TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | How does California's Erasure Law stack up against the EU's right to be forgotten Related reading: NTIA releases comments on consumer privacy framework

rss_feed
PrivacyTraining_ad300x250.Promo1-01
GDPR-Ready_300x250-Ad

""

While most are familiar with the European Union’s right to be forgotten, fewer are aware that in 2015, California enacted the Online Eraser Law, which many are touting as the “Right To Be Forgotten Lite” as it allows minors to “erase” their content online. But, is California’s law actually RTBF Lite? Here’s how it stacks up against the European Union’s right to be forgotten.

The European right to be forgotten is grounded in the belief that individuals should have autonomy over their online presence without being repeatedly stigmatized as a consequence of a specific action performed in the past. The right’s emergence, and what many consider its foundational beginnings, was Article 12 of the Data Protection Directive (95/46/EC) where a data subject’s right to request and obtain access to personal data and object to its processing were first recognized.

It became the topic of international news, and of concern to American companies that process the personal data of private citizens of the EU, in 2014 when the Court of Justice of the European Union took up the Google v. Costeja case. The case stemmed from a Spanish newspaper, La Vanguardia, publishing announcements in 1998 regarding the forced sale of properties arising from social security debts, which it eventually put online. In 2009, one of the property owners, Mario Costeja Gonzalez, lodged official complaints against La Vanguardia and Google, arguing that the forced sale had been years ago and was no longer relevant, therefore the data and links should be removed. The complaint against La Vanguardia was rejected, but upheld against Google Spain and Google and ended up in the CJEU.

The CJEU ruled that a search engine must, upon the data subject’s request, eliminate from the results of a search of their name any links that are no longer relevant. Now, most notably, the right has been officially codified as Article 17, “The Right to Erasure,” of the European Union’s General Data Protection Regulation, which goes into effect May 25, affecting a multitude of companies — no matter where they are based — that process the personal information of individuals in the EU.

California’s Online Erasure law took effect Jan. 1, 2015. The purpose of the law is to protect children and young adults online by providing them with an “online eraser.” The law requires any operator of a website, online service, online application or mobile application to permit a minor who is a registered user of the service to remove, or to request and obtain removal of, content or information that was posted on the operator’s service by the minor. Yes, you read that correctly. The law only allows removal of content that the user has posted. Thus, should a minor attempt to request deletion of third-party content concerning them, the law would not cover such a scenario, and the minor would have no recourse. 

The California law is simply legislating a delete button for minors. However, considering that most every website, web service, web application, or mobile application already permits users to delete information they themselves have posted, regardless of the user’s age, the law seems inconsequential. Additionally, removing the original copy of the content would only accomplish the goal of the law if it were the only copy online. Given how often publicly available information gets copied and shared (think retweets on Twitter and post shares on Facebook), this law only gives minors the illusion of control, not actual control, over their content.

In addition, the law is ambiguous. It is not clear whether only those under age 18 can request removal or whether the allowance extends to people of any age, but only for posts made while a minor — making it difficult for operators, if they are even aware of the law, to decipher what content they are actually required to delete.

In comparison, under the EU right to be forgotten, any data subject in the European Union, regardless of age, may ask an entity to confirm whether it is processing personal data related to them and, if so, to provide a copy of such data to the data subject. Further, the data subject may then object to the processing or request removal of all their personal data. It should be noted that this is not just data posted directly by the data subject, but any personal data that concerns the data subject. Meaning, a data subject may request removal of third-party content if the content concerns them. However, requesting removal does not mean automatic deletion unless the lawful basis for the processing of such data is consent. Instead, the data controller will weigh and balance the data controller’s legitimate interest or the public’s interest in having access to the information versus the data subject’s fundamental right to privacy (assuming the lawful basis for processing is either legitimate interest for the controller or public interest). Should the scales tip in the data subject’s favor, the data must be removed.

Sizing up the laws side-by-side, it is apparent the California Online Erasure law is not the right to be forgotten lite — it is just not the right to be forgotten at all. The California legislature fell short in its quest for online protection for minors. At best, legislators have codified the right to a delete button for minors, at worst they have enacted a law that is a series of smoke and mirrors that only provides the illusion of protection for California minors.

To be fair, California’s legislature is up against a tough fight. There is opposition to recognition of the right to be forgotten in the United States. Critics argue that it would contravene the right to freedom of speech and expression and will constitute censorship. These criticisms are consistent with the proposal that the only information that can be removed by a user is content they uploaded themselves. Right in line with what the California Online Erasure law provides.

On the flip side, those in favor of an American right to be forgotten argue that without it, laws that require adverse information to be removed from credit reports after a period of time, and that allow the sealing or expunging of criminal records are effectively undermined by the ability of prospective lenders and employers to find removed information within seconds by simply doing a Google search.

While opinions remain divided in the U.S., one survey in 2015 revealed that 9 out of 10 Americans want some form of the right to be forgotten, and the consumer rights organization Consumer Watchdog has filed a complaint with the Federal Trade Commission for Americans to obtain the right as well. In addition, tides are changing in the United States concerning privacy. With a new data breach in the news each day, and the current Facebook-Cambridge Analytica scandal unfolding, Americans are being forced to reconsider their data, their rights, and their privacy in a way they have not before. Time will tell if Americans will ever receive a right to be forgotten, but for now California’s attempt falls short of doing much of anything.

photo credit: MPD01605 EU Flagga via photopin (license)

Comments

If you want to comment on this post, you need to login.