Over at Concurring Opinions, Frank Pasquale has a post defending the EU Court of Justice’s decision that enshrined the “right to be forgotten” in European law. Arguing against “a reflexively rejectionist position” which he sees emerging among some American commentators, prof. Pasquale writes that it fails to “recognize the power of certain dominant firms to shape impressions of individuals,” and might lead, by design or otherwise, to an undermining even of the (limited) protections for privacy and reputation which American law recognizes. For my part, I think that prof. Pasquale sets up something of a false dichotomy. There are other options than a free-for-all in which any disclosure of any information is permissible and acceptance of the “right to be forgotten.”
Prof. Pasquale worries about the possibility that people’s medical records or intimate photos will be stolen and posted online. If that happens, he asks,
[a]re the critics of the [right to be forgotten] really willing to just shrug and say, “Well, they’re true facts and the later-publishing websites weren’t in on the hack, so leave them up”?
American law, he explains, provides for some penalties against those who publish purely private information. “Perhaps,” he says, “critics of the [right to be forgotten] want to sweep away these penalties, too. But if they succeed, there will be real human costs.” The right to be forgotten, he concludes, is essential to “guaranteeing a digital future where our reputations aren’t at the mercy of malicious hackers and careless search engines.”
I’m unconvinced. Prof. Pasquale’s concerns are serious, but the right to be forgotten is at once insufficient and excessive to address them.
The information disclosure of which rightly worries prof. Pasquale is intrinsically private. Companies which compile it or to which people entrust it for storage or safekeeping should not disclose it without the consent of the individuals concerned; those who receive such information from people not authorized to communicate it have no business publishing it. The publication of such information is a harm which the law should sanction. But the “right to be forgotten,” at least as articulated by the EU Court of Justice, is at best an indirect protection against this harm. As its name suggests, it is not a right against having private information about you published in the first place. It is not even a right to have private information removed from the websites that originally published it, but only to have links to that information removed from search results. Of course it will make the information that much more difficult to find. More difficult, but not impossible. Something like a (much narrower, as I’ll presently explain) version of the right to be forgotten might be useful to protect us from disclosure of private information, but only as a complement, not an alternative, to going after the actual publishers of such information.
At the same time, the “right to be forgotten” potentially extends to all sorts of information that is not necessarily intrinsically private in the way medical records or intimate pictures are. For instance, back in August, the BBC explained that many of the 12 pages from its website that had been removed from Google’s search results up to that point, concerned court cases ― including those where a defendant had been convicted of a serious crime. (Now, I’ve already written about the difficulties that being mentioned in a court decision can create, and wondered whether anonymizing (at least some) of them would not be better. But, for now at least, the prevailing view is that court cases, including the parties’ names, are generally public matters.) In such cases, there can surely be no question of forcing the actual publishers of the stories to remove them, and the “right to be forgotten” only means, as I recently explained here, that ordinary people, those who do not have much time and/or money for research, will not be able to find them. Even if in some cases a version of the “right to be forgotten” would help us protect what most people will agree is private information, the current European version of this “right” is vastly overbroad.”
So it seems to me that one can easily be against the recognition of a “right to be forgotten” in the shape in which the EU Court of Justice created it, and in favour of protecting people from “malicious hackers and careless search engines” disclosing intrinsically private information about them. It should be possible to craft more narrowly-tailored and more effective regulation, directed in the first instance against the publication of such information and, as a secondary measure, allowing links to infringing information to also be removed. In the inevitable conflict between privacy and freedom of expression, we shouldn’t forget nuance and balance.