In 1927, F. Scott Fitzgerald wrote: “There are no second acts in American lives.” He was wrong, of course. America is all about second acts. For the famous and nonfamous alike, one of the great American myths is the ability to constantly reinvent oneself.
So what Fitzgerald said wasn’t true. Then. But what about now? In this great inter-connected world in which we live, second acts may be a relic of the past. Now everything we write, text, type, email and browse, can be tracked online, go viral, get retweeted and end up on the front page of The New York Times. In our brave new world, a throwaway comment on a Chili’s restaurant receipt makes Google News. A video of a teenager getting drunk at a small town high school prom becomes the number one YouTube video in the nation. A racy picture a 21 year-old sends to her college boyfriend ends up on a public website devoted to destroying ex-girlfriends. We live in a world where everything we put online (intentionally or not) can be tracked, reviewed, judged and found severely lacking by billions the world over. In the past, this is what we would have called Act One.
But what happens when Act One stays in the public eye forever? What happens when those videos, comments and pictures are viewed by friends, parents, roommates, employers, dates, spouses, neighbors, in-laws, children, and grandchildren alike? For many Americans, that is the new reality, where youthful (and not so youthful) moments of indiscretion get replayed into eternity because the Internet never forgets. Perhaps F. Scott Fitzgerald is now correct. In this new Information Age, there are no second acts in American lives.
Enter Mario Costeja Gonzáles. In 2009, Spanish attorney Mr. Costeja decided to Google himself. In so doing, he discovered two 1998 articles in a Spanish newspaper detailing a tax auction on his repossessed home. The home had been sold and Mr. Costeja had fully paid the taxes. Years later however, he found out that his minor legal issue remained front and center in a Google search of his name. Mr. Costeja lodged a complaint with the Spanish Data Protection Agency against both the newspaper publisher and against Google. He requested that the publisher remove the pages that referred to his long-ago debts, and that Google remove all search results connected to the auction. The Data Protection Agency rejected the complaint against the newspaper. However it did accept the complaint against Google and informed Google it would have to remove the offending links. Google then sued the Agency in Spanish court. The court in turn referred several questions to the European Court of Justice, the highest court in the European Union. One of the questions was whether Google, an American company, could be required under the EU’s 1995 Data Protection Directive to remove the personal data of an individual upon request.
The EU’s Data Protection Regime
First, some background. In 1995, the EU passed the 1995 Data Protection Directive (Directive 95/46). An EU directive requires EU member states to harmonize their legislation with the directive. This particular directive required that Member States ensure that personal data be “accurate and, where necessary, kept up to date,” and that “every reasonable step … be taken to ensure that data which are inaccurate or incomplete … are erased or rectified.” This was the genesis of the “right to be forgotten.”
In 2012, the European Commission proposed the General Data Protection Regulation. Unlike a directive, an EU regulation establishes directly enforceable standards that immediately become national law. This regulation (which has not yet been adopted) includes Article 17, or the “right to be forgotten.” Article 17 of the Proposed Regulation provides every EU citizen with the right to obtain from a data controller “the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child” when one of several grounds applies, including when the data is no longer necessary.
Google v. AEPD and Mario Costeja González
Fast forward two years later. The General Data Protection Regulation still has not been enacted in the EU. However Directive 95/46 is alive and well, including in EU Member State Spain. It is under the directive that Mr. Costeja would find the relief he sought.
On May 13, 2014, the European Court of Justice ruled against Google and in favor of Mr. Costeja. It first found that since search engine operators, including Google, collect, retrieve, record and organize data, store that data on their servers, then make that data available to users, those search engines “process” data within the meaning of the directive. The Court then found that search providers also qualified as “controllers” as they, in creating search results, directed the processing of personal data based on that activity. As Google was a controller that processed personal data and operated within the EU, it was subject to Directive 95/46. Google therefore had to ensure its data processing was compatible with Directive 95/46. Data processing is incompatible with Directive 95/46 when the data is “inadequate, irrelevant or excessive in relation to the purposes of the processing … not kept up to date, or … kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.” This, in a nutshell, is the EU’s “right to be forgotten.”
Fall Out from the Decision
As we’ve written about before, the process of removal is relatively simple. Google provides a webpage form that asks whether you, the requestor, are requesting removal of links under European Data Protection Law. As of April 2015, Google had received 235,449 requests. It had evaluated 854,251 URLs. It had removed 58.7% of requested URLs, and left in place the remaining 41.3%. Some of the requests include:
- An Italian woman requesting that her name be removed from a decades-old article about her husband’s murder. Request granted.
- A German rape victim asking that a link to a newspaper article about the rape be removed. Request granted.
- An Italian financier requesting links to articles about his recent arrest be removed. Request denied.
- A UK citizen requesting links to an article referencing the dismissal of sexual crimes committed on the job be removed. Request denied.
- A UK citizen whose conviction had been expunged under UK law requesting links to a news article about the crime be removed. Request granted.
There has also been at least one case where Google denied a request to remove a link, after which the requesting party sued Google in Dutch court. An Amsterdam judge held that Google did not have to remove information concerning the man’s criminal conviction: “Negative publicity as a result of a criminal offence is not a sufficient ground for removal of search engine results.”
So on the surface, the “right to be forgotten” process seems fairly straightforward. However dig deeper and it’s easy to see the numerous issues that arise out of the Court’s decision. Who holds the right? Why is it the search engine’s responsibility to delete legally published information? How does one measure the “inadequate, irrelevant, excessive” criteria? What universal standards are data controllers using to determine which URLs are deleted? What about data controllers who lack the resources of Google? And, perhaps most importantly for Americans, how do we balance the “right to be forgotten” with the right to, and the need for, freedom of press, speech and information?
This last question is crucial for many reasons, one in particular. The three biggest search engines in the world are all based on the West Coast of the United States. However, the Court’s ruling only applies to the European servers of these American search engines. In other words, a URL could be removed from www.google.fr, the French Google server, but it could easily be found on www.google.com, the U.S. Google server. Having realized this, the EU has been pressing to make the “right to be forgotten” available on all servers, not just European ones. But doing that would directly conflict with American law, something that has been avoided until now. Which means now is the time to ask the question – will America get a “right to be forgotten”?
Privacy in Europe and America
It is not difficult to understand why Americans and Europeans have different approaches to privacy. Continental European privacy focuses on respect and personal dignity, including the right to protect one’s image, name, reputation and self-determination. It started as an aristocratic privilege that eventually got extended to ordinary European citizens. Through continental privacy protections, both historic and modern, European citizens are provided the right to project the image to the public that they want to project.
Conversely, in the United States, liberty is paramount, in particular liberty from the government. This can easily be seen in the privacy protections of the Fourth Amendment. The focus there is not on any kind of dignity interest but rather on keeping the state outside of the home. Numerous Supreme Court cases have held that 4th Amendment privacy ends when there is no longer a reasonable expectation of it. Rather than a dignity interest, privacy becomes a property right. Even where privacy has been expanded to include the 14th Amendment provision of “liberty”, that privacy is not dignity-based, but rather freedom from government interference, whether childbearing decisions or contraception or sexual relations.
Therefore in a simplistic and over-generalized way, Americans value privacy from the government more than Europeans do; Europeans value privacy from private parties more than Americans do. In America, our privacy is concerned with freedom from government intrusion. In Europe, privacy is concerned with freedom from public humiliation. In Europe, having the government intervene to preserve the personal dignity of Europeans is a natural continuation of the history of European dignity. In America, having the government intervene to preserve the personal dignity of Americans is often an affront to freedom, liberty and, of course, the guarantees of the First Amendment.
It is the First Amendment that most often gets in the way of expanding privacy protection in America. The First Amendment protects the publishing of lawfully obtained truthful information on matters of public significance. Any restrictions on that publication must be reviewed with strict scrutiny, i.e., the government must have a compelling interest in passing the law, and the law must be narrowly tailored to achieve that interest. In practice, strict scrutiny has, for good reason, become an almost impossible standard to meet.
Of course, there are dignity-based privacy torts in America, including one most relevant to the right to be forgotten, public disclosure of private facts. However as almost every legal commentator will admit, these privacy torts have for all intents and purposes been eviscerated by the First Amendment. There are scattered exceptions across the country, but the general rule is that for newsworthy stories, and the definition of newsworthy is broad, there is little to no relief under privacy tort theory.
Conclusion: What Remains for the American Right to be Forgotten?
If the European view of dignity is incompatible with the American view of liberty, and dignity-based privacy torts continue to run into the barriers of the First Amendment, what relief is there for a person who wants old URLs deleted forever? Copyright law could help. Copyright allows the holder of the copyright to exclude others from using the property without the holder’s authorization, for a specified length of time. However it is limited to one’s own expressive work, photographs for example. Therefore while it could potentially halt the reposting of embarrassing videos and pictures that you took yourself, it would come nowhere close to replicating the breadth of recovery that the “right to be forgotten” provides.
A second option is creating an automatic termination date for all data uploaded onto the Internet. But that solution is both over-inclusive and under-inclusive. It is over-inclusive because all data on the Internet is not the problem; only a tiny portion of it is. It is under-inclusive because it would only apply to future data. As we’ve seen, it’s the old data that creates the problems. Not to mention such a solution would require all content creators and data processors to share the same programming language, unlikely to happen anytime in the near future.
One last idea, this time out of California. In January, a California law went into effect that gave minors the right to remove content they have posted from any website or app. Unlike the right to be forgotten, the California right is subject to several limitations, including if the information was stored or posted by a third party, and if the minor received financial compensation or other consideration for providing the content. Nevertheless, California is paving the way for a potential “right to be forgotten” by starting with those who may need the right the most – the ones still writing the first act of their lives.
That brings us full circle to the question that we started with – will America get a right to be forgotten? Will we, as Americans, be allowed to reinvent ourselves? Will we have the chance to project the public image that we want to project? Will we get the opportunity to have our first act erased from Internet memory and remain only in the far more porous human one? And if we don’t, what remedy remains for those of us who do want to be forgotten? These are the questions that Europe has handed America. The clock is ticking on our response.
A longer version of this post was published in the March/April 2015 edition of Social Education, the flagship journal for the National Council for Social Studies.