The ‘Right to Be Forgotten’: Ten Reasons Why It Should Be Forgotten
© Springer Science+Business Media Dordrecht 2015
Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.)Reforming European Data Protection LawLaw, Governance and Technology Series2010.1007/978-94-017-9385-8_88. The ‘Right to Be Forgotten’: Ten Reasons Why It Should Be Forgotten
(1)
European University Cyprus, Nicosia, Cyprus
Abstract
This paper looks at the right to data erasure contained in Article 17 of the Draft Data Protection Regulation and challenges the choice to label it as a right ‘to be forgotten’. It first explains what this right entails and why it is necessary particularly in the online world. It then puts forward ten reasons why its labeling as a ‘right to be forgotten’ does no good while it may cause harm. It shows that it does not tell the truth and is difficult to justify even if one is willing to think outside the strict boundaries of plain speech. It can mislead individuals as to its exact reach and as a result, unnecessarily trouble data controllers and eventually also frustrate the expectations of data subjects. The relevant label does not take into account the multi-purpose nature of the right (in a rapidly evolving online world), which necessitates a name that is both accurate and flexible. Fortunately, the ‘to be forgotten’ label can easily be omitted from the final text of the Regulation without necessitating any other change to the wording of Article 17. The right should simply be called a ‘right to erasure’, which cannot validly be subjected to similar objections. In general, the paper looks the right through the ‘lens’ of its label and offers an alternative introduction to the right and some of the issues pertaining to it.
8.1 Introduction
It is certainly not innovative to begin a piece on the now infamous ‘right to be forgotten’ by referring to Stacy Snyder. Miss Snyder is the young woman from the US who was denied a degree in education because of a picture she posted on MySpace, a social network website showing her wearing a pirate hat and drinking alcohol at a party. That picture was discovered by her supervisor and the Dean of the University, who thought that she did not deserve to be a teacher.1 The story is very often mentioned in the literature on “the web that never forgets”2 and on the so called ‘right to be forgotten’.3 The first chapter of ‘Delete’, the book that has been described as “the most comprehensive discussion of the right to be forgotten in academic literature”4 is named after the case of Miss Snyder.5
More generally, there has been an increasing tendency towards comparing the storage capabilities of the web with those of the human brain and emphasizing the fact that whereas human memory has limitations mirrored in human forgetfulness, the web “records everything and forgets nothing”.6 The relevant line of thinking continues by pointing towards the usefulness of human forgetfulness7 and calling for imputing the web with an analogous process, thereby correcting the ‘(un)forgetfulness’ deficiency of the web ‘brain’: “…the inability of computers to forget can at times be viewed as a bug, and not a feature”.8 The introduction of a legal ‘right to be forgotten’ can be seen as an important step towards ‘fixing that bug’. By having a right to require erasure of their personal data on the web, individuals can in a way ‘force’ the web to forget it. Such legal right will in turn encourage the development of ‘technologies of erasure’ (or of forgetfulness), the result ultimately being the technical introduction of forgetfulness into the ‘brain’ of the web.
It is not entirely clear if it is the ‘human-web memory’ analogy that inspired the labeling of this ‘erasure’ right in ‘forgetfulness’ terms or if it is the vice versa. The concept of a ‘right to be forgotten’ has appeared in the literature more than 20 years ago.9 Also, as early as in the 1970s, Westin and Baker, talking about data erasure, referred to a choice to be made by society between “forgive-and-forget” and “preserve and evaluate”.10 Yet, online privacy and data protection were not very often discussed in terms of web non-forgetfulness in subsequent literature. It is therefore the recent re-surfacing of the concept of a ‘right to be forgotten’ by the European Commission11 which must be the culprit behind this increasing emphasis on the need for the web to ‘forget’ comparably to how the human brain functions.
The ‘forgotten’ label however, may be fallible as may be the ‘human-web memory’ analogy that explains it. The fact that the case of Stacey Snyder has been epitomizing the particular right and its usefulness is similarly problematic. It may therefore be unsurprising that a right, which is not totally new, has provoked much controversy and criticism12 mainly relating to its inconsistency with free speech13 and the difficulties in its implementation.14 This paper will first explain the basics of the right to be forgotten and acknowledge its importance in the online world where individuals constantly disclose personal data. Then it will explore the problems inherent in the chosen label through listing ten reasons why it is inappropriate. More specifically, it will arise that it does not make sense in plain speech in the particular context. Furthermore, the analogy it uses between web and human brain (or the way it uses it) is weak and cannot serve as an adequate explanation for the term. This is because contrary to the position inherent in the chosen label, the web may in many cases actually forget analogously to how the human brain does. Also, whereas the right provides for data erasure, human forgetting does not constitute data erasure from the brain in most cases. Apart from that, the particular label is both over-inclusive and under-inclusive, thus depicting a misleading picture of the actual reach of the right. The paper also rejects the alternative ‘right to delete’ label and concludes that the right should simply be referred to as a right to erasure. Thus, the compromise amendments recently voted by LIBE, the EU Parliamentary Committee on Civil Liberties, Justice and Home Affairs15 which remove all references to a ‘right to be forgotten’ and rename the right to a ‘right to erasure’ should be welcomed and find representation in the final Regulation.
8.2 The Basics of the Right to Be Forgotten
In the Regulation as proposed by the Commission in 2012, the right appears in Article 17(1) which provides the following:
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; (c) the data subject objects to the processing of personal data pursuant to Article 19; (d) the processing of the data does not comply with this Regulation for other reasons.
Apart from having to erase personal data following a request by the data subject, the data controller must, under Article 17(2), “take all reasonable steps” to inform third parties who are processing any data made public by the controller “that a data subject requests them to erase any links to, or copy or replication of that personal data”. Recognizing that it may be impossible to locate all such third parties, this additional obligation on the data controller is rightly limited to him making reasonable attempts to inform third parties. It is however a problem that third parties are not made subject to an obligation to satisfy any erasure requests.16
One can see that despite its somewhat ‘mysterious’ label, the right to be forgotten is essentially a right to have one’s data erased. Such erasure right is not a total novelty. Since 1995 and the coming into being of the Data Protection Directive (DPD),17 individuals have had under Article 12(b) “the right to obtain from the controller… the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data”.18 Furthermore, the DPD, specifically Article 6(e) obliges data controllers to keep personal data “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed”. This obligation could be translated into a right vested on data subjects to have their data deleted or at least anonymized when its purposes have been fulfilled.19 As regards the obligation to inform third parties in Article 17(2) of the Proposed Regulation, Article 12(c) of the DPD similarly provides that the data subject has the right to obtain from the data controller “notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort”.
These provisions of the DPD have been described as “diluted ‘right to be forgotten’ provisions”20 and have been referred to as “means of enhancing control over one’s own data” in a Communication published by the Commission in 2010.21 It was actually in that context that the Commission first utilized the concept of ‘a right to be forgotten’ making it clear that it was not intended as anything dramatically new but simply as a clarification of the already existing ‘data erasure’ rights: “The Commission will…examine ways of… clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes”.22
That the ‘right to be forgotten’ is essentially a synonym of the ‘right to erasure’ is reinforced in the Proposed Regulation published by the Commission 2 years later. Indeed, in Recital 53, the reference to the rights to rectification and erasure appearing in Article 12(b) of the DPD23 are replaced by “…the right to have personal data…rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation.” Thus, the ‘right to erasure’ is replaced by the ‘right to be forgotten’, which is later in the Recital expanded upon in terms of data erasure. Rather confusingly, Article 17 of the Proposed Regulation is titled as “Right to be forgotten and to erasure” suggesting that the two rights may be different. However, the actual provision is formulated only in ‘erasure’ terms containing no reference to the ‘forgotten’ word and rightly making commentators wonder: “could it be true that ‘the right to be forgotten’, as presented in the new EU proposed Regulation, does not in fact add much more than a ‘shiny’ title to Article 17”?24
Having said that the right to be forgotten is essentially a right to erasure, a look at Article 17(1) reveals that a main clarification (and sort of innovation) appears in paragraph (b), which renders the right exercisable on the ground of withdrawal of consent.25 Whereas the consent of the data subject to data processing has always been a ground legitimizing that processing,26 a right to withdraw previously-given consent does not expressly appear in the text of the DPD. As a result, the assertions of the Data Protection Working Party (DPWP) that it already exists implicitly27 are unconvincing. Indeed, given that “personal data has become the currency on the Internet”28 and the web default is that of data amassing, it may be naïve to expect that online businesses will readily comply with legal rules that restrain ‘personal data’ collection. It is noteworthy that the recently-amended legal provision on cookies, a notorious data-collecting technology, explicitly requires prior consumer consent to their use by websites.29 Yet, it has met with strong resistance by online businesses, which, in many cases, continue to use cookies to collect data without securing consent.30 One can imagine ‘the luck’ of rights and obligations that do not arise explicitly and are hidden ‘behind the lines’ of relevant laws.31
Unsurprisingly therefore, there have been initiatives emphasizing the absence of a right to revoke consent from the privacy-related legal regime and calling for the filling in of the relevant gap.32 Article 7(3) of the Proposed Regulation, which explicitly provides for the right of individuals to withdraw consent coupled with Article 17(1)(b), which allows individuals to require erasure of data in relation to which they have withdrawn consent, may be seen as the Commission’s response to these voices and should definitely be welcomed. Indeed, ‘consent-as-permanent-permission’ is not consistent with the ability to exercise meaningful control over one’s own data. This is true especially given that “…individuals are ill-placed to make responsible decisions about their personal data given, on the one hand, well-documented cognitive biases, and on the other hand the increasing complexity of the information ecosystem.”33 Several decisions to give consent may therefore prove wrong, unintended and eventually be regretted. As a result, there has to be a way to reverse them (and also ‘take back’ any submitted data) so that individuals are not ‘locked’ in unwanted services and do not have to worry about whether a controller will indeed refrain from using it. As Fazlioglu acknowledges “The appeal of trading a phone number for a $5 coffee may in a sense be what the right to be forgotten seeks to shield us from”.34
Another notable clarification is contained in Article 17(1)(c). Under Article 15 of the DPD, individuals already have the right to object to profiling, that is, the taking of automated decisions affecting them based on automated evaluations of, amongst others, their performance at work or reliability. Because of Article 17(1)(c) of the Proposed Regulation, they will also have the right to require that their data be erased and does not therefore remain in the possession of the data controller. That this enhances protection is indisputable. Individuals are best protected against the dangers of profiling and more generally, of any other data processing when data controllers have no data to process. Indeed, as Bernal states “Ultimately, wherever data exists, it is vulnerable – so the only way that data can really not be vulnerable is for it not to exist”.35
More generally, by listing specific circumstances under which the right can be exercised, the Proposed Regulation breaks free from the possible objections against the current DPD right, which is exercisable solely on the vaguely-worded and perhaps inappropriately restrictive36 ground that the data processing “does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data”.37 By the same token, the newly-formulated right can be a handy way of exercising other important rights since by requesting erasure of his data, one effectively withdraws his consent under Article 7(3) of the Proposed Regulation or objects to profiling, thus exercising his right not be profiled conferred under Article 19.
It follows that EU officials are right to claim that the right to be forgotten clarifies and strengthens the existing ‘erasure’ right.38 The fact that the EU legislator has paid attention to this right should also be applauded as erasure rights can greatly complement a consent-based data protection regime, thus bringing about better privacy.39 Indeed, as data erasure means data extinction, Bernal is right to see in such rights the way to put individuals in control of data minimization and in effect, achieve a paradigm shift in privacy away from data amassing, which is the current default.40 But did the right have to be called a ‘right to be forgotten’? Indeed, it seems difficult to understand “[…] why it was necessary to create a new right under a new name”.41 The advantages of the new provision could be achieved (perhaps more successfully) by retaining the ‘right to erasure’ label and without resorting to the additional reference to a ‘right to be forgotten’, which is inappropriate for several reasons.
8.3 Ten Reasons Why the ‘Forgotten’ Label Should Be Forgotten
8.3.1 Reason One: The Exercise of the Right Does Not Cause One to Be Forgotten
There have been several proposals regarding the technical implementation of the right,42 many of them basically enabling the disappearance or removal of personal information from the web. The simplest one, at least in cases such as where data is disclosed and/or processed with the consent of the data subject, would be a ‘delete’ button, which embodies the “manual ability to delete records”43 proposed by Conley. As individuals can place information on the web (and ‘in the hands’ of online businesses) through mere clicks, they must be able to ‘take it back’ with comparable ease. This kind of implementation is obviously consistent with the very purpose of the right as a ‘control-on-personal-data’ enhancer.
The important question arising is the following: If Miss Snyder could ‘click and delete’ the harmful picture from MySpace, would her supervisor and any other person who got to see it, forget about it? The answer is negative of course. Human forgetting is a psychological process on which the subsequent removal of the picture can have little effect. As the supervisor would still remember what he saw, the picture did not just enter his short memory, which only lasts for 20–30 s.44 It was transferred into his long term memory, which “can hold information over lengthy periods of time”45 and even “the course of a life-span”.46 More generally, any harmful consequences normally arise very soon after the information has been viewed and therefore, before any question of forgetting it can naturally arise. Also, given the vastness of the web audience, information that goes online is probably bound to be viewed by somebody immediately. Anyone who gets to see it may pass it to others even if the information disappears from the web very soon after it has been posted. Indeed, the right is widely acknowledged as only operating ex post, that is, after the harm has occurred and thus, as only capable of preventing future or further harm.47
Therefore, if Miss Snyder could ‘click and delete’ the picture, thus exercising a ‘right to be forgotten’, she would still not be forgotten. Accordingly, the ‘forgotten’ label of the right to erasure does not tell the truth. Moreover, while the benefit of preventing further harm is invaluable and should not be underestimated, that benefit is best reflected in a ‘right not be seen’ or ‘not to be discovered’ label, not a ‘right to be forgotten’ one.
8.3.2 Reason Two: You Cannot Sue One Because One Did Not Forget
Miss Snyder sued the university but failed in her action alleging a violation of her freedom of speech because her post was not considered protected speech.48 Still, apart from the technical ‘click and delete’ implementation of the right, private legal action based on a violation of the right apparently comprises a powerful and also, logical mode of enforcement. This is true especially given that the right can be seen as an aspect of privacy, which is recognized as a human right in the EU, specifically by Article 8 of the European Convention of Human Rights and Article 7 of the Charter of Fundamental Rights of the EU.49 Moreover, Article 77 of the Proposed Regulation confers on data subjects the right to claim compensation from data controllers or processors if they act in breach of the Regulation. Thus, Miss Snyder could sue MySpace on the ground that she was not given the opportunity to delete the picture or that she requested the website to erase the picture without success.
Yet again, the possibility of such private legal action does not render the chosen label sensible. Right on the contrary, since a psychological process, such as forgetting, cannot be forced or imposed and given also that one cannot voluntarily forget a piece of information,50 no one can logically be sued for failing to forget. By the same token, no law can appropriately be formulated in terms that appear to prescribe that one has to forget whereas the ‘forgotten’ label does exactly this. Indeed, Xanthoulis writes that the right “…seems to take the perspective of third parties who are invited to take measures so as not to be able to remember/refer to certain aspects of an individual’s past”.51 Other commentators also accuse the chosen label of “artificially re-creat(ing) a natural phenomenon”.52 This recreation will inevitably lead to lawsuits against parties on the ground that they omitted to forget, whereas parties can sensibly be sued on the ground of their failure to erase data, not their failure to forget.
8.3.3 Reason Three: The Right Cannot Retroactively Achieve the Results of Forgetfulness
One could argue that the word ‘forgotten’ is not intended to be given its ordinary meaning and that therefore, it is simply a parallelism or a metaphor based on the ‘human-web memory’ analogy. Koops indeed notes that the term “is not primarily meant psychologically (since forgetting is generally presented as a natural function of the human brain, which does not need reinforcement as such) but rather has social and legal implications: the right not to be confronted with your past…”53 Admittedly, if the exercise of the right to be forgotten (or private action based on its violation) could correct all harms, the ‘forgotten’ label could be justified on the ground that the right can achieve the results of forgetfulness albeit retroactively. More specifically, the result of Miss Snyder having her degree eventually been awarded or being compensated for her losses would be ‘as if’ Miss Snyder had been forgotten. Yet, a total restoration of damage is impossible. Even if Miss Snyder could recover some of her damage, she would still suffer some reputational harm at the very least. Her interest in not being confronted with that information cannot possibly fully be served. The right cannot therefore achieve retroactive forgetfulness, which could somewhat explain the chosen label.
8.3.4 Reason Four: ‘Forgetting’ Ordinarily Refers to Old or Outdated Data
The chosen label is also problematic because of the ordinary connotations of the ‘forgotten’ word regarding the type of information that is at stake. More specifically, one normally expects old or outdated information to be forgotten. Apart from information that never makes it to one’s long term memory,54 information that is new, recent or just learned is not supposed to be forgotten. Thus, a right called a ‘right to be forgotten’ may be perceived as referring to outdated information such as past convictions or ‘wild’ university years. After all, the right has its roots in rights vested on ex-convicts to have the details of their convictions withdrawn from the public domain.55 Such connotations were reinforced by Article 17(1) of the Proposed Regulation which specifically referred to information that one has disclosed while being a child56 and are also mirrored in the various definitions of the right often found in the literature. As Koops confirms, “there seems to be a considerable common denominator in the literature about a “right to be forgotten”, namely that someone has a significant interest (possibly to be protected in the form of a legal right) in not being confronted by others with elements of her past, more in particular with data from the (more remote) past that are not relevant for present-day decisions or views about her.”57
Yet, the relevant right must be able to prove useful (also) in relation to information that is not old or outdated because “it is not only outdated data that can be detrimental to data subjects…”58 Indeed, when online merchants or network advertising agencies process (clickstream) data derived from the browsing activity of individuals, they do not process outdated data. That data is normally recent and relevant to current personal circumstances, preferences and characteristics. Yet, individuals may have sufficient grounds for not wanting such businesses to process or even possess that information relating to them59 and indeed, commentators have seen the right to be of particular usefulness in relation to such profiling/advertising data.60 The same is true of social networking posts. The picture of Miss Snyder could not be regarded as outdated data two days after it has been posted for example. Yet, Miss Snyder could very well want to remove that picture on the ground that it was harming her identity by painting an untrue and damaging picture of her character. As De Andrade explains, “…the right to personal identity concerns the correct image that one wants to project in society”.61 The particular commentator emphasizes the role of the right in protecting one’s identity which can be harmed by de-contextualized data, that is, information or “…personal facts – whether truthful or not – which are capable of falsifying or transmitting a wrong image of one’s identity”.62 Importantly however, such identity-harming information need not be information of some age. Sure enough, Miss Snyder would argue that the picture mirrored a de-contextualized, distorted and untruthful description of her character from the very moment it was taken and uploaded on MySpace. Indeed, there are moments in our life that are de-contextualized or identity-distorting themselves. The digital capture of such moments inevitably leads to data that is new, yet de-contextualized, which one may very well want to erase.
In this respect, the right to be forgotten should not be about the age of the data and fortunately, as already seen, Article 17(1) does not limit its reach to old or outdated data but extends it to any data in relation to which the data subject has withdrawn his consent. As Xanthoulis observes “most authors agree that a right to oblivion in the digital world aims in principle to grant an individual control not only of data related to unfortunate past events or the ability to prevent the publication of data in libel cases, but in fact to all data in the digital world…”63
The fact that the right has nevertheless been labeled in terms of forgetfulness naturally tied to old and/or outdated data may cause problems. First of all, such misleadingly under-inclusive label64 can lower the expectations of individuals regarding what they can achieve through its exercise, specifically by causing them to believe that they cannot utilize it in relation to data that has only recently been placed online. As a result, it can effectively reduce its practical relevance to old data, thus undermining its effectiveness.
Strikingly, the natural associations of the ‘forgotten’ term with dated information can also lead to the equally undesirable (opposite) result, namely over-inclusiveness.65 More specifically, it can cause people to believe that they can get rid of their history, whether criminal, credit or otherwise, something which may be at odds with the freedom of speech66 and generally, the public interest. Even though these interests can be safeguarded by the exceptions to the right laid down in Article 17(3) of the PDRP,67 the numerous voices about a clash between the right to be forgotten and free speech serve as proof of the misleading over-inclusiveness of the label. Recall that an erasure right, which has not been called a ‘right to be forgotten’ exists since 1995 and has not attracted similar reactions. Though much of the literature on the relevant clash comes from Americans, who are notoriously free speech ‘fanatics’,68 the EU commission also felt the need to publish on its website a “myth-busting”69 document clarifying that “The right to be forgotten is not about rewriting history”70 and reassuring that “The Commission’s proposal protects freedom of expression and the freedom of the media, as well as historical and scientific research”.71 Such misunderstandings over the exact reach of the right can result in individuals ‘bombarding’ businesses with unfounded ‘erasure’ requests, thus placing an unnecessary burden on them and eventually also frustrate individual expectations. Moreover, as Bernal rightly points out, most of the Internet giants such as Google and Facebook are based in the ‘free speech’-sensitive jurisdiction of the US. They are therefore likely to oppose the right, something which may have repercussions on its effectiveness all over the world.72 Clearly therefore the ‘forgotten’ label may harm the right and undermine its effectiveness in multiple ways.