Earlier this week, when EU Justice Commissioner Viviane Reding laid out the privacy rules she expects social-networking sites and other online services to follow, she used a phrase that’s catching on in Europe: the “right to forget.” It was first thrown around about a year ago when France debated a “right to forget” law that didn’t come to pass. But the phrase has since been used in different contexts. So what exactly does it mean and what are proponents of such a law really seeking?
This debate is unfolding at a time when the first major European court case on this issue is also moving ahead, and again, privacy advocates are waving the banner of a “right to be forgotten.” In that case, the WSJ reported, Spanish privacy authorities are siding with Hugo Guidotti Russo, a Spanish doctor who’s unhappy with his Google (NSDQ: GOOG) results, because they summon up a 20-year-old headline in a Spanish newspaper about a dispute involving an allegedly botched surgery done by him.
Let’s unpack what we know — and don’t know — about the “right to forget.”
Is “Right to Forget” about users getting to control their own data, or data posted about those people by others? Reding’s talk really did not make that clear. Her explanation of the “right to be forgotten” is pretty foggy: people, she says, must have the right “to withdraw their consent to data processing.” Her spokesman didn’t help much, telling The Guardian this: “Maybe you’ve been at a party, up until four in the morning and you or someone you know posts photos of you… Well, it’s a harmless bit of fun, but being unable to erase this can threaten your job or access to future employment.”
The first problem is that, if it’s embarrassing photos or information we’re talking about, there’s a huge difference between data posted by “you” and that posted by “someone you know,” or anyone else, really. Such confusion about two quite different ideas permeates the “right to forget” debate.
Are European privacy activists talking about making sure that users have control of their own data? If so, that’s a widely agreed-upon privacy goal, one that Facebook and other major companies are already on board with. Of course, there’s certainly a lot of work to be done to have services like Facebook make their privacy settings clear to average users. And even if this is the clear industry “best practice” (and it should be), there’s nothing wrong with enshrining it in law. That’s often what good legislation does. And there are disagreements about corporate data retention; consider the just-filed lawsuit over Netflix’s habit of keeping user data well after the account is canceled.
Or are privacy activists talking about a much more controversial idea: allowing people to delete online data and speech created by others about themselves? This would raise serious free-speech concerns, because once we start allowing people to take down information they don’t like, simply by declaring that it’s a privacy issue, it’s hard to say where that stops. As Peter Fleischer, Google’s Global head of Privacy, pointed out in a post earlier this month on his personal blog, unlike a defamation claim, privacy laws sometimes make the publication of true information illegal. So the granting of a “right to forget” along these lines could result in a situation where “privacy is the new black in censorship fashion.”
The final possibility is that a “right to forget” should be a general “internet forgetting”; that is, various internet services should simply let data expire after a period of time. A mandatory “forgetting” like this seems heavy-handed, and could abolish lots of useful services that require the retention of data. Fleischer says it would be “as sensible as burning down a library every five years.” But should auto-deletion of some kind be a best practice for social-networking sites? It seems unlikely that would be useful to the majority of users, and we don’t want to get into a situation where a vocal minority can cause massive data deletion.
Would any of this debate fly in the U.S.? Certainly, the few cases that have actually been moved into European courts would not fly stateside. The German murderers who sought to remove their names from an English-language Wikipedia page would not get relief in U.S. courts; and Spain’s Dr. Russo, seeking government help to skew his personal Google results, might fare about as well as Bev Stayart, whose three lawsuits against search engines over the results that come up linked to her own name have made her something of a punch line in internet law circles.