Forget me not

First published in Data Protection Law & Policy, December 2010.

At any given time, each of the 37 legislative changes currently being considered by the European Commission as part of the reform of the EU data protection directive would qualify as a major development. As a whole, the proposed reform package is awesome. From greater transparency to full harmonisation across Member States, the Commission’s strategy is ambitious and far-reaching. In some areas, the Commission appears willing to test the boundaries of what regulation can practically achieve and Viviane Reding herself, the Commissioner leading this process, is not afraid to speak up. The enhancement of people’s data privacy rights is top of her priorities and the introduction of the ‘right to be forgotten’ is spearheading this quest.

One logical question to put to the Commission is what they actually mean by the right to be forgotten. EU data protection law already features a data quality principle that requires organisations to get rid of obsolete data, plus we also have a right to object to the use of our information by others. So what is new about this proposed right? Commissioner Reding's words are rather revealing. She wants individuals to be able to maintain control over their data. The Commissioner points out that this is particularly important in the online world, where data protection practices are often unclear, non-transparent and non-compliant with existing rules. So to compensate for this lack of control, the Commission is looking at introducing a stand-alone right to be forgotten.

The issue with this new right is when it should apply and when it shouldn’t. Forgetting – and indeed forgiving – is human, so there is a clear rationale for giving people a chance to let time perform its natural healing role.  However, even the most basic digital technology enables us to retrieve in a matter of seconds information which would otherwise fade in people’s memories. There are many cases – possibly the majority – where this is good news for us, limited humans. But there will be other instances where the inability to forget will bring with it the constant embarrassment and possibly humiliation attached to making our past mistakes visible. The problem is that although it is possible to see when the right to be forgotten would be a convenient tool to delete any digital evidence of those mistakes, there are only very few instances where the exercise of that right would be truly feasible.

Let’s start with a clear cut situation: overexcited youngsters decide to boast about their high-spirited lifestyle by disseminating photographic evidence of it via a social networking site. A few years or just days later, those pictures become an unhelpful reminder of their foolish behaviour but by then the images have attracted many comments, links and tags. Should it be possible for the subjects of those photos to withdraw them entirely from the face of the net? They will certainly be able to take them off the pages or profiles within their control but that’s pretty much it. In a world of user generated content and limitless communications it is simply not going to be possible to stop the spread of personal information.

Should the law instead prevent the ability to find that information even if it is out there somewhere? As logical as that may sound, that would turn search engines into policemen, judges and censors of potentially every bit of information on the web so that cannot possibly be right. Sure, it may be privacy friendly for a social networking site to allow users to make their profiles invisible to search engines – as Facebook does – but it would be ludicrous to make those search engines responsible for determining what information about one particular topic or individual should be revealed or withheld. That would be like making a telco responsible for spotting lies told by people on the phone. That clearly cannot be the way forward.

Ultimately, the establishment of a right to be forgotten is about how far other civil liberties may be suppressed. In its most extreme form, the right to be forgotten would enable individuals to construe a digital persona which according to them would keep the good bits and bury the bad bits. That is of course everyone’s dream but does not reflect the complex reality of human interactions. People and organisations rely on information about others to function.  Reducing that information to a fake avatar would turn us all into autocratic dictators who present themselves as flawless and hide behind that perfect persona. Let’s focus on allowing the technology to prosper and regulating unfair uses of that technology instead.