25898
post-template-default,single,single-post,postid-25898,single-format-standard,stockholm-core-2.4,qodef-qi--no-touch,qi-addons-for-elementor-1.6.7,select-theme-ver-9.5,ajax_fade,page_not_loaded,,qode_menu_,wpb-js-composer js-comp-ver-7.4,vc_responsive,elementor-default,elementor-kit-38031
Title Image

Please Don’t Open That Link: Has the Right to Be Forgotten Disappeared in Our Interconnected World?

October 16, 2019 In Blog, European Union, Internet, Privacy By Charles Wollman

Please Don’t Open That Link: Has the Right to Be Forgotten Disappeared in Our Interconnected World?

Data privacy protection in the Internet Age just received a major ruling from the European Union’s highest court last week. The EU’s “right to be forgotten,” which allows individuals under certain circumstances to demand the removal of their private information from appearing in search engines, has now been severely limited, arguably fatally so.[1] Based on the ruling, search engines like Google must remove links to certain private information only from its services inside the EU, such as google.fr, to comply with this right. Other versions of the site, however, such as the popular U.S. version google.com, may still display the link.[2]

 What is the right to be forgotten? The right to be forgotten (“RTBF”), also known as the right to erasure, refers to an individual’s privacy right to remove certain information about them from the public sphere. Typically, this right has been invoked to remove outdated and embarrassing personal information that appears in Internet searches.[3]

 Who supports this right? The European Union. Proponents of the RTBF are concerned about the damaging influence of some search results on a person’s online reputation, to the point that the person will be “stigmatized as a consequence of a specific action performed in the past.”[4] An oft-cited and tragic example is revenge porn.[5] Europe has applied this right to search engines like Google following a 2014 ruling.[6] Under the EU’s legal framework, “data controllers” like Google must remove certain types of personal information.[7] The EU has further expanded and formalized this right in its recently adopted, comprehensive data privacy laws called the General Data Protection Regulation (“GDPR”).[8] The response has been dramatic. Google, including its subsidiaries like YouTube and Google Groups, has since removed at least 1.3 million links and Facebook and Twitter have also removed thousands of links.[9]

 Who opposes it? The United States, for the most part. As a country that heavily values freedom of speech and expression under the First Amendment, the public’s right to know and an individual’s similar right to publish has generally triumphed.[10] Opponents fear this right would empower individuals to simply remove unfavorable information and “whitewash their personal history.”[11] Data-based companies may even opt to effectively censor large swaths of information to avoid potential fines, leading to a troubling world of rampant censorship.[12]

Some have also pointed to the practical obstacles in enforcing such a right. They have challenged the definition and legitimacy of the RTPF’s generally recognized exception for public interest and journalistic material.[13]They also question the right’s survival in a blockchain-based future, in which all information is permanent.[14]

However, even the U.S. sometimes acknowledges a RTBF.[15] Some laws require the eventual removal of adverse information from credit reports and the sealing of criminal records.[16] California allows online information removal requests for minors.[17] A bill promoting an EU-like version of the right was even introduced in the New York State legislature in 2017.[18]

How does the recent court ruling affect this right? Perhaps the greatest practical problem in effectively protecting a person’s RTBF lies in globally enforcing information removal in an interconnected world with governments lacking similar protections. With the development of comprehensive data privacy rules like the GDPR, a legislative body’s authority to enforce these rights beyond its territorial limits has emerged as a major point of contention.

Following the EU’s 2014 ruling first obligating Google in its RTBF rules, authorities attempted to extend the requirement to all of Google’s sites. Google pushed back, and this recent court ruling largely sided with Google.[19] According to the court, the RTBF, like other data privacy rights, “is not an absolute right” and it must be viewed in context and in proportion to its impact on society.[20] The court dismissed an understanding of the EU’s data privacy laws mandating extraterritorial enforcement, though it murkily still required “preventing or at least discouraging” Internet users from accessing the links appearing in non-EU versions of the site.[21]

 What does this mean going forward? Some argue that the court decision just showcases the “absurdity” of the GDPR’s RTBF rules, claiming that the rules project a goal wholly unrealistic in today’s world.[22] What the decision means for other provisions in the GDPR, which seem to indicate that the GDPR’s rights and obligations extend extraterritorially, will likely further develop in the coming years.[23] At the very least, this issue highlights the legal system’s continued struggle to restrict web content across borders at a time when our personal information has never been more exposed nor more valuable.

Footnotes[+]

Charles Wollman

Charles Wollman is a second-year J.D. candidate at Fordham University School of Law and a staff member of the Intellectual Property, Media & Entertainment Law Journal. He is also a member of the Vis International Commercial Arbitration Moot Court Competition Team. He holds a B.A. from Yeshiva University.