A chat bot released by Microsoft this Wednesday was taken down on Thursday because her self-learning capabilities had turned her...
The landmark Google Spain decision from 2014 established the right to be forgotten (RTBF) or, more precisely, the right to remove inaccurate, irrelevant or otherwise incompatible links that contain personal data. This judgement received massive media attention and filled citizens with hope that in the future they will be able to bring personal data back under their control.
Traditionally, fundamental rights are ‘conceived as liberties’ – consisting of relatively simple, aspirational statements. Administration of these rights is delegated to contemporary human rights institutions. Their “customary vernacular” is often criticized for being insufficient to guarantee the actual enjoyment of the rights. The right to data protection differs from a typical ‘right-conceived-as-liberty’ and should rather be described as a ‘right-conceived-as-affordance’, i.e. a right granting individuals a possibility to act. This active character is in particular reflected through the right to be forgotten, an important building block of the broader right to data protection. The increasing willingness of Europeans to oppose Google’s data processing yields strong proof that the newly established process of link removal did indeed provide some sort of affordance. Until today Google has received over 700.000 requests for removal and has delisted almost 2 million URLs.
Soon after the CJEU judgement in 2014, the right to be forgotten began its march across the EU national courts. Out of approx. 700.000 requests that Google has received so far, deletion was only granted in approx. 43 % of the cases. Some of the cases that were not resolved in favour of individuals have ended up at national DPAs and courts.
Despite a high number of cases, the complexity of adjudicating the RTBF has not decreased a bit, neither for Google nor for the courts. Contrasting opinions issued by national DPAs and judges prove that they often encounter difficulties with the interpretation. The RTBF aims to protect the values that are at the heart of data protection – (informational) privacy, personal autonomy and power symmetry. Understanding what the right to be forgotten is about is certainly relevant for its interpretation and application. That said, understanding what the right is not about is equally important. Among other things, the right to be forgotten does not aim to protect commercial interests or to resolve the problem of fake news.
In this blog I consider two recent decisions on the RTBF. They both demonstrate the intention of applicants to expand the right to fit an array of diverse situations. DPAs and courts, in turn, struggle to determine clear boundaries to the RTBF. Some questions might be less daunting, however, if the true nature of the right to be forgotten as a facet of data protection founded on the values of privacy, autonomy and democratic principles were taken into account more carefully.
Manni – the analogy of commercial registers to search engines
Manni was an Italian entrepreneur who sued the Lecce Chamber of Commerce for not removing his personal data from their commercial register. Registering commercial entities and their directors is a legal obligation in Italy (as well as in other EU countries). The rationale behind the publicity is, among others, protection of (future) commercial transactions between companies and third parties. Manni contended that the fact that his name in the register could be associated with a dissolved company would negatively impact his reputation and therefore infringe his privacy. The fact that data from the register could be reused (and had been reused) by rating agencies specialised in the collection and processing of market information and in risk assessment represented a particular danger.
The European Court of Justice (CJEU) denied Manni the RTBF. In the analysis it balanced the right to privacy/data protection and the right to publicity (more precisely, the objectives of legal certainty and protection of third parties), and decided that the latter prevails. Two arguments supported the judgement: 1. the commercial register only discloses a limited number of personal data items, 2. Manni has deliberately chosen to participate in trade and should have known that certain publicity is an indispensable part of it. However, the court pointed out that in exceptional circumstances Manni might have the right to object, i.e. a more limited control right under data protection law. This possibility needs to be assessed on a case-by-case basis.
As Kulk and Borgesius note, in the digital age every online publication might have fatal effects on someone’s privacy: “If a public register is published online, its data can be collected and republished by data brokers, journalists, search engines, and others. Such data re-use can serve important goals […]. However, data re-use can also threaten privacy.” Zanfir, while supporting the CJEU ruling, acknowledges the important point that Kulk and Borgesius make, noting that there is still room for improvement of “…analysing the proportionality of the interference of the virtually unlimited publishing [underlined by H.U.] of personal data in the Companies Register with Articles 7 and 8 of the Charter.”
The CJEU’s arguments could be stronger if they were supported by the purpose and values behind Articles 7 and 8. One of these values is personal autonomy, which could offer an additional explanation why in Manni the RTBF cannot outweigh the publicity principle. If a trader could use the right to remove his personal data, it would be the autonomy of his business that would gain protection but not (necessarily) him as a natural person. From the assertions of the applicant, no particular concern about privacy and autonomy of his person can be inferred. Rather, it is his commercial reputation that is at stake. In the light of the growing importance of data-driven processing, Kulk and Borgesius’ observation is welcome, but data reuse’s implicit privacy threats seem, at least in this case, insufficient to tilt the balance in favour of the entrepreneur’s privacy.
Mark Savage v. DPA – the right to be forgotten as a tool to address “fake news”?
In 2014 Mark Savage, an Irish politician, demanded that Google delete the URL containing the following statement: “Mark Savage North County Dublin’s Homophobic Candidate”. This URL linked to the web forum Reddit, where users discussed Savage’s public behaviour and assumed his negative approach to homosexuals. Google refused Savage’s request, asserting that as a public figure, Mr Savage had joined a debate on matters relating to the gay community and that it was in the public interest that internet users have access to his political and cultural views. Savage filed a complaint against Google at the Irish DPA, which later confirmed Google’s decision. The DPA perceived the post as a representation of someone’s opinion and not as a fact that described Savage’s true characteristics. In line with Article 29 Working Party’s guidelines, the DPA found no inaccuracy that would give rise to the right to be forgotten. Moving the case to the judicial branch, Savage challenged the DPA’s holding at the Dublin Circuit Court.
The case is now pending before the Irish High Court and the decision will be delivered in May. Some expect that the notion of “information (in)accuracy” will once again play the decisive role in the decision. While Justice Sheahan herself admitted that the appeal turned on a consideration of a narrow premise, it is disappointing that the court remained silent regarding the ways in which the URL to the discussion on Reddit actually influenced (or could influence) individual privacy and other values underlying the right to data protection. Hopefully, the High Court will shed more light on the balancing process.
“… users of the internet, now more than ever, rely on it for ascertaining information, and therefore the need for accuracy regarding factual information in same is of paramount importance,” asserted the applicant. While this is indeed true, it remains open whether the right to data protection is an appropriate instrument to address so many highly diverse challenges of the modern data-driven reality.
What is striking in both cases is the fact that the applicants attempt to take the right to be forgotten to its edges, transforming it into a facilitator of not only data protection and privacy but also other interests, such as preservation of commercial interests and the fight against defamatory comments (in the sense of libel) or fake news. While balancing the right to privacy/data protection and the freedom of expression is challenging enough, various interests that also play a role in a growing number of cases additionally complicate courts’ argumentation. It might be helpful to turn back to the normative anchors of data protection, which are self-determination, power symmetry and protection of privacy, to set the boundaries of the right to be forgotten.
Thanks to Pieter, Jenneke and Vivian for their helpful comments.
 Court of Justice of the EU, C-131/12, Google Spain v. AEPD and Mario Costeja González, judgment from May 13, 2014, para 92.
 Cohen, Julie E., Affording Fundamental Rights (March 13, 2017). 4:1 Critical Analysis of Law (2017), pp. 3-4.
 https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en (accessed on March 25, 2017)
 https://blog.google/topics/google-europe/reflecting-right-be-forgotten/ (accessed on March 25, 2017)
 See for example Lynskey, O., The foundations of EU data protection law (2015), Oxford University Press.
 CJEU, C 398/15, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni, judgment from March 9, 2017.
 Kulk, Stefan and Borgesius, Z. F.: Freedom of expression and ‘right to be forgotten’ cases in the Netherlands after Google Spain, European Data Protection Law Review 2015-2, p. 113-125.
 Zanfir-Fortuna, Gabriela: CJEU in Manni: data subjects do not have the right to obtain erasure from the Companies Register, but they do have the right to object, pdpEcho, available at: https://pdpecho.com/2017/03/13/cjeu-in-manni-data-subjects-do-not-have-the-right-to-obtain-erasure-from-the-companies-register-but-they-do-have-the-right-to-object/.
 Unfortunately, to date, the Court has been reluctant to elaborate on the precise content of Article 8.
 First Irish ‘Right to be Forgotten’ Case (10 March 2017), Mason Hayes & Curran Tech law blog, https://www.mhc.ie/latest/blog/first-irish-right-to-be-forgotten-case.
 Supra 12.
 Article 29 Working Party, Guidelines on the Implementation of the Court of Justice of the European Union judgment on “Google Spain And Inc v. Agencia Española De Protección De Datos (Aepd) and Mario Costeja González” C-131/12, adopted on 26 November 2014
 Mark Savage v. Data Protection Commissioner and Google Ireland, Record No. 2015/-2589, delivered by Judge Elma Sheahan on the 11th October, 2016.
 Unfortunately, the balancing exercise between the freedom of expression of Reddit users and Savage’s right to data protection and privacy is rather implicit and does not allow for a more detailed analysis.
 Supra 12.
 Also, it would be useful if the court could address the possibility that the case would be considered through the lens of a possible defamation instead of a violation of privacy.
One of the big internet cases of this year, the Microsoft Ireland case, came to an end about a month ago when the 2nd Circuit Court handed down its ruling in favour of Microsoft. The case made quite a splash and has been covered before at the RENFORCE blog. With the verdict in, the time is ripe to revisit it and look at it again, this time from a different angle.
The case started when Microsoft was served with a (domestic) search warrant by the U.S. government under the Electronic Communications Privacy Act to produce information relating to a drugs trafficking and money laundering case. The warrant included the production of e-mails stored behind the msn.com domain, which is operated by Microsoft. Microsoft declined to comply with the warrant as far as the e-mails were concerned because, according to Microsoft, those e-mails were located on servers in Ireland and only there, and therefore not susceptible to a domestic search warrant. More…
However, these revelations stand out because they were not leaks; there were no whistleblowers. Instead, we see two occasions where WikiLeaks used material that was purloined by hackers outside of the target organisations, who then offered the data to WikiLeaks for publication. By accepting, WikiLeaks got hacked at its own game. The DNC and AKP disclosures provide some ‘scientific journalism’ for Assange of how and why hacking-to-leak falls short. More…
Two of our contributors, Dr. Christoph Lutz and Aurelia Tamò, are co-organizing with Eduard Fosch Villaronga and Jo Bac a twinned workshop on robotics, to be held in both Barcelona (Spain) and Yokohama (Japan). These workshops take place on 2 and 14 November 2016 and will have the same content and format. Participants can select which workshop they would prefer to attend.
On June 15, the Representation of the state North Rhine-Westphalia to the EU hosted a panel of renowned experts and high-level representatives from the European Commission and the industry, all gathered in Brussels to answer a daunting question: does the EU data economy need an industry data protection right?
We were among the lucky ones chosen to present at the 2016 We Robot Conference and for both of us, it was one of the best conferences we have ever attended. We Robot 2016 took place at the University of Miami and was hosted mainly by Professor Michael Froomkin. From the organization to the speakers: everything was amazing! We won’t address every topic discussed at the conference but we will give you a taste of the topics and point you to some interesting readings in this area. Interested parties should also check out the We Robot website and consider applying for next year’s edition, taking place on March 31 & April 1 at Yale University. More…
In her speech “Time for delivery” at the aviation summit in Brussels in January 2016, European Commissioner for transport Violeta Bulc announced that this year the Commission will deliver a proposal for a basic legal framework for the safe use of drones at the European level. EU-wide rules will materialise the European Commission’s aviation strategy revealed in the EC 2014 communication and, as many hope, boost the market while building confidence in drones’ manufacturers and users. Unfortunately, the Commission does not have a magic wand that would instantly create a well-balanced and sustainable EU regulatory landscape. Up until now, member states’ steps towards smart regulation have been slow and, as will be shown below, a daunting task for many of them, in particular for the small ones.
Balázs Gulyás is a young Hungarian sociologist and activist who helped organize mass protests that took place in Hungary in autumn 2014 against a government proposal to tax the Internet. Gulyás organized protests against a proposal to tax based on the amount of data transferred or “consumed”. With him, tens of thousands of Hungarians took to the streets to protest, which forced the government to withdraw its plans to directly tax Internet use.
We recently had a chance to talk to Mr. Gulyás about the protests and their impact on Hungarian society, and broader subjects of Internet taxation and Internet governance. The interview took place in Budapest, Hungary, on July 12th 2015.
Today the Court of Justice of the European Union (CJEU) invalidated Decision 2000/520 of the European Commission establishing a safe harbour for transferring personal data from the EU to the US. Furthermore, it clarified and strengthened the role of national Data Protection Authorities when such a safe harbour is issued. This post explains the judgment through some highlights and concludes with the Commission’s response.
The abrupt death of hitchBOT on August 1, 2015 shocked its fans. hitchBOT, the friendly hitchhiker robot, had traveled across Germany, the Netherlands, Canada and some parts of the USA. In Philadelphia, however, the robot was vandalized—a scenario he had not been programmed to deal with. And so his journey ended. More…
(Spoiler alert: Ex Machina & The Age of Ultron)
What if the internet was a person? This idea, that the internet could have a personality, is a theme that has appeared in two recent big-budget sci-fi film releases. We’ve got Ex Machina, a story about the search for artificial intelligence, and The Avengers: The Age of Ultron, where the main villain is an alien AI. But the idea stretches back a fair bit further. More…
We would like to follow up on the activities of our Privacy Roundtable, so as to keep you in the loop. As we mentioned in January, we created the “Sankt Galler Privacy Interaction Framework” (short: SG-PIF) – an interdisciplinary approach to analyze current and future privacy issues. One phenomenon that caught our eye was email tracking. More…
A Dutch Court today ruled that Facebook has a duty to identify a person who has uploaded a revenge porn video on its social network. In this case, the video displays a woman, Chantal, performing oral sex on her now ex-boyfriend. A fake account bearing Chantal’s name was created and used to share the private video with her friends and others. Chantal’s ex-boyfriend, who recorded the video, has always denied uploading the video. Although Facebook removed the video within one hour, the video had already found its way online and is still being shared. Chantal went to court and claimed release of information identifying the person who created the fake account and uploaded the video. More…
Facebook is the modern-day microphone. The social media platform, in contrast to traditional ways of conveying messages, provides the opportunity for opinions to be amplified immediately to millions of others with the click of a mouse.
But unlike an orator physically standing before you where speech patterns can be scrutinized, emotions can be evaluated, and body language can be deciphered, words from a Facebook user become one-dimensional in transit to readers. Often, those construing messages miles away add their own color and depth to the communication composed behind an emotionless keyboard, creating a discrepancy between the intent of the original speaker and how the expression is perceived by other parties.
This results in dissonance in the interpretation of messages between the speaker and listener in the digital world that is not as prevalent in in-person communications. The divergence in the discernment of words created through online speech can add complications to speech laws where intent is a key inquiry and can determine innocence or guilt. More…
Disclaimer: Although the issue of memory in a digital society is a very cutting-edge topic, this report can be rather confusing for anyone who hasn’t been thinking about remembering and forgetting in the digital age for as long as I have; I apologize for that. For more insight on the ideas behind this workshop and the project run by the Research Center for Information Law (FIR-HSG) at the University of St.Gallen, Switzerland, please take a look at our Wiki.
Last month, I organized and attended the concluding workshop for our (my professors’ and my) project called “Remembering and Forgetting in the Digital Age”. We invited renowned scholars from all over the world who in one way or the other deal with memory in the digital age and we were very happy to host guests such as Urs Gasser, Viktor Mayer-Schönberger, Michael Arnold, Wesley Shumar and many more. More…
In this brief piece, I’m going to address the culture of image responses in online communication, and look at how and why I think Facebook has incorporated its own system. Within the last two years Facebook has provided a new feature in its chat and thread systems: the ability to comment or post using small images called ‘stickers’. Finding a precise date on the inclusion of stickers into the Facebook social media ecology is difficult because the inclusion hasn’t been marked by much in the way of press releases or other trumpeting. Stickers subtly became a part of the everyday use of Facebook without much fanfare, neither changing extant services nor replacing existing ones. We collectively woke up one day, logged in, maybe noted a new button in our chat windows and then perhaps thought in passing “was that smiley face there yesterday?” Perhaps we used them, perhaps we did not, but they were now here to stay. More…
A few weeks ago, I watched Toute la mémoire du monde as part of a project I was working on. It’s a short documentary film by Alain Resnais. Shallow as I am, I have a soft corner for high-resolution and detailed color display. But this film, in all its shades of grey (pardon the reference), captured my interest, leading to this contemplative essay.
Luke: February 2015 marks The Interdisciplinary Internet Institute’s 1/2 Birthday! It has been an exciting 6 months. Founded by 5 researchers who met at Harvard’s Berkman Center for Internet and Society last September, the site has grown to 16 contributors all interested in how the internet affects our social, political, and personal lives.
Our content has covered how open data lets us track where celebrities take their taxis, why thousands of internet-connected cameras are wide open for anyone to use as spying devices, Reddit’s reaction to the deluge of nude celebrity pictures that made the news in August, the launch of Facebook’s glittery competitor Ello, the right to be forgotten, and on and on and on! Some of these stories were cross-posted in media such as The Conversation and the New York Times, others our authors wrote exclusively for our site.
These stories have been shared across Facebook, chirped at on Twitter, mentioned in EU Commission presentations and read in over 145 countries (no love from Greenland, or North Korea). At the top right of this page, we also provide links to ‘things that caught our eye’ and make the net ‘go round’. More…