|
Last week, Google and other US platform companies won a landmark decision when Europe’s top court, the European Court of Justice (ECJ), ruled that the continent’s right to be forgotten doctrine did not apply worldwide. Sensibly, the court stated that the right to be forgotten was “not an absolute right,” but must be balanced against other rights such as free speech. While this was a win for Google and the US view of free speech, it is by no means certain that the decision will have widespread, long-term impact.
To review, in 2014 the ECJ upheld the right to be forgotten as fundamental to the right of privacy for EU citizens. Under the right to be forgotten principle, individuals and organizations can demand that a search engine remove information about them even if the details had been public knowledge and disseminated through the press or other media. In complying with the ruling, Google assumed a quasi-judicial role, and has spent hundreds of millions of dollars deleting information. Google estimates that it has responded positively to some 45 percent of the individual requests.
In 2016, CNIL, France’s data protection regulator, demanded that Google not only take down contested material from French and EU websites but also extend the deletions worldwide. CNIL noted that it was possible to bypass French regulations by clicking on websites outside the country, or outside of the EU. Google, along with many free speech advocates, argued strenuously against the CNIL demand as a bad precedent that would allow one country — or economic area such as the EU — to dictate internet privacy terms for the entire world. (For more background, see my earlier blog).
Even with the ECJ’s favorable decision, there are solid reasons for caution about its current and future impact on the balance between privacy and free speech.
First, it should be underscored that the ECJ’s original decision upholding the right to be forgotten still stands. France and all other EU member states have the right to enforce the right to be forgotten within their own borders and across the EU. Other nations outside Europe are also considering adopting such a course.
Second, even in the US, there is a push to adopt some version of the right to be forgotten. California’s privacy law (set to take effect on January 1, 2020) includes a provision for the “right to delete.” While the new legislation is “considered less burdensome than Europe’s General Data Protection Regulation (GDPR),” Silicon Valley executives have warned that it is broadly and vaguely worded and will cause great confusion and wasted resources given the lack of guidance. All this has spurred a bipartisan effort in Congress to pass a broader US privacy law in coming months — though it is unlikely this comes to pass before the California law goes into effect.
Finally, these divisions in Congress and among key interest groups — coupled with a lack of leadership by both the Barack Obama and Donald Trump administrations — highlights the stark fact that the US has no legally binding national position on the balance between privacy, free speech, and data flows. This has been the result by default of the increasing prevalence of the European view on this balance embodied in the GDPR. The GDPR tilts strongly toward privacy over free speech and data flow imperatives and has “frustrated users, companies, and regulators.”
So while the recent ECJ right to be forgotten decision is welcome, many difficult challenges remain to an efficient and equitable balance between privacy and data on the internet.
While the European Court of Justice’s recent decision on the right to be forgotten is welcome, difficult challenges lay ahead for achieving an equitable balance between privacy and data on the internet.
|
