At the end of January, the European Commission released its official data protection rules, including a new directive, “the right to be forgotten,” which adheres to European law that protects information privacy, such as France’s le droit à l’oubli, sometimes translated at the right of oblivion. This right allows criminals who have served time to object to the publication of facts of their conviction.
What exactly does this new privacy right entail in Europe in the online world? Commentary is rampant East and West of the Atlantic.
How might we be affected here in the States? At issue is privacy rights vs. free speech rights. Here’s a breakdown.
1. The Internet owns us. (via the Atlantic)
Surely all people suffer from some unknown horror embarrassing them online, from an old photo or comment, up to a Gawker post. The Internet owns us. Our social networks, our blog comments, our quotes in newspapers, our Yelp ratings, Amazon reviews, e-mails, all our personal data, from our birthday to our home state, the Internet knows. But should it always? Or do we Internet users bear an innate “a right to be forgotten” online? It’s natural for people to want to control their online reputations.
2. So if you post up an embarrassing photo, yes you can request it be taken down. (via The New Republic)
Since Facebook and other social networking sites already allow users to do this, creating a legally enforceable right here is mostly symbolic and entirely unobjectionable. It would also usefully put pressure on Facebook to abide by its own stated privacy policies, by allowing users to confirm that photos and other data have been deleted from its archives after they are removed from public display.
3. But if your friends, or a tabloid, or an unidentifiable stranger reposts the photo, can you request it to be taken down? Should that be your right?
A year ago, when the right was first proposed, the answer was maybe. It has since been clarified. Still…
Some say, the answer is now: no. (via the Atlantic)
Back then, the right would have potentially given people the ability to cull any digital reference — from the public record, journalism, or social networks — they deemed irrelevant and unflattering; today, the EU specifies that the data people have a right to remove is, according to Reding, “personal data [people] have given out themselves.” This provision is key. The overhaul insists that Internet users control the data they put online, not the references in media or anywhere else.
Others say, the answer is most certainly yes. (via The New Republic)
If contacted by someone who regrets posting an embarrassing picture, Facebook must take “all reasonable steps” on its own to identify any relevant third parties and secure the takedown of the content…Moreover, the right to be forgotten can be asserted not only against the publisher of content (such as Facebook or a newspaper) but against search engines like Google and Yahoo that link to the content.
4. Any exemptions?
Yes, for “the processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression.” (original source)
At the very least, Facebook will have to engage in the kinds of difficult line-drawing exercises previously performed by courts. And the prospect of ruinous monetary sanctions for any data controller that does not comply—a fine up to 1,000,000 euros or up to two percent of Facebook’s annual worldwide income—might lead data controllers to opt for deletion in even ambiguous cases.
5. What about things other people post about me online?
The act treats such takedown requests for “truthful information posted by others” the same as it does photos you post yourself. Key point of controversy: As TNR’s Legal Affairs Editor explains, once you demand takedown, the social networking site or search engine has to prove that it falls within journalistic, artistic, or literary exception.
This could transform Google, Yahoo, and other hosts of third party content into censors-in-chief for the European Union, rather than neutral platforms.
7. Yikes. How about us here in the U.S.?
Currently, American companies doing business in Europe enjoy some exemptions from E.U. law, under a 1995 agreement. But should that agreement be altered, the new right to be forgotten could be imposed on U.S. companies throughout Europe.
Pending European Parliament approval, the law will go into effect in the European Union in 2014.
8. While you’re at it, might as well read a bit about what India and China are up to. (via The Economist)
Building a single European data-protection regime is hard enough. Harmonising it smoothly with America will be harder. Reaching deals with Indian bureaucrats and Chinese mandarins set to defend the interests and the data of their countries’ rapidly growing online firms may be downright impossible. Welcome to the new world of data geopolitics.