Tracing the Right to Be Forgotten in the Short History of Data Protection Law: The “New Clothes” of an Old Right
© Springer Science+Business Media Dordrecht 2015
Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Reforming European Data Protection Law, Law, Governance and Technology Series 20, 10.1007/978-94-017-9385-8_9
Gabriela Zanfir (1)
(1) Legal Officer, European Data Protection Supervisor, Brussels, Belgium
Abstract
When the European Commission (EC) published its draft Data Protection Regulation (DPR) in early 2012, a swirl of concern hit data controllers regarding the introduction of a sophisticated “right to be forgotten” in the proposal for the future DPR, which was considered to unprecedentedly impact the internet and its economics. Critics and advocates of the right to be forgotten engaged in consistent theoretical debates, doubled by the technical discourse about its (un)feasibility. This paper “deconstructs” the right to be forgotten into the individual prerogatives which are in fact granted to persons. It shows that those prerogatives already exist to an extended degree in EU law, and have existed in the first data protection laws enforced in Europe. In addition, the controversial obligation to inform third parties about the erasure request is a “duty of best efforts” which pertains to controllers and which is significantly different than a duty to achieve a result. Recourse will be made to private law theory to underline this difference.
Keywords
The right to be forgotten, Data protection, Privacy, Duty of best efforts
This paper was submitted for publication before the author joined the EDPS. The opinions expressed in the paper pertain exclusively to the author and do not engage in any way the EDPS.
9.1 Setting the Scene – The Exponential Growth of the Digital Universe and Its Legal Consequences
It is impossible in general to remove data from the internet once it has been published, according to a report released by the European Network and Information Security Agency.1 This statement alone weakens the effectiveness of both existing and future privacy and data protection laws, as they fundamentally presuppose control of information and autonomy of the individual with regard to the informational self-determination.2 One of the incurring problems brought by this fact is that, as Mayer-Schönberger explained, comprehensive digital memory makes it possible for our words and deeds to be judged not only by our present peers, but also by all our future ones.3 This trans-temporal “judge” will have access to an unimagined amount of data. In 2007, 2.4 × 10²¹ bits were stored by humanity in all of its technological devices, a figure which is approaching an order of magnitude of the roughly 10²³ bits stored in the DNA of a human adult.4 The estimated pace of growth of stored information in the digital universe is exponential: from 2005 to 2020, the digital universe will grow by a factor of 300, from 130 exabytes to 40,000 exabytes, or 40 trillion gigabytes.5 This is only one of the reasons why legislators face great challenges.
The challenges are to become even greater, as it is predicted that the space-based web we currently have will gradually be replaced by a time-based worldstream, with all the information on the internet becoming a time-based structure – dynamic, always flowing, like time itself.6 This mutation will impact even greater fundamental values such as privacy, and the legal instruments accorded to individuals must be proper and proportionate to the challenge. The development of Information Technology once again puts legislators in a sensitive position, similar to the one they faced in the late 1960s and early 1970s, after the appearance of the computer and the first computerized databases. Then, legislators found it difficult to regulate the emerging technology and the connected services, including massive data storage. Hondius wrote in 1975 that “[t]he first difficulty is their own and the public’s unfamiliarity with computers and electronic data processing. It is this unfamiliarity, among other things, which prompted the demand for legislation. In the face of a powerful and ubiquitous computer, the public wanted a legal reassurance that this medium would not turn its unknown capacities against them. Governments were obliged to take this mood into account”.7
Legislators at present face similar challenges, only augmented by the ever-growing capacities of technology to store and process data. It is the development of the internet that prompted the European Commission (EC) to start the reform process of the data protection regime existing in the European Union.8 The declared purpose of the reform is to put individuals in control of their own data, while providing for strong enforcement of the data protection framework in the EU.9 To this end, the draft proposal for a data protection regulation (DPR) enshrines a “right to be forgotten” in Article 17, according to which the person whose data are processed (the data subject) has the right to obtain from the controller the erasure of personal data relating to her, under certain conditions. The publication of the draft DPR generated responses such as the right to be forgotten “represents the biggest threat to free speech on the Internet in the coming decade”.10
However, data subjects already had a right to ask for the deletion of processed personal information under Article 12 (b) of the Data Protection Directive (DPD),11 which, if corroborated with the right to object to the processing of data, under Article 14 DPD, could amount to a right to be forgotten. In fact, the right to erasure as enshrined in the DPD merely aims at harmonizing the already existing provisions with regard to such a right in the first data protection laws enacted in Europe in the 1970s and 1980s.12 The safeguard created in the 1970s for individuals and updated in 1995 in the DPD with regard to the deletion of their data from databases further developed in the complex “right to be forgotten”, following the design of the regulated phenomenon itself.13
The draft DPR adds complexity to the content of the right, attempting to make it feasible in the current state of the digital environment by also imposing an obligation de moyens (duty of means) to controllers to make sure that the third parties that copied the targeted data acknowledge the deletion request. As it will be shown, not even this particular duty of means is all new in the European data protection law. This paper will decompose the right to be forgotten, as it is enshrined in the draft DPR, into tangible prerogatives, first by making a comprehensive analysis of its content (2). It will further analyze the duty of best efforts provided in the content of Article 17 DPR, showing why its execution is significantly different than the execution of a duty to achieve a result, with recourse to private law theory (3). Then, it will reveal why the content of the right to be forgotten is, in fact, old, by looking into the first data protection laws in Europe (4) and the current EU legislation (5). The conclusions will show that the right to be forgotten is the result of a natural evolution of an old right of the data subject (6).
9.2 A Closer Look upon the Content of the Right to Be Forgotten in the Draft DPR
9.2.1 The Right to Be Forgotten Does Not Mention Forgetting
The right to be forgotten, in conjunction with the clearer rules of jurisdiction with regard to processing data of citizens of the EU,14 is one of the reasons why 2013 began with references to a US-EU “trade war”15 originating in the data protection reform package.
Article 17 of the draft regulation, “the right to be forgotten and to erasure”, is one of the most complex provisions in the DPR proposal, being spread over 9 paragraphs in the original version of the draft DPR.16
The first observation regarding the content of Article 17 of the draft DPR is that the provision itself does not mention the word “forget” or any of its derivatives, but it refers to “erasure” and “abstention from further dissemination”.
Moreover, the Civil Liberties Committee of the European Parliament,17 following the Report by Jan Philipp Albrecht18 – the Rapporteur MEP for the DPR proposal, changed the title of Article 17 into “Right to erasure”, in the context of the vote on its final position concerning the DPR proposal. This form of the proposal was kept in the final version adopted in March 2014 by the plenary of the European Parliament (EP). Thus, the EP will engage in negotiations with the Council for the final text of the regulation with a “right to erasure” mandate. In fact, ‘right to be forgotten’ was already considered in the literature to be an “emotive and misleading label”19; by renaming it ‘right to erasure’, “the emphasis would be on data rather than stories”,20 which would probably contribute to a less aggressive freedom of speech discourse against its enforcement.
While the concepts of “erasure of data” and “abstention from further dissemination” put together can be confusing, as erased data could not physically be disseminated, they do make sense in the digital processing of data, where the possibility to definitively erase information is still under debate.21
In an attempt to avoid this confusion, the Working Party on Information Exchange and Data Protection of the European Council (WP IEDP), in a revised version of the draft DPR, erased the “abstention” provision from Article 17 and created Article 17a, “the right to restriction of processing”, according to which the data subject has the right “to obtain from the controller the restriction of the processing of personal data” for short term, if the accuracy of the data is contested or the data subject exercised the right to object to the data processing – until the requests are considered, or for a longer term, if the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defense of legal claims.22 By restriction of processing, WP IEDP means that the data “may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest” (Article 17a(3)). It should be mentioned that the LIBE text does not contain further clarification on this matter.
The second observation regarding Article 17 of the draft DPR is that the provision is highly technical, without making any references to the fundaments of a right to be forgotten, merely proposing an instrument which would give effect to any of such possible fundaments. In this regard, Koops has identified three guises of the right to be forgotten that are featured in the literature: a right to have data deleted in due time, a claim on a clean slate, and the right to unrestrained individual expression here and now.23 In another opinion regarding the fundaments of the right enshrined in Article 17 of the DPR proposal, it was stated that “as currently framed, the European right to be forgotten may be viewed as affording protection for one’s reputation rather than privacy”24 – which resembles the “claim on a clean slate” fundament. A better fitting approach to the procedural characteristic previously underlined is that even though the right to be forgotten “may be conceived as a legal right, de lege lata, it can also be seen as a value or interest worthy of protection or a policy goal to be achieved by some means or other, whether through law or through other regulatory mechanism”,25 meaning that it can be used to protect any of the personality rights of the data subject – privacy, dignity and so forth.
The third observation is that Article 17(1) of the DPR proposal does not refer to inaccurate data, but clearly links the quality of the data to be erased to the purpose limitation principle. Hence, all the data which are no longer necessary in relation to the purposes for which they were collected or processed must be erased, on the request of the data subject.
The fourth observation is that the new provision makes a clear link between the right to object and the right to erasure, by stating that erasure may be obtained when the data subject objects to the processing of personal data pursuant to Article 19 (the right to object). The WP IEDP added to point (c) of Article 17(1) DPR that the data should be erased in this situation only if “there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2)”. As the effect of the right to object is not necessarily the erasure of data, in order to obtain it, the data subject, apparently, must make a specific request in this regard, alongside with her objection.
Last, the right to erasure becomes effective when the processing of data does not comply with the proposed regulation “for other reasons”, which could mean, for instance, that their processing is not based on any of the six legal grounds for processing or that the principles of fair processing, and the rules regarding the security of data are not observed.
9.2.2 Freedom of Expression, an Express Exception of the Right to Be Forgotten
According to Article 17(3) of the DPR proposal, the primary exception for the right to erasure is freedom of expression. It is expected that the clash between freedom of expression and the right to be forgotten, in conjunction with the overextended jurisdiction of the data protection provisions, will generate overriding problems in the application of the future DPR. The key issue in this matter appears not to be the fundamentally different conception of privacy in the US and EU,26 but the fundamentally different understanding of the right to free speech and its limitations. McNealy explained that it is difficult, if not virtually impossible, for American courts, at the current state of the development of the newsworthiness exception in US tort law regarding the protection of privacy, to admit requests for a right to erase private information made public.27
On the contrary, in the European culture of the protection of fundamental rights, the courts – national or supranational, always strike a balance between two conflicting rights and decide on the merits of each particular case,28 taking into account the principle of proportionality or pivoting around the concept of human dignity.29
The “balance of rights” approach in the tension of the right to be forgotten and freedom of expression is even more encouraged by the recognition of the fundamental right to the protection of personal data in Article 8 of the European Charter of Fundamental Rights of the EU (the Charter), which entered into force in 2009, as it places data protection in the realm of fundamental rights, where proportionality and necessity have a sine qua non status in the exercise of rights. Article 52(2) of the Charter itself states that limitations to the rights it provides for are “subject to the principle of proportionality” and “may be made only if they are necessary and genuinely meet objectives of general interest recognized by the Union or need to protect the rights and freedoms of others” (emphasis of the author). Moreover, Article 54 of the Charter prohibits “the abuse of rights”, providing that “nothing in this Charter shall be interpreted as implying any right to engage in any activity or to perform any act aimed at the destruction of any of the rights and freedoms recognized in this Charter or at their limitation to a greater extent than is provided therein.” Therefore, the right to the protection of personal data must not be interpreted as aiming to disregard or to limit to an extensive degree the right to freedom of expression or information (Article 11 of the Charter), freedom of thought (Article 10), or even freedom to conduct a business (Article 16).
In this regard, the Court of Justice of the European Union already underlined in its Schecke judgment that “the right to the protection of personal data is not, however, an absolute right, but must be considered in relation to its function in society”30 (emphasis of the author). The Court added that “the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention”,31 paving thus the way for the case-law of the European Court of Human Rights under Article 8 of the Convention to be taken into account whenever at least one other right will counterbalance the right to personal data protection.
As for the locus standi of the right to ask the erasure of data within the right to personal data protection, it was previously argued that, similar to the other ‘rights of the data subject’, it represents a prerogative of the substantive right to personal data protection.32
AG Jääskinen considered that “this fundamental right (to personal data protection – n.n.), being a restatement of the European Union and Council of Europe acquis in this field, emphasizes the importance of protection of personal data, but it does not as such add any significant new elements to the interpretation of the Directive (95/46 – n.n.)”.33 A similar point of view was taken by AG Sharpston, with regard to the right to access personal data, when she argued that Article 8 of the Charter “does not articulate a separate standard governing the form in which access must be made available”34 than the one established by Article 12 DPD. Therefore, the exercise of the right to be forgotten, or the right to erasure, applied in the context of a fundamental rights “dispute”, will be guided by the provisions of the secondary legislation regarding personal data protection. In this context, it is without doubt that the Data Protection Directive, which will be replaced by the DPR, contains “conditions and limitations for the exercise of the right to the protection of personal data”.35
However, as it was already underlined in the literature, in practice it might prove to be difficult for data controllers to make decisions which imply assessing to what extent the request for erasure of data falls under any of the exceptions of the right to be forgotten.36 Indeed, pragmatic and swift support from national data protection authorities might alleviate these issues to some extent.37 The national courts will also have an important part in striking the balance between the right to be forgotten and the other rights or values.
9.3 The Duty of Best Efforts (Obligation de moyens) Correlative to the Proposed Right to Be Forgotten
Article 17(2) is the provision which generated much of the discussions surrounding the right to be forgotten, because it entails an obligation of the controller “to take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data”. The provision makes it clear that a controller is considered responsible for the publication of data “where the controller has authorized a third party publication”.
The distinction between the duty to achieve a specific result (obligation de resultat) and the duty of best efforts (obligation de moyens) is a matter of Contract law and is mostly used in civil law systems, in particular under French law. Nevertheless, an echo of this distinction can be found in some international and EU texts.38 A comparison between Contract law obligations and the provisions of the DPR proposal, even though unnatural due to the private law/public law dichotomy, can prove to be useful in the terms of establishing the situation in which a controller can be held liable for not complying with the provisions enshrined in Article 17(2) of the DPR proposal. This provision is construed as a duty of best efforts.
According to Article 5.1.4 of the UNIDROIT Principles,39 in the presence of a duty to achieve a specific result, the party “is bound to achieve that result”, whereas in the presence of a duty of best efforts in the performance of an activity, the party “is bound to make such efforts as would be made by a reasonable person of the same kind in the same circumstances”. This distinction is very important because the degree of diligence required of a party in the performance of an obligation varies considerably depending upon the nature of the obligation incurred.40
The assessment of non-performance of an obligation of best efforts calls for a less severe judgment, based on a comparison with the efforts a reasonable person of the same kind would have made in similar circumstances.41 In other words, if the debtor was obliged to fulfill an obligation de resultat, it falls on the obligée only to prove that the result owed was not achieved. If the debtor however was only obliged to fulfill an obligation de moyens, the obligée has to prove that the debtor a été défaillant dans l’emploi des moyens (has failed in the use of best efforts).42 This reflects the concept which underpins French law: the objective finding that the result is not achieved suffices to establish a failure in the case of a duty to achieve a specific result, whereas evidence of the obligor’s fault must be shown in the case of a duty of best efforts.43 Also, it must be observed that the defaulting obligor’s conduct is assessed in relation to an objective standard,44 the good pater familias criterion.
The criterion which is most commonly acknowledged for the determination of the nature of an obligation is that of the “aleatory or otherwise character of the debtor’s undertaking”: if the promised performance can in the ordinary course of events be expected to be achieved, the obligation is de resultat; if not, it is an obligation de moyens.45 Transposing this rule into the paradigm of the right to be forgotten, the nature of the obligation of the controller enshrined in Article 17(2) becomes obvious.
With regard to the correlative obligations of the right to be forgotten enshrined in Article 17, they are complex. On one hand, Article 17(1) entails a duty to achieve a specific result – the erasure of personal data on the given legal grounds, whereas Article 17(2) entails a duty of best efforts – to take all reasonable steps to inform third parties which are processing data that a data subject requests them to erase any links to, or copy or replication of that personal data. This is not an unusual situation, as Lando explained referring to contracts: “In some contracts part of a party’s obligation is one of resultat and part of it one of moyens. A party, who has undertaken to deliver a computer with a programme which is aimed at performing certain functions, is strictly liable for the defects in the hardware but, unless he has warranted that the software can perform the desired functions, he is only obliged to make his best efforts to achieve that result”.46
Therefore, the non-compliance of a controller with regard to the correlative obligations of the right to be forgotten will be established taking into account, on one hand the failure itself to erase data, pursuant to the duty to achieve a specific result in Article 17(1), and, on the other hand, the insufficient efforts to inform the third parties of the request to erase personal data made by the data subject, pursuant to the duty of best efforts in Article 17(2). This means that the controller will not be held liable under Article 17 of the DPR every time it fails to inform a third party of the erasure request.
With regard to the controller-processor differentiation,47 even in the case of the existence of a processor, the responsible party for non-compliance with the duties enshrined in Article 17 remains the controller. For instance, in the French legal system, the principle which applies under Contract law is that the debtor of a duty is also liable for non-fulfillment of his obligations if the non-fulfillment is caused by a person the debtor has employed to fulfill his obligations.48 Such a principle can be used as an interpretative tool in the hypothesis of the liability of the controller whenever the data protection law does not provide otherwise. In the situation of the duty of best efforts, the data subject must prove that the “executant (processor) has made an error”49 conducting the duty to inform third parties in order to engage the accountability of the controller.
The WP IEDP rephrased in its revision of the draft DPR the content of Article 17(2), maintaining nevertheless the character of a duty of best efforts: “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the data, that a data subject requests them to erase any links to, or copy or replication of that personal data”. The question of the authorization is no longer at issue, the publication of the data being sufficient for the controller to know that it has to inform the subsequent controllers of that data. In addition, some criteria are added to assess whether the efforts of the controller were reasonable – “available technology” and “cost of implementation”.
Article 17 of the draft DPR suffered modifications also in the LIBE compromise text. Article 17(1) provides that the data subject also “has the right to obtain from third parties the erasure of any links to, or copy or replication of the data”. This obligation seems to be one of resultat, but it pertains to the third parties directly, and not to the data controller.
Article 17(2), in the LIBE text amending the DPR proposal, states that where the controller “made the personal data public without a justification based on Article 6(1), it shall take all reasonable steps to have the data erased, including by third parties, without prejudice to Article 77”. There are three obvious differences compared to the correspondent text proposed by the EC. First, controllers are subject to this obligation only if they unlawfully made the personal data public – and not in all the cases. Second, the obligation envisages not only the information of third parties about the erasure request, but the erasure itself of data processed by third parties. And third, it specifies that the data subject shall further have the right to ask for damages in Court, even if the data will be erased by the controller and the third parties.
The norm still has the form of a duty of best efforts – “shall take all reasonable steps”, but now it seems that even the obligation of the controller to erase personal data is an obligation of means whenever the data were made public – “to have the data erased, including by third parties”. In the form adopted by LIBE, the matrix of correlative obligations for the right to erasure becomes even more complex, being enriched with an obligation of resultat for third parties and another obligation of moyens for the data controller.
Last, it must be underlined that not only the civil law systems distinguish between duties to achieve a result and duties of best efforts. In parallel, some common law provisions mirror the French distinction between these obligations, setting down for instance that a person who provides a service within his professional activity implicitly undertakes to provide the said service “with reasonable care and skill”.50,51 This is an instance of a duty of best efforts a violation of which will have to be proven and which may be contested by proving the absence of fault.52
9.4 The Characteristics of the Right to Erasure in the First Data Protection Laws in Europe
Some instances of the right to erasure of personal data were already enshrined in the different European laws with regard to the protection of personal data enacted before the adoption of the 1995 DPD.
According to the German data protection act (Bundesdatenschutzgesetz), enforced in 1977,53 in principle “every data subject has the right to: […] (4) erasure of stored data concerning him where such storage was inadmissible or – as an option to the right of blocking of data – where the original requirements for storage no longer apply”.54 Thus, the act also provided for an intermediary state between data used for processing and deleted data: “blocked data”. Personal data that have been blocked may not be further processed or otherwise used, with a few exceptions.55 Regarding the right to erasure, it presupposed that personal data may be erased when the information is no longer required for the purpose for which they were recorded and there is no reason to believe that the interests of the data subject would be thereby jeopardized. Personal data must be erased when storage is not permissible or where the data subject wishes to have them erased rather than blocked.56
To this date, the German data protection law maintains the clear differentiation between erasure and blocking of data,57 even though the DPD is evasive in this regard.