Review, 1975, 1986-87 (2005) (Safe Harbor has produced a “limited, but significant, degree of harmonization of privacy standards” between the United States and the European Union, and has “been fairly successful at meeting two strategic goals: avoiding a trans-Atlantic trade war and providing a reasonable baseline for privacy protection in trans-border activities”)
19
“We’re heading toward a world where an extensive trail of information
fragments about us will be forever preserved on the Internet, displayed
instantly in a Google search…This data can often be of dubious reliability; it
can be false and defamatory; or it can be true but deeply humiliating or
discrediting…Ironically, the unconstrained flow of information on the Internet
might impede our freedom.”82
Whereas privacy has previously been the bulwark of liberal commentators,
conservative legal philosophers are advised to mobilise behind the privacy movement,
because if the Internet has taught us anything, it is that anyone, anywhere can upload
an inappropriate blog post or be the subject of salacious comment. We are all
susceptible to momentary lapses of judgement online, and therefore anyone with an
online persona is vulnerable to resurfacing of problematic material.
It is this danger – condemning individuals to mistakes, misrepresentations and
momentary lapses of judgment – that justifies the need for a new form of right over
the Internet. Four years ago, Facebook CEO, Mark Zuckerberg suggested privacy was
no longer a social norm83. If the reaction to this right proves anything, it is that the
jury is still out.
82 Daniel J. Solove, ‘The future of reputation: gossip, rumor, and privacy on the internet,’ (Yale University Press, 2008) at 117 83 Bobbie Johnson, ‘Privacy no longer a social norm, says Facebook founder,’ The Guardian (London, 11 January 2010)