by Daniel J. Solove
In a momentous decision, the EU Court of Justice has ruled in favor of a Spanish man who sought to have links to his personal data removed from Google search results. Under what has become known as the “right to be forgotten,” EU citizens have a right to the deletion of certain personal data under the EU Data Protection Directive.
The EU Court of Justice has concluded that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
This is quite a breathtaking ruling, and it has enormous implications and raises many questions.
Here are a few thoughts about the case:
1. The right to be forgotten now appears to be a full-fledged right in the EU.
Before this case, there had been debate about the recognition of a right to be forgotten in connection with proposed new EU legislation. The so-called “right to be forgotten” is the right of people to have their personal data deleted from various record systems.
The decision now appears to be more than just a proposal, as the court held that the EU Data Protection Directive already protects this right.
2. The right to be forgotten is not just an EU right — it also exists in US law.
Although some might think that a right to be forgotten is so at odds with US privacy law and would only fly in the EU, they are wrong. US privacy law does recognize in limited contexts a right to be forgotten. For example, the Children’s Online Privacy Protection Act provides for a right to delete personal data. The Fair Credit Reporting Act restricts the ability of consumer reporting agencies to report on bankruptcies and criminal proceedings that are beyond a certain number of years old.
Although recognized in US law, the right to be forgotten only exists in a few pockets of the law and is nothing compared to the rather dramatic ruling of the EU Court.
I’m certain that the EU court decision will be heavily criticized in the US, and I have a number of criticisms and questions below. But what we shouldn’t lose sight of is that there are important privacy considerations. People can really be harmed by the ready availability of information about them online. Even if one thinks the court went too far here, one should not just dismiss the right to be forgotten wholesale. There are still many circumstances where we might want to protect a right to be forgotten.
3. The details about how the right to be forgotten would work remain fuzzy.
How exactly with the right to be forgotten from search engine results be implemented? That isn’t clear. The court just articulated broad principles. Indeed, the court noted that freedom of speech and the public interest in obtaining information are also considerations that are to be considered in the balance.
The court noted that the invasion of privacy search engines create for individuals “cannot be justified by merely the economic interest which the operator of such an engine has in that processing.” Moreover, the court noted that “the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information.” Thus, the court stated, “a fair balance should be sought in particular between that interest and the data subject’s fundamental [privacy] rights.” The court went on to state: “Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.”
But who does the balancing? A search engine? How is it to weigh all these things?
When is the search engine’s purpose solely “economic interest”? Newspaper companies sell newspapers and access to their sites. They have ads on their sites. With many things, there are economic interests as well as other interests too.
And is it practical? Can a right to be forgotten readily be done on a large scale?
4. When it comes to privacy, EU law focuses more on declaring fundamental principles; US law is more focused on balancing and practicalities.
In the EU, there is great concern over articulating first principles – a broad statement of fundamental rights.
The US approach to privacy is pragmatic in that it reflects a balancing of privacy with other interests. It is much less concerned with articulating first principles.
The problem with the US approach is that the law is a total mess. There are countless laws at the federal and state level, and they are very different. There are a lot of gaps and areas where people aren’t adequately protected.
The problem with the EU approach is that it is hard to figure out how it will work in practice. For example, the EU court held, for example, that “links concerned in the list of results must be erased” when the information is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine.” But what is “irrelevant”? What are the “purposes of the processing” involved in a search? These issues depend upon who is searching and for what. These determinations are hard to make in the abstract, and search engines cannot know the precise purposes and circumstances behind every search query.
5. The EU court decision would raise serious First Amendment freedom of speech issues in the US.
The EU court decision would raise big free speech problems. It is hard to provide a quick opinion here because the way the First Amendment would work here depend upon the circumstances. For example, there is a clear protection for speaking about any public record. Other things will vary, such as a photo of a person, as copyright law can force a takedown. The other wrinkle is the fact that the EU court decision involves linking to information posted by others. To what extent does providing a link trigger liability? To what extent does the First Amendment protect linking to information, especially when those links are generated by a computer algorithm? Lots of difficult questions here.
6. There is an interesting irony in the EU court decision — it includes personal data about the plaintiff.
The EU court decision mentions the name of the individual who sought to remove the data from Google’s search results. It also discusses how the results linked to newspaper articles mentioning the plaintiff’s name that “appeared for a real-estate auction connected with attachment proceedings for the recovery of social security debts.”
Does the plaintiff here have a right to ask the EU Court to remove his name from the decision, as it reveals that he had debts?
And under the ruling, could he restrict Google from linking to the search results containing the opinion or any news articles about the opinion?
If this were the case, how would the opinion be found?
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter
Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security