Regulating the Right to be Forgotten?

Paul Daly July 31, 2014

The European Court of Justice’s recent ‘Right to be Forgotten‘ ruling has caused much ink to be spilled. Despite the significant criticism it has received, I think the decision was quite sensible, for reasons given here by Eric Posner.

It continues to provoke interesting commentary. Consider the following description of the problem from Babak Siavoshy at Concurring Opinions:

The current implementation of the right to be forgotten decision puts the day-to-day interpretation of a set of imprecise rules pertaining to the exercise of very important freedoms—a process typically reserved for public regulatory bodies and (in the U.S.) administrative agencies—in the hands of a small number of Silicon Valley companies…

Then there’s the issue of conflicts of interest. The ECJ’s decision tasks search engine providers to apply a public interest test to determine whether information should be deleted. But if you work for a search engine provider, chances are you already have some opinions about whether access to information serves the public interest. Google’s mission is “to organize the world’s information and make it universally accessible and useful.”

It’s in Google’s culture—and in its profit interest—to believe that making more information accessible makes the world a better place. There’s nothing wrong with that position, but if you’re a regulator looking for an impartial representative of European data subjects’ privacy rights you might start elsewhere. (This is not a critique of Google, by the way – it’s a commentary on the procedures that force them to play philosopher kings against their own interests).

And a proposed solution:

EU regulators are currently in the process of formulating additional guidelines for providers subject to takedown requests. Adding more meat to the ECJ’s ruling is a needed first step, but it may fall short of addressing the procedural flaws with the current regime, which puts day-to-day adjudication of right to be forgotten claims in the hands of providers rather than policymakers.

Instead, the EU’s best bet is to change the procedural framework governing right to be forgotten requests in a way that shifts the burden of practical policymaking away from the likes of Google, Yahoo, and Microsoft. As I’ll discuss below, inspiration for such an alternative can be found in other areas of law governing third party service providers and their users, including DMCA (copyright) takedowns and procedures governing law enforcement requests for email content…

The EU would do well to adopt a similar model for its right to be forgotten regime. In an ideal system, all right to be forgotten requests would be adjudicated, in the first instance, by EU data protection authorities. Those authorities would set up processes to manage these requests, perhaps including an adversarial process and appeals to handle close cases. Service providers would of course have to play a clerical role in the takedown process, as they do in the DMCA context. And providers would probably have to retain their right to appeal decisions under certain circumstances, as they do with court orders for user emails.

As with the DMCA and law enforcement procedures described above, this change in process would more firmly place responsibility for important questions of liberty and privacy in the hands of those who are accountable to the public. It would be regulators, rather than private companies, who are tasked with determining, on a day-to-day basis, what is in the public interest and what is not, what is relevant and what is outdated. And it would be they, rather than Google or Yahoo, who bear responsibility for balancing the right to be forgotten against the right of their citizens to know.

Administrative lawyers are familiar with the problem of choosing an instrument that will help a regulator achieve its objectives. Sometimes, an important meta question is posed: whether to establish a regulatory agency in the first place.

In this case, there are reasons against establishing an agency. For one thing, it is possible that the ‘right to be forgotten’ will be largely vindicated by internal changes to search engine technology. Would a regulator have the capacity to keep up with Google and Yahoo’s algorithms? For another, the problem of conflict of interest might simply arise in a (even?) more insidious form due to agency capture. Would a regulator end up espousing the interests of large internet companies over those of individuals? Or, less dramatically, simply integrating privately developed standards into formal or informal regulations?

The present situation, with private actors forced by a judicial decision to respond to individual complaints, seems workable. Over time, Google et al will doubtless learn how to sift the genuine complaints from the non-genuine and adjust their algorithms accordingly. If the companies refuse to do so, there will be popular, political and judicial pressure for them to act. Norms will invariably emerge to regulate search engines. If they prove deficient, perhaps it will then be time to consider creating a dedicated regulatory agency.

This content has been updated on July 31, 2014 at 07:31.