Cyberlaw Prediction #6: The right to be forgotten
A very loose collection of cyberlaw predictions for 2014. More social media lunacy. The cloud gets a whole lot larger. The Internet starts to erase itself, much to Google’s chagrin. Facebook implodes. For the first time in the history of 3D printing, a 3D printer gets printed by a 3D printer. Everyone locks everything on the Internet down. Legal challenges to Cameron’s porn filters. The Daily Mail continues to advocate for the blocking of every offensive website, except its. Intellectual property lawyers continue sending letters demanding things be removed from the internet, highlighting their complete misunderstanding of the Streisand effect.
#6: Forget me not. The right to be forgotten
It should be rather autopoietic that we live in the time of a symbiotic data economy. We use free services like Google and Facebook and in turn the data that we hand over to these companies allows them to generate revenue by selling advertising to marketers. The sacrifice made by the likes of Web 2.0 is often under valued and under estimated: we don’t pay for the services upfront and they get the option to turn the data into revenue at a later date. It should be then evident that some of the data we share is immediately relevant for marketing purposes and other data may have a longer-term speculative value. Regardless of on what basis the data is collected, the Europeans have begun to address the long term collection of massive amounts of data gathered and uploaded to data processors.
The law has struggled with its development of a framework that protects data and the rights of the data subjects. The Data Protection Act in the UK is a hodgepodge of law, regulations, guidance, and online tutorials. Data Protection is a mess. It is a lot like sex in secondary school: Everyone claims to know what it is, everyone claims to be doing it, but no-one actually knows what it is. As a result, we have security guards arresting people in shopping centres under terrorism legislation for taking pictures of their daughters with ice cream cones. Now things are going to get a whole lot more complicated as the Europeans are debating whether or not to grant its citizens the “right to be forgotten”.
I know of quite a few nights out where I wished that I had the right to be forgotten. However, this right is said to tackle the collection of long term data hoarding collection. The European proposal on data protection of 2012 (‘the proposed regulation’) is to replace Directive 95/46/EC of 1995 which is said to be outdated – in particular in regards to the way the internet helps contribute to the mass collection of personal and sensitive data. Some notable provisions of the proposed regulation include: the definition of a ‘data subject’ (to mean an identified or identifiable person by means likely to be used); a strengthened ‘right to be forgotten’ (such that individuals can ask for their personal data to be deleted and where there are no legitimate grounds for retaining it, the data will be deleted); right of data portability; requirement for consent to be given explicitly by individuals when it is required for certain types of data processing. The proposed regulation also introduces data protection officers for companies with over 250 employees as well as a requirement to conduct data protection impact assessments.
The thinking behind the proposal is based in the harm that the Internet can cause the data subject. The right to be forgotten addresses the permanence of information stored on all the servers, the cloud, the mainframes, and memory chips around Europe. Historically one could just pick up, move, and start all over again and the past and the rumours and the gossip would fade away with time. With the permanence of information affecting employment prospects, reputation and relationships, the “proposed regulation” gives back some control over their personal information.
Article 17 of the proposition for a new regulation introduces a “right to be forgotten and to erasure and ensures that the data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, (…) where one of the following grounds applies: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (...)”.
Furthermore, a whole list of exceptions to the obligation of erasure without delay is mentioned in Article 17 point 3, including one related to the exercise of the right of freedom of expression in accordance with Article 80. The latter states that “Member states shall provide for exemptions or derogations from the provisions on the general principles (…) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression”.
Not much seems to change regarding the rights of individuals. Indeed, even without this new provision, data subjects can already request that data be erased when it is no longer necessary. What this seems to do is enhance the obligations of the data controller. As University of East Anglia law lecturer Paul Bernal says: "Though individuals do not currently have a 'right' to be forgotten, it can be argued that those holding the data do currently have a duty to 'forget' them."
He suggests that “the default should be that data can be deleted, and that those holding the data should need to justify why they hold it (…) In general a data subject should be seen as having the right to delete any data held relating to them, and that those holding that data must put into place systems that allow that right to be enforced at any time”.