Do We Need a ‘Right to Be Forgotten’?
Note: This Essay was written as part of my BA in Journalism and Media (2014–17) at Birkbeck, University of London, for the Module of Media Law and Regulation.
Introduction
This essay attempts to tackle the pre-set question: “Do we need a ‘right to be forgotten’?”.
The essay is structured in several sections and subsections in order to facilitate an effective analysis of the concept at hand.
The first section aims at exploring the older concept of the ‘droit à l’oubli’, as the propeller that led to today’s version of the Right to be Forgotten.
Furthermore, the second section concerns itself with establishing a Eurocentric legal framework, and it is divided into three subsections: present legislation (Data Protection Directive of 1995); legal precedent (Google Spain SL, Google Inc. V Agencia Española de Protección de Datos (AEPD), Mario Costeja González); and future legislation (General Data Protection Regulation). Once the legal framework is established, the essay progresses onto its last section, which will focus on the theoretical assessment of the Right to be Forgotten.
Overall, this essay attempts to explore the Right to be Forgotten from two different, but equally relevant, sides: legislative and theoretical.
Conceptual Framework: Droit à L’oubli
The original concept behind the Right to be Forgotten is usually traced back to French law. Preceding the emergence of the Internet, generally speaking, the “droit à l’oubli (right to oblivion) has historically been applied in exceptional cases involving an individual who has served a criminal sentence and wishes to no longer be associated with the criminal actions” (Ambrose et al. 2013:1).
This idea of returning citizens’ agency over their own past, present, and future is parallel to contemporary issues relating to the usage of personal information by third parties; the main difference lies in the way that technologies are shaping social interactions and blurring the lines between public and private areas.
Therefore, this interaction between three disparate temporal dimensions (past, present and future) of a single individual ultimately culminates in the factor of agency and evolution of self, in the sense that an individual should be allowed to re-invent himself/herself as he/she goes through life without the shackles of the past preventing him/her from doing so.
The sentiment lying behind the droit à l’oubli is “that someone has a significant interest (possibly to be protected in the form of a legal right) in not being confronted by others with elements of her past (…) [especially those] that are not relevant for present-day decisions or views about her” (Koops 2011:8). This particularly resonates with criminals who have served their sentences, because to perpetually consider their crimes as part of their identities might lead to a lifetime of discrimination in the form of social or professional ostracisation, and ultimately, failure in rehabilitating them as active citizens.
In summary, the concept of the droit à l’oubli concerns itself with granting citizens the freedom to reinvent themselves throughout life, without being negatively impacted by their past. In other words, it acknowledges citizens’ capability to learn — and consequently improve themselves — from their experiences, without socially constricting their growth as human beings based on past mistakes. The droit à l’oubli offers individuals the possibility to reclaim their future, by detaching it from the past.
Legal Framework: Present, Precedent, and Future
Present — European Parliament and Council Directive 95/46/EC of 24 October 1995
The Data Protection Directive (DPD) of 1995 is the contemporarily active legal framework that defines the legislative landscape of personal data within the European Union (EU).
Ever since its conception in 1995, the Directive has been revised, amended and corrected, but still remains a European “regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data” (EUR-Lex 2014).
The Directive is aligned with the aforementioned concept of the droit à l’oubli, which has been contemporarily re-contextualised, and extended, towards the digital realm of personal data. Popularly known as the Right to be Forgotten, this expansion of the droit à l’oubli towards the digital world concerns itself with information collected and made available online (via the Internet), which may not always be of a criminal nature but may have further implications on an individual’s social or professional future.
The Right to be Forgotten will be explored in further detail in the last section of the essay.
The most relevant Article of the Directive in relation to the Right to be Forgotten is Article 12 (Right of Access), Section V (The Data Subject’s Right to Access Data). Article 12’s first paragraph requires the data controller to confirm “whether or not data relating to him are being processed (…) the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed”, adding that “the data undergoing processing and (…) any available information [and] their source” must be communicated, and that the subject must also be granted “knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions” (EU Law and Publications 2003); all of which must be enacted by all EU Member States “without constraint at reasonable intervals and without excessive delay or expense” (EU Law and Publications 2003).
This paragraph can be interpreted as granting EU citizens the right to demand transparency from data controllers, who have to give a full account of the ways in which individuals’ information is being used, by whom it is used, to whom it is being made available, and (if applicable) how automated services handle such data.
The second paragraph of the article allows for “the rectification, erasure or blocking of data [if] the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data” (EU Law and Publications 2003).
In other words, an individual may ask the data controller to correct, or even remove, personal information if it fails to accurately represent him/her.
The third and last paragraph of the Section requires data controllers to notify “third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort” (EU Law and Publications 2003).
This paragraph requires the data controller to inform any third parties — to whom it might have transmitted any personal information — of the alterations made as a result of an individual exercising his right outlined in the second paragraph.
Overall, Article 12 of the Directive grants individuals the right to have detailed knowledge of all information a data controller might have on them. Furthermore, citizens have the power to rectify or erase any false or inaccurate information about themselves; such alteration or deletion applies not only to the data controller in question, but also to any other parties that might have acquired such information from said data controller.
Precedent — Google Spain SL, Google Inc. V Agencia Española de Protección de Datos (AEPD), Mario Costeja González
In 2014 Mario Costeja González pursued legal action against Google (see CURIA 2014), because whenever his name was typed into the search engine a news article from 1998 that “said his home was being repossessed to pay off debts” (Ball 2014) would appear.
González, alongside the Spanish Data Protection Agency (AEPD), wanted to stop the story from being displayed on Google whenever the plaintiff’s name was searched, since his financial situation “had been fully resolved for a number of years and hence the reference to these was entirely irrelevant” (European Commission 2014:1).
The case was originally brought forth in a Spanish court, but was eventually referred to the Court of Justice of the European Union, which ruled in favour of Mr. González and the AEPD.
The European Court’s ruling was widely covered across several media outlets (see, for example, BBC, Newsweek, Irish Independent, etc.), and was seen as a significant step towards the materialisation of the Right to be Forgotten. In a press release the European Court claimed that an “internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties” (CURIA 2014:1). This meant that the Data Protection Directive of 1995 was applicable to Google, especially the previously defined Article 12.
The Court’s decision opened a legal precedent with respect to the Right to be Forgotten, because it clarified that the power over an individual citizen’s personal data should be, at least partially, under his/her control. The Court also explained that the right to be forgotten was not a “‘super right’ trumping other fundamental rights, such as the freedom of expression or the freedom of the media” (European Commission 2014:4).
Furthermore, the Court ruled that Google would have to “assess deletion requests on a case-by-case basis and to apply the criteria mentioned in EU law and the European Court’s judgment”, adding that, the “criteria relate to the accuracy, adequacy, relevance — including time passed — and proportionality of the links, in relation to the purposes of the data processing” (European Commission 2014:4).
In summary, the case opened a legal precedent within EU law but was felt beyond European borders, because it showed that a Right to be Forgotten could be legally employed, elevating it, therefore, from its previous status of a rhetorical concept rooted in ancient legislations.
Future — General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was adopted by the European Parliament and Council on April 27th 2016, and it will replace the aforementioned DPD from May 25th 2018. The GDPR is innovative because it cements the existence of a Right to be Forgotten, by referring to it by name in Chapter 3, Article 17 (“Right to erasure (‘right to be forgotten’)”) (GDPR 2016).
In other words, whereas the DPD granted citizens the legal tools to possibly enact a Right to be Forgotten, Article 17 eliminates subjective doubt by being specifically named after the right it aims at protecting.
The first paragraph of Article 17 gives individuals the right to request data controllers for the erasure of information if: “(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”; “(b) the data subject withdraws consent on which the processing is based (…) and where there is no other legal ground for the processing”; “(c) the data subject objects to the processing (…) and there are no overriding legitimate grounds for the processing (…)”; “(d) the personal data have been unlawfully processed”; “(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject”; “(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) [processing data of minors under 16 years old]” (GDPR 2016).
The second paragraph claims that the data controller should “inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data” (GDPR 2016).
Finally, the third paragraph lays down the scenarios in which the former paragraphs will not be applicable. In other words, data processing is lawfully justified: “(a) for exercising the right of freedom of expression and information”; “(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; “(c) for reasons of public interest in the area of public health (…)”; “(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (…) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing”; “(e) for the establishment, exercise or defence of legal claims” (GDPR 2016).
Overall, GDPR’s Article 17 will be a meaningful piece of legislation with regards to shifting the power over personal data away from data controllers and towards data subjects. This grants individuals the autonomy to decide whether their personal information should be kept by third parties, or whether it should be erased or modified.
Furthermore, Article 17 neither ignores nor disrupts the essential right to Freedom of Speech, because it provides a solid set of contexts under which individuals’ personal data can be pertinently collected and used, such as the public interest, scientific advancements or national interests, and freedom of expression and information; sheltering, therefore, the media, individual opinions, and state authority from being unreasonably targeted.
“Do we need a ‘right to be forgotten’?”
The above sections and subsections were aimed at giving a broad introduction to the meaning and sentiment behind the Right to be Forgotten, while simultaneously demonstrating (from a Eurocentric perspective) that such a right can, and will, be materialised in the form of active legislation.
Contemporarily, companies like Google and Facebook have become commercial giants dealing in the currency of personal information collected from their users. Such information exists in the form of photographs, searches, geographic locations, purchases, or news articles (among many others), and is accessed and shared via digital platforms.
The undefined storage and control of information by data companies consequently opens up the need for a “right to be forgotten [to address] an urgent problem in the digital age: it is very hard to escape [one’s] past on the Internet” (Rosen 2012:88). Furthermore, as citizens become more knowledgeable about the workings of data companies, a consequential call for a “right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes” (Ausloos 2012:144) will inevitably emerge.
From digital companies’ viewpoint, data is simultaneously synonymous with money (e.g. by selling it to marketing companies) and power, more specifically “a predictive power that gives its wielder prior knowledge about future developments of society, politics and market” (Mantelero 2013:134); in other words, by harvesting large amounts of data, companies have access to behavioural trends of vast numbers of people who use their service.
Consequently, the Right to be Forgotten threatens companies’ predictive power, since this can be “clearly undermined by any attempt to reduce the amount of data collected” (Mantelero 2013:134). From this perspective, the Right to be Forgotten becomes necessary to restore “the autonomy of an individual (…) [as] a rightholder of personal information” (Weber 2011:121).
Moreover, issues of privacy arise when dealing with personal data since “[i]nformation privacy is an evolving concept and access to old personal information may be a privacy violation or form of information injustice” (Ambrose 2013:371). In this sense, old information (e.g. an embarrassing photograph) “may be judged not only by our present peers, but also by our future ones” (Mayer-Schönberger 2009:11).
An individual’s “‘private life’ is determined by opposition with public life and the public side of the professional life” (Chelaru et al 2013:2), but the lines become blurred when it comes to the online sphere. An example of this emerged in 2006 when a woman was “denied a teaching degree just days before graduating (…) because of a photo she posted onto” (Krebs 2008) a social media website (MySpace); the photograph depicted her drinking with a juxtaposed caption that read “Drunken Pirate”.
The example demonstrates that even an event photographed outside working hours and published in a ‘personal space’ online can have negative repercussions on an individual’s ‘public’ and professional lives, which means that “changes in the substantive standards for privacy appear almost inevitable” (Bennett 2012:178) in such a mutable social terrain.
Furthermore, while “[p]rivacy issues often only become apparent when its already too late” (Ausloos 2012:144), in such cases the Right to be Forgotten — with regards to erasure or even inaccessibility of data — would allow for “an individual to determine the development of his life in an autonomous way, without being perpetually or periodically stigmatised as a consequence of a specific action performed in the past (…) [which does] not have any relationship with the contemporary context” (Mantelero 2013:230). Such a point remains valid even after a negative repercussion arises, since it will allow an individual to prevent similar consequences from arising from the same piece of derogatory information.
Paradoxically, the Right to be Forgotten may, arguably, “conflict with other rights such as free speech and other privileges related to the free use of the web” (Weber 2011:122), under which the right to a free press is also included. But, according to the precedent described earlier, such conflicts will hardly occur.
In his first attempt to pursue legal action, Mr González had called for the online newspaper that published the story about his debts to delete it altogether, an attempt that was rejected even before reaching the European Court. Mr González’s failure to pursue legal action against the newspaper demonstrates that “the right of the individual to prevent others from communicating his association with his (…) past is balanced against the public’s right to access the information, which may or may not remain newsworthy” (Ambrose et al 2013:2). Furthermore, the Right to be Forgotten does not apply to the media, since it is not considered to be a data controller and has its own established legislation.
Overall, the Right to be Forgotten is a necessary instrument “to shift the power between data users and collectors” (Ambrose et al 2013:15), supposed to balance the current “tendency to make information of all kinds public, [which puts] privacy (…) at risk” (Weber 2011:127). The Right to be Forgotten is an essential tool to protect individuals who “face the difficulty of escaping their past now that the Internet records everything and forgets nothing — a difficulty that used to be limited to convicted criminals” (Rosen 2012:89).
Some criticise the Right to be Forgotten on the grounds “that it would constitute a concealed form of censorship” (Ausloos 2012:146), but as demonstrated in the González precedent — where the article remained, but the search engine links to it were deleted — and the GDPR, the courts will ultimately aim at striking a balance between freedom of speech and press, and individual privacy and freedoms.
Ultimately, as society and technology become increasingly entwined, a Right to be Forgotten that grants “‘ownership’ over one’s personal data and more importantly implies a certain ‘control-right’ of the data subject” (Ausloos 2012:144) is not only needed but indispensable. Furthermore, the current and future EU legal frameworks prove that a Right to be Forgotten can be applied in courts across different nations, although, given the mutative nature of both society and technology, such a right will have to be legally supervised thoroughly in order to maintain its rigour and effectiveness.
Conclusion
In conclusion, the essay attempted to explore the complex intricacies of the right to be forgotten.
Starting from a legislative point, the essay established the concept and its legal framework by defining current legislation, relevant precedent, and future legislation. The essay then progressed into a theoretical assessment of the wider implications (positive or negative) that may arise from the right to be forgotten.
Overall, by balancing legislative frameworks against theoretical issues of privacy, freedom of speech and public interest, this essay showed that a Right to be Forgotten is indeed necessary to preserve citizens’ autonomy over their lives; although such a right must always be delicately handled in order not to trump the indispensable democratic principles of free press and free speech.
Bibliography
• Mayer-Schönberger, V. (2009) “Delete: The Virtue of Forgetting in the Digital Age”. New Jersey: Princeton University Press.