The other day, I posted a news story about a New Jersey Supreme Court decision concerning what expungement means – and doesn’t mean – in terms of the media’s ability to discuss a case involving a named individual where the individual’s conviction was subsequently expunged. At the time, I commented that once again, a U.S. court had issued an opinion that may run counter to the views of Europeans who have recently started talking about a “right to be forgotten.”
The concept of a “right to be forgotten” started with the notion of data controllers not retaining data past its use requirements or allowing people to request that their data be deleted. Peter Hustinx, the European Data Protection Supervisor, recently wrote:
A newly codified “right to be forgotten” would ensure the deletion of personal data or the prohibition to further use them, without a necessary action of the data subject, but at the condition that this data has been already stored for a certain amount of time. The data would in other words be attributed some sort of expiration date. This principle is already affirmed in national court cases or applied in specific sectors, for instance for police files, criminal records or disciplinary files: under some national laws, information about individuals is automatically deleted or not to be further used or disseminated, especially after a fixed period of time, without need for a prior analysis on a case by case basis.
[…]
The EDPS considers that the right to be forgotten could prove especially useful in the context of information society services. An obligation to delete or not further disseminate information after a fixed period of time makes sense especially in the media or the internet, and notably in social networks. It would also be useful as far as terminal equipments are concerned: data stored on mobile devices or computers would be automatically deleted or blocked after a fixed period of time, when they are no more in the possession of the individual. In that sense the right to be forgotten can be translated in a “privacy by design” obligation.
Some Americans I’ve chatted with seem somewhat dismissive of – or skeptical about – a “right to be forgotten” but I don’t know if they are reacting to what Hustinx was describing or a broader definition that would allow individuals to have their information removed from sites on the Internet. Curiously, some people who seem to quickly dismiss “right to be forgotten” advocate strongly against mandatory data retention, urge businesses not to collect a lot of information, and want businesses to purge data when it is no longer needed. In some sense, then, I think a number of American privacy advocates really might embrace the concept of a “right to be forgotten” if it were called by some other name such as “mandatory data deletion.” But how far should such a right extend? Would it extend to requiring sites and search engines to remove old information or unflattering information that was more than “x” months or years old? If so, that would open up a huge can of First Amendment and other issues here.
Some countries, like Germany, may not necessarily codify a right to be forgotten but do have laws that might prohibit publication of individuals’ identities after a certain amount of time or under certain conditions. Back in November 2009, Americans learned of a lawsuit against WikiMedia filed by attorneys for a convicted murder. The lawyers asserted that under German law, the media – including Wikipedia – was barred from publishing the names of two convicted murderers as they had served their sentence, were attempting to be rehabilitated, and were no longer public figures under German law. The attorneys wrote, in their cease and desist letter to Wikimedia:
The German courts including several Courts of Appeals, have held that our client’s name and likeness cannot be used any more in publication regarding Mr. Sedlmayr’s death (cf. e.g. Nuremburg Court of Appeals Judgment dated December 12, 2006, File No. 3 U 2023/06, published in Magazindienst 2007, 313-31,OLGR Nuremberg 2007, 227,ZUM-RD 2007, 133-134 and Court of Appeals Frankfurt, Judgment dated February 6, 2007, File. No. 11 U 51/06).
Not surprisingly, Americans tended to view the cease and desist letter, with its attendant lawsuit, as an attempt at censorship. As Jennifer Granick of EFF wrote at the time:
A foreign power should not be able to censor publications in the United States, regardless of whether doing so suits the country’s domestic law. The current dispute is reminiscent of LICRA v. Yahoo!, in which a French court ordered the American company to prevent access to its Nazi memorabilia auctions by French residents, then fined the company for failing to do so.
Wikipedia’s administrators’ discussion of the issue can be found on Wikipedia.
Did, and do, the convicted murders have some “right to be forgotten” in terms of the media’s ability to name them or identify them? What happened in the lawsuit against Wikimedia?
With the help of Mark Boltz who kindly helped me understand Google’s translation of a Buskeismus report on the case, it seems that while the convicted murder had prevailed in lawsuits against Axel Springer, a German publisher, it failed in its suit against Wikimedia. From what I can tell, Wikimedia did not even have a lawyer at one of the hearings. I’ve emailed Wikimedia asking for more clarification of the case, but have not yet received their response.
I’ve now read a number of translated articles and it appears (but I cannot be sure due to translation difficulties) that although the convicted murder had prevailed in some decisions against several entities, an intervening ruling by Germany’s federal court in a related case had overturned earlier decisions prior to the Wikimedia decision in January 2010. It appears that the federal court ruled that it was acceptable for Der Spiegel to maintain its originally contemporaneous files on the case in an archive where readers could purchase the articles but where the articles were not still freely available. In another decision, the federal court held that Deutschlandradio was legally permitted to maintain transcripts of broadcasts that had explicitly identified the convicted murderers. The court also appeared to recognize the historical importance of some cases and that attempting to suppress publication or requiring media sites to go back and delete or redact old articles would impose a too-heavy obligation on media and suppress freedom of expression.
As I read/translate the articles, the German federal court may have decided that sometimes, the privacy rights of individuals do take second place to the broader public and historical interest in a matter.
But of course, I’m not a lawyer and I don’t speak German and I could be totally wrong in what I think I understood from the articles I read. It would be great if some privacy lawyers or media lawyers wrote about the outcome of the cases brought on behalf of this one convicted murder and the implications of the decisions both for European privacy law and for American journalists or bloggers who refer to German cases.
And what does it mean, if anything, in terms of a broader conceptual approach to a “right to be forgotten” on the Internet? Has Germany’s federal court established that any right to be forgotten has exemptions for cases of historical or great public interest?
Image of German Federal Court of Justice by Kucharek, used under Creative Commons License.
This is an interesting post. the problem of the right to be forgotten is troubling on all sides. Attractive in theory, but difficult in practice. It creates conflicts with all kinds of important principles. And it is very hard to address in the abstract. There may be ways to implement it in narrow areas. The FCRA says credit bureaus can’t report on some old debts or bankruptcies after a term of years. That’s worked well enough, although the Internet threatens its effectiveness. Anyone can report on a 15 year old bankruptcy EXCEPT a credit bureau. Still works, but we can all see the problem.
I have an idea to toss in the mix. I have proposed tying privacy rules to the length of time that personal data is kept. Keep data for only 24 hours, and no privacy rules might apply. Keep it for longer, and more and more requirements attach. If you set more onerous requirements for data over ten? twenty? years old, that might discourage long term storage. For a bare outline of the idea, see http://bobgellman.com/rg-docs/rg-FTC-1-27-10.pdf.
Having said this, I admit that implementing a time rule for privacy has plenty of implementation problems. It will work well in some contexts and not in others. It might require all PII to be tagged with a date of origin. But it’s another idea to toss on the table and to consider. I don’t suggest that it is a panacea.
Problem is that right forgotten has not been recognized in any law or regulation yet.
Cancellation right is part of proportionality principle. Data are incorrect or inaccurate should be cancelled and superseded by proper data. In the other hand when data is not needed anymore should be cancelled. So incorrect, unaccurate and obsolete data have to be forgotten by data contollers and processors.
But sometimes there are needs that require to keep data permanently or for very long periods. If this information is published on a website it is been added to search engines caché copies and indexed as long as they stay on websites. It will be like this unless website admins use robots.txt or no index/no archive/no follow metatags.
Right to be forgotten is being called for some as something wider as cancellation right. Recently Spanish DPA has forced Google to face a judicial body as it is opposing to cancel search results that drive to personal data that holders want to be forgotten by the search engine even if they are kept in official diaries or online mass media sites. Among other arguments, Googke is saying that this will not make sense from a technological point of view and that such a measure could have chilling effects on freedom of speech.
Spanish DPA considers that personal data holders have the right to avoid “multiplying effect” of the search engine.
Peter Hustinx view is not reaching that far, and it is more linked to cancellation rigbt as we know it nowadays. Anyway this privacy by design approach have some problems like information not being copy qnd paste, but just rewritten on other websites that could be the case if people do not agree to a resolution ordering data deletion.
I am of the opinion that in some cases freedom of speech and right to know, statistics, History and research should prevail over privacy.
For instance, a Spanish couple was put cocaine in their luggage when coming back from a LATAM country. An online newspaper was reporting the case using their first name and name. But neither of couple members was arrested nor prosecuted, but this has not been told later on that same newspaper. Do they have to ask for that newspaper article from search results? And from newspapers?
If we follow Spqnish DPA proposal we should understand that Google hqs to delete search results, but what if we understand right to be forgotten as Peter Hustinx is defining? Does Spanish DPA should be applied right to be forgotten is built in as privacy by design control?
Going ba k to our previous example. Should newspaper delete article or amend it according to situation evidenced by our couple of tourist?
As long as there is a reason allowing information to be published and limits of freedom of spee h have been respected, should Google delete search results even when there is no way to remove data from origin?
Should this German murder privacy right prevail over peoples right to know and Wikimedia freedom of speech when criminal penalties have been fulfilled?
As long as freedom of speech limits are respected it should prevail over pri acy/right to be forgotten.
I think that it will be better to reach wide consensus on the topic before search engines or websites admins are force to delete information. Meanwhile cancellation right should be asked to websites originally publishing information. And they should decide whether or not to delete, amend or anonymized data.
In any case, do Spanish and DPA have jurisdiction to force Google to delete or to fine it if not doing it so? This is another interesting case of International Private Law considering Safe Har or Agreement and dispute resolution chose by Google. But this is another story 😉
Regards
at_alvarohoyo on Twitter
Thanks to you both for sharing your thoughts on this.
I think we all agree that in some cases, data may legitimately need to be kept for a long time (e.g., medical history). In that case, and as Bob suggests, length of time should not impose onerous burdens that we might implement for behavioral advertisers because we want doctors to be able to access patients’ past records, right?
While we tend to focus on the online privacy issues, some of the same issues apply to offline privacy. How many times have we seen data breaches because data decades old was still on devices that were stolen from offices? Had there been an expiration/mandatory deletion requirement, a lot of data would not be in the wild.
I found another article on the “Right to be forgotten” that I’m posting to this blog today. It gives an interesting overview of the EU-US differences in history/framework. See what you think.
When you have two very different frameworks/core values – one where privacy trumps free speech and one where free speech trumps privacy – it’s going to be an uphill battle to reconcile them, but I do hope we can find some ground to start.