The Right to Be Forgotten

At the end of January, the European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission's proposal to create a sweeping new privacy right-the "right to be forgotten."

The right, which has been hotly debated in Europe for the past few years, has finally been codified as part of a broad new proposed data protection regulation. Although Reding depicted the new right as a modest expansion of existing data privacy rights, in fact it represents the biggest threat to free speech on the Internet in the coming decade. The right to be forgotten could make Facebook and Google, for example, liable for up to two percent of their global income if they fail to remove photos that people post about themselves and later regret, even if the photos have been widely distributed already. Unless the right is defined more precisely when it is promulgated over the next year or so, it could precipitate a dramatic clash between European and American conceptions of the proper balance between privacy and free speech, leading to a far less open Internet.

In theory, the right to be forgotten addresses an urgent problem in the digital age: it is very hard to escape your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. But Europeans and Americans have diametrically opposed approaches to the problem. In Europe, the intellectual roots of the right to be forgotten can be found in French law, which recognizes le droit à l'oubli-or the "right of oblivion"-a right that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration. In America, by contrast, publication of someone's criminal history is protected by the First Amendment, leading Wikipedia to resist the efforts by two Germans convicted of murdering a famous actor to remove their criminal history from the actor's Wikipedia page.

European regulators believe that all citizens face the difficulty of escaping their past now that the Internet records everything and forgets nothing-a difficulty that used to be limited to convicted criminals. When Commissioner Reding announced the new right to be forgotten on January 22, she noted the particular risk to teenagers who might reveal compromising information that they would later come to regret. She then articulated the core provision of the "right to be forgotten": "If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system."

In endorsing the new right, Reding downplayed its effect on free speech. "It is clear that the right to be forgotten cannot amount to a right of the total erasure of history," she said. And relying on Reding's speeches, press accounts of the newly proposed right to be forgotten have been similarly reassuring about its effect on free speech. In a post at the Atlantic.com, Why Journalists Shouldn't Fear Europe's ‘Right to be Forgotten,' John Hendel writes that although the original proposals a year ago "would have potentially given people the ability to cull any digital reference-from the public record, journalism, or social networks-they deemed irrelevant and unflattering," Reding had proposed a narrower definition of data that people have the right to remove: namely "personal data [people] have given out themselves." According to Hendel "[t]his provision is key. The overhaul insists that Internet users control the data they put online, not the references in media or anywhere else."

But Hendel seems not to have parsed the regulations that were actually proposed three days later on January 25. They are not limited to personal data that people "have given out themselves"; instead, they create a new right to delete personal data, defined broadly as "any information relating to a data subject." For this reason, they arguably create a legally enforceable right to demand the deletion of any photos or data that I post myself, even after they've gone viral, not to mention unflattering photos that include me or information about me that others post, whether or not it is true.

In a widely cited blog post last March, Peter Fleischer, chief privacy counsel of Google, notes that the right to be forgotten, as discussed in Europe, often covers three separate categories, each of which proposes progressively greater threats to free speech. And the right to be forgotten, as proposed at the end of January, arguably applies in all three of Fleischer's categories.

The first category is the least controversial: "If I post something online, do I have the right to delete it again?" This involves cases where I post a photo on Facebook and later think better of it and want to take it down. Since Facebook and other social networking sites already allow me to do this, creating a legally enforceable right here is mostly symbolic and entirely unobjectionable. As proposed, the European right to be forgotten would also usefully put pressure on Facebook to abide by its own stated privacy policies by allowing users to confirm that photos and other data have been deleted from its archives after they are removed from public display.

But the right to delete data becomes far more controversial when it involves Fleischer's second category: "If I post something, and someone else copies it and re-posts it on their own site, do I have the right to delete it?" Imagine a teenager regrets posting a picture of herself with a bottle of beer on her own site and after deleting it, later discovers that several of her friends have copied and reposted the picture on their own sites. If she asks them to take down the pictures, and her friends refuse or cannot be found, should Facebook be forced to delete the picture from her friends' albums without the owners' consent based solely on the teenager's objection?

According to the proposed European Right to Forget, the default answer is almost certainly yes. According to the regulation, when someone demands the erasure of personal data, an Internet Service Provider "shall carry out the erasure without delay," unless the retention of the data is "necessary" for exercising "the right of freedom of expression," as defined by member states in their local laws. In another section, the regulation creates an exemption from the duty to remove data for "the processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression." Essentially, this puts the burden on Facebook to prove to a European commission authority that my friend's publication of my embarrassing picture is a legitimate journalistic (or literary or artistic) exercise. If I contact Facebook, where I originally posted the embarrassing picture, it must take "all reasonable steps" on its own to identify any relevant third parties and secure the takedown of the content. At the very least, Facebook will have to engage in the kinds of difficult line-drawing exercises previously performed by courts. And the prospect of ruinous monetary sanctions for any data controller that "does not comply with the right to be forgotten or to erasure"-a fine up to 1,000,000 euros or up to two percent of Facebook's annual worldwide income-could lead data controllers to opt for deletion in ambiguous cases, producing a serious chilling effect.

For a preview of just how chilling that effect might be, consider the fact that the right to be forgotten can be asserted not only against the publisher of content (such as Facebook or a newspaper) but against search engines like Google and Yahoo that link to the content. The Spanish Data Protection authority, for example, has sued Google to force it to delete links to embarrassing newspaper articles that are legal under Spanish law. And suits against third party intermediaries are also threatening freedom of speech in Argentina, as the case of Virginia Da Cunha shows. The Argentine pop star had posed for racy pictures when she was young, but recently sued Google and Yahoo to take them down, arguing that they violated the Argentine version of the "right to be forgotten." Google replied that it could not comply technologically with a broad legal injunction demanding the removal of the pictures, and Yahoo said that the only way to comply would be to block all sites referring to Da Cunha for its Yahoo search engines. Nevertheless, an Argentine judge sided with Da Cunha and after fining Google and Yahoo, ordered them to remove all sites containing sexual images that contained her name. The decision was overturned on appeal, on the grounds that Google and Yahoo could only be held liable if they knew content was defamatory and negligently failed to remove it. But there are at least one hundred and thirty similar cases pending in Argentine courts demanding removal of photos and user-generated content, mostly brought by entertainers and models. The plaintiffs include the Sports Illustrated swimsuit model Yesica Toscanini; when a user of Yahoo Argentina plugs her name into the Yahoo search engine, the result is a blank page.

Finally, there is Fleischer's third category of takedown requests: "If someone else posts something about me, do I have a right to delete it?" This, of course, raises the most serious concerns about free expression. The U.S. Supreme Court has held that states cannot pass laws restricting the media from disseminating truthful but embarrassing information-such as the name of a rape victim-as long as the information was legally acquired.

The proposed European regulation, however, treats takedown requests for truthful information posted by others identically to takedown requests for photos I've posted myself that have then been copied by others: both are included in the definition of personal data as "any information relating" to me, regardless of its source. I can demand takedown and the burden, once again, is on the third party to prove that it falls within the exception for journalistic, artistic, or literary exception. This could transform Google, for example, into a censor-in-chief for the European Union, rather than a neutral platform. And because this is a role Google won't want to play, it may instead produce blank pages whenever a European user types in the name of someone who has objected to a nasty blog post or status update.

It's possible, of course, that although the European regulation defines the right to be forgotten very broadly, it will be applied more narrowly. Europeans have a long tradition of declaring abstract privacy rights in theory that they fail to enforce in practice. And the regulation may be further refined over the next year or so, as the European Parliament and the Council of Ministers hammer out the details. But in announcing the regulation, Reding said she wanted it to be ambiguous so that it could accommodate new technologies in the future. "This regulation needs to stand for 30 years-it needs to be very clear but imprecise enough that changes in the markets or public opinion can be maneuvered in the regulation," she declared ominously. Once the regulation is promulgated, moreover, it will instantly become law throughout the European Union, and if the E.U. withdraws from the safe harbor agreement that is currently in place, the European framework could be imposed on U.S. companies doing business in Europe as well. It's hard to imagine that the Internet that results will be as free and open as it is now.

This article, by Jeffrey Rosen, was originally published on Stanford Law Review Online