Justice ministers from across Europe sat down in Brussels yesterday to discuss some tricky issues for internet privacy, one of the most controversial of which was the right to be forgotten.
After the NSA scandal, privacy has become particularly emotive for the general public. Why shouldn’t we be allowed to control what information is available about us on the internet, particularly those embarrassing photos of our exploits in the past?
The European Commission is seeking to tighten the rules to help European citizens do exactly that. It is proposing to amend legislation to require data “controllers” like Facebook to delete personal data at the request of users. They could even be fined for failing to do so.
The UK has other ideas. Speaking to the BBC ahead of the meeting in Brussels, Justice Secretary Chris Grayling argued that the stricter rules have been designed with large companies such as Facebook and Google in mind but that introducing them in the UK could have a serious financial impact on smaller businesses.
He wants the UK to be able to opt out of the rules and take a different approach to, say, Germany, which is backing the Commission.
How did I get here?
The “right to be forgotten” is a recent concept that addresses internet users’ concerns about the permanence of information publicly displayed about them. Now that the commercial internet is nearly 20 years old, it has become apparent that it does not readily forget things.
Once out there, posts, photos, stories and webpages don’t fade away. When people google themselves, they are often surprised and embarrassed to see pictures and comments they made in the past surface instantaneously. By its nature, the internet remembers, and search engines are in the business of indexing all of those remembrances. There are things that people wish were left in the past - inappropriate photos, immature comments, or simply views they held that are no longer true.
Consider speech, the first human form of communication. It is characterised by impermanence. Words spoken in the air are ephemeral and we rely on memory to recall what is said. Of course, with the advent of audio recording devices, a semi-permanent, faithful recollection of what someone said became available, though it was trapped on the media on which it was recorded. Now, with recording and publishing fused into a single act, online communications achieve a permanence that makes some people uncomfortable.
Information about a person can surface that she or he never wrote or uploaded. It could be a news story from a local paper with an unflattering quote, or worse, a mugshot made public and then automatically put online by an unprincipled but legal website. The right to be forgotten is the idea that people should have control over their informational lives, and be able to demand that posts and photos be erased.
Please delete me
Forgetting on a grand scale might be possible, but it would require a change in the way the internet is managed. Facebook, for example, owns its infrastructure and jealously guards its content. It is a “gated community” so the company can take unilateral action on the content within its walls. So, imagine a “biodegradability option,” where you are given the chance to have all your photos, comments and posts deleted from Facebook’s servers after, say, 90 days. This is a very simple way to give users some control. For other organisations, forgetting could function in the same way that a “subject access request” does already. If you know an organisation has your data, you formally ask it to tell you everything it knows. Theoretically, there could be a “subject deletion request.” The problem with this, as with the access request, is that you have to know who holds the data, and that’s not always clear.
To make the plan work, Brussels needs to further define who the data controller actually is. This would partly address the UK’s concerns. But still the the internet’s penchant for remembering remains an issue. Information on the internet proliferates in limitless ways: there are mirrors and backups and alternate versions everywhere. A company’s ability to delete information only extends to its own equipment. Who is in control if one company shares information with another? What if a business closes down but its data assets are still online? What happens in the case of cached data?
The internet’s primary nature is interlinking computers - the most valuable use of those links is data sharing. As such, intentional de-linking and deletion is difficult. Consider the case of a newspaper article. It may be unflattering or false, or may be a story of an arrest that was then cleared. The story is copyrighted by the newspaper, and it is part of both the company’s and the world’s historical record. If someone feels that the story is untrue or unappealing, or facts have changed or been updated, as in the clearing of a criminal charge, the idea of the right to be forgotten is compelling, but legally, it may not be possible.
Grayling’s decision to side with business on this issue has not played well with Europe. The minister says he is reluctant to impose stricter regulations on businesses at a time when growth is a top priority and argues that the proposal could create unrealistic expectations about our right to privacy.
Businesses are right to be worried about the extra costs involved and the extra hurdles they may need to jump, but does that justify diminishing the right of citizens to control their online identity? A key function of data protection authorities and policy-makers is to balance the interests of citizens, businesses and the state. Privacy rights are highly valued in Europe, and this proposed right logically fits within a privacy agenda.