Forget, erase and delist, but don’t forget the broader issue

Current state of affairs

A new year, a new CPDP Conference (Computers, Privacy & Data Protection, 21-23 January 2015). In the past 12 months we have seen privacy and data protection issues taking a much more prominent role in many different internet policy discussions. One of the key examples in this regard is the so-called Google Spain case by the Court of Justice of the EU (CJEU). Acknowledging the right of individuals to ask search engines to delist certain name-based search results, the ruling sent shockwaves through internet policy circles. If anything, the case has made us all re-think the balance between different fundamental rights and interests, the allegedly ‘neutral’ role of search engines and the extra-territorial reach of local regulations. Besides the unprecedented public debate and media coverage, the CJEU’s decision also resulted in the Article 29 Working Party publishing interpretation guidelines and Google setting up its very own ‘Advisory Council’ which held public hearings across the EU.

Unsurprisingly, the Google Spain ruling is usually talked about against the backdrop of the so-called ‘Right to be Forgotten’. This ‘right’ has been criticised fiercely by freedom of expression advocates and is emblematic of the fissure between the US and EU regarding online privacy policy-making. Nonetheless, there is at least one point all sides seem to agree on: the terminology is very problematic. Hence, it is great to see that the latest draft of the EU’s ‘Proposal for a Data Protection Regulation’ simply refers to the ‘right to erasure’ (Article 17). Still, the provision has been attacked for being unclear on both its scope and how it is to be implemented. But can we really be that upset about this? Isn’t the exact goal of legal norms to put forward an abstract – and especially future-proof – principle that should be interpreted differently, depending on the relevant facts and context of each case? Shouldn’t we rather look at the judicial (courts) and executive (e.g. Data Protection Authorities) branches to help make sense of the rules put forward by the legislator?

Some thoughts on balancing

Requesting the removal of certain information (on whatever legal ground) will always generate a conflict of interests and rights. In the context of the ‘right to be forgotten/erasure’ debate, the most recurring conflicts relate to either the right to freedom of expression (Article 11, CFREU) or economic freedoms (Article 16, CFREU). The ‘conflict’ between privacy and freedom of expression interests, however, is immensely inflated (to the great benefit of the big data industry).

As most readers will know, Europe has a rich legal tradition of balancing the two rights (most notably in the case law of the European Court of Human Rights), with clear criteria and safeguards for restricting either right. As a side note, one can only applaud the CJEU in Google Spain for clearly distinguishing the responsibilities and protections of actual speakers (i.e., newspapers) from third parties (i.e., search engines), each subject to a different balancing test.

Additionally, if you look at Google’s transparency report, it becomes clear that the majority of delisting requests does not relate to legitimate news reporting websites in the first place. Instead, most requestors seem to be average Joe’s concerned about how websites like 123people.com or facebook.com gratuitously show information about them on the basis of a mere name search. In short, the ‘right to be delisted’ is about online obscurity, not about eradicating information from the internet altogether.

More importantly, we should not be swayed by ‘right to be forgotten’ rhetoric professing that it constitutes a fundamental threat to freedom of expression online. The right to erasure has a much more important – and largely understated – goal: empowering data subjects with regard to their data being harvested and exploited ‘behind the scenes’ (e.g. for commercial/political profiling, digital market manipulation, etc.). No conflict with the right to freedom of expression exists in these contexts. Instead, these situations usually require a balancing exercise between individuals’ privacy and data protection interests on the one hand and the data controller’s economic freedoms (Article 16, CFREU) on the other. With regard to the latter, the Google Spain case made clear that such freedoms weigh considerably less when compared to freedom of expression interests. Still, neither fundamental right/interest can be discarded without giving it due regard in the balancing exercise first.

Conclusion

The right to erasure undoubtedly results in a conflict of rights/interests that needs to be solved. Whereas many cases will be very straightforward, a considerable portion will require a more thorough balancing exercise. We should be wary, however, not to be blinded by the rhetoric of freedom of expression absolutists, libertarians and corporate lobbyists defending their own agendas. We should not want to reinvent the wheel either. Balancing exercises and the proportionality principle are deeply embedded in the European legal framework. Applying them to the issue(s) at hand might not always be straightforward. But is it really asking too much from entities that, ultimately, benefit from using personal data?

Finally, the whole debate on the ‘Right to be Forgotten’, the ‘Right to Erasure’ and the GoogleSpain case seems to be far from finished. I hope you join me in congratulating Computers, Privacy & Data Protection (CPDP) for having provided a fertile platform (books and panels) for discussing these issues.