
Behind closed doors? Justifying what’s off limits online. An examination of the application of privacy laws online, particularly in the context of the EU’s Right To Be Forgotten.

By Emma Fitzsimons

Abstract

The European Commission’s proposal of a new ‘right to be forgotten,’ contained in

the Draft General Data Regulation, sparked much controversy among US and

European commentators, suggesting a more fundamental conceptual gulf between the

two jurisdictions. For privacy advocates, the Commission’s proposal is to be

welcomed, as it may represent a first step towards a recalibration of the data

imbalance precipitated by the Internet, in favour of the individual, and away from the

State and private enterprise. This article sets out the Commission’s proposal and

examines the American objections to the right. It also sets out potential normative

justifications for a new EU protection of data. Finally, it attempts to reconcile the two

perspectives by reference to the functioning of the right in practice.

Introduction

The right to be forgotten emerged in 2013 as a hot topic in the legal world, achieving

its own hashtag on Twitter1, an appropriate feat for legal discussion in the digital

zeitgeist. If online trends are indicative of anything, it is usually the perforation of an

issue into the general online psyche, and this trend shows Internet users are becoming

savvier in their calls for greater privacy protection.

Unsurprising, given that 2013 was the year of Edward Snowden2, Twitter libel

lawsuits3, revelations that Facebook tracks unpublished posts4 and the horrifying

1 The use of a hashtag symbol (#) on the social media platform Twitter allows users to make their ‘Tweets’ searchable. In this way, comments can be shared globally, and the use of hashtags denotes a topic trending in discussion. As of January 2014, it was possible to view online discussion via #RighttoForget on Twitter.

2 Glenn Greenwald, Ewen MacAskill and Laura Poitras, ‘Edward Snowden: the whistleblower behind the NSA surveillance revelations,’ The Guardian (London, 10 June 2013)


phenomenon of online ‘slut shaming’ evidenced by the #SlaneGirl controversy5. Yet,

for legal academics, the real controversy was sparked not by revelations of mass

surveillance but the comments of an EU official calling for greater online privacy

protection for individuals.

In January 2012, the European Commissioner for Justice, Fundamental Rights and

Citizenship, Viviane Reding, announced the European Commission’s plans for a right

to be forgotten6. It prompted an almost hysterical reaction from some American

scholars, crystallising a clear conceptual divide between American and European

perspectives on the balance between privacy and freedom of expression.

Those criticisms seemingly operate in a vacuum, paying little regard to the genuine

concerns of consumers, who increasingly are opting for privacy-compliant products7,

as well as a significant constituency of human rights lawyers, concerned about the

implications of mass surveillance on liberty at large8. The fears of some US

commentators indicate an almost irrational reverence for a notion of free speech,

which fails to take account of the factual realities of the Internet: an enormous wealth

of personal data is held by corporate giants, susceptible to the prying eyes of hackers9

and state surveillance agencies10, with minimal oversight11.

3 Kunal Dutta, ‘Lord McAlpine libel row with Sally Bercow settled in High Court,’ The Independent (London, 22 October 2013)

4 Jennifer Golbeck, ‘On Second Thought…Facebook wants to know why you didn’t publish that status update you started writing,’ Slate.com (New York, 13 December 2013), available at: http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html

5 Carl O’Brien, ‘Slane sex act photos: a salutary lesson of how social media can exploit and abuse,’ The Irish Times (Dublin, 21 August 2013)

6 Viviane Reding, Vice President, European Commission, The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age 5 (22 January 2012), available at: http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/26&format=PDF

7 See, for example, “DeleteMe—Protect Your Personal Data and Reputation Online,” Abine Inc., available at: https://www.abine.com/deleteme/landing.php. Steve Henn, “Fixing Your Online Reputation: There’s An Industry for That,” NPR (29 May 2013), available at: http://www.npr.org/blogs/alltechconsidered/2013/05/29/187080236/Online-Reputation

8 Jef Ausloos, ‘The “Right to be Forgotten” - Worth Remembering’ (2012) 28 Computer Law and Security Review 7; Richard Cumbley and Peter Church, ‘Is “Big Data” Creepy’ (2013) 29 Computer Law and Security Review 601; and Fred H. Cate, ‘The Growing Importance and Irrelevance of International Data Protection Law’ (LCIL Snyder Lecture, Cambridge, 2012).

9 Daniel Johnson, ‘More than two million web accounts hacked,’ The Daily Telegraph (London, 5 December 2013)

10 Barton Gellman and Ashkan Soltani, ‘NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say,’ Washington Post (Washington DC, 30 October 2013)


This essay argues for reconsideration of the right to be forgotten in light of changes in

human behaviour and technology, arguing that our American cousins may be

sacrificing their real liberty in favour of a phony notion of an Internet free from

regulation, whilst their every move12, thought13 and purchase14 remains held on a

server somewhere, waiting to come back to haunt them.

Part I of this essay considers the draft EU Data Protection Regulation, containing a

right to be forgotten. Part II discusses the American objections to the right. Part III

sets out the normative justifications in favour of a right to be forgotten. Part IV

outlines how American and European perspectives might be reconciled with reference

to the operation of the right in practice.

I. The draft EU Data Protection Regulation

In January 2012, Commissioner Viviane Reding outlined the aims of the draft EU Data

Regulation, stating that individuals should have “better control over their own data”15.

She indicated that the proposed new rules would provide not only “easier access to

one’s own data”16 but also that “people shall have the right – and not only the

‘possibility’ – to withdraw their consent to the processing of the personal data they

have given out themselves”17. Such a right is not absolute: newspaper archives were

cited as a potential legitimate and legally justified exception to the right. Accordingly,

the right “cannot amount to a right of the total erasure of history,”18 and needs to be

balanced against freedom of expression.

11 Linda Sandler, ‘In California, one judge may upend how Internet giants use data gleaned from users,’ Chicago Tribune (Chicago, 4 January 2013)

12 Noam Cohen, ‘It’s Tracking Your Every Move and You May Not Even Know,’ The New York Times (New York, 26 March 2011)

13 Megan Carpentier, ‘What Your Search History Says About You (and How to Shut It Up),’ Huffington Post (New York, 31 October 2013)

14 Elizabeth Dwoskin and Greg Bensinger, ‘Tracking Technology Sheds Light on Shopper Habits,’ Wall Street Journal (New York, 9 December 2013)

15 Supra fn 6

16 Ibid

17 Ibid

18 Ibid


Article 17 of the draft Regulation contains a right to erasure19: it is enforceable against

the data controller on request by the data subject. The right to request deletion of all

personal data held by the controller is exercisable in four circumstances:

(i) The data is no longer necessary in relation to the purposes for which it

was collected or otherwise processed;

(ii) The data subject withdraws consent;

(iii) A court or regulatory authority based in the EU has ruled as final and

absolute that the data must be erased; or

(iv) The data has been unlawfully processed.

The draft Regulation provides for seven exceptional circumstances in which the

controller is permitted not to delete the data. Article 17 provides that the data

controller may be allowed to retain and not delete the data if any of the following

apply:

(a) For exercising the right of freedom of expression in accordance with Article 80;

(b) For reasons of public interest in the area of public health in accordance

with Article 81;

(c) For historical, statistical and scientific research purposes in accordance

with Article 83;

(d) For compliance with legal retention obligations;

(e) The retention is necessary for the performance of a contract;

(f) The data has to be maintained for future purposes of proof;

(g) The particular type of storage technology does not allow for deletion and

has been installed before the Regulation entered into force.

Finally, the right to erasure does not apply in the context of national security issues or

criminal investigations20.

Despite its recent emergence in EU matters, the right to be forgotten is not a new

19 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 9, COM (2012) 11 final (25 January 2012).

20 Meg Leta Ambrose, ‘A Digital Dark Age and the Right to be Forgotten,’ (2013) 17 Journal of Internet Law 3, 10


concept, having its origins in the French and Italian legal systems, in their concepts of

a right to oblivion, ‘droit à l’oubli’ or ‘diritto all’oblio.’ It operates as “the right to

silence on past events in life that are no longer occurring21,” usually in the context of

criminal convictions, or sensitive information, as seen in the recent French case,

Mosley c. Google Inc et Google France22 in which Google was ordered to filter out

hyperlinks to images of the former F1 boss in an allegedly Nazi-themed orgy.

As Bernal23 points out, the version mooted by the Commission would not operate

like continental domestic versions, but rather would be more appropriately referred to

as a ‘right to delete.’ In this respect, it does not have the same chilling effect

implications that may be raised in cases concerning silence about the past, such as the

challenge brought by two Germans, convicted of murdering a famous actor, to Wikipedia’s

publication of their criminal history24.

For the avoidance of doubt, it should be noted that the existing state of EU data

protection law is being litigated in Google Spain v AEPD25. The case concerns an

individual’s request to remove information relating to his financial history from

Google’s search engine, and raises a question pertinent to this paper: whether the

current EU data protection law provides a right to be forgotten. The Advocate

General’s opinion, though not binding on the Court, provides that the existing Data

Protection Directive 1995 does not envisage a right to be forgotten, even when read in

light of the Charter of Fundamental Rights of the European Union.

This author submits that the Advocate General’s opinion must be correct for the

following reasons: (i) if the protection already existed under the Directive, it would be

unnecessary for the Commission to propose new legislation; (ii) the Charter itself

cannot be used to create a new substantive right, again

21 Giorgio Pino, ‘The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made Rights,’ in Mark Van Hoecke & François Ost (eds.) The Harmonisation of European Private Law (Hart 2000) 237

22 TGI Paris, 17e ch., 6 novembre 2013, RG 11/07970, Max Mosley c. Google Inc et Google France.

23 Paul A. Bernal, ‘A Right to Delete?’ (2011) 2 European Journal of Law and Technology

24 John Schwartz, ‘Two German Killers Demanding Anonymity Sue Wikipedia’s Parent,’ New York Times (New York, 12 November 2009)

25 Case C-131/12 Google Spain v AEPD, Opinion of AG Jääskinen, delivered on 25 June 2013.

suggesting that legislative reform would be necessary, consistent with the

Commission’s course of action to date; (iii) the existing Directive dates back to 1995,

before the Internet accounted for 97% of the world’s telecommunications traffic and

so is unlikely to envisage the need for such a right; (iv) the Commission’s choice of

instrument for the new draft Data Protection Regulation is significant, suggesting it

intends to secure a new legal protection homogeneously across the EU, indicative of an

existing gap in protection or practice; and (v) the Commissioner’s communications

emphasise ‘new’ protections. Nonetheless, the opinion does not bind the Court, and it

remains to be seen how it shall rule on the matter.

However, caution should be exercised here not to conflate the European Court of

Justice’s forthcoming pronouncement on the state of existing privacy protection with

the Commission’s proposal of a new right to be forgotten. Some commentators have

strayed dangerously, using the Advocate General’s opinion as a means of ending the

debate on the advisability of a right to be forgotten26. Respectfully, that misses the

issue: the vital matter for consideration is whether, going forward, EU law should

include a right to be forgotten.

II. American objections to the Right

These developments have not been welcomed in all quarters. Even a cursory

inspection of the literature reveals a transatlantic gulf27 in perspectives of American

and European scholars. Two of the harshest critics, Rosen28 and Fleischer29, have

26 Orla Lynskey, ‘Time to Forget the ‘Right to be Forgotten’? Advocate General Jääskinen’s Opinion in C-131/12 Google Spain v AEPD,’ (3 July 2013), available at: http://europeanlawblog.eu/?p=1818

27 Before embarking on an exposition of the mainstream ‘American’ view here, I use the term ‘American’ to connote a traditional view of the primacy of free speech over privacy. Of course there are American academics more in favour of greater protection: an example of this is Justin Brookman, ‘Europe Revisiting Privacy Law is Opportunity, not Catastrophe,’ Center for Democracy & Technology (12 November 2010). Rosen and Fleischer’s views substantiate the proposition that the traditional American reading of free speech trumps privacy, given the absolutist nature of the First Amendment. Further support for the proposition that there is indeed a US-Europe divide is provided by Steven C. Bennett, ‘The Right to Be Forgotten: Reconciling EU and US Perspectives’ (2012) 30 Berkeley Journal of International Law 161

28 Jeffrey Rosen, ‘The Right to Be Forgotten’ (2012) 64 Stanford Law Review Online 88. See also by Rosen: ‘The Deciders: The Future of Privacy and Free Speech in the Age of Facebook and Google,’ (2012) 80 Fordham Law Review 1525; ‘Free Speech, Privacy, and the Web That Never Forgets,’ (2011) 9 Journal of Telecommunications and High Technology Law 345

29 Peter Fleischer, ‘Foggy Thinking About the Right to Oblivion,’ (9 March 2011), available at: http://peterfleischer.blogspot.ie/2011/03/foggy-thinking-about-right-to-oblivion.html


dismissed the right as “the biggest threat to free speech on the Internet in the coming

decade”30 and “foggy thinking,”31 incongruous with the fundamental American value

of free speech. For the sake of conciseness, their views will be used in this paper as an

example of the concerns of privacy sceptics at large - the rationale being that if such

views represent the most critical in the literature, and they can be undermined here,

the onus should shift back to the sceptics to defend their reluctance to expand privacy

protection.

Fleischer, Counsel for Privacy at Google32, outlines three potential scenarios in which

a right to forget may operate:

(i) A right to access and rectify one’s personal data, which represents a mere

rebranding of existing laws on data protection;

(ii) A new right to delete information about oneself, even if published by a

third party;

(iii) A new right to delete, exercisable not just against the publisher of the

content, but also search engines and other hosting platforms.

Given Google’s potential liability as a co-defendant, Fleischer’s concern is with the

third category. The question then becomes: is it fair to impose liability on search

engines in this third category? As Fleischer concedes, there can be no hard and fast

answer to this: he notes that such a dispute would require judicial resolution, being the

classic challenge between freedom of expression and privacy. It is not possible to

provide a rule on liability in abstracto, particularly when the stakes are so high for the

individual and their personality, reputation and private life. Rosen is also deeply

concerned with the third scenario, stating that it “raises the most serious concerns

about free expression,”33 but cites nothing more than the First Amendment as authority

for his justification.

Rosen is quick to dismiss privacy concerns as little more than the revelation of

30 Supra fn 34 at 88

31 Supra fn 35

32 Whilst Fleischer’s arguments are representative of his own views only, it is submitted that his professional experience no doubt colours his perspective.

33 Supra fn 34 at 91


“embarrassing information,”34 without much consideration of what really is at stake

here for individuals. An Argentinean case, Da Cunha v Yahoo and Google35,

illustrates both the problems inherent in the current unregulated Internet model, as

well as an example of a legitimate basis for the right to operate.

Da Cunha, an Argentine pop singer, brought a claim against the search engines upon

discovering that her name and photographs appeared in search results linked to sexual

content, pornography and escorts. She claimed this was done without her permission,

and moreover, the linking of her name and person to such material seriously harmed

her reputation and career. The search engines argued she failed to establish any

wrongdoing on their part, showing no causal link between their activities and the

harm suffered.

Da Cunha’s claim prevailed at trial but was later overturned on appeal. Yet, the facts

at least show that there may be some merit in affording individuals a right to control

the use of their image or their data online. Rosen’s treatment of Da Cunha is

deliberately selective36: he refers only to the fact that the claimant had posed for

lingerie pictures in her youth; he makes no reference to the fact that such pictures

were being used without her consent, to promote prostitution and escort agencies. No

doubt this is to trivialise the potential harm here, and substantiate his view that the

right represents a major assault on free speech.

Yet, what chilling effect is there here to fear? A false representation, suggesting this

individual is associated with illegal activity. That surely cannot be said to be a

justifiable use of the First Amendment – a perpetuation of a damaging and untruthful

association about an individual surely cannot be objectively justified as

34 Ibid

35 Leo González Pérez, ‘La pelea entre modelos y buscadores sumó otro round,’ CLARÍN (23 August 2010), available at: http://www.clarin.com/sociedad/pelea-modelos-buscadores-sumo-round_0_322167828.html.

36 For a more balanced treatment of the Da Cunha litigation, as well as the reasoning of the appeal judges, see Edward L. Carter, ‘Argentina’s Right to Be Forgotten,’ (2013) 27 Emory International Law Review 23


‘newsworthy’37 even by high watermark US decisions38.

Another concern common in Rosen and Fleischer’s work is that EU law may now

bind American corporations. Unfortunately, that is a harsh reality of the economic

market: if Google and Yahoo wish to operate in Europe, in a jurisdiction which is

more privacy-concerned, in both laws and attitudes, then they must operate in

accordance with local laws. Rosen offers no other principled objection except that in

the American context, the First Amendment protects all content disseminating truthful

but embarrassing information, as long as the information was legally acquired39.

Rosen’s critique fails to take account of the different standard afforded to privacy in

Europe, as well as ignoring US case law on the First Amendment’s limited

international reach. In Yahoo! Inc. v La Ligue Contre Le Racisme Et

L’Antisemitisme40, the Ninth Circuit held that the First Amendment is of less

importance in the context of international communications. That case concerned a

challenge to the enforceability of a French court’s order compelling Yahoo to refrain

from selling Nazi memorabilia on its website, as the sale of such material is illegal in

France. The Ninth Circuit held,

“…the extent of First Amendment protection of speech accessible solely by

those outside the United States is a difficult and, to some degree, unresolved

issue.”41

Rosen’s core critique is that the emergence of this right represents a fundamentally

37 For discussion on inability to reconcile traditional First Amendment jurisprudence with a right to be forgotten, see Jasmine E. McNealy, ‘The Emerging Conflict between Newsworthiness and the Right to be Forgotten,’ (2012) 39 Northern Kentucky Law Review 119.

38 For US case law on First Amendment protection, see, for example, New York Times Co. v. Sullivan, 376 U.S. 254 (1964): held that actual malice is required for claimant to establish liability for defamation claims; Curtis Publishing Co. v. Butts, 388 U.S. 130 (1967): held that public figures who are not public officials may still sue news organisations if they disseminate information about them which is recklessly gathered and unchecked; Gertz v. Robert Welch, Inc., 418 U.S. 323 (1974): actual malice not necessary for defamation of private person if negligence is present; Westmoreland v. CBS (1982): reaffirmed New York Times Co. v. Sullivan rule. C.f. English defamation law has typically been viewed as more claimant-friendly, leading to the label of London as the ‘libel tourism capital,’ as discussed by Gavin Phillipson, ‘London: the capital of libel tourism?’ The Guardian (London, 29 March 2010)

39 Supra fn 31

40 Yahoo! Inc. v La Ligue Contre Le Racisme Et L’Antisemitisme 433 F. 3d. 1199 (9th Cir. 2006)

41 Ibid at 1217


different weighting of two competing norms, privacy and expression. That is not an

argument; that is a fact. European laws on privacy are different because

fundamentally, European sensitivities are different; both EU law and the European

Convention on Human Rights (ECHR) favour a balance between the two competing

interests42. Rosen articulates no cogent reason for Europeans to abandon their

balancing approach in favour of an absolutist view of free speech. No evidence is

offered to suggest that existing European privacy law, whether ECHR or EU, inhibits

expression to the detriment of the exchange of ideas or broader notions of liberty.

Indeed, as a European pro-privacy advocate, this author would submit that this gulf in

perspective not only represents a cultural clash of two views of free speech, but a

power struggle between American corporations and European regulators. It will be

interesting to see if the European Commission holds its nerve in forthcoming

negotiations with the Internet giants.

III. Normative justifications in favour of the Right

Having considered the weaknesses in the American perspective, it is submitted that

there are four substantive arguments in favour of the right:

• The autonomy argument;

• The behavioural argument;

• The evolutionary argument; and

• The utilitarian argument.

1. The Autonomy Argument: Individuals should be able to assert control over their

personal data

The strongest argument in favour of the right is clearly that any real understanding of

autonomy should include an individual’s ability to assert control over their data. It is

submitted that if US commentators engaged in an autonomy analysis, it might

alleviate any concerns that the creation of such a right would, in practice, relinquish

control of the Internet to the State. That concern, for all its paranoia, overlooks the

42 The European Convention on Human Rights protects the right to respect for private and family life in Article 8 and the Charter of Fundamental Rights of the European Union grants the respect for private and family life in Article 7. The Charter provides additional protection for personal data in Article 8.


fact that current control of data already vests with corporate giants and the State43.

Surely, the law could redress this seismic power imbalance by providing the

individual with the right to control their data online.

As Bernal explains, the right is not an “instrument of censorship”44 but a right with

potential positive impact in terms of recalibrating the data balance. Bernal argues

that the right would not only empower individuals but may initiate a change in data

collection practices, by making Internet companies justify the need for retention45.

That would help achieve a more privacy-compliant Internet, as corporations would no

longer be able to justify mass surveillance – even if only for economic profiling46 – of

innocent individuals accused of no crime.

2. The Behavioural Argument: Participation in an online community need not

entail forfeiture of an expectation of privacy

Ultimately, the Internet has triggered a paradigm shift in behaviour. In their seminal

article from 1890, Warren and Brandeis pointed to the absence of any mechanism in

American law which would compel an individual to divulge information about his

private life and thoughts, save for the witness stand, as justification for privacy.47 It is

striking that their concern focused on the forced or compelled expression of one’s

thoughts and feelings, particularly in the digital age when millions of social media

users catalogue their every thought and photograph every aspect of their life.

It may be argued then, that the advent of social media has changed behaviour forever:

for example, Snapchat, a mobile app that allows users to send photos that disappear in

10 seconds, distributes 200 million images a day48. Should the law change to reflect

behavioural changes? For support for such a proposition, we need not look any further

than Warren and Brandeis themselves, who argued that “political, social, and

43 Barton Gellman and Ashkan Soltani, ‘NSA “hacked Google and Yahoo’s data centre links,” Snowden documents say,’ The Independent (London, 30 October 2013)

44 Supra fn 25

45 Supra fn 25

46 Ramnath K. Chellappa and Raymond G. Sin, ‘Personalization versus Privacy: An Empirical Examination of the Consumer’s Online Dilemma,’ (2005) 6 Information Technology and Management 181

47 Samuel D. Warren and Louis D. Brandeis, ‘The Right to Privacy,’ (1890) 4 Harvard Law Review 193, at 198

48 Meg Leta Ambrose, ‘A Digital Dark Age and the Right to be Forgotten,’ (2013) 17 Journal of Internet Law 3, at 9


economic changes entail the recognition of new rights.”49 If that position can be

invoked to argue for the creation of a general right to privacy, why can it not also

support a revised understanding of privacy law in light of substantial behavioural

change?

Hughes50 has argued for a re-conceptualisation of privacy in light of behavioural

understandings, and in particular, the social interaction theory promulgated by

Altman51. Altman describes privacy as “selective control of access to the self or one’s

group,”52 a useful definition applicable to social media, given the varying levels of

privacy protection available to users53.

A constant refrain from privacy sceptics is that as nothing online is truly private, the

only way to guarantee privacy is to get offline54. This fails to take account of the

sophisticated nature of the Internet, ignoring the multi-faceted nature of digital

communications, as well as both societal and individual responses to the web. The

Internet is sui generis: it does not reconcile easily with orthodox notions of spatial55

and structural56 limits of privacy. It has become ubiquitous and indispensable to

modern life, and even if one keeps off social networks, an enormous amount of data

about individuals still remains in the hands of digital giants57.

49 Supra fn 48 at 193

50 Kirsty Hughes, ‘A Behavioural Understanding of Privacy and its Implications for Privacy,’ (2012) 75:5 Modern Law Review 806

51 Irwin Altman, The Environment and Social Behavior: Privacy, Personal Space, Territory and Crowding (Cole Publishing Company, 1975).

52 Ibid at 18

53 Facebook enables individual users to modify their privacy settings, even allowing for the creation of settings which provide for publication of content to selective audiences, allowing the individual user the autonomy to decide whether posts are intended for global publication.

54 Shane Gibson, ‘Get Off the Internet – My Thoughts on the US Government, Google, Facebook and Privacy – Privacy is a Myth on the Internet,’ ClosingBigger.Net (3 June 2013) available at: http://closingbigger.net/2013/06/get-off-the-internet-my-thoughts-on-the-us-government-google-facebook-and-privacy/

55 For discussion of the traditional characteristics and limits of the concept of privacy, see Ruth Gavison, ‘Privacy and the Limits of the Law,’ (1980) Yale Law Journal 421, at 422 - 439

56 Ibid

57 Even if an individual does not use a social networking website, a huge amount of data on that individual can be collected and stored by search engines, via products like Google Analytics, which help track web surfers via page tags. Most web surfers are not even aware that the websites they browse use Google Analytics to monitor and track their habits. See, inter alia, Raizel Liebler and Keidra Chaney, ‘Google Analytics: Analyzing the Latest Wave of Legal Concerns in the US and the EU,’ (2010) 7 Buffalo Intellectual Property Law Journal 135


Calling for non-participation as a means of procuring privacy (i) fundamentally

misunderstands the nature of the digital age, (ii) ignores the fact that mere access to

Broadband technologies has been gaining traction as a human right in and of itself58,

and (iii) is an unsatisfactory response in terms of legal scholarship. With respect, the

views of such sceptics provide little by way of substantive contribution or workable

solutions for the digital age. Simply calling for the return of Pandora’s demons into

the box will not help.

Furthermore, calls for non-participation miss a fundamental aspect of the Internet:

informed consent is not always provided. To suggest that individuals have some

opportunity to opt out or negotiate with Internet giants is to invoke the dangerous

mindset of Lochner v New York59: it rests on the flawed assumption of equal

bargaining power between the parties.

Hughes’ argument that behaviour should help our understanding of how privacy law

should develop60 therefore gains real currency in a world where behaviour is changing.

The ‘micro’ problems with consent should be addressed so as to make agreement to

terms and conditions more transparent, and the ‘macro’ problems of defining privacy

should address the complexities of 21st century behaviour. A right to merely be left

alone61 no longer seems sufficient in light of exponential growth of the Internet: a

more sophisticated right, which can invoke different expectations based on context,

and where consent is retractable, is more desirable than simply calling for

non-participation online.

3. The Evolutionary Argument: Forgetting is good for humans

58 See, for example, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, 16 May 2011

59 Lochner v. New York, 198 U.S. 45 (1905). The lamentable decision of the US Supreme Court has been criticised for starting from a flawed premise which ignored the fact that employees in 20th century New York had zero bargaining power to assert better conditions; thus the ‘freedom of contract’ analysis adopted by the Court is deployed defectively, since one of the fundamental requisites, the equal bargaining power of the parties, was completely absent from the bargain. Support for this analysis is contained in Paul Kens, ‘Lochner v New York: Tradition or Change in Constitutional Law?’ (2005) 1 New York University Journal of Law & Liberty 404

60 Supra fn 53

61 As first discussed by Thomas Cooley, A Treatise on the Law of Torts (Callaghan and Company, 1888), and developed by Samuel D. Warren and Louis D. Brandeis, ‘The Right to Privacy,’ (1890) 4 Harvard Law Review 193


Ironically, one argument absent from the literature is the importance of forgetting.

Mayer-Schönberger62 has written extensively on this: drawing on Schacter’s work on

the psychological mechanics of memory, he explains how human forgetfulness

actually serves an important social function, which could influence how digital

memory is addressed in future.

Schacter proposes that, as the human brain constantly reconfigures memory based on

preferences and needs, memory is a living, evolving construct63. Empirical research

shows that human memory does not have a mere “simply decay function,”64 and

that memory is susceptible to suggestion from external influence, and therefore cannot

always be reliable. Yet Schacter argues this vulnerability of memory is not a defect of

natural selection, but rather a necessary attribute for human experience: modified

memories help humans “reason swiftly and economically, to abstract and generalise,

and to act in time, rather than remain caught up in conflicting recollections”65.

Despite human efforts to achieve perfect memory, from the time of the papyrus scroll

through to the invention of the camera, Mayer-Schönberger argues “forgetting has

remained just a bit easier and cheaper than remembering”66. If forgetting has

remained in spite of two millennia of technological attempts to remember, then there

may well be evolutionary benefits in forgetting. Our ability to forget is an important

tool for survival and social growth, enabling us “to unburden ourselves from the

shackles of our past, and to live in the present”67.

4. The Utilitarian Argument: Forgetting is important for society

If Mayer-Schönberger’s premise is accepted, then it may be assumed forgetting will

trigger societal benefits, offering a utilitarian justification for the right, in line with the

greater happiness principle68.

62 Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age, (Princeton University Press, 2009) Chpt 2

63 Ibid

64 Supra fn 58

65 Ibid

66 Ibid

67 Ibid

68 John Stuart Mill, Utilitarianism (Dover Publications, 2007), Chpt 2


Indeed, Mill’s very benefits of free speech – no core monopoly on truth69; recognition

of the individual’s right to develop his thoughts and ideas70 – are the same benefits

brought by forgetting. To leave behind adolescent immaturities undoubtedly not only

helps the individual, but also cultivates a happier community, by enabling society as a

whole to release itself from youthful shackles.

The very act of digitalisation of information threatens such development.

Condemning individuals to stagnate, in the indiscretions of youth, broadcast

unwittingly online, will have negative implications for society generally. If the

common goal for free speech enthusiasts and privacy advocates is that individuals

should be free to determine their own progression and development, then surely the

right to forget is a corollary to expression in the 21st century.

IV. Reconciling the two perspectives in practice

Whilst some academics like Bennett71 have attempted to reconcile the US-EU divide

by reference to features of US law that protect past matters, like bankruptcy law,

credit reporting and criminal law72, it is submitted that seeking doctrinal harmony

between the two jurisdictions should not be the focus of future scholarship, but rather,

how practically a right to be forgotten could operate in Europe whilst guaranteeing

freedom of expression.

The real problem for those like Fleischer is pragmatic: they fear the imposition of

liability on innocent search engines as if they were data processors in the conventional

sense. However, that is a question of applicability and scope; it is not a concern that

justifies wholesale rejection of the right.

Google operates by way of algorithm73 and so, logically, cannot be expected to police

search results for all potentially sensitive material. The only reasonable way in which

search engines could be caught would be if they were notified – in other words, they must

have actual knowledge via the classic notice-and-take-down mechanism, already used

extensively for defamation and discussed at length by the European Court of Human

Rights in Delfi AS v Estonia74.

69 John Stuart Mill, On Liberty, (JW Parker & Son, 1859), Chpt 2

70 Ibid, Chpt 3

71 Steven C. Bennett, ‘The Right to Be Forgotten: Reconciling EU and US Perspectives’ (2012) 30 Berkeley Journal of International Law 161

72 Ibid at 167

73 For an explanation of the algorithm method, see: http://www.google.com/intl/en_us/insidesearch/howsearchworks/algorithms.html

Indeed, the solution for Google may not be so alien at all, and is already present in

section 512 of the Digital Millennium Copyright Act75. Section 512 of this American

statute provides that hosting services are exempt from liability if they respond

expeditiously to notice of copyright infringement by removing hosted content or

hyperlinks. Had Da Cunha benefitted from such a right, she could have notified

Google of the damaging association incurred, and they could have responded by

blocking search results in much the same way they do with pirated media files. Little

in the literature discusses the viability of notice-and-takedown in this context, or

explains why it may be a perfectly workable model for intellectual property rights, but

not personality or privacy rights76.

That is not to say the Commission’s proposal is perfect: indeed, as McGoldrick77

identifies, there remain three key areas in need of further consideration:

(i) Ensuring the role of the press as watchdog is upheld is extremely

pertinent to the operation of the Regulation’s exceptions;

(ii) Specificity in remedial orders from domestic courts so Internet

companies are given sufficient guidance; and

(iii) Exploration of ‘contextualisation’ over erasure - it may be that some

claims only require a pop-up notification that the content or data was

subject to legal proceedings, or outcome of such proceedings, to

vindicate the privacy rights of the individual.

74 Delfi AS v Estonia (App. No 64569/09). The case concerned the liability of the biggest Internet news portal in Estonia, for the comments made by its readers on a thread at the end of an online news article. The Court held that a fine imposed on the portal by the Estonian courts for defamation proceedings was a justified and proportionate interference with the portal’s right to freedom of expression. In particular, the Court noted that had the portal availed of a notice-and-takedown notification system, it may have affected its liability at first instance; as it stood, the portal had completely failed to police the comments, whilst profiting from the traffic on its comment threads, and therefore the subsequent domestic proceedings were justified.

75 Digital Millennium Copyright Act, 17 U.S.C. § 512 (2011)

76 Google already publishes its response to copyright infringement requests, for example: http://www.google.com/transparencyreport/removals/copyright/

77 Dominic McGoldrick, ‘Developments in the Right to be Forgotten,’ (2013) 13:4 Human Rights Law Review 761, at 774 – 775


If this can be resolved, albeit with “sophisticated lawyering,”78 it will not trigger the

total erosion of free speech as is feared, but rather, provide individuals with a remedy

to control their data, privacy and personality rights online. Thus, the development of

this right recognises that the digitisation of information does not necessitate the

abandonment of important socio-legal values like privacy.

On a more pragmatic level, it should be noted that the EU has already recognised the

legal and cultural significance of the First Amendment, for American corporations

operating outside of the USA, via the creation of the ‘Safe Harbor’ Framework.

As a result of the introduction of the existing Data Protection Directive in 1998, the

European Commission negotiated with the US Department of Commerce so as to

develop a Safe Harbor Framework, the purpose of which is to enable American

companies to process data from EU countries in a streamlined way. American

organisations are therefore able to self-certify that their processes and procedures

meet the ‘adequacy’ of protection imposed by the Directive. In practical terms, a

certification of ‘adequacy’ will usually protect an American company from

interruptions to business or prosecution, so long as it complies with the relevant data

protection principles - notice, choice, onward transfer, access, security, data integrity

and enforcement – and can demonstrate its privacy policy is in compliance with the

US-EU Safe Harbor Framework.

The mechanism does appear to work fairly effectively79, despite low rates of uptake,

and even imposes some US sanctions for non-compliance, as advice from the US

Department of Commerce indicates,

“If an organization persistently fails to comply with the U.S.-EU Safe Harbor

Framework requirements, it is no longer entitled to benefit from the U.S.-EU

Safe Harbor. Persistent failure to comply arises where an organization refuses

to comply with a final determination by any self-regulatory or government

body or where such a body determines that an organization frequently fails to

comply with the requirements to the point where its claim to comply is no

longer credible. In these cases, the organization must promptly notify the

Department of Commerce of such facts. Failure to do so may be actionable

under the False Statements Act (18 U.S.C. § 1001)”80.

78 Supra fn 72 at 775 per McGoldrick

79 See, for example, Virginia Boyd, Financial Privacy In The United States And The European Union: A Path To Trans-Atlantic Regulatory Harmonization, 24 Berkeley Journal of International Law 939, 969 (2006) (summarizing development of Safe Harbor program); Alexander Zinser, The Safe Harbor Solution: Is It An Effective Mechanism For International Data Transfers Between The United States And The European Union? 1 Oklahoma Journal of Law and Technology 11 (2004)

If it is already the case that Internet giants, like Google, do comply with the EU data

protection principles, it seems artificial to now suggest that an introduction of a new

protection will somehow jeopardise the delicate interplay between US free speech and

European privacy laws: respectfully, those concerns are already adequately managed

via the Safe Harbor Framework. If those concerns were borne out in practice, it would

be difficult to comprehend why exactly the US Department of Commerce consented

to the introduction of liability for persistent non-compliance. It has also been

suggested by some that the Framework has been somewhat successful at harmonizing

US and EU data protection standards81, a vital consideration going forward, given the

ubiquitous, non-territorial nature of the Internet.

It therefore appears to reinforce the case that the real objection for the likes of Google

is one based on cost and resource, and not on a genuine concern for the erosion of free

speech.

Conclusion

Despite the vehement rejection by some commentators, it is perhaps Solove, an

American, who provides the clearest articulation of the dangers of an unbalanced,

unregulated digital archive:

“We’re heading toward a world where an extensive trail of information

fragments about us will be forever preserved on the Internet, displayed

instantly in a Google search…This data can often be of dubious reliability; it

can be false and defamatory; or it can be true but deeply humiliating or

discrediting…Ironically, the unconstrained flow of information on the Internet

might impede our freedom.”82

80 US Department of Commerce, US-EU Safe Harbor Overview, accessed online via http://export.gov/safeharbor/eu/eg_main_018476.asp

81 Peter P. Swire, Elephants And Mice Revisited: Law And Choice Of Law On The Internet, 153 University of Pennsylvania Law Review, 1975, 1986-87 (2005) (Safe Harbor has produced a “limited, but significant, degree of harmonization of privacy standards” between the United States and the European Union, and has “been fairly successful at meeting two strategic goals: avoiding a trans-Atlantic trade war and providing a reasonable baseline for privacy protection in trans-border activities”)

Whereas privacy has previously been the bulwark of liberal commentators,

conservative legal philosophers are advised to mobilise behind the privacy movement,

because if the Internet has taught us anything, it is that anyone, anywhere can upload

an inappropriate blog post or be the subject of salacious comment. We are all

susceptible to momentary lapses of judgement online, and therefore anyone with an

online persona is vulnerable to resurfacing of problematic material.

It is this danger – condemning individuals to mistakes, misrepresentations and

momentary lapses of judgment – that justifies the need for a new form of right over

the Internet. Four years ago, Facebook CEO, Mark Zuckerberg suggested privacy was

no longer a social norm83. If the reaction to this right proves anything, it is that the

jury is still out.

82 Daniel J. Solove, ‘The future of reputation: gossip, rumor, and privacy on the internet,’ (Yale University Press, 2008) at 117

83 Bobbie Johnson, ‘Privacy no longer a social norm, says Facebook founder,’ The Guardian (London, 11 January 2010)