Amid the increasing availability of personal information on the Internet and what some call archaic laws governing how long data can be kept and if/when it should be removed, the European Commissioner is seeking to give people “the right to be forgotten.”
This “right” is a proposed privacy law that would improve upon the 1995 Data Protection Directive in the European Union, giving citizens more control over their information on the Internet. Ars Technica explained that the “‘right to be forgotten’ [would] allow people to demand that organizations that hold their data delete that data, as long as there is no legitimate grounds to hold it.”
Jeffrey Rosen, a law professor at George Washington University, gives this example in the Stanford Law Review of how the right to be forgotten could affect certain websites:
The right to be forgotten could make Facebook and Google, for example, liable for up to two percent of their global income if they fail to remove photos that people post about themselves and later regret, even if the photos have been widely distributed already.
In an age where data collection is considered more extensive and the lines of personal privacy rights are blurred more frequently, the “right to be forgotten” sounds like an attractive measure. Ars Technica reports Christian Toon, who leads information security at a firm called Iron Mountain, as saying:
“Many businesses of all sizes are falling short of what is required to manage information responsibly. […] Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation.”
But some see this law as imposing a form of censorship. Rosen explains that there is a difference between the European and American views of the balance between privacy and free speech. He offers this example:
In theory, the right to be forgotten addresses an urgent problem in the digital age: it is very hard to escape your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. But Europeans and Americans have diametrically opposed approaches to the problem. In Europe, the intellectual roots of the right to be forgotten can be found in French law, which recognizes le droit à l’oubli - or the “right of oblivion” - a right that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration. In America, by contrast, publication of someone’s criminal history is protected by the First Amendment, leading Wikipedia to resist the efforts by two Germans convicted of murdering a famous actor to remove their criminal history from the actor’s Wikipedia page.
Rosen goes on to point out that such a law would place a burden on several parties involved:
According to the regulation, when someone demands the erasure of personal data, an Internet Service Provider “shall carry out the erasure without delay,” unless the retention of the data is “necessary” for exercising “the right of freedom of expression,” as defined by member states in their local laws. In another section, the regulation creates an exemption from the duty to remove data for “the processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression.” Essentially, this puts the burden on Facebook to prove to a European commission authority that my friend’s publication of my embarrassing picture is a legitimate journalistic (or literary or artistic) exercise. If I contact Facebook, where I originally posted the embarrassing picture, it must take “all reasonable steps” on its own to identify any relevant third parties and secure the takedown of the content. At the very least, Facebook will have to engage in the kinds of difficult line-drawing exercises previously performed by courts. And the prospect of ruinous monetary sanctions for any data controller that “does not comply with the right to be forgotten or to erasure” - a fine up to 1,000,000 euros or up to two percent of Facebook’s annual worldwide income - could lead data controllers to opt for deletion in ambiguous cases, producing a serious chilling effect.
David Lindsay, an associate law professor at Monash University in Australia, understands there is a “complex relationship” between online privacy and freedom of speech, but he believes the proposed regulation would “level the playing field,” giving consumers who may not understand “the consequences of surrendering their information” the opportunity to backtrack. Lindsay, acknowledging that the viral nature of the Internet would make the law difficult to implement in some cases, writes that he doesn’t see it as a “cure-all” but as a “check on some of the most harmful online practices.”
In the United States, a piece of 25-year-old legislation called the Electronic Communications Privacy Act governs much of our digital privacy. As for the prospect of a U.S. privacy update similar to the “right to be forgotten,” Reuters reports in a recent Q&A that several “do-not-track” bills were seen in 2011 but they are expected to be “watered down” and could potentially take a while before being passed.