It is a telling—but overlooked—fact that during the current EU legislative process regarding the data protection reform, one of the few things the European Parliament and the Council of Ministers are in agreement on, before they have even met, is the so-called "right to be forgotten." But only in the sense that both Parliament (Amendments 27, 28, 91, 112 and 188, for those keeping score) and Council either have strong reservations or want to do away with the concept.
So there was some irony when the European Court of Justice's now infamous ruling was rendered and at least partly made the "right to be forgotten" into a treaty-based law, thereby both overtaking and overruling the democratically accountable co-legislature. But, even when putting the issue of judicial activism to one side, the "right" still has flaws.
Without violating my duty of confidentiality as a former civil servant, I can also say that many of the member state experts in the DAPIX working party, where all the grunt work is carried out within council, were fairly unimpressed by the proposed "right to be forgotten" when the new regulation was first proposed.
But is the "right to be forgotten" not one of the cornerstones of the proposed new rules? Is it not a basic necessity for the people of Europe in the new Digital Age? And are any detractors not just trying to "distort the debate"?
Well, maybe not.
What's in a name?
The most pressing issue is the one that both Parliament and Council appear likely to agree on. When legislating within the area of fundamental rights law, it is one of the more central points to only call something a "right" if it can be invoked with any real effect. Take, for instance, the right to peaceably assemble. People may reasonably expect to be able to exercise this right without interference from the state, and if not, then it will generally be possible to seek, e.g., judicial remedy in order to either establish that the right was violated or to help ensure that interference does not happen again.
Now take these concepts and apply them to the "right to be forgotten." Assume a client or acquaintance outside of the privacy profession has heard of this right and wants to have something about him "forgotten," maybe pictures that future employers may not appreciate. First thing you should do is, of course, make sure he understands that this "right" only applies in the digital world. What may or may not be remembered outside of the digital realm the powers that be have, at least so far, not claimed to have a solution for.
Once this is clear, you might want to explain that the right only applies in the EU and that even people in the EU can't invoke it in regard to most businesses outside of the EU. Now this might make sense in the physical world, but, since we have the Internet, your client/acquaintance might well point out that if anyone outside of the EU can still find those embarrassing photos online, then what good is the "right"?
At this point you might choose to add that actually invoking the "right" does not really make anything go away on the Internet; it just means that when someone searches for his name—most likely on some localized version of Google's search engine—the photos in question just won't appear in the search result. And, while that is great, it helps little if those searching have just a basic understanding of how the Internet works and thus are able to use the Google.com search function via an IP address pretending to be based outside the EU. In fact, you might as well inform him that as you speak, recruitment firms are most likely making sure that people within the EU that are trying to have data "forgotten" and hidden from employers, recruiters, etc., are being subjected to "enhanced" searches via Google.com—for a reasonable fee of course.
Then you should mention that the current legislative deliberations in the EU have identified at least six grounds (see Article 17(3)) why, even if this "right" is invoked, data should still not be "forgotten"—including "freedom of expression" grounds, "compliance with a legal obligation," "public health" grounds and the not-very-narrow "establishment, exercise or defence of legal claims" ground.
And when he now looks at you glossy-eyed and bereft of belief in the sanity of humanity, just comfort him by underlining that any refusal by a data controller to "forget" his picture, within the EU, can be brought before the competent data protection authority for timely and competent adjudication.
Looking forward
But what is my point anyway? Should we just give up and allow the Internet to hold people in a permanent vice of their past mistakes without any hope of redress? Not quite, but let's also not give people the impression that invoking some "right" will somehow make the Internet manageable.
Legislating to create rights that cause unrealistic expectations or simple confusion is not good law, and it is not helpful for the advancement of the already-complicated area of data protection/privacy law.
If we are to regulate these issues—and I do think we should—let's try to narrow the scope to things that do actual harm, like slandering blogs or data that have been found libelous but outside of the reach of friendly courts, etc. Let's leave as wide a berth as possible between data protection law and any risk of interfering with the freedom of expression and the Internet, in general.
And let's avoid building a Kafkaesque Internet sanitization system where people are told they might have a right to get—in the words of the court—"irrelevant" data removed, Especially, when the main arbiter of the "right to be forgotten" is likely to be private businesses, because the one thing someone trying to be forgotten wants to do is file a complaint with a public authority that is subject to freedom of information requests and possible judicial review.
Which leads to my favourite—and the most ironic—part of the ECJ verdict: Guess who won't be forgotten, ever, even though he really wanted to be? One Mr. Costeja González, who filed the original request to be forgotten with the Spanish DPA. Forget about the Streisand effect. The González effect plucks you from obscurity and makes you truly unforgettable.
Comments
If you want to comment on this post, you need to login.