The Right to be Forgotten

Viviane Reding proposed the Right to be Forgotten January 25, 2012. Photo courtesy of Huffington Post

Channeling a sentiment similar to Warren and Brandeis’ argument for the right to be left alone, EU Justice Commissioner Viviane Reding, Vice President of the European Commission, proposed a new data protection law that would give people greater control of their personal information on January 25, 2012, at the Digital-Life-Design Conference in Munich. Under the proposal, an individual has the “right to be forgotten” and can request that their personal information be removed from a company’s records. Unless there are legitimate grounds for retention, the company is required to comply. If the company does not comply, the EU has the power to fine it 0.5-2% of its global turnover. Other components of the proposal include a demand for greater transparency on what, how, and when a company uses personal data. If a security breach occurs, companies would be required to inform their users as soon as possible, and to ask for and receive, rather than assume, consent from the individual to use their personal information.

The new proposal expands and clarifies the rights granted to an individual over the collection, maintenance, and dissemination of their personal information, as established by the EU’s 1995 Data Protection Directive. It updates the 1995 Data Protection Directive in that it accounts for the vast technological strides that have occurred since 1995, and for the exponential increase in information exchanged online, by insisting on greater transparency from companies. Reding claims her proposals will “build trust in online services because people will be better informed about their rights and more in control of their information.” Despite its good intentions, the “right to be forgotten” has received a mixed reaction from companies within and doing business with the EU. James Lovegrove, managing director of TechAmerica Europe, voiced the company’s hesitation to fully support the proposal by stating that “the real concern is that many of the proposed rules will inhibit the free flow of information globally and make it difficult for global business to operate and invest in Europe due to greater legal uncertainty, increased administrative burdens, and the risk of fines.” In addition, if the proposal is approved, it will have a global impact that affects American companies such as Amazon, Netflix, and Facebook. American companies that operate in Europe would be required to comply with the EU’s new law, changing their established data protection and privacy laws.

Photo by Heather Robbins

Despite these concerns and others like them, Reding says her proposal actually makes good business sense: “A strong clear, and uniform legal framework at EU level will help to unleash the potential of the digital single market and foster economic growth.” However, it is clear that TechAmerica Europe and companies like it require further discussion on the implementation and implications of the proposal before they can endorse it.

The contention voiced by EU companies over the policy stems not from the fact that there is one basic law for a multitude of companies but from the economic and fiscal ramifications. If something similar were proposed in the US, and if the reaction of one American journalist, Jerry Brito, to the EU proposal is anything to go by, there would be serious debate about a single legal framework for data protection and privacy due to possible conflicts with freedom of speech, censorship, and economic repercussions. Currently, the US does not have a data protection plan comparable to the EU’s Data Protection Directive. Instead, as Helen Nissenbaum points out, “in the United States legal landscape, sensitive information is accorded special cognition through a series of key privacy statutes that impose restrictions on explicitly identified categories of sensitive information.” For the most part, the US leaves data protection and privacy policy primarily to the self-regulation of companies, and defines how personal data should be collected, maintained, and disseminated for federal agencies or with narrowly defined laws as the need arises. For example, the Children’s Online Privacy Protection Act (COPPA) was established in 1998 to protect the privacy of children under the age of 13, and the Privacy Act of 1974 was established to state that an individual must give consent to the federal agency in question to disclose or disseminate their personal information outside of government agency or law enforcement purposes. According to James Nehf, the privacy and data protection policies that have developed in the US are due in large part to company market strategy. It helps to be, or to appear to be, concerned about customer privacy and to develop privacy policy accordingly. For that reason, privacy policy has been primarily established and implemented at the company level rather than at the government level.

Initially, I thought the EU Commission’s proposal an excellent idea. It sounds so appealing: the ability to delete embarrassing or outdated personal information; a request that the company in question is required to comply with unless they want to pay a fine. Yes please, I will take that photograph of me back, thank you.

However, I have to admit the more I learn about the proposal the less enthusiastic I become. I still like the idea of ensuring greater transparency and control for the user’s benefit, but I’m not sure if the cost outweighs the benefits. I like the concept but not the execution. At this point, until there is further clarification, I am unable to agree with the EU’s proposal. For example, in regards to the impact on American companies that operate within the EU, would those companies only change their privacy for some (those in the EU) rather than all of their users? In addition to this question, I have others. Such as: what qualifies as a “legitimate” reason to retain personal data? What is the implementation strategy? How much money will that cost? And what process would an individual have to go through to get their personal data removed? Frankly, the more forms that need to be filled out the less likely I am to request a company remove all my personal data from their files.

Laptop privacy sweater, photo courtesy of geek-ware.blogspot.com

However, unlike Jerry Brito and Jeff Jarvis, who see the proposal as nothing but censorship on a large scale and infringement on freedom of speech, I see potential in the idea of the “right to be forgotten.” The right to delete my information from a company’s records should be my decision. However, while the single legal framework may work for the EU, as they have been operating under something similar with the 1995 Data Protection Directive, that same execution will not work for the US. As mentioned previously, the US has not had, nor (as I suspect) will it have, one law that rules them all in terms of data protection. Rather, it would be up to the company to make the decision to allow “the right to be forgotten.” It’s not perfect, but it’s a step, I think, in the right direction.

If you would like to watch a very brief video on EU’s data protection proposal, you can do so here, courtesy of YouTube.

All Sources PDF

 


2 Responses to The Right to be Forgotten

  1. Sara says:

    I also question the efficacy of implementing Reding’s proposal. It definitely does seem appealing initially, but your questions are extremely valid, and I had similar thoughts while reading about it! The question about what a “legitimate” reason might be to remove one’s personal data especially resonated with me. I can see hugely expensive legal battles being fought over that issue… Or, alternatively, people giving up on what they might believe to be a “legitimate” right because they don’t have the money or time to fight hugely expensive legal battles. I’m glad that countries are beginning to legitimize the “right to be forgotten” and that the powers that be are recognizing that it should be a legal issue. I hope that eventually it will be proposed in a form that can realistically be executed!

  2. sshapro says:

    http://www.npr.org/blogs/krulwich/2012/02/23/147289169/is-the-right-to-be-forgotten-the-biggest-threat-to-free-speech-on-the-internet

    This article, posted on NPR a few days ago, refers to this as the biggest threat to free speech on the internet, similar to the sentiments expressed by Jeff Jarvis in his blog that you linked.
