At the end of January, Viviane Reding, the European Commissioner for Justice, Fundamental Rights, and Citizenship, announced a sweeping new privacy right: the “right to be forgotten.” The proposed right would require companies like Facebook and Google to remove information that people post about themselves and later regret—even if that information has already been widely distributed. The right is designed to address a real and urgent problem in the digital age: It’s very hard to escape your past on the Internet now that every photo, status update, and tweet lives forever in the digital cloud. But the right to be forgotten takes a dangerously broad approach to solving the problem. In fact, it represents the biggest threat to Internet free speech in our time.
The new right’s intellectual roots can be found in French law, which recognizes le droit à l’oubli—or the “right of oblivion”—a right that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration. (In America, by contrast, publication of someone’s criminal history is protected by the First Amendment.) Now that the Internet records everything and forgets nothing, European regulators have concluded that the difficulty of escaping one’s past is not merely a problem for criminals—but instead applies to everyone.
In endorsing the new right, Reding downplayed its effect on free speech, and press accounts have been similarly reassuring. In a post at The Atlantic, John Hendel wrote that “the overhaul insists that Internet users control the data they put online, not the references in media or anywhere else.” But the regulations that were actually proposed on January 25 are not limited to personal data people have posted themselves; instead, they create a much broader right to delete personal data, defined broadly as “any information relating to a data subject.”
In a widely cited blog post last March, Peter Fleischer, chief privacy counsel of Google, noted that the right to be forgotten, as discussed in Europe, can apply in three situations, each of which proposes progressively greater threats to free speech. The regulations that the European Commission proposed in January are troubling because they extend to all three.
The first category is the narrowest: “If I post something online, do I have the right to delete it again?” Since Facebook and other social networking sites already allow users to do this, creating a legally enforceable right here is mostly symbolic and entirely unobjectionable. It would also usefully put pressure on Facebook to abide by its own stated privacy policies, by allowing users to confirm that photos and other data have been deleted from its archives after they are removed from public display.
But the right to delete data becomes far more controversial when it involves the second category: “If I post something, and someone else copies it and re-posts it on their own site, do I have the right to delete it?” Imagine a teenager regrets posting a picture of herself with a bottle of beer and, after deleting it, later discovers that several of her friends have copied and reposted the picture on their own profiles. If she asks them to take down the pictures, and her friends refuse or can’t be found, should Facebook be forced to delete the picture from her friends’ albums without the owners’ consent?
According to the proposed European right to be forgotten, the answer is almost certainly yes. If contacted by someone who regrets posting an embarrassing picture, Facebook must take “all reasonable steps” on its own to identify any relevant third parties and secure the takedown of the content. The regulation does create an exemption for “the processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression.” But this essentially puts the burden on Facebook to prove that an embarrassing picture is a legitimate journalistic (or literary or artistic) exercise. At the very least, Facebook will have to engage in the kinds of difficult line-drawing exercises previously performed by courts. And the prospect of ruinous monetary sanctions for any data controller that does not comply—a fine up to 1,000,000 euros or up to two percent of Facebook’s annual worldwide income—might lead data controllers to opt for deletion in even ambiguous cases.
Moreover, the right to be forgotten can be asserted not only against the publisher of content (such as Facebook or a newspaper) but against search engines like Google and Yahoo that link to the content. In Argentina, which recognizes a version of the right to be forgotten, there are more than one hundred cases demanding the removal of user-generated content brought by entertainers and celebrities, such as the Sports Illustrated swimsuit model Yesica Toscanini. As a result, when a user of Yahoo Argentina plugs Toscanini’s name into the Yahoo search engine, the result is a blank page and a judicial order.
But the most serious concerns about free expression are raised by the third category of takedown requests: things other people post about us. The proposed European regulation treats takedown requests for truthful information posted by others identically to takedown requests for photos I’ve posted myself that have then been copied by others: Both are included in the definition of personal data as “any information relating” to me, regardless of its source. I can demand takedown, and the burden, once again, is on the social networking site or search engine to prove that it falls within the journalistic, artistic, or literary exception. This could transform Google, Yahoo, and other hosts of third party content into censors-in-chief for the European Union, rather than neutral platforms.
It’s possible, of course, that although the European regulation defines the right to be forgotten very broadly, it will be applied more narrowly. Europeans have a long tradition of declaring abstract privacy rights in theory that they fail to enforce in practice. And the regulation may be further refined by the European parliament over the next year or so.
But, for now at least, there are plenty of reasons for concern. Currently, American companies doing business in Europe enjoy some exemptions from E.U. law, under a 1995 agreement. But should that agreement be altered, the new right to be forgotten could be imposed on U.S. companies throughout Europe. It’s hard to imagine the Internet that results will be as free and open as it is now.
Jeffrey Rosen is legal affairs editor of The New Republic. A longer version of this article appears in the Stanford Law Reviewonline.