======================================================================
=                       Right to be forgotten                        =
======================================================================

                            Introduction
======================================================================
The right to be forgotten is the right  to have negative private
information about a person to be removed from internet searches and
other directories under some circumstances. The concept that has been
discussed and put into practice both in the European Union (EU) and,
since 2006, in Argentina. The issue has arisen from desires of
individuals to "determine the development of their life in an
autonomous way, without being perpetually or periodically stigmatized
as a consequence of a specific action performed in the past."

There has been controversy about the practicality of establishing a
right to be forgotten to the status of an international human right in
respect to access of information, due in part to the vagueness of
current rulings attempting to implement such a right. Furthermore,
there are concerns about its impact on the right to freedom of
expression, its interaction with the right to privacy, and whether
creating a right to be forgotten would decrease the quality of the
Internet through censorship and a rewriting of history. Those in
favour of the right to be forgotten cite its necessity due to issues
such as revenge porn sites appearing in search engine listings for a
person's name, as well as instances of these results referencing petty
crimes individuals may have committed in the past. The central concern
lies in the potentially undue influence that such results may exert
upon a person's online reputation almost indefinitely if not removed.


                      Conception and proposal
======================================================================
Europe's data protection legislations are intended to secure
potentially damaging, private information about individuals. The
notion of "the right to be forgotten" is derived from numerous
pre-existing European ideas. There is a longstanding belief in the
United Kingdom, specifically under the Rehabilitation of Offenders
Act, that after a certain period of time, many criminal convictions
are "spent", meaning that information regarding said person should not
be regarded when obtaining insurance or seeking employment. Similarly,
France values this right - 'le droit �  l'oubli' (the right to be
forgotten) - as it was officially recognized in French Law in 2010.
Views on the right to be forgotten differ greatly between the United
States and EU countries. In the United States, transparency, the right
of free speech according to the First Amendment, and the right to know
have typically been favoured over the obliteration of truthfully
published information regarding individuals and corporations. The term
"right to be forgotten" is a relatively new idea, though on May 13,
2014, the European Court of Justice legally solidified that the "right
to be forgotten" is a human right when they ruled against Google in
the 'Costeja' case.

In 1995, the European Union adopted the European Data Protection
Directive (Directive 95/46/EC) to regulate the processing of personal
data. This is now considered a component of human rights law. The new
European Proposal for General Data Protection Regulation provides
protection and exemption for companies listed as "media" companies,
like newspapers and other journalistic work. However, Google purposely
opted out of being classified as a "media" company, therefore the
company is not protected. Judges in the European Union ruled that
because the international corporation, Google, is a collector and
processor of data it should be classified as a "data controller" under
the meaning of the EU data protection directive. These "data
controllers" are required under EU law to remove data that is
"inadequate, irrelevant, or no longer relevant", making this directive
of global importance.


                      Current legal frameworks
======================================================================
The right to be forgotten "reflects the claim of an individual to have
certain data deleted so that third persons can no longer trace them."
It has been defined as "the right to silence on past events in life
that are no longer occurring." The right to be forgotten leads to
allowing individuals to have information, videos, or photographs about
themselves deleted from certain internet records so that they cannot
be found by search engines.
there are few protections against the harm that incidents such as
revenge porn sharing, or pictures uploaded due to poor judgement, can
do.

The right to be forgotten is distinct from the right to privacy, due
to the distinction that the right to privacy constitutes information
that is not publicly known, whereas the right to be forgotten involves
removing information that was publicly known at a certain time and not
allowing third parties to access the information.

Limitations of application in a jurisdiction include the inability to
require removal of information held by companies outside the
jurisdiction. There is no global framework to allow individuals
control over their online image. However, Professor Viktor
Mayer-Schönberger, an expert from Oxford Internet Institute,
University of Oxford, said that Google cannot escape compliance with
the law of France implementing the decision of the European Court of
Justice in 2014 on the right to be forgotten. Mayer-Schönberger said
nations, including the US, had long maintained that their local laws
have "extra-territorial effects".


Google and the European Union
===============================
In Article 12 of the Directive 95/46/EC the EU gave a legal base to
internet protection for individuals. In 2012 the European Commission
disclosed a draft European Data Protection Regulation to supersede the
directive, which includes specific protection in the right to be
forgotten in Article 17.

To exercise the right to be forgotten and request removal from a
search engine, one must complete a form through the search engine's
website. Google's removal request process requires the applicant to
identify their country of residence, personal information, a list of
the URLs to be removed along with a short description of each one, and
attachment of legal identification. The applicant receives an email
from Google confirming the request but the request must be assessed
before it is approved for removal. If the request is approved,
searches using the individual's name will no longer result in the
content appearing in search results. The content remains online and is
not erased. After a request is filled, their removals team reviews the
request, weighing "the individual's right to privacy against the
public's right to know", deciding if the website is "inadequate,
irrelevant or no longer relevant, or excessive in relation to the
purposes for which they were processed". Google has formed an Advisory
Council of various professors, lawyers, and government officials from
around Europe to provide guidelines for these decisions. However, the
review process is still a mystery to the general public. Guidelines
set by EU regulators were not released until November 2014, but Google
began to take action on this much sooner than that, which (according
to one author) allowed them "to shape interpretation to [their] own
ends". In May 2015, eighty academics called for more transparency from
Google in an open letter.

The form asks people to select one of the twenty-eight countries that
make up the European Union, as well as Iceland, Liechtenstein, Norway,
and Switzerland. "The form allows an individual or someone
representing an individual to put in a request" for the removal of any
URLs believed to be a violation of the individual's privacy.
Regardless of who is submitting the form, some form of photo
identification of the person the form is being submitted for must be
presented. The purpose of this is to provide proof that the person for
whom the request is being made does in fact approve.

If Google refuses a request to delink material, Europeans can appeal
to their local data protection agency. As of May 2015, the British
Data Protection Agency had treated 184 such complaints, and overturned
Google's decision in about a quarter of those. If Google fails to
comply with a Data Protection Agency decision, it can face legal
action.

In July 2014, in the early stages of Google's effort to comply with
the court ruling, legal experts questioned whether Google's widely
publicized delistings of a number of news articles violated the UK and
EU Data Protection Directive, since in implementing the Directive,
Google is required to weigh the damage to the person making the
request against any public interest in the information being
available. Google indeed acknowledged that some of its search result
removals, affecting articles that were of public interest, were
incorrect, and reinstated the links a week later. Commentators like
Charles Arthur, technology editor of 'The Guardian', and Andrew
Orlowski of 'The Register' noted that Google is not required to comply
with removal requests at all, as it can refer requests to the
information commissioner in the relevant country for a decision
weighing the respective merits of public interest and individual
rights.

Google notifies websites that have URLs delinked, and various news
organizations, such as BBC, have published lists of delinked articles.
Complainants have been named in news commentary regarding those
delinkings. In August 2015 the British Data Protection Agency issued
an enforcement action requiring Google to delink some of these more
recent articles from searches for a complainant's name, after Google
refused to do so. Google complied with the request. Some academics
have criticized news organizations and Google for their behavior.

As of May 2014, Google has removed 1,390,838 URLs. From a gathering of
which websites had the most links removed, Facebook won with a total
of 11,973 URLs removed. YouTube had 5,999 removed, Google Groups had
7,246 removed, and Twitter had 4,588 removed. Though Facebook had the
largest number of deleted URLs, there were other received requests
that were not granted deletion. While Google does evaluate millions of
URLs that have been requested to be removed, the ultimate decision
must be made by a human "because the variables, including public
interest claims, needs to be handled on a case-by-case basis".
However, it is to be kept in mind that internet users can still find
removed information somewhat easily, just not through European Google
search engines.

In July 2015, Google accidentally revealed data on delinkings that
"shows 95% of Google privacy requests are from citizens out to protect
personal and private information - not criminals, politicians and
public figures."

This data leak caused serious social consequences for Google as the
public expressed their outrage and fear over the information that was
recently made public. Though only 5% of requests were made by
criminals, politicians, and public figures, the content removed was
what sparked the most fear. In particular, one request for data
removal was from a British doctor requesting to have 50 links removed
on past botched medical procedures. Google agreed to remove three
search results containing his personal information. The public voiced
their outrage stating that removing such information can be used for
manipulation and could lead to innocent people making uninformed
decisions. Google responded to the public outrage by saying that when
removing content they consider both the right of the individual and
public interest.

The European Union has been pushing for the delinkings requested by EU
citizens to be implemented by Google not just in European versions of
Google (as in google.co.uk, google.fr, etc.), but on google.com and
other international subdomains. Regulators want delinkings to be
implemented so that the law cannot be circumvented in any way. Google
has refused the French Data Protection Agency's demand to apply the
right internationally. Due in part to their refusal to comply with the
recommendation of the privacy regulating board Google has become the
subject of a four-year-long antitrust investigation by the European
Commission. In September 2015, the French Data Protection Agency
dismissed Google's appeal.

The French Data Protection Agency appealed to the EU courts to seek
action on Google for failing to delink across its global servers. In
September 2019 the Court of Justice for the EU issued its decision,
finding that Google is not required to delink on sites external to the
EU, concluding that "Currently, there is no obligation under EU law,
for a search engine operator who grants a request for de-referencing
made by a data subject ... to carry out such a de-referencing on all
the versions of its search engine."

As of September 2015, the most delinked site is 'www.facebook.com'.
Three of Google's own sites, 'groups.google.com', 'plus.google.com'
and 'www.youtube.com' are among the ten most delinked sites. In
addition to Google, Yahoo and Bing have also put up forms for making
delinking requests.


Spain
=======
In May 2014, the European Court of Justice ruled against Google in
'Costeja', a case brought by a Spanish man, Mario Costeja González,
who requested the removal of a link to a digitized 1998 article in 'La
Vanguardia' newspaper about an auction for his foreclosed home, for a
debt that he had subsequently paid. He initially attempted to have the
article removed by complaining to the Spanish Agency of data
protection, which rejected the claim on the grounds that it was lawful
and accurate, but accepted a complaint against Google and asked Google
to remove the results. Google sued in the Spanish 'Audiencia Nacional'
(National High Court) which referred a series of questions to the
European Court of Justice. The court ruled in 'Costeja' that search
engines are responsible for the content they point to and thus, Google
was required to comply with EU data privacy laws. On its first day of
compliance only (May 30, 2014), Google received 12,000 requests to
have personal details removed from its search engine.


Germany
=========
On October 27, 2009, lawyers for Wolfgang Werlé who�together with
Manfred Lauber�was convicted of murdering Walter Sedlmayr sent the
Wikimedia Foundation a cease and desist letter requesting that Werlé's
name be removed from the English language Wikipedia article Walter
Sedlmayr, citing a 1973 Federal Constitutional Court decision that
allows the suppression of a criminal's name in news accounts once he
is released from custody. Previously, Alexander H. Stopp, attorney for
Werlé and Lauber, had won a default judgment in German court, on
behalf of Lauber, against the Wikimedia Foundation. According to the
Electronic Frontier Foundation, Werlé's lawyers also challenged an
Internet service provider in Austria which published the names of the
convicted killers.

Wikimedia is based in the United States, where the First Amendment
protects freedom of speech and freedom of the press. In Germany, the
law seeks to protect the name and likenesses of private persons from
unwanted publicity. On January 18, 2008, a court in Hamburg supported
the personality rights of Werlé, which under German law includes
removing his name from archive coverage of the case.

On November 12, 2009, 'The New York Times' reported that Wolfgang
Werlé had a case pending against the Wikimedia Foundation in a German
court. The editors of the German-language Wikipedia article about
Sedlmayr removed the names of the murderers, which have since then
been restored to the article. 'The Guardian' observed that the lawsuit
has led to the Streisand effect, an upsurge in publicity for the case
resulting from the legal action.

On December 15, 2009, the German Federal Court of Justice
(Bundesgerichtshof) in Karlsruhe ruled that German websites do not
have to check their archives in order to provide permanent protection
of personality rights for convicted criminals. The case occurred after
the names of the brothers were found on the website of
Deutschlandradio, in an archive article dating from July 2000. The
presiding judge Gregor Galke stated "This is not a blank check", and
pointed out that the right to rehabilitation of offenders had been
taken into consideration.


Argentina
===========
Argentina has seen law suits by celebrities against Google and Yahoo!
in which the plaintiffs demand the removal of certain search results,
and require removal of links to photographs. One case, brought by
artist Virginia da Cunha, involved photographs which had originally
been taken with her permission and uploaded with her permission,
however she alleged that the search results improperly associated her
photographs with pornography. De Cunha's case achieved initial success
resulting in Argentina search engines not showing images of the
particular celebrity, however this decision is on appeal.

Virginia Simari, the judge in favour of De Cunha, stated that people
have the right to control their image and avert others from
"capturing, reproducing, broadcasting, or publishing one's image
without permission." In addition, Simari used a treatise written by
Julio César Rivera, a Buenos Aires lawyer, author, and law professor
"the right to control one's personal data includes the right to
prevent others from using one's image." Since the 1990s Argentina has
also been a part of the habeas data movement in which they "adopted a
constitutional provision that is part
freedom-of-government-information law and part data privacy law."
However, their version is known as amparo. Article 43 explains the
version:

"Any person shall file this action to obtain information on the data
about himself and their purpose, registered in public records or
databases, or in private ones intended to supply information; and in
case of false data or discrimination, this action may be filed to
request the suppression, rectification, confidentiality or updating of
said data."

Argentina's efforts to protect their people's right to be forgotten
has been called 'the most complete' because individuals are able to
correct, delete, or update information about themselves. Overall,
their information is bound to remain confidential.


United States
===============
Consideration of the right to be forgotten can be seen in US case law,
specifically in 'Melvin v. Reid', and in 'Sidis v. FR Publishing
Corp.'

In 'Melvin v. Reid' (1931), an ex-prostitute was charged with murder
and then acquitted; she subsequently tried to assume a quiet and
anonymous place in society. However, the 1925 film 'The Red Kimono'
revealed her history, and she successfully sued the producer. The
court reasoned that "any person living a life of rectitude has that
right to happiness which includes a freedom from unnecessary attacks
on his character, social standing or reputation."

In 'Sidis v. FR Publishing Corp.' (1940), the plaintiff, William James
Sidis, was a former child prodigy who wished to spend his adult life
quietly, without recognition; however, this was disrupted by an
article in 'The New Yorker'. The court held here that there were
limits to the right to control one's life and facts about oneself, and
held that there is social value in published facts, and that a person
cannot ignore their celebrity status merely because they want to.

There is opposition to further recognition of the right to be
forgotten in the United States as commentators argue that it will
contravene the right to freedom of speech and freedom of expression,
or will constitute censorship, thus potentially breaching peoples'
constitutionally protected right to freedom of expression in the
United States Constitution. These criticisms are consistent with the
proposal that the only information that can be removed by user's
request is content that they themselves uploaded.

In a June 2014 opinion piece in Forbes, columnist Joseph Steinberg
noted that "many privacy protections that Americans believe that they
enjoy - even some guaranteed by law - have, in fact, been eroded or
even obliterated by technological advances." Steinberg, in explaining
the need for legislation guaranteeing the "right to be forgotten",
noted that existing laws that require adverse information to be
removed from credit reports after a period of time, and that allow the
sealing or expunging of criminals records, are effectively undermined
by the ability of prospective lenders or employers to forever find the
removed information in a matter of seconds by doing a web search.

On March 11, 2015, Intelligence Squared US, an organization that
stages Oxford-Style debates, held an event centered on the question,
"Should the U.S. adopt the 'Right to be Forgotten' online?" The side
against the motion won with a 56% majority of the voting audience.

While opinions among experts are divided in the U.S., one survey
indicated that 9 in 10 Americans want some form of the right to be
forgotten. The consumer rights organization Consumer Watchdog has
filed a complaint with the Federal Trade Commission for Americans to
obtain the right as well.

In March 2017, New York state senator Tony Avella and assemblyman
David Weprin introduced a bill proposing that individuals be allowed
to require search engines and online speakers to remove information
that is "inaccurate", "irrelevant", "inadequate", or "excessive", that
is "no longer material to current public debate or discourse" and is
causing demonstrable harm to the subject.


India
=======
In April 2016, the Delhi High Court began to examine the issue after a
Delhi banker requested to have his personal details removed from
search results following a marital dispute. In this case, due to the
dispute being settled, the banker's request is valid. The High Court
has asked for a reply from Google and other search engine companies by
September 19, upon which the court will continue to investigate the
issue.

In January 2017 the Karnataka High Court upheld the right to be
forgotten, in a case involving a woman who originally went to court in
order to get a marriage certificate annulled, claiming to have never
been married to the man on the certificate. After the two parties came
to an agreement, the woman's father wanted her name to be removed from
search engines regarding criminal cases in the high court. The
Karnataka High Court approved the father's request, stating that she
had a right to be forgotten. According to the court, its ruling would
align with western countries' decisions, which typically approve of
the right to be forgotten when dealing with cases "involving women in
general and highly sensitive cases involving rape or affecting the
modesty and reputation of the person concerned." The woman in this
specific case was worried that the search results would affect her
standing with her husband, as well as her reputation in society.

As of February 2017, the Delhi High Court is hearing a case involving
a man requesting to have information regarding his mother and wife to
be removed from a search engine. The man believes that having his name
linked to the search is hindering his employment options. The Delhi
High Court is still working on the case, along with the issue of
whether or not a right to be forgotten should be a legal standard in
India. Currently, there is no legal standard for the right to be
forgotten, but if implemented, this would mean that citizens no longer
need to file a case in order to request for information from search
engines to be removed. This case could have significant impacts on the
right to be forgotten and search engines in India.


South Korea
=============
In May 2016, South Korea's Korea Communications Commission (KCC)
announced citizens will be able to request search engines and website
administrators to restrict their own postings from being publicly
accessible. The KCC released "[http://src.bna.com/eBy Guidelines on
the Right to Request Access Restrictions on Personal Internet
Postings]", which will take effect in June 2016, which will not apply
to third party contents. To the extent that the right to be forgotten
concerns a data subject's right to limit the searchability of third
party postings about him/her, the Guideline does not constitute a
right to be forgotten. Also, as to the right to withdraw one's own
posting, critics have noted that people have been able to delete their
own postings before the Guideline as long as they have retained their
login credentials, and that people who have misplaced their login
credentials were permitted to retrieve or receive new ones. The only
services significantly affected by the Guideline are Wiki-type
services where people's contributions make logical sense only in
response to or in conjunction with one another's contributions and
therefore the postings are made permanent part of the mass-created
content, but KCC made sure that the Guideline applies to these
services only when the posting identifies the authors.

The guidelines created by the KCC include that data subjects can
remove content that includes the URL links, and any evidence
consisting of personal information. The commission included different
amendments to the guideline. This includes describing the Guidelines
as a "minimum" and "preliminary" precaution regarding privacy rights
in vague areas of existing laws. The guideline encompasses foreign
Internet companies that provide translation services for South Korean
consumers. In order to have a person's information "forgotten" he or
she has to go through a three step process: the issue posted with the
URL, proof of ownership of the post, grounds for the request. There
are restrictions on each step. When posting the URL, the web operator
has the right to preserve the posting issue. The second being that if
the post is relevant to public interest, web operators will process
this request on the terms of relevance.


China
=======
In May 2016, Chinese courts in Beijing determined citizens do not have
the right to be forgotten when a judge ruled in favour of Baidu in a
lawsuit over removing search results. It was the first of such cases
to be heard in Chinese court. In the suit, Ren Jiayu sued Chinese
search engine Baidu over search results that associated him with a
previous employer, Wuxi Taoshi Biotechnology. Ren argued that by
posting the search results, Baidu had infringed upon his right of name
and right of reputation, both protected under Chinese law. Because of
these protections, Ren believed he had a right to be forgotten by
removing these search results. The court ruled against Ren, claiming
his name is a collection of common characters and as a result the
search results were derived from relevant words.

Nowhere in China's civil code are the concepts of privacy or the right
to be forgotten discussed. There is no data protection authority, nor
a specific state agency in place to monitor the protection of
citizens' personal data. In China today, data protection regulation is
aimed at consumers, on an individual level, in contrast to the EU's
right to privacy, in which the individual is considered a "data
subject", with the right to be protected. Chinese legislative progress
towards supporting the right to be forgotten is slow. The topic has
been debated for more than 10 years now, and continues to be a
challenge. Small provisions have been implemented related to personal
data processing, but do not amount to a comprehensive data protection
regime. The European Union Directorate-General for Internal Policies
has issued policy recommendations on a realistic, rather than a
legalistic basis for data protection as to the transfer of data
between the EU and China vis-a-vis the latter's lack of compatible
regulation in this area.


               Connection to international relations
======================================================================
The regulatory differences in the protection of personal data between
countries has real impact on international relations. The right to be
forgotten, specifically, is a matter of EU-US relations when applied
to cross-border data flow, as it raises questions about territorial
sovereignty. The structure of the Westphalian international system
assumes that the reach of a country's jurisdiction is limited to its
geographic territory. However, online interactions are independent of
geographic location and present across multiple locations, rendering
the traditional concept of territorial sovereignty moot. Therefore,
the EU and the United States are forced to confront their regulatory
differences and negotiate on a set of regulations that apply to all
foreign companies processing and handling data of European citizens
and residents.

The regulatory differences on the right to be forgotten along with
numerous other data protection rights have shaped discussions and
negotiations on trans-Atlantic data privacy regulations. A case in
point is the EU and the United States' endeavors to develop the Safe
Harbor agreement, a data transfer pact that enables the transfer of
data between the EU and US companies in a manner consistent with the
EU's data protection schemes. Article 25 of the Data Protection
Directive articulates that cross-border transfer of data can take
place only if the "third country in question ensures an adequate level
of protection," meaning that the country meets the EU's minimum
standards of data protection. The standards include, among many
provisions, a component that protects the right to "opt out" of
further processing or transmission of personal data, under the
assumption that data may not be further processed in ways inconsistent
with the intent for which they were collected.

Given the inconsistencies between the EU and the United States on
numerous digital privacy regulations, including the right to be
forgotten, Article 25 poses a threat to trans-Atlantic data flows.
Therefore, the EU and the United States entered into negotiations to
mediate the differences through the Safe Harbor agreement, which as a
result of debate and discussion between the two parties, requires
companies to provide individuals with the choice or opportunity to
"opt out" and afford other protections.

Under the pressures of the mass surveillance carried out by the US
government on European citizens' data, the Safe Harbor agreement has
been invalidated by the European Union Court of Justice in its
'Schrems' case. The Safe Harbor agreement has now been replaced by the
Privacy Shield principles.


             Draft European Data Protection Regulation
======================================================================
The 2012 draft European Data Protection Regulation Article 17 detailed
the "right to be forgotten and to erasure". Under Article 17
individuals to whom the data appertains are granted the right to
"obtain from the controller the erasure of personal data relating to
them and the abstention from further dissemination of such data,
especially in relation to personal data which are made available by
the data subject while he or she was a child or where the data is no
longer necessary for the purpose it was collected for, the subject
withdraws consent, the storage period has expired, the data subject
objects to the processing of personal data or the processing of data
does not comply with other regulation".

The EU defines "data controllers" as "people or bodies that collect
and manage personal data". The EU General Data Protection Regulation
requires data controllers who have been informed that an individual
has requested the deletion of any links to or copies of information
must "take all reasonable steps, including technical measures, in
relation to data for the publication of which the controller is
responsible, to inform third parties which are processing such data,
that a data subject requests them to erase any links to, or copy or
replication of that personal data. Where the controller has authorized
a third party publication of personal data, the controller shall be
considered responsible for that publication". In the situation that a
data controller does not take all reasonable steps then they will be
fined heavily.

The European Parliament was once "expected to adopt the proposals in
first reading in the April 2013 Plenary session". The right to be
forgotten was replaced by a more limited right to erasure in the
version of the GDPR adopted by the European Parliament in March 2014.
Article 17 provides that the data subject has the right to request
erasure of personal data related to him on any one of a number of
grounds including non-compliance with article 6.1 (lawfulness) that
includes a case (f) where the legitimate interests of the controller
is overridden by the interests or fundamental rights and freedoms of
the data subject which require protection of personal data (see also
Costeja).

The European Union is a highly influential group of states, and this
movement towards the right to be forgotten in the EU is a step towards
its global recognition as a right. To support this, in 2012 the Obama
Administration released a "Privacy Bill of Rights" to protect
consumers online, and while this is not quite the strength of the EU
law, it is a step towards recognition of the right to be forgotten.


              Response by reputation management firms
======================================================================
Businesses that manage their client's online reputation have responded
to the European Court ruling by exercising the right to be forgotten
as a means to remove unfavourable information. One technique used by
reputation consulting firms is to submit multiple requests for each
link, written with different angles in an attempt to get links
removed. Google for example does not limit the number of requests that
can be submitted on the removal of a given link.


                             Criticism
======================================================================
Major criticisms stem from the idea that the right to be forgotten
would restrict the right to freedom of speech. Many nations, and the
United States in particular (with the First Amendment to the United
States Constitution), have very strong domestic freedom of speech law,
which would be challenging to reconcile with the right to be
forgotten. Some academics see that only a limited form of the right to
be forgotten would be reconcilable with US constitutional law; the
right of an individual to delete data that he or she has personally
submitted. In this limited form of the right individuals could not
have material removed that has been uploaded by others, as demanding
the removal of information could constitute censorship and a reduction
in the freedom of expression in many countries. Sandra Coliver of the
Open Society Justice Initiative argues that not all rights must be
compatible and this conflict between the two rights is not detrimental
to the survival of either.

The draft General Data Protection Regulation was written broadly and
this has caused concern. It has attracted criticism that its enactment
would require data controlling companies to go to great lengths to
identify third parties with the information and remove it. The
proposed regulation has also attracted criticism due to the fact that
this could produce a censoring effect in that companies, such as
Facebook or Google, will wish to not be fined under the act, and will
therefore be likely to delete wholesale information rather than facing
the fine, which could produce a "serious chilling effect." In addition
to this, there are concerns about the requirement to take down
information that others have posted about an individual; the
definition of personal data in Article 4(2) includes "any information
relating to" the individual. This, critics have claimed, would require
companies to take down any information relating to an individual,
regardless of its source, which would amount to censorship, and result
in the big data companies eradicating a lot of data to comply with
this. Such removal can impact the accuracy and ability of businesses
and individuals to carry out business intelligence, particularly due
diligence to comply with antibribery, anticorruption, and know your
customer laws. The right to be forgotten was invoked to remove from
Google searches 120 reports about company directors published by Dato
Capital, a Spanish company which compiles such reports about private
company directors, consisting entirely of information they are
required by law to disclose; 'Fortune' magazine examined the 64
reports relating to UK directorships, finding that in 27 (42%) the
director was the only person named, in the remaining only the director
and co-directors were named, and 23 (36%) involve directorships
started since 2012.

Other criticism revolves around the principle of accountability.

There were concerns that the proposed General Data Protection
Regulation would result in Google and other Internet search engines
not producing neutral search results, but rather producing biased and
patchy results, and compromising the integrity of Internet-based
information. To balance out this criticism, the proposed General Data
Protection Regulation included an exception "for the processing of
personal data carried out solely for journalistic purposes or the
purpose of artistic or literary expression in order to reconcile the
right to the protection of personal data with the rules governing
freedom of expression." Article 80 upheld freedom of speech, and while
not lessening obligations on data providers and social media sites,
nevertheless due to the wide meaning of "journalistic purposes" allows
more autonomy and reduces the amount of information that is necessary
to be removed. When Google agreed to implement the ruling, European
Commission Vice-President Viviane Reding said, "The Court also made
clear that journalistic work must not be touched; it is to be
protected." However, Google was criticized for taking down (under the
Costeja precedent) a BBC News blog post about Stan O'Neal by economics
editor Robert Peston (eventually, Peston reported that his blog post
has remained findable in Google after all). Despite these criticisms
and Google's action, the company's CEO, Larry Page worries that the
ruling will be "used by other governments that aren't as forward and
progressive as Europe to do bad things", though has since distanced
himself from that position. For example, pianist Dejan Lazic cited the
'Right To Be Forgotten' in trying to remove a negative review about
his performance from 'The Washington Post'. He claimed that the
critique was "defamatory, mean-spirited, opionated, offensive and
simply irrelevant for the arts". and the St. Lawrence parish of the
Roman Catholic church in Kutno, Poland asked Google to remove the
Polish Wikipedia page about it,  without any allegations mentioned
therein as of that date.

Index on Censorship claimed that the 'Costeja' ruling "allows
individuals to complain to search engines about information they do
not like with no legal oversight. This is akin to marching into a
library and forcing it to pulp books. Although the ruling is intended
for private individuals it opens the door to anyone who wants to
whitewash their personal history� The Court's decision is a retrograde
move that misunderstands the role and responsibility of search engines
and the wider internet. It should send chills down the spine of
everyone in the European Union who believes in the crucial importance
of free expression and freedom of information."

In 2014, the Gerry Hutch page on the English Wikipedia was among the
first Wikipedia pages to be removed by several search engines' query
results in the European Union. 'The Daily Telegraph' said, on 6 Aug
2014, that Wikipedia co-founder Jimmy Wales "described the EU's Right
to be Forgotten as deeply immoral, as the organisation that operates
the online encyclopedia warned the ruling will result in an internet
riddled with memory holes". Other commentators have disagreed with
Wales, pointing to problems such as Google including links to revenge
porn sites in its search results, and have accused Google of
orchestrating a publicity campaign to escape the burdensome obligation
to comply with the law. Julia Powles, a law and technology researcher
at the University of Cambridge, made a rebuttal to Wales' and the
Wikimedia Foundation concerns in an editorial published by 'Guardian',
opining that "There is a public sphere of memory and truth, and there
is a private one...Without the freedom to be private, we have precious
little freedom at all."

In response to the criticism, the EU has released a factsheet to
address what it considers myths about the right to be forgotten.

Other criticisms involving the right to be forgotten revolves around
the policies for data removal regarding minors. The U.S. has laws in
place that protect the privacy of minors. The California Minor Eraser
Law is a law that allows California residents under the age of 18 to
request to have information removed that they posted on an online
server. The law "applies to websites, social media sites, mobile apps
and other online services" and follows "Europe's recognition of the
'right to be forgotten'". This law was put into effect on January 1,
2015 and remains in existence today. Online "service" operators that
have services "directed toward minors" must update their privacy
policies to include the option to remove data if requested by a minor
that is posted on a service.

In the UK, the 2017 Conservative manifesto included a pledge to allow
social media platform users to remove outdated information that was
posted when they were under the age of 18. "A Tory victory on the 8th
of June will lead to those youthful indiscretions on Facebook and
Twitter being open to erasure. But there are also plans to fine social
media firms for not moving at the speed of political opportunism over
extreme content." The United Kingdom has not yet fully adopted the
ruling of the European Court of Justice regarding the right to be
forgotten and argued to keep it from going into EU law. However, in
the upcoming elections in the UK laws could be passed to allow minors
to remove embarrassing posts or photos on social media that could come
back to affect job applications or public image in later life.

Theresa May, the Prime Minister of the UK, has been pushing to extend
privacy rights for minors in allowing them to have a right to delete
information. The intentions for this extension of privacy are based on
the fact that social media sites store years of data that affect
minors lives' much later after the information is posted. May gave her
stance on privacy when she said, "'The Internet has brought a wealth
of opportunity but also significant new risks which have evolved
faster than society's response to them'". The Conservative Party,
which is headed by May, has pushed for policies that aggressively
removes illegal material from the internet and fines firms that do not
take action in removing said material.

In 2015, Commission nationale de l'informatique et des libertés (CNIL)
asked Google to remove data from all versions available in any part of
the world. Google and other entities argued that European data
regulators should not be allowed to decide what Internet users around
the world find when they use a search engine.


                              Research
======================================================================
Security researchers from CISPA, Saarland University and the
University of Auckland proposed a framework, called Oblivion, to
support the automation of the right to be forgotten in a scalable,
provable and privacy-preserving manner. Oblivion is a program that
helps to "automate" the process of attempting to verify someone's
personal information that could be found in a Google search result."
Google gets many take-down requests at a high volume, so Oblivion is
able to help with this problem. Researchers and authors behind
Oblivion say that "it is essential to develop techniques that at least
partly automate this process and are scalable to internet size."
Oblivion helps the humans that operate the forms at Google ensure that
ill-intending users cannot "blacklist links to internet sources that
do not affect them." For example, tests have proven that Oblivion
handles requests at a rate of 278 per second. The software allows
Google, the government, and the user to work together to get content
removed quickly and for just cause. In order to ensure that the
program works quickly, is secure for its users and is impervious to
fake take-down requests, Oblivion uses a three-part system.

In the first part, Oblivion requires a user to submit identification
about themselves - not limited to "name, age, and nationality."
Oblivion then enables a user to automatically find and tag his or her
disseminated personal information using natural language processing
and image recognition techniques and file a request in a
privacy-preserving manner. Oblivion will scan the article for
attributes that match information that has been submitted by the user.
Second, Oblivion provides indexing systems with an automated and
provable eligibility mechanism, asserting that the author of a request
is indeed affected by an online resource. The author of a request is
then issued an "ownership token" that confirms the articles they
submitted for evaluation include sensitive personal information. The
automated eligibility proof ensures censorship-resistance so that only
legitimately affected individuals can request the removal of
corresponding links from search results. In the third and last phase,
this "ownership token" is submitted to Google, accompanied by the
user's concerns as to what information should be deleted. Google's
staff is then allowed to decide for themselves if they want to delete
this information or not - but thanks to Oblivion, they know that the
information in question is valid.

Researchers with Oblivion, however, have noted that it comes with some
limitations. The software is lacking a human element, therefore it
cannot decide on its own "whether or not a piece of information is
public interest and should therefore not be removed from Google search
results." Researchers have conducted comprehensive evaluations,
showing that Oblivion is suitable for large-scale deployment once it
is fine-tuned.

Data deletion protocols around the death of a user is another
consideration.


                              See also
======================================================================
* Accountability
* Article 29 Working Party
* Fundamental rights
* 'Google Spain v AEPD and Mario Costeja González'
* General Data Protection Regulation
* Information privacy
* International human rights law
* Internet privacy
*Search engine privacy
* 'Martin v. Hearst Corporation'
* Memory hole
* Right to disconnect
* Streisand effect
* Tiziana Cantone


Bibliography
==============
*
* Bennett, Steven C. "Right to be forgotten: Reconciling EU and US
Perspectives, The." Berkeley J. Int'l L. 30 (2012): 161.
* Blackman, Josh. "Omniveillance, Google, Privacy in Public, and the
Right to Your Digital Identity: A Tort for Recording and Disseminating
an Individual's Image over the Internet." Santa Clara L. Rev. 49
(2009): 313.
* Bolton, Robert, "The Right to Be Forgotten: Forced Amnesia in a
Technological Age," 31 J. Marshall J. Info. Tech. & Privacy L. 133
(2015).
* Castellano, Pere Simón. "The right to be forgotten under European
Law: a Constitutional debate." (2012).
* Koops, E. J. "Forgetting footprints, shunning shadows: A critical
analysis of the 'right to be forgotten' in big data practice."
SCRIPTed 8, no. 3 (2011): 229-256.
* Palazzi, Pablo. "El reconocimiento en Europa del derecho al olvido
en Internet." La Ley 10 de junio de 2014: (2014).
* Palazzi, Pablo. "Derecho al olvido en Internet e información sobre
condenas penales (a propósito de un reciente fallo holandés)." La Ley
17 de diciembre de 2014: (2014).
* Rosen, Jeffrey. "The right to be forgotten." Stanford law review
online 64 (2012): 88.
* Simeonovski, Milivoj; Bendun, Fabian; Asghar, Muhammad Rizwan;
Backes, Michael; Marnau, Ninja; Druschel, Peter. "Oblivion: Mitigating
Privacy Leaks by Controlling the Discoverability of Online
Information." The 13th International Conference on Applied
Cryptography and Network Security (ACNS 2015).
* Gallo Sallent, Juan Antonio; "'El Derecho al Olvido en Internet: Del
Caso Google al Big Data" (2015) (ed.): CreateSpace,, Barcelona,
España'. .
* Tsesis, Alexander. "The Right to Erasure: Privacy and the Indefinite
Retention of Data", 49 Wake Forest Law Review 433 (2014).


Cases
=======
* 'Melvin v. Reid' 112 Cal.App. 285, 297 P. 91 (1931)
* 'Sidis v F-R Publishing Corporation' 311 U.S. 711 61 S. Ct. 393 85
L. Ed. 462 1940 U.S.
* 'Google Spain, S.L., Google Inc. y Agencia Española de Protección de
Datos (AEPD), Mario Costeja González' ECLI:EU:C:2014:317


Legislation
=============
* Directive 95/46/EC on the protection of individuals with regard to
the processing of personal data and on the free movement of such data.
EU Directive 1995.
* European Commission. Proposal for a Regulation of the European
Parliament and of the Council on the Protection of Individuals with
Regard to the Processing of Personal Data and On the Free Movement of
Such Data (General Data Protection Regulation). 2012/0011 (COD).
Article 3. "Territorial Scope."


                           External links
======================================================================
*[https://support.google.com/legal/contact/lr_eudpa?product=websearch#
Google's 'Search removal request under European Data Protection law'
form]
*[https://uk.help.yahoo.com/kb/SLN24378.html Yahoo's Right to be
Forgotten Request page]
*[https://www.bing.com/webmaster/tools/eu-privacy-request Bing's
European Privacy Request form]
*[http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
List of European Data Protection Authorities (for appeals)]
*[http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-r
ecommendation/files/2014/wp225_en.pdf
Guidelines on the implementation of the Court of Justice of the
European Union judgment on 'Google Spain and inc v. Agencia Española
de Protección de Datos (AEPD) and Mario Costeja González']
*[http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_pr
otection_en.pdf
Factsheet on the "Right to be Forgotten" ruling (C-131/12)]
*[https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en
Google's Transparency Report (statistics and examples)]
*[https://drive.google.com/a/google.com/file/d/0B1UgZshetMd4cEI3SjlvV0hNbDA/view
?pli=1
Report of the Advisory Council to Google on the Right to be Forgotten]
*[https://docs.google.com/file/d/0B8syaai6SSfiT0EwRUFyOENqR3M/view?sle=true&
pli=1
Google's responses to the Questionnaire addressed to Search Engines by
the Article 29 Working Party]
*[http://www.bbc.co.uk/blogs/internet/entries/1d765aa8-600b-4f32-b110-d02fbf7fd3
79
List of BBC web pages which have been removed from Google's search
results]
*[https://www.telegraph.co.uk/technology/google/11036257/Telegraph-stories-affec
ted-by-EU-right-to-be-forgotten.html
'Telegraph' stories affected by EU 'right to be forgotten']
*[http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2513652 The Right
to Be Forgotten: Forced Amnesia in a Technological Age]
*[https://eureka.eu.com/gdpr/the-right-to-be-forgotten/ The Right to
be Forgotten]


License
=========
All content on Gopherpedia comes from Wikipedia, and is licensed under CC-BY-SA
License URL: http://creativecommons.org/licenses/by-sa/3.0/
Original Article: http://en.wikipedia.org/wiki/Right_to_be_forgotten

You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.