The Right to be Forgotten

Dr Paul Bernal provides clarification on what the Right to be Forgotten means and what the issues are.

Image: CC-BY-NC-ND 2.0 Barry Hoggard

A lot has been said and written about the ‘right to be forgotten’ over the last year or two, and yet it doesn’t seem as though many people really know what they’re talking or writing about. So what is the right to be forgotten? How could it work – if it could work? Is it something to be supported or something to be feared? Why is it such a bone of contention? This article will try to start answering some of these questions.

What is the right to be forgotten?

Technically, the right to be forgotten is part of the proposed ‘data protection regulation’ – the revision of the data protection regime currently under discussion in Europe. The relevant section of the proposed regulation puts it like thi

“The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention of further dissemination of such data.”

The right is primarily intended to be used in two situations: when the data is no longer ‘needed’, and when the data subject ‘withdraws consent’ for the data to be used. It is a little more complex than that, but the essence is simple: if you don’t want people to hold your data, or the reason they held it is no longer valid, you should have the right to have that data deleted.

That much is relatively simple – and does not, on the surface, seem to have much to do with being ‘forgotten’. It’s much more about deleting of data held about you – which is why a number of people (including the author) have been suggesting for some time that it would be better to call it the ‘right to delete’ than the right to be forgotten.

Deleting data held about you

The idea that we should be able to delete data that others hold about us is one that seems, at least on the surface, to make a lot of sense. Indeed, it is important to understand where the original drive for this right came from: the amount of data being held about us, particularly by commercial operators, and the trouble that we have in deleting it. One specific trigger was the difficulty that people have had until recently in deleting their Facebook accounts. Shouldn’t we have the right to do that?

So where are the problems?

The first problem is the name – even mentioning a ‘right to be forgotten’ starts people thinking about the rewriting of history, of Stalin deleting people’s faces from photographs, of censorship. As noted above, that’s not really what the right is about – and indeed the right has a clumsily written exemption for data processed ‘solely for journalistic purposes or the purpose of artistic or literary expression’ – but it is easy to see how the right might be viewed in this way. Moreover, as legal rights often are, there may be the potential for it to be misused or manipulated in this way – or even simply misunderstood so that unwinnable lawsuits are entered into. According to their Global Privacy Counsel, Peter Fleischer, speaking at a recent symposium on the subject,  Google are already facing in excess of a hundred suits in Spain alone, on the basis of what people ‘think’ is their right to be forgotten. The term itself raises expectations that could be impossible to meet.

The second is a practical issue: can it be made to work at all? The right not only asks a data holder to delete data, but if they’ve made it public, to ‘take all reasonable steps’ to track down and delete copies and links to the data. Could this work? What kind of a burden would this place on intermediaries like Google and Facebook? Would it have some kind of chilling effect?

The EU, the US and the UK…

The third problem is perhaps more fundamental: the cultural differences in attitudes to privacy and free speech in the EU and the US. In the EU, and particularly in Germany, privacy is taken very seriously, and the rights that people have over data are considered crucial. In the US, privacy very much takes second place to free speech – anything that can even slightly infringe on free speech is likely to face short shrift. The right to be forgotten has been very actively opposed in the US on those grounds – Jeffrey Rosen in the Stanford Law Review calling it the ‘biggest threat to free speech on the internet in the coming decade’.

Who is right? Neither, really. The right is not what its more active opponents in the US think it is – but neither has it been written tightly enough and carefully enough to provide the kind of practical, realisable right to delete personal data that the EU would like to see.

There IS a problem that needs addressing

This is the first thing that needs to be recognised. For individual autonomy – and individual rights – there needs to be something to rein in the data gathering, and cut down the amount of data held. With more careful writing, the right to be forgotten could play a part in bringing this about, particularly if the big businesses of the internet – the Googles and Facebooks – come on board.

Shaping their business models is the key – if they make things work, the law won’t need to be so harsh, and won’t represent any real kind of threat. The Commission is taking the heavy-handed approach mostly because businesses haven’t shown much sign of addressing the issue by themselves. There is some sign of movement, prompted perhaps by this approach. Facebook is making it easier to delete profiles. Google seem to be beginning to understand privacy a little better. Has the approach of the Commission played a part in that? I’m sure they think so.  Can the right to be forgotten help? I’m sure they think that too. They may even be right.


Dr Paul Bernal is a lecturer in IT, IP and Media Law at the UEA. He researches into privacy and human rights, particularly on the internet. He blogs at:http://paulbernal.wordpress.com/ and tweets as @paulbernalUK

Share this article

Google+ Delicious Digg Facebook Google LinkedIn StumbleUpon Twitter Reddit Newsvine E-mail

Comments

Comments (3)

  1. 10com:
    May 24, 2012 at 01:31 PM

    "When a search-engine can find it, it can be deleted"

    In other words: it's technically very well possible to execute the "Right to be Forgotten".

    10com proposes to 'tag' personal data, like content can be tagged with a Creative Commons License. Google is able to offer users all images that have a "Creative Commons" License. In the same way it is possible, to make data 'track-backable' and deleteable. The EU should not only create a rule here, but combine it with a tagging system comparable to Creative Commons.

  2. Mike farrell:
    May 29, 2012 at 10:39 AM

    Exellent article Paul

  3. Craig:
    May 30, 2012 at 09:08 PM

    The issue shouldn't be about the right to be forgotten, but rather about control over the content you post. How many poeople actually want to delete their history of online content and social media posts? What we really want, is a way to archive old posts away where only WE can see it, or where we can control who else has access.

    Stronger privacy solutions like the scrambls.com plug-in are the better solution for the future -- allowing us all to keep our content, with more control over who can see it so a private message isn't publicly archived.

This thread has been closed from taking new comments.

By Dr Paul Bernal on May 23, 2012

Featured Article

Schmidt Happens

Wendy M. Grossman responds to "loopy" statements made by Google Executive Chairman Eric Schmidt in regards to censorship and encryption.

ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views

People who have written us are: campaigners, inventors, legal professionals , artists, writers, curators and publishers, technology experts, volunteers, think tanks, MPs, journalists and ORG supporters.

ORG Events