Co-authored by Jens-Henrik Jeppesen, CDT Director of European Affairs
It has been more than a year since the European Union Data Protection Regulation (DPR) was unveiled, including a controversial proposal known as the "Right to Be Forgotten" (RTBF). While the proposal is intended to give Internet users more control over their data, many critics, including CDT, have charged that the new right would pose significant unintended risks for free expression online. As the European Parliament considers amendments to the Data Protection Regulation, ensuring that good intentions do not undermine the free expression rights of EU Internet users must be a top priority.
It has been a while since RTBF has been front and center in the policy debate, so it is worth a quick review. As drafted by the Commission, RTBF would allow a user to request that an online service delete all data -- including data that's been made public -- that it has about that user. And if the information has been made public, the service must notify others who link to or have copies of the data and request they also take it down. In turn, the notice recipients -- third-party content platforms, blogging sites, search engines, social networks and the like -- would also have to determine whether to take down the content, which by then may be quoted, referenced, or otherwise integrated into many other users' content, commentary, or other protected speech. To make matters worse, the DPR leaves it up to member states to decide in what circumstances free expression rights of other users should be taken into account, setting a baseline that fails to measure up to requirements under the European Convention on Human Rights.
It's understandable that a blogger might want to delete a post she's written from the website where she originally posted it, and in most circumstances she should probably be able to, but scoping a "right to be forgotten" any broader than this will necessarily implicate other users' free expression rights. (Even in this limited scenario, it leaves a host of questions about what remains of the speech of commenters on the post.) But RTBF asks the Internet's intermediaries to engage in balancing the privacy right of an individual user and the free expression rights of many others, a task which they are wholly unequipped to undertake. And because the provision is preferentially framed with the risk of significant penalties for violating the DPR, choosing to support free expression over privacy may be a risk that few will choose to take. Balancing fundamental rights is no easy task. Sorting it out has occupied considerable time at the European Court of Human Rights and is the subject of considerable scholarly examination and debate. Companies are simply not the right entities to make these decisions. Consider the following scenario:
A woman in EU Member State 'A' maintains a popular political opinion blog for several years, posting new commentary almost every day. One day, she writes a post in which she expresses her personal anti-immigration stance, which goes viral with hundreds of bloggers, journalists and ordinary citizens linking to, quoting, sharing, referencing, and debating her work. The blogger decides she wants her post to be taken down and contacts WordPress to exert her "right to be forgotten." EU Member State 'A' has adopted a narrow exception to RTBF that only protects journalists from takedown demands. WordPress is required to send a removal request to all "non-journalists" who quote, reproduce, or discuss the post, as well as any search engines who link to such commentary. Finding all possible references to the target post places an insuperable burden on WordPress. The company attempts to comply by sending notices to several dozen online intermediaries, whom it can readily identify as hosting the quoted content in question. The individuals who have reposted, linked, or otherwise referred to the targeted post all reside in different EU States, each which have adopted different formulations of a free expression exception. The sites each are faced with the decisions of whether to take the content down and which state's free expression exception to adopt: State 'A', where the blogger resides; States 'B'-'Z' ,where the posters reside; or that of the member state(s) where the company has a presence. The rights of both parties rely on the intermediary "getting it right." Meanwhile, hundreds of other less discoverable sites around the world continue to include quotes from the blogger's post and references to it.
This is not to say that a legislature may never decide to protect privacy or reputation, even when free expression is at issue. For example, many countries expunge juvenile arrest records after a period of time, often based on a person's "clean record" as an adult. Such laws clearly function as limits on truthful, once-public information, but have been supported in many countries to prevent lifelong stigmatization of an individual for actions taken as a minor. But such provisions are narrowly drawn and clearly defined. By restricting publication of an expunged juvenile record, legislatures are making a tough but appropriate decision to favor privacy and reputation over free expression and access to factual information in a very limited circumstance. By contrast, RTBF is broadly defined and unclear. It offers no guidance on when claims of privacy should trump free expression and is sure to sweep in and stifle legitimate speech. It is also likely to discourage the launch of innovative platforms for speech.
It is heartening that the significant free expression concerns about the RTBF proposal have resonated within the European Parliament. Importantly, European Parliament Rapporteur Jan Albrecht has proposed amendments that move RTBF in the right direction. These amendments narrow the scope of RTBF by limiting notice obligations for intermediaries only to third parties to whom they have illegally transferred data, and by strengthening the requirements on States to provide exceptions for free expression to meet existing human rights standards. While this represents progress, more still needs to be done.
The principal shortcoming of the Albrecht amendments is that the definition of personal data is left virtually untouched, meaning that the RTBF proposal could still be interpreted to apply to any data, provided by any user, about a person, rather than more narrowly applying only to data supplied by the data subject. This could allow someone to demand takedown of a truthful article, for example, about his or her role in a recently uncovered political scandal. This needs to be fixed.
CDT has proposed an amended version that would only cover personal data that a data subject has provided. This narrowing is critical to promote the data subject's ability to call for the takedown of data she has stored with or provided to an online service, while avoiding a rule that burdens other users' free expression rights.
CDT's proposed changes would also ensure online services that receive take down requests are only required to forward the requests to third parities with whom they have a direct contractual relationship. This will avoid the free expression questions and onerous implementation challenges of a broad obligation on online services to identify any and all third parties who may have accessed the data while it was publicly available.
We hope free expression and privacy advocates will join us in urging that the Right to Be Forgotten strike a fair balance between these two fundamental rights.