This week the European Courts effectively created a new law, the Right to be Forgotten on the Internet. The Right to Forget is also included in the proposed new EU Data Protection law that is due to come into force in 2016. But are they the same? In this case it does not appear to be so, and the fact that they are different appears to be being missed by most observers.
Let’s take the new Data Protection Act first. This gives the individual the right to be forgotten, but what does that mean? It’s very simple really – if I give Company x some data, whether that is for say a Facebook post or some financial data for a comparison website, then I can subsequently ask that site/service to delete the data which I have given it. I have a right for them to ‘forget’ this information. This seems entirely reasonable – I share information with you on the understanding that it carries a ‘burn after reading’ caveat. I can ask for it to be deleted after it has served the purpose for which I had originally shared it with you.
But this week’s ruling in relation to Mario Costeja González was different. In this case he wanted a 3rd party, Google, to delete a link (search result) to an old court case, yet the original court case data is not being deleted. This does not seem reasonable as the original source remains. In a rather crude analogy it is like asking the highways agency to remove road signs or redact places from maps. If there is an issue with data remaining public years later, then logic says that it should be dealt with under Spanish law for ongoing publication of old legal cases, not by requiring 3rd parties to know what is public and whether it can be used or not.
Mr González did not volunteer this information to the courts, nor entrust the details of the case to a third-party under the assumption that they would stay private. This information is a matter of public record, and as such it seems odd to think that he has any right to demand that Google not return this information as a search result. As some commentators have suggested, this is a particularly Stalinist approach which is more akin to censorship than it is to The Right to be Forgotten on the Internet.
An article in The Times summarised it nicely:
The embracing of a “right to be forgotten” is… of course, a right to be forgotten selectively; complainants are unlikely to demand that flattering references to themselves are de-linked.
It is important to draw a distinction between these two examples (providing a company or organisation with personal data for a specific purpose and then expecting it to be deleted after use, vs requesting that links to matters of public record be deleted), otherwise the important Right to Forget in the Data Protection proposals may be deleted because of the concerns over what we could call “3rd party Right to Forget”.