Law in the Internet Society

Privacy, Protection of our data: the right to be forgotten online versus freedom of information

-- By CarlaDULAC - 06 Oct 2019

My worries about having no say in the use of my personal data.

If we were to ask people from our generation

In the minority of the human race that is wealthy....

if they own a smartphone, use the internet on a daily basis or have social media accounts, their answer would be yes without any hesitation. But what they and I haven't realised when using those technologies, is that we share our personal information either intentionally or unintentionally with private or public entities worldwide, that tend to violate our right to privacy by selling information without our consent to companies we haven't even heard about.

Any information related to us, in our private or professional life, that we share online, constitutes our personal data.

Not necessarily. The information might not have anything to do with you at all. Once again, you might want to distinguish between the information distributed and the fact that you are either disseminating or receiving it. And you might be more attentive to the receiving activity rather than the transmitting activity, precisely because if you are, it will destabilize the structure of the current draft's argument.

Those data are precious for companies because they reveal our preferences, our likes that can be sold to other companies to increase their sell. Following this discovery, we can feel frustrated because it is something we were unaware of when we started using the internet or social media since no one explained it or talked to us about it.

One could argue it is easy to blame those companies and that it is our responsibility as individuals to react and do something. But by the time we heard about it, it was too late. We were already connected and dependent on social media, the internet. Our personal data were already used and sold everywhere in the world. Our discouragement gets bigger when we think about what to do to correct that, to make things change. One idea that emerged was to make the personal information that was gathered unlawfully disappear, be erased. One way to answer that problem was that states had to step in and protect our data.

The EU is concerned with the right to be forgotten but doesn't address the real issue.

The right to be forgotten entered the European Union privacy sphere with the 2014 judgement of the ECJ involving Google. It enabled people to demand the removal of links to information that are inaccurate, inadequate, irrelevant or excessive. This is called right to be forgotten. Then, it was implemented under article 17 of the General Data Protection Regulation (GDPR). The right to erasure grants data subjects a possibility to have their personal data deleted if they don't want them used anymore and when there is no legitimate reason for a data controller to keep it. It seemed a good way to act posteriorly and find a way to correct our past mistakes. But can we really rely on it? It did not take long before we could see the limit of this regulation.

In fact, the ECJ issued a ruling on September 25, 2019, regarding the implementation of the EU's right to be forgotten. This dispute involved Google and France's data authority (CNIL). The ruling held that CNIL can compel Google to remove links to offending material for users that are in Europe, but can't do that worldwide. We should not be shocked with the ECJ ruling, it was foreseeable since a different ruling could have been viewed as an attempt by Europe to police an US tech giant beyond US borders.

No. It upholds the right to police the US company beyond US borders. Perhaps you meant inside US borders. That is, to displace US law in the US. But the point is to deny all extraterritorial effects to EU orders coercively implementing the duty to forget or censoring indexes through deindexing orders. As I emphasized in class,, the Indian sister organization to my own Software Freedom Law Center, intervened in the EJC against CNIL, from a purely non-US perspective.

When we read through the decision, we see another underlying problem: how can right to privacy and freedom of information work together. France asked the Court to extend the right to be forgotten universally to people outside the EU. Google argued that such a ruling may result in global censorship and infringement of freedom of information rights. The real issue at stake is: can we impose on other a duty to forget?

What about freedom of information. What else can we do?

As said before, one good aspect of GDPR is that it creates a fast process to erase the data that Internet companies collect and store for use in profiling and targeted advertising. But on other side it can be used to erase online content, whether or not that content actually violates anyone else's rights. Such a use could constitute a violation of freedom of information with is part of the fundamental right of freedom of expression. Those rights are recognised in international law, as in the article 19 of the Universal Declaration of Human rights. It is true that there are some very important concerns about data protection and privacy in face of mass collection of our data by companies, but the way "right to be forgotten" is built is not appropriate.

First of all, freedom of expression for the public interest is essential, even for information obtained unlawfully. In fact, information may not have been accessible otherwise because it was kept secret, but for the good of the society, they have been revealed. Allowing a right to forget for those data would be harmful for the society. One other argument would be that allowing people to have some links related to their name delated could become a way to hide the truth and give a false picture of who they are. Imposing on people that are seeking information on other a duty to forget on some other's information is not the good answer. Individuals have a right to access all the information available, and past mistakes should not be forgotten, but used as examples. Maybe one answer to the problem would be to allow a right of correction, to reply that restricts less the freedom of expression, compares to the right to be forgotten. It would enable individuals to present themselves as they really are and correct false information about them.

Finally, instead of using a right to be forgotten that does more harm to freedom of expression, we could use other remedies such as going to court which will decide if the information will remain available to the public society or not.

This is still judicial censorship, is it not?

We could also use mechanisms available on social media platforms that helps to identify harmful content and then can be removed by those platforms.

The draft does a good job explaining existing European legal phenomena. It also clearly voices the basic free expression arguments that limit the use of censorship orders in the interest of privacy. But the draft lacks a clear idea of your own to be placed in dialogue with these exterior sets of ideas, which is why the conclusion find you basically throwing up your hands. Making the draft stronger means bringing your ideas to the front. You can say what you think, show how your idea emerges from your understanding of the two other points of view, then providing some real conclusion on which the reader can then base her own further thinking.

As I said in the early lines of the draft, by abstracting from the narrow "right to be forgotten" fact pattern, you can make progress. Censorship orders seem useful, whatever their problems in principal, only so far as we concern ourselves with searching: in the end, it's about the state's right to censor indexes on behalf of individuals. But if you start from the role of the same parties in surveiling what everyone reads, it is rapidly apparent that censoring indexes, or indeed censoring content directly, will not address the center of the problem at all.

Once it is apparent that the orders censoring indexes are a minor response to an infinitesimal part of the problem, one can no longer cast the issue as "right to be forgotten" against "free expression." That makes much more room for your own ideas.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r3 - 24 Nov 2019 - 15:49:36 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM