Last week, I had a speaking slot at the Westminster Media Forum’s event on “Social media, online privacy and the right to be forgotten”. My comment that the proposed “right to forget won’t work” was widely reported, so I think it is incumbent on me to detail the argument. I also think there is a better way of dealing with this issue through the use of the “right to object” to the processing.
The “right to forget” is very laudable. It means all those useful youthful indiscretions (where one shudders with embarrassment when one remembers them) do not form part of a publicly available record being used, for example, by employers to assess whether to give you a job.
For the current generation, the existence of the likes of Facebook, YouTube, and the mobile phone camera means that every forgettable action can easily be recorded for posterity and subsequently distributed by social networking, posted in blogs or hosted on websites. Everybody, I suspect, has some personal detail they don’t want reminding of; the problem is that the Internet hardly ever forgets once this detail is published.
Hence the idea behind the “right to forget”: why not get rid of that stuff. If it’s not there, it can’t be accessed, and if it can’t be accessed, it can’t be used. Oh, if only life was that simple!
The first problem is to treat the underlying issue as a privacy problem when it has nothing to do with privacy. Suppose somebody has posted something on a website or distributes personal data to hundreds of Facebook Friends. The personal data have been published – end of story – and if they are published, the genie is out of the bottle. Take Max Mosely for instance – he might win his privacy case at the Human Rights Court, but everybody knows what he did. You can’t “unknow” that which has been published. So, I think the intellectual idea underpinning the “right to forget” (i.e. that there is some kind of “magic cork” that can compress that genie back into the bottle) is based on a fundamental misconception.
Commissioner Reding, the Commissioner who is supporting the idea, states that one of the reasons why she is promoting the “right to forget” is that she is “a firm believer in the necessity of enhancing individuals’ control over their own data”. All I would say in response is that when the personal data are published or widely distributed, the individual has lost that control; like Humpty Dumpty, you can’t put the pieces back together again. However, as we shall see, although the individual has lost control of the personal data, there is an existing right (the right to object) that can come to the rescue.
Of course, if the personal details are in one place, a “right to forget” might succeed; however, in that case, they have not been widely distributed. If, however, there are several jurisdictions where the personal data are located then it becomes more and more impracticable for the right to be exercised. For instance suppose a Facebook Friend in the USA receives some embarrassing detail which is then shared with his Facebook Friends distributed round the planet. How is a right to object going to work across a number of different jurisdictions?
What then happens in this case if a “right to object”, as exercised, is ignored? Do I complain to the UK Information Commissioner to enforce a right in the USA? That is another reason why I think the “right to forget” is unenforceable; it needs all the world’s privacy regulators and legislators to decide on a common enforcement strategy. This in itself is going to be very difficult task, because the USA and APEC countries have already decided that once the personal data are in the public domain, then the data protection rules that we take for granted in the UK do not apply (see references, as I have a blog on the GAPP Principles in the USA).
Then there is the “kiss and tell” problem. What can be seen as one individual’s freedom of speech (i.e. telling the world about the kiss) is the other person’s invasion of privacy (i.e. the fact of being kissed should be kept private). Which one of these takes precedent? A “right to forget” has to start from the position that privacy is more valuable than freedom of speech? Personally, I don’t think that this is a safe presumption to start from: both privacy and freedom of expression are of equal value and which one takes precedence over the other has to depend on the facts of each case.
My own solution to this problem is not to attack where the personal data are posted, or which organisation (e.g. Google) facilitates access to the personal data, but rather when the personal data are used. For instance, an embarrassing fact might be posted on a USA web-site, but their use in the UK has to be by a data controller. That data controller, through the obtaining of personal data from the USA web-site is processing such personal data for a specific purpose; as that controller is situated in the UK, then the Data Protection Act applies.
Then the data controller has to apply three Data Protection Principles (1st, 3rd and 4th). He has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose), that they are accurate and up to date (e.g. the personal data relate to the actual individual under examination and not someone who happens to have the same name) and ensure that the data subject knows of their use for a specific purpose.
I would also argue that it is not fair to the data subject to use personal data extracted from, for example, Facebook without explaining in detail what personal data were actually used by the data controller (e.g. by providing a copy of the personal data used). Any failing in this area can already be enforced by the Commissioner without any change to the current data protection law; a position that should also apply across all European Countries that have based their data protection legislation on Directive 95/46/EC.
The only change in the Directive I would make is to strengthen the existing “right to object” to the processing. This right in the UK is currently restricted to that processing where the data controller has to balance his interests against the interests of the data subject (or where the processing is necessary for the functions of a public authority - paragraphs 5 and 6 of Schedule 2 if you want to be complete). The right also requires the processing to cause “unwarranted substantial distress” or “unwarranted substantial damage” to the data subject; a requirement which heavily tips the scales in favour of the data controller’s processing (in this case, the ability to use the internet to retrieve personal data about an individual).
The change I would make therefore is to drop the “substantial” element of this threshold test; this means the test of the balance of interests between a data subject’s interest and a data controller’s interest is assessed on a level playing field. I would also apply the “right to object” to those circumstances where the processing is “necessary for a contract with the data subject” or with “a view to entering into a contract with the data subject” (e.g. an employment contract with a prospective employee).
In this way, data controllers can argue that they should be able to scour the internet for background details about an individual but that data subject will be able to argue the exact opposite. This provides a structure where the facts of each case can be independently examined to identify whether the data controller’s or the data subject’s position should prevail. Following such an examination and case-law can then be turned into advice on best practice.
That is why I argue that one should forget about the “right to forget”. It is a nice idea but it does not work. There is a far better alternative that attacks the use of personal data not its hosting, and that alternative is by strengthening the “right to object to the processing”.
"North America’s Generally Accepted Privacy Principles establish an inadequate data protection regime" (blog of 25/11/10); these Privacy Principles do not apply to public domain personal data. See http://amberhawk.typepad.com/amberhawk/2010/11/north-americas-generally-accepted-privacy-principles-establish-an-inadequate-data-protection-regime.html
“The APEC Privacy Framework and data protection – 2008”; the document explains where the APEC Framework is deficient in terms of the European Data Protection Directive 95/46/EC and this includes public domain personal data). Downloadable from http://www.amberhawk.com/policydoc.asp (link towards the middle of the page)
Advert: Our UPDATE session, April 11th, Central London: a snip at £195+VAT. Still places available. Automated booking available on www.amberhawk.com. The Programme includes:
- “What might a new data protection regime look like? What might the main changes be?”; Stephen McCartney, Strategic Liaison Group Manager, ICO
- "Freedom of Information decisions on the personal data exemption"; Sue Cullen, Amberhawk
- "Legal Update (Article 8, Enforcement and Data Protection Act)"; Rosemary Jay, Partner, Pinsent Masons
- "Data Protection from the other end of the telescope: a view from the data processor (including the cloud)”; Louise Townsend, Accenture, Data Privacy Officer (UK and Ireland), Legal Counsel
- "What’s new from the ICO’s website"; Sue Cullen, Amberhawk
- "What’s new re Undertakings, Audit and Assessment" and "News Roundup"; Dr. Chris Pounder, Amberhawk