The so-called ‘right to be forgotten’, is of particular current interest: its mooted inclusion in the forthcoming revision of the Data Protection Directive (Directive 95/46/EC) has produced much debate and comment, some of it extremely negative, some emotional and some displaying both ignorance and misunderstanding.
The EC Communication setting out ‘a comprehensive approach on personal data protection in the European Union’ in November 2010 refers to the right to be forgotten as:
“…the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes.”
The communication states that in the review they will examine ways to clarify this right: as shall be discussed below, set out in this way the ‘right to be forgotten’ is not really a new right, but a right derived from the existing data protection principle of data minimisation. Despite this, the inclusion of the right within the Communication, together with its mention in speeches by Commissioner Viviane Reding, particularly in the context of social networking services, produced a number of reactions in both media and political circles.
The idea of a ‘right to be forgotten’ has its origins in the French and Italian legal concept of a ‘right to oblivion’ – in French the ‘droit à l’oubli’, in Italian the ‘diritto al’ oblio’ – which been described as ‘the right to silence on past events in life that are no longer occurring’ such as crimes for which the person has later been exonerated. It has arisen through a combination of legislation and jurisprudence since the late 1970s. In this form it could be seen as restricting free speech – controlling what can and cannot be said in a particular way, albeit in terms that refer to legally established facts and events.
As noted above, however, the online version of the right to be forgotten as set out in the Communication, is neither intended to be like that nor could function like that. It deals with the deletion of data that is no longer needed rather than anything as dramatic as the erasing of past events or preventing any kind of speech. Despite this, the reactions – from journalists, from politicians like Ken Clarke, and even from a number of academics, have treated is as though it does. Many of these reactions have appears to be based more on emotion than on fact.
Emotional reactions matter
The often-emotional reactions to the idea of a right to be forgotten may not seem immediately of great importance in relation to law – but particularly in this context emotional reactions do matter, for a number of reasons. First of all, they matter politically, because there are many political hurdles that need to be tackled before this kind of law could be enacted.
Secondly, they matter in the battle for the hearts and minds of ordinary people. The public matters – particularly in the context of the regulation of the internet.
Thirdly, that matter in relation to the United States, particularly in relation to free speech. The key players in the internet world, particularly in relation to personal data, are principally U.S. companies: Google, Facebook, Microsoft, Twitter and so forth. If the idea of a right to be forgotten is automatically or emotionally associated with restrictions on freedom of speech, then those companies are likely to oppose it – as free speech is close to sacrosanct in the U.S., as the primacy of the First Amendment requires. For Google and Facebook to be convinced to comply with or cooperate with a right to delete data, it would have to be seen as consistent with rather than in opposition to freedom of expression – and for any kind of right to delete to function effectively on the internet it would have to have the cooperation of Google and Facebook.
All these concerns seem to suggest that the implementation of a ‘right to be forgotten’ would be fraught with problems. It could face resistance from the media, from politicians, from the big players of the internet – and potentially from any number of other businesses operating online. It is important to acknowledge that though these reactions are sometimes emotional and sometimes based on a misunderstanding of what is being proposed, they do reflect significant and relevant concerns. Fears of censorship, of rewriting history – and of losing more through the introduction of the right that might be gained are real fears, and must be understood and where appropriate addressed.
However, even considering these concerns, there are real issues that the right to be forgotten are intended to address. The amount of personal data gathered and held on the internet is enormous. The existence of that data itself is of concern – and people can feel that their privacy is being invaded. What is more, that data appears to be increasingly vulnerable: vulnerable to misuse by those who gather it, vulnerable to acquisition by governments through legislation or court action, vulnerable to hackers or other criminals, vulnerable to those who might leak it for good reasons or bad, vulnerable to sale or other commercial misuse, vulnerable to function creep. It can be aggregated or combined with other forms of data for profiling.
Does this all matter? It does appear to matter to people if evidence from the ICO is to be believed. In their 2010 ‘Response to the Ministry of Justice’s Call for Evidence on the current data protection legislative framework’ the ICO revealed that their research indicated that ‘individuals increasingly feel they have lost control of their personal information’. If their data is vulnerable, the people themselves are vulnerable. If their data is threatened, people themselves feel threatened.
Solutions to the underlying problems
There are many potential routes to a solution: more conventional legal routes such as better enforcement powers for the ICO and stronger penalties for data protection breaches, technological routes such as better use of encryption and related technologies and attempts to change the culture of organisations to make them more ‘data conscious’. Even so, there will still be problems, and risks that cannot ever be completely eliminated. Human errors, human nature, human malice, technological error and technological developments, business pressures to deal with things such as illegal file-sharing and community pressures such as the demands to fight terrorism or catch child abusers or murderers are just some of the possibilities. Ultimately, wherever data exists, it is vulnerable: the ultimate weapon for in the fight against data vulnerability is to eliminate the very existence of data wherever possible – and to minimise what data is held.
Real data minimisation
The concept of data minimisation is built in to data protection law. It combines the third and fifth data protection principles, as set out in Schedule 1 to the Data Protection Act 1998: that data should be ‘adequate, relevant and not excessive’ and ‘not kept for longer than is necessary’. It is, however, a concept that seems to be paid far less attention too than it should, partly, perhaps, because the terms are difficult to define. What is ‘excessive’ and how long is ‘necessary’? In general the answers to the questions are left to the discretion of those holding the data. Unless specifically challenged, the holders can choose how much data to hold and how long to hold it for – and as things stand, it appears that many businesses choose to hold more data than they need and for longer than they need to.
What is more, data minimisation is scarcely enforced – and is in some ways inherently difficult for authorities to enforce. Authorities would have to institute some kind of compulsory ‘data audit’ in which they examine data policies and practices of anyone holding data – the difficulties and costs surrounding anything like this would make it all-but impossible. The best way – perhaps the only way – for things to change positively in this field is for a new business model to develop. The key is to find a way to encourage the development of new business models that get closer to a real sense of data minimisation. How could this happen? If a way can be found to put the data subjects more in control of the data minimisation process, then not only will people be more in control of their own data but businesses would be put in a position where they have to develop these business models, business models that do not depend on their ability to gather whatever data they choose and hold it as long as they would like. That brings us back to the idea of a right to delete.
Paul Bernal is a lecturer at the UEA Law School and a member of media@UEA. He blogs at the Symbiotic Web blog and tweets as @paulbernalUK.
This post is based on Paul’s academic article ‘A right to delete?’, published in the European Journal of Law and Technology, Volume 2 No. 2, 2011, accessible here.