A new privacy right has been proposed: the "right to be forgotten."

This new "right", announced in January as a part of the European Union’s proposed new data protection regulations, aims to grant greater control to consumers over their personal information and allow them to demand that companies and organizations delete consumers’ personal data, as long as there are no legitimate grounds to hold it. In the US, many privacy activists have come to refer to it as an "eraser button."

Although not nearly as extensive and problematic as that proposed by the European Commission, this "right" has also been proposed by legislators and regulators in the United States. In May, Chariman John Leibowitz of the Federal Trade Commission (FTC) announced that he was open to a proposal to give minors a way to delete personal information that they post on Facebook or other online sites. "The Do Not Track Kids Act" (H.R. 1895), legislation introduced by Congressmen Joe Barton (R-TX) and Ed Markey (D-MA), goes even farther, giving parents control (and deletion options) for data related to their minor children.

Debating the "right to be forgotten"
As Viviane Reding, the European Commissioner for Justice, Fundamental Rights, and Citizenship, explained, "If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system." (1) The underlying principle of the "right to be forgotten" is that postings online and any data generated should be an individual’s own property.

Supporters identify multiple reasons why a "right to be forgotten" may be necessary:

  • Teenagers, who might reveal compromising information that they would later come to regret, need to be protected.
  • Convicted criminals, who have served their time and been rehabilitated, should be able to object to the publication of the facts of their conviction and incarceration.
  • Allowing users to confirm that photos and other data have been deleted from a company or organization’s archives after they are removed from public display necessarily creates pressure on social networking sites to abide by their publicly-stated privacy policies. Christian Toon, head of information security at document management firm Iron Mountain, stated more broadly, "Many businesses of all sizes are falling short of what is required to manage information responsibly…Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation." (2)

Opponents argue not only that the "right to be forgotten" imposes harsh, burdensome mandates for how enterprises must collect, store, and manage information, but also that the "right" proposes threats to freedom of speech.

The proposals are not limited to personal data that people "have given out themselves," but instead create a new right to delete personal data, defined broadly as "any information relation to a data subject." This creates a concern for public records, journalism, and social networks, as it allows people to demand the deletion of any digital reference (including photos or information posted by the user himself, photos or information that have gone viral, and photos or information posted by others, whether or not it is true.)

Most concerning for opponents is in situations where people can demand the removal of information posted by third parties. The United States Supreme Court has held that, "states cannot pass laws restricting the media from disseminating truthful but embarrassing information – such as the name of a rape victim – as long as the information was legally acquired." (3)However, the "right to be forgotten" treats information "relating to" a person the same as photos a person has posted of himself. Once a demand to take down information is made, the burden is on the third party to prove that it falls within the exception for journalistic, artistic, or literary purposes, or otherwise face monetary sanctions, at the very least.

Some of the data highlighted by opponents of the "right to be forgotten":

  • Any data controller that "does not comply with the right to be forgotten or to erasure" (after a user demands the personal data be deleted), can face monetary sanctions of up to 1 million euros.
  • There are at least 130 cases in Argentine courts demanding removal of photos and user-generated content, mostly brought by entertainers and models. (4)
  • The Spanish Data Protection authority has sued Google to force it to delete links to embarrassing newspaper articles – articles that are perfectly legal under Spanish law.
  • Two German men, Wolfgang Werle and Manfred Lauber, killed a man in 1990. After being convicted, serving their time, and getting released, they sued Wikipedia in an effort to have their names expunged.(5)

Potential global impact on survey research

  • The "right to be forgotten" could stop the tracking of consumers’ shopping habits, their movements on the Web, their location on mobile devices, and any other type of data collection or processing that is not directly required to provide service to customers. This could severely curtail a wealth of data currently available for online marketing research.
  • Marketing researchers could be severely restricted in how they share or transfer information. Every request to process individual data would need to be explained to the consumer separately, and the consumer would have to opt-in.
  • The "right to be forgotten" would allow consumers to ask any service provider or company (including marketing research companies) for complete details of the data they hold about them, and request the complete erasing of the information, except data that the law requires such companies maintain. This means that marketing research companies could face time and resource-consuming requests for data access and deletion and potentially crippling lawsuits.
  • Marketing research companies will need to be prepared for increased costs and get ready to innovate new ways of getting permissions from consumers, and deleting requested data in an easy, cost-effective way.

In the US, legislators and regulators need to be mindful of fundamental American concepts of freedom that often outweigh a European-style focus on privacy rights. More importantly, MRA will be working to ensure that they consider all the implications associated with writing definitions too broadly (such as the third party liability inherent in the European proposals), and the potentially heavy burdens such prescriptive mandates may place on American businesses in a competitive global economy.

As with many proposed data privacy efforts, the "right to be forgotten" will spawn significantly greater privacy pitfalls than the ones it is trying to ameliorate. Companies will have to make their data holdings more easily searchable and linkable in order to be able to identify personal data for one individual across a multitude of databases. That confluence of linked personal data will make data security breaches even more dangerous for the consumers in question, as well as the holders of their data, and demands the kind of profiling and tracking that legislators and regulators claim to oppose.

All in all, any serious discussion of an "eraser button" or "right to be forgotten" leads to important and complex conversations involving more than just control over Facebook photos. Our current discussions will shape the future landscape of data privacy and the digital marketplace for years to come. Whatever regulations are adopted should be promulgated with care and consideration for future technologies, their users, and key American values and rights.

Jennifer McDonald, pursuing her law degree at The University of Montana School of Law, was a legal intern at the Marketing Research Association (MRA).

Footnotes:

  1. Jeffrey Rosen. "The Right to Be Forgotten."Stanford Law Review. 64 Stan. L. Rev. Online 88. www. Stanfordlawreview.org/online/privacy-paradoc/right-to-be-forgotten
  2. Allan Swann. "Tough New EU Data Privacy Law Revealed- Expert Reaction." http://itservices.cbronline.com/news/tough-new-eu-data-privacy-laws-revealed-expert-reaction250112
  3. Rosen.
  4. Vinod Sreeharsha. "Google and Yahoo Win Appeal in Argentine Case", N.Y. Times, Aug. 20, 2010, at B4.
  5. David Coursey. "How the ‘Right to Be Forgotten’ Threatens the Internet."Forbes.http://www.forbes.com/sites/davidcoursey/2012/02/24/how-the-right-to-be-forgotten-threatens-the-internet/print/