There has been much said in the past week about the ‘right to be forgotten’ principle being developed in European Law, after the decision by the European Court of Justice in the case of Google Spain v AEPD and Mario Costeja González.
Why this decision isn’t a good thing
The decision of the ECJ has been subject to swathes of criticism for a variety of reasons. However, one of the biggest issues to raise its head is the ideological discussion of Data Protection v. Freedom of Expression.
Originally, data protection was intended to help protect individuals from organisations collecting and storing information on them erroneously. In general, data protection is a good thing. Infact, it’s bloody awesome. It means that when any company or other body collects ‘personal data’ on you, recording it in a filing system, you have the right not only to see it, but to have inaccurate data modified, as well as to prevent the processing of it for marketing purposes.* Sounds good, right? Oh, and this also applies to organised filing systems that are stored on paper, not just electronically.
In reaching its decision in the Google Spain case, the ECJ has applied the established approach to data protection, whilst at the same time injecting the relatively new principle of the ‘right to be forgotten’. The problem with this is that the circumstances are fundamentally different to those in which the protections were introduced to be applicable to.
In the Google Spain case, the information was held to be legally published on the site of the newspaper in question, and so is not required to be removed. However, because Google collected, stored, and processed the links to the information, it was then considered a ‘data collector’ under the data protection definitions, and so obliged to consider, and give effect to the removal request.
This is DUMB.
This is not the same as a situation where an organisation is keeping detailed personal records on an individual (such as their medical details, telephone number, or address, for example), that would not otherwise necessarily be found elsewhere. In this situation, the information is already in the public domain, published lawfully. The fact that Google collects the locations of this data, stores it, and then offers up the hyperlinks in search results should not bring it under the gambit of The Directive in its current form. I won’t even begin to think too much about the baffling way in which this seems to fly in the face of the general approach to hyperlinking that was laid out in the Svensson case, earlier this year.
In any event, these removals only apply to the EU – not to Google sites (or those of any other ‘search engine operator’) that lie outside. Clearly the ECJ must not have heard of a proxy before. At the root of it, this is bad law because in the context of a global Internet, it is meaningless.
Why the right to be forgotten isn’t a bad thing
When the right to be forgotten was first being discussed, it was in relation to something far more sensible – something which had very little to do with freedom of expression at all. It was to do with the right of users to have online service providers remove the personal information held on them when they chose to delete their account. Ever tried to delete your Facebook account completely? It’s not exactly a walk in the park. It wasn’t about trying to hide past transgressions that have already received media attention, and it wasn’t about curtailing the basic architecture of the web – it was about being able to tell Zuckerberg that when you want to leave, they should honour that.
The problem with the ECJ’s decision is the way in which they have applied the principles of data protection, rather than data protection itself. Whether or not the Court wilfully misunderstood, in order to crowbar the right to be forgotten into the judgement in this case is one thing, but that doesn’t mean the entire principle should be dismissed.
Sadly, a lot of the commentary has focussed on the specific facts of this case, and applied them broadly to support a wider theoretical gap between the supposed American principle of freedom of expression, and the European importance on privacy. Whilst that is a whole separate discussion, I do not believe that this should be reduced to some sort of absolute Transatlantic ideological difference. Instead, it should be seen for what it is: a bad application of principles that are fundamentally designed to protect individuals.
The right to be forgotten is valuable, but it should never have come close to impinging on the freedom to ‘receive and impart information‘ on that which is already lawfully published.
* This interpretation is based on the UK Data Protection Act of 1998, which gave effect to Directive 95/46/EC – the EU Data Protection Directive.
More reading:
You can read the full text of the original application, the opinion, and the judgement of the ECJ over on Curia.
The relevant (English) press release from the ECJ on the Google decision is here.
Here is a helpful description of how Google’s new form dealing with right to be forgotten requests will operate.
Stanford Law Review article on the Right to be Forgotten here.
Article on the decision and censorship from Index here.
‘What you need to know about the ‘Right to be Forgotten’ – here.