Channeling a sentiment similar to Warren and Brandeis’ argument for the right to be left alone, EU Justice Commissioner Viviane Reding, Vice President of the European Commission, proposed a new data protection law on January 25, 2012 at the Digital-Life-Design Conference in Munich that would give people greater control of their personal information. Under the proposal, an individual has the “right to be forgotten” and can request that their personal information be removed from a company’s records. Unless there are legitimate grounds for retention, the company is required to comply. If the company does not comply, the EU has the power to fine it 0.5-2% of its global turnover. Other components of the proposal include a demand for greater transparency on what, how, and when a company uses personal data. If a security breach occurs, companies would be required to inform their users as soon as possible, and to ask for and receive, rather than assume, consent from the individual to use their personal information.
The new proposal expands and clarifies the rights granted to an individual over the collection, maintenance, and dissemination of their personal information, as established by the EU’s 1995 Data Protection Directive. It updates the 1995 Directive by taking into account the vast technological strides that have occurred since 1995 and the exponential increase in information exchanged online, and by insisting on greater transparency from companies. Reding claims her proposals will “build trust in online services because people will be better informed about their rights and more in control of their information.” Despite its good intentions, the “right to be forgotten” has received a mixed reaction from companies within and doing business with the EU. James Lovegrove, managing director of TechAmerica Europe, voiced the company’s hesitation to fully support the proposal by stating that “the real concern is that many of the proposed rules will inhibit the free flow of information globally and make it difficult for global business to operate and invest in Europe due to greater legal uncertainty, increased administrative burdens, and the risk of fines.” In addition, if the proposal is approved, it will have a global impact that affects American companies such as Amazon, Netflix, and Facebook. American companies that operate in Europe would be required to comply with the EU’s new law, changing their established data protection and privacy laws.
Despite these concerns and others like them, Reding says her proposal actually makes good business sense: “A strong, clear, and uniform legal framework at EU level will help to unleash the potential of the digital single market and foster economic growth.” However, it is clear that TechAmerica Europe and companies like it require further discussion on the implementation and implications of the proposal before they can endorse it.
Initially, I thought the EU Commission’s proposal an excellent idea. It sounds so appealing: the ability to delete embarrassing or outdated personal information; a request that the company in question is required to comply with unless they want to pay a fine. Yes please, I will take that photograph of me back, thank you.
However, I have to admit the more I learn about the proposal the less enthusiastic I become. I still like the idea of ensuring greater transparency and control for the user’s benefit, but I’m not sure if the cost outweighs the benefits. I like the concept but not the execution. At this point, until there is further clarification, I am unable to agree with the EU’s proposal. For example, with regard to the impact on American companies that operate within the EU, would those companies only change their privacy for some (those in the EU) rather than all of their users? In addition to this question, I have others, such as: what qualifies as a “legitimate” reason to retain personal data? What is the implementation strategy? How much money will that cost? And what process would an individual have to go through to get their personal data removed? Frankly, the more forms that need to be filled out, the less likely I am to request a company remove all my personal data from their files.
However, unlike Jerry Brito and Jeff Jarvis, who see the proposal as nothing but censorship on a large scale and infringement on freedom of speech, I see potential in the idea of the “right to be forgotten.” The right to delete my information from a company’s records should be my decision. However, while the single legal framework may work for the EU, as they have been operating under something similar with the 1995 Data Protection Directive, that same execution will not work for the US. As mentioned previously, the US has not had, nor (as I suspect) will it have, one law that rules them all in terms of data protection. Rather, it would be up to the company to make the decision to allow “the right to be forgotten.” It’s not perfect, but it’s a step, I think, in the right direction.
If you would like to watch a very brief video on EU’s data protection proposal, you can do so here, courtesy of YouTube.