Today, CDT is releasing a paper analyzing the free expression implications of the proposed “Right to Be Forgotten” in the draft European Data Protection Regulation (DPR). The Right to Be Forgotten concept has received much attention since the DPR was first introduced, and while we understand the concerns that motivate the proposal, CDT continues to have serious misgivings about the DPR’s approach to the concept. As described in Article 17, the Right to Be Forgotten would put private companies in the position of balancing users’ free expression and privacy rights – a difficult task that has traditionally been the purview of courts and
legislatures, and one that companies are not equipped to undertake. Further, the DPR puts a heavy thumb on the scale on the side of privacy, promising high fines if companies violate the regulation, but providing only narrowly scoped safeguards for journalistic and artistic expression.
The proposed Article 17 allows any user to request that an online service provider delete all of the data about her that the service provider possesses. If that information has been made publicly available, data controllers are required to notify third parties that link to, or have copies of, the data about the deletion request. This broad conception of the Right to Be Forgotten fails to adequately consider the free expression concerns inherent in a right to remove true, lawfully published information from the public record. Quoting and commentary are integral to free expression; yet Article 17 could chill such expression, since a deletion request would extend to third-party references to data that an individual requests deletion of. Article 80 requires Member States to make a limited accommodation for free expression, but that provision falls short of standards required by international human rights instruments. If adopted, the “Right to Be Forgotten” proposal would generate a variety of regulations to protect free expression throughout Member States, creating a lack of clarity for both individuals and data processors regarding what standards apply to a deletion request and what balance must be struck between privacy and free expression.
Since its proposal, several modifications and amendments to the DPR have been proposed. Notably, European Parliament Rapporteur Jan Albrecht has proposed in a draft report several amendments relating to Article 17 that address some of our concerns. For example, the Albrecht Report would amend Article 80 to require Member States to adopt legislation that protects free expression in accordance with the Charter of Fundamental Rights for the European Union and the European Convention on Human Rights. It would also limit controllers’ obligations to take “all necessary steps to have the data erased” from third parties’ services only to cases where the controller had illegally published the data. This is an important narrowing from the original draft, but one that still leaves the unworkably broad “all necessary steps” obligation in place. Further, the Albrecht Report does not effectively limit the scope of data covered by Article 17, leaving the critical flaw that would give a user the right to order the takedown of information beyond what she herself has posted. As a result, the obligations placed upon data controllers would remain insurmountably high, with undoubtedly negative consequences for users’ online expression.
No comments:
Post a Comment