Cross-Examination: Data Deaths and a Funeral – The Right to be Forgotten

044_046_dataprotection_righttobeforgotton.jpg
Pooja Upadhyay, Content Contributor

Digital media is increasingly changing the nature of identity. Generations are growing up with their lives open to scrutiny on the Internet by virtue of a culture of documenting actions online. Google’s concrete memory bank means that, “[y]ou are what Google says you are”.[1] This can have serious psychological and occupational repercussions for data users.[2] Consequently a need for more citizen control over specific online data is escalating. The various recommendations for combating harmful developments of the digital age have been hotly debated. Serious questions especially arise when accounting for the fact that the web is truly worldwide. How do we regulate a phenomenon that transcends the borders of nation state?

The ‘right to be forgotten’ is a proposed solution that has been developed and implemented in certain jurisdictions. It seeks to transfer the power of erasure from the data controller to the data user.[3] Pursuant to the right, individuals can obtain from the data controller the deletion of links to documents disclosing personal information that is “inaccurate, inadequate, irrelevant or excessive”.[4]

Parties engaged in maintaining or crafting data privacy legislation

The European Court of Justice enforced this right in a recent ruling in 2014, under the authority of the European Union (EU) Data Protection Directive.[5] Google Spain and Google Inc. were obligated to remove links to content containing specific information about the Spanish citizen seeking to exercise his right to be forgotten. It also held that Google Inc. (although from the United States) is subject to this European data protection law.[6] The issue has since developed further, with France fining Google this year for not extending its facilitation of the right to be forgotten to all European domains.

A further contextualization of this right can be achieved when using the example of a criminal offender. An offender, whose conviction is easily accessible through a Google search, may suffer life-long societal stigma and consequently be unable to live without prejudice. With an enforceable right to be forgotten, the offender can make a request to Google to erase links to websites that disclose information about the criminal conviction. Google would then be obliged to delete the links so long as it cannot provide a legitimate justification for keeping them.

Is the right to be forgotten needed in New Zealand? Personal information can have severe consequences to the “socially valued and often protected individual interests of reputation, identity, and rehabilitation”.[7] Arguably there is already a sufficient amount of law in New Zealand protecting these interests so as to render the right to be forgotten as unnecessary.

The recently passed Harmful Digital Communications Act 2015 in New Zealand is one way in which citizens can apply for the erasure of specific content online.[8] The orders can range from acquiring an apology from the publisher to actual removal of the content online.[9] Therefore, citizens can apply for the erasure of specific content online in New Zealand. Further implications of the Act can be found in a recent Cross-Examination article published by the Equal Justice Project.

A list of other protective legislation in New Zealand includes:

  • The Privacy Act whereby an agency holding personal information must take reasonable steps to ensure that the information is “accurate, up to date, complete, relevant, and not misleading”.[10] It does not allow for information to be kept longer than it is needed for lawful purposes.[11]
  • The Films, Videos, and Publication Act, permits the seizure of publications that are believed to be (on reasonable grounds) “objectionable”.[12]
  • The Harassment Act 1997 gives the court authority to make orders (potentially including the deletion of information online) to protect victims from further harassment.[13]

Furthermore, judges take into account the absence of a right to be forgotten when making decisions. In the in-court media application of Hammond v Credit Union Baywide, judges sitting in the Human Rights Review Tribunal considered the lack of a right to be forgotten in New Zealand when deciding to reject the application to photograph an exhibit from the original case.[14] This indicates that judges are aware of the permanent nature of online content in light of the current law.

Interests of protecting reputation and identity are alleviated with protective mechanisms in torts like defamation and (although less established), privacy.[15] Additionally, in Tucker v Media Ownership, the court inferred that the tort of privacy applies to information that had formerly been publically available.[16] This idea underpins the right to be forgotten.

However, according to privacy expert Daimhin Warner, legal commentary on the issue appears to be divided. “The Privacy Act, and the privacy regime in NZ (and overseas), is not generally founded on the notion of confidentiality or secrecy,” Mr Warner told EJP, “Rather, it is founded on the concept that agencies should be able to use and disclose personal information for legitimate purposes to the extent that it is fair and reasonable. So, if personal information has been lawfully disclosed online, and the continued availability of that information serves a legitimate purpose, then on what basis should search engines be required to remove links to it?”

Although it may seem that the law in New Zealand is well equipped for citizen data protection, there are still differences that exist between the protections, which currently exist under New Zealand law, and the full recognition of a right to be forgotten. Firstly, a right to be forgotten would appear to have a lower threshold for the deletion of information. The information does not have to be harmful; it can merely be no longer relevant. Secondly, New Zealand privacy law does not have authority over online companies that are not registered in New Zealand and a right to be forgotten would extend privacy law authority to international search engines.[17]There are a number of different ways in which this right may be implemented. The right could be adopted into international law, which is generally created for issues that affect humanity as a whole. Due to the global characteristics of the internet, an international approach is likely the most appropriate response, especially given the European Court of Justice ruling, which held that international corporations are subject to European data protection laws.[18]

[x_blockquote type="left"]As international law is generally implemented through the treaties and conventions to which member states are legally bound, the right to be forgotten may be included under the Universal Declaration of Human rights or the International Covenant on Civil and Political Rights.[/x_blockquote]

Furthermore, there are already international privacy frameworks in play. The Organisation for Economic Co-operation and Development’s privacy framework (of which New Zealand is a member) includes the principle that personal data must be “relevant to the purposes for which they are to be used” and should be accurate.[19] The framework also suggests that when adopting these at national level, citizens should be provided with a reasonable means of expressing their rights through the adoption of laws.[20] The Global Privacy Enforcement Network (GPEN) supports the recommendations of the OECD privacy framework by contributing to efforts of global cooperation.[21] New Zealand as a member of GPEN is required to contribute to international development and endorsement of a GPEN action plan. The Asia Pacific Privacy Authority, providing a continental approach to the issue, was set up to discuss and develop new ways to manage evolving privacy concerns, including multi-jurisdictional law enforcement of data privacy laws and regulations.[22]  According to Mr Warner, “such cooperation includes the ability to transfer complaints from individuals between privacy regulators, ensuring that an individual in any one country can assert their rights regardless of the location of the respondent agency (provided of course that equivalent laws exist in that other country)”.[23]

It should be noted however that both international and continental approaches try to find ways to support domestic implementation. Accordingly, Mr Warner believes that “any right to be forgotten would need to be expressly written into our legal framework- into the Privacy Act itself. Reliance on international instruments would be ineffective. However, as noted above, our legal framework is such that one could currently construct a right to be forgotten argument, at least in respect of a NZ agency. The HDCA and other legislation also have a part to play. In Europe, where this right is becoming well established, the various privacy regulators cannot agree on its scope or application. We may see a similar inconsistency of application in the Asia Pacific region.”[24]

The future of data privacy-

If it were to be codified in New Zealand legislation as it appears in the proposed Data Protection Regulation of the European Union, it would codify the right of citizens to:[25] “[O]btain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data.”

This can occur where:[26]

  • the data is no longer necessary
  • where there is no legal ground for the processing of the data
  • where the court has ruled that the data must be removed
  • where the data has been unlawfully possessed
  • where the data subject withdraws consent and;
  • where the data is inconsistent with the regulation for other reasons such as misinformation and inaccuracies

Furthermore, the data controller must take reasonable steps to inform third parties of the requests of erasure, as they are considered responsible for the publication of that information. There is even a suggestion in the proposed Data Protection Regulation that relevant authorities should impose fines on data controllers for non-compliance.

The burden of proof would lie on the company to prove that the data is still relevant and therefore should not be deleted.[27] Limits on the right are be placed when considerations of public interests, freedom of expression, public health and interests of a historical, statistical or scientific nature override the individual’s right to erasure.[28]

Alternatively, the right to be forgotten could be codified under the New Zealand Bill of Rights Act 1990. This may be a positive course of action as s 5 of the Bill of Rights Act permits certain justifiable limits to be place on rights which would ensure that the right to erasure would remain flexible and subject to other fundamental rights.[29] On the other hand, it would merely declare the existence of a right instead of providing mechanisms for the exercise of it whilst only extending to those that exercise public power. This would exclude private Internet users like corporations or individual users.

Regardless of the approach taken, the right to be forgotten holds a unique set of possible implications. First, there is a risk that the codification of the right that creates such a low threshold for erasure will bring forth a huge number of requests, demanding a lot of time and resources. From May 2014 till August of 2015, Google received requests for the erasure of around 1 million web links and has removed around 41% of those.[30] Sifting through each request would certainly be a tedious and time-consuming task. Data processors would need to ensure they have the appropriate systems in place for regulating these requests.

The right to be forgotten can pose a real threat to a healthy democracy because of its limits on the right to information. Information is vital for a healthy democracy because people need to be informed about whom to elect as a representative. Additionally, discourse is an essential element of a deliberative democracy.[31] It is a difficult to objectively decide what is relevant or irrelevant to discussion due to the fundamentally free nature of discussion and expression.

“This is a fundamental concern I have with the establishment of a right to be forgotten,” says Mr Warner, “Who is to make the call (a somewhat subjective moral judgement) on how the right to privacy should balance against the public interest to know? Certainly, where information relates to a highly public figure, or a figure in a position of trust or authority, it is arguable that the right to be forgotten should apply more restrictively… The question of where the line should be drawn is a difficult one.”

However, as discussed, there are justified limits to the right. In practice the percentage of granted requests to Google by public figures is significantly lower than the percentage of granted requests made about private personal information. Around 60-75% of the requests relating to politics, public figures and serious crimes were rejected.[32] This suggests, the right to erasure does not threaten discourse and important information that may be relevant for democracy.

Cultural history may also be under threat, should the right to be forgotten be implemented. Culture “depends on the quality of its record of knowledge”.[33] When knowledge of a culture in the form of online data is being removed from the record, the record of culture is manipulated. It authorizes users to edit history and compromise the objectivity of the Internet.[34] Although the EU directive allows for limitations on the right based on historical interests; the potential implications of the right are still significant. The notion of history is inherently retrospective. How does one decide, while history is being made, what will/will not be relevant in the future?   Indeed, although experts are divided on whether a right to be forgotten is in fact desirable, Mr Warner believes that “there appears to be somewhat of a consensus that this right should not amount to an ‘erasure of history’”.

However, the implications of not removing content may also be significant on data subjects.  Humans regard themselves as dynamic and as trying to improve morally.[35] However, the ability to believe one can change and move on from past mistakes may be hindered by the fact that past actions are permanently online. Past identity becomes inescapable and consequently, ones’ ability to move on the moral continuum deteriorates. A positive implication of the right is freeing moral autonomy and restoring possibilities for people to evolve.

Yet, opponents argue that the right to be forgotten will be ineffective. Overtime, online content becomes “uncontextualized, poorly duplicated, irrelevant, and/or inaccurate” in a process called the “information life cycle”.[36] A study by Gomes and Silva found that the majority of URLs have a short life span and die quickly within the first few months whilst only a small amount of URLs continues to exist for some time.[37] It is suggested that online data is less permanent through time.[38] Consequently, online data concerning individuals of no particular public role will fade away into the cacophony of net noise as if it were ‘forgotten’. In light of this, the right to be forgotten appears relatively futile. Conversely, proponents may argue that the right to make the Internet forget should exist regardless of what stage of the ‘information life cycle’ the data is at.

[x_blockquote type="left"]The possible implications of the right to be forgotten, and the various interests and values in contention, reflect how controversial this data right is. Ultimately the issue comes back down to identity. Do we leave it to the omnipotent search engines, or do we regain some control? Perhaps, as Mr Warner opines, we should continue to observe how the right to be forgotten operates on the global stage “to ensure that the pitfalls in application are avoided on this side of the world”.[39][/x_blockquote]

The views expressed in the posts and comments of this blog do not necessarily reflect those of the Equal Justice Project. They should be understood as the personal opinions of the author. No information on this blog will be understood as official. The Equal Justice Project makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The Equal Justice Project will not be liable for any errors or omissions in this information nor for the availability of this information.

[1] Megan Angelo “You are what Google says you are” (2 September 2010) Wired <http://www.wired.com/2009/02/you-are-what-go/>.

[2] Meg Leta Ambrose  “It’s About Time: Privacy, Information Life Cycles, and the Right to be Forgotten” (2013) 16 STAN TECH L REV 101 at 108.

[3] Ambrose, above n 2, at 150.

[4] “Factsheet on the ‘Right to be Forgotten’ ruling” (3 June 2014) European Commission < http://ec.europa.eu/justice/newsroom/data-protection/news/140602_en.htm> at 2.

[5] Joy Liddicoat “The Right to Be Forgotten” (paper presented to IT and Online Law Conferences, New Zealand, May 2015).

[6] “Factsheet on the ‘Right to be Forgotten’ ruling” (3 June 2014) European Commission < http://ec.europa.eu/justice/newsroom/data-protection/news/140602_en.htm> at 1.

[7] Ambrose, above n 2, at 106.

[8] Daniel Gambitsis “Cross Examination: The Unintended Consequences of the Harmful Digital Communications Act” (21 July 2015) Equal Justice Project < http://equaljusticeproject.co.nz/2015/07/cross-examination-the-unintended-consequences-of-the-harmful-digital-communications-act/>.

[9] Harmful Digital Communications Act 2015, s 19.

[10] Privacy Act 1993, s 6.

[11] Section 6.

[12] Films, Videos, and Publications Classification Act 1993, s 108.

[13] Harassment Act 1997, s 20(1).

[14] Hammond v Credit Union Baywide (In-Court Media Application) [2014] NZHRRT 56 at [7.5].

[15] New Zealand Law Commission “The Law of Torts” New Zealand Legal Information Institute <http://www.nzlii.org/nz/other/nzlc/report/R50/R50-4.html>.

[16] Liddicoat, above n 5, at 8.

[17] Daimhain Warner.

[18] “Factsheet on the ‘Right to be Forgotten’ ruling” (3 June 2014) European Commission < http://ec.europa.eu/justice/newsroom/data-protection/news/140602_en.htm> at 2.

[19] “The OECD Privacy Framework” (2013) OECD <http://oe.cd/privacy> at 14.

[20] At 17.

[21] “Action Plan for the Global Privacy Enforcement Network (GPEN)” (June 2012) Global Privacy Enforcement Network <https://www.privacyenforcement.net/public/activities>.

[22] Asia Pacific Privacy Authorities “Resources” APPA <http://www.appaforum.org/resources/#objectives>.

[23] Daimhin Warner.

[24] Daimhin Warner.

[25] “Factsheet on the ‘Right to be Forgotten’ ruling” (3 June 2014) European Commission < http://ec.europa.eu/justice/newsroom/data-protection/news/140602_en.htm> at 3.

[26] At 3.

[27] “Factsheet on the ‘Right to be Forgotten’ ruling” (3 June 2014) European Commission < http://ec.europa.eu/justice/newsroom/data-protection/news/140602_en.htm> at 3.

[28] At 4.

[29] New Zealand Bill of Rights Act 1990, s 5.

[30] Farhad Manjoo “’Right to Be Forgotten’ Online Could Spread” (5 August 2015) The New York Times < http://www.nytimes.com/2015/08/06/technology/personaltech/right-to-be-forgotten-online-is-poised-to-spread.html?_r=2>.

[31] Scott Wright and John Street “Democracy, deliberation and design: the case of online discussion forums” (2007) 9 New Media and Society 849 at 850.

[32] Sylvia Tippmann and Julia Powles “Google accidentally reveals data on 'right to be forgotten' requests” (14 July 2015) The Guardian < http://www.theguardian.com/technology/2015/jul/14/google-accidentally-reveals-right-to-be-forgotten-requests>.

[33] Donald J. Waters “How Do We Archive Digital Records?: The Report of the CPA/RLG Task Force” (paper presented to Documenting the Digital Age conference, San Francisco, February 1997) at 90.

[34] Ambrose, above n 2, at 128.

[35] J van den Hoven and J Weckert Information Technology and Moral Philosophy (Cambridge University Press, New York, 2008) at 319.

[36] Ambrose, above n 2, at 106.

[37] Daniel Gomes  and Mario J Silva “Modelling Information Persistence on the Web (paper presented to the 6th International Conference on Web Engineering, Palo Alto, July 2006) at 194.

[38] Ambrose, above n 2, at 124.

[39] Daimhin Warner.