On the 22nd January 2013, Ms Viviane Reding, Commissioner responsible for justice, fundamental rights and citizenship, announced the European Commission proposal to create a new right related to data protection and privacy, that is, the ‘right to be forgotten’. This right finds its origin in the le droit à l’oubli from French law and has been debated particularly in Europe and in the USA for the past years. This right was introduced as an effort to tackle the issue of data privacy amongst the growing technological advances. Essentially the ‘right to be forgotten’ gives the data subject the right to have all personal data related to him deleted when he requests to do so, if there is no legitimate reason for the retention of this data. Personal Data could be considered nowadays to be an extremely valuable currency, and the European Commission has been striving towards the power to retain control over this data much to the US’s disapproval. The debate has gone so far that the US diplomat warned that if the “right to be forgotten” is followed through by the European Commission this could induce a trans-Atlantic ‘trade war’. Nevertheless, Ms Viviane Reding insisted that any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules. Exempting non-EU companies from our data protection regulation is not on the table. It would mean applying double standards.
The right to be forgotten is a way of ensuring control on the data subject’s data. Nevertheless, this right has also been described as one of the biggest threats to freedom of speech on the Internet in the biggest decade. The call is made for the right to be defined more precisely since a lot of speculation has been going on regarding the ‘right’ and there is still little ground for agreement on this regard. Ultimately there needs to be a balance between the right to privacy and the right to freedom of speech.
This right raises 3 main points, which were outlined by Mr Peter Fleischer, Google’s global privacy counsel. In his blog he mentions 3 scenarios, which must be addressed when considering the right to be forgotten, namely:
- If I post something online, should I have the right to delete it again?
- If I post something online, and someone else decides to copy it and re-port it on their own site, do I have the right to delete it?
- If someone else posts something about me, do I have the right to delete it?
These 3 questions have been at the centre of the debate on the balance between the privacy rights and the right of freedom of speech.
In the first scenario there does not seem to be any problems and it seems to be quite a straightforward scenario – one should be allowed to delete something he would have uploaded himself. This is already available and yet if codified, it would only serve as a formalisation of the process.
The second scenario gets a bit more complicated because the data controller would be juggling between the data subject’s right to privacy and the other users right to freedom of speech. This thought is further exemplified in the third scenario. In this situation the legislators need to thread carefully since there does not seem to be a consensus on which right should prevail over the other. Evidently if the second and third scenario happen with the ‘right to be forgotten’ implemented, the answer would almost certainly be a positive one. In the second scenario, the regulation ensures that when someone demands erasure of personal data, it must be carried out “without delay” unless the retention of data is necessary. In the third scenario the regulation treats the data uploaded by someone else in an identical manner to the data uploaded by the data subject. Nevertheless, if the data subject demands for the data to be taken down, the third party must prove that it falls within the exception of journalistic exception and thus the onus of proof falls onto the person uploading the data.
Finally, even though the “right to be forgotten” is defined within a very wide context, the application of this right may be narrowed. The reason for the definition being so wide was for it to be applicable and relevant to the constant new technologies being developed on a daily basis. Harmonisation is imperative and the right to be forgotten must be reconciled with the US in a way which could satisfy both the US’s plight for freedom of expression, whilst satisfying the EU’s plight for more protection towards the data subject’s privacy. If the right is merely boiled down to the demand to delete personal stored data after a certain period of time, this should not create huge problems for harmonisation. The best way forward would be for the EU and US to agree on at least a minimum level of agreement on this right since this is sorely needed for the growth of trade in the cloud computing sector and would give the much needed security both users and providers are seeking.
Article originally Published by ELSA – European Law Students Association. This article is written by Dr. Stefan Balzan.
If you would like to contact Dr. Stefan Balzan regarding any ICT LAW related query please contact him on: [email protected]