The Right to Be Forgotten: A Criminal’s Best Friend?
By now, you’ve likely heard about the proposed EU regulation concerning the right to be forgotten. The drafters of the proposal expressed concern for social media users who have posted comments or photographs that they later regretted. Commissioner Reding explained: “If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”
Proposed Article 17 provides:
[T]he data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies . . . .
Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary: (a) for exercising the right of freedom of expression in accordance with Article 80; (b) for reasons of public interest in the area of public health in accordance with Article 81; (c) for historical, statistical and scientific research purposes in accordance with Article 83; (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject . . . .
The right is explained in paragraphs 53 and 54 of the preamble in the Regulation:
Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. . . . To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
There’s much to criticize here, from free speech concerns (Professor and TNR journalist Jeffrey Rosen has argued that the right to be forgotten is pretty much the free speech problem of our time) to more prosaic practical ones about operationalizing it. For instance, what happens when someone requests deletion of an item that has been shared with a third party for advertising purposes? Does this require something like a clawback of data shared with third parties? All data controllers face penalties of up to 2 percent of their global income if they fail to remove photographs and other content that people have posted and then regretted. Criticizing the proposal, Google’s privacy chief pointed out that any material published online could be copied and re-published anywhere, so it is unreasonable of EU regulators to expect providers such as Facebook to keep control over those republished versions.
It is also worth considering the proposal’s impact on law breakers. Might a cyber stalker who tormented someone with YouTube videos (let’s say the person threatened to kill the victim) be able to request the deletion of those videos just in time to ensure that they can’t be successfully prosecuted but after they’ve traumatized the victim? Might someone put up a Craigslist advertisement impersonating someone and suggesting their interest in rape (see this Wyoming case that led to the rape of a woman), and then request to delete it in time to escape responsibility and ensure the woman’s rape? The “right to be forgotten” seems like an extreme response to concerns about users putting up embarrassing pictures and comments. Not surprisingly perhaps, it does nothing for the people whose online reputations have been trashed and who face threats from anonymous posters, and everything to protect the perpetrators who want to escape responsibility for the damage they cause.