Concordia University - Portland
CU Commons

Faculty Scholarship, School of Law

2016

Free Expression, Privacy, and Diminishing Sovereignty in the Information Age: The Internationalization of Censorship

McKay Cunningham, Concordia University School of Law, [email protected]

Follow this and additional works at: http://commons.cu-portland.edu/lawfaculty

Part of the European Law Commons, and the Privacy Law Commons

This Article is brought to you for free and open access by the School of Law at CU Commons. It has been accepted for inclusion in Faculty Scholarship by an authorized administrator of CU Commons. For more information, please contact [email protected].

CU Commons Citation
McKay Cunningham, Free Expression, Privacy, and Diminishing Sovereignty in the Information Age: The Internationalization of Censorship, 69 Ark. L. Rev. 71, 116 (2016).



Free Expression, Privacy, and Diminishing Sovereignty in the Information Age: The Internationalization of Censorship

McKay Cunningham*

I. INTRODUCTION

The Internet is still new. In relation to the history of human communication, the Internet's saturation occurred in an instant. The Internet facilitated one percent of two-way telecommunications in 1993, fifty-one percent in 2000, and ninety-seven percent by 2007.¹ If you reduced the world's digital content to a stack of books, it would reach from Earth to Pluto ten times.² Digital data has increased to the point that "we're running out of language to describe it. The only quantity bigger than a zettabyte is a yottabyte, a figure with 24 zeroes."³

This windfall of accessible information spurred the increase in its value. Those at the World Economic Forum described data and personal information as "the new oil."⁴ Some argue that "the dominant principle of the new economy, the information economy, has lately been to conceal the value of information,"⁵ an observation strengthened by the fact that the primary activity of ninety-two percent of commercial websites is data collection.⁶ With both private and public sectors incentivized to gather, understand, and leverage personal information, privacy advocates fight to ensure that personal information is not surreptitiously taken and improperly used. Internet users, for example, expect the law to bar unknown third parties from secretly capturing every webpage visited and every email sent.⁸

* Associate Professor, Concordia University School of Law.

1. Martin Hilbert & Priscila López, The World's Technological Capacity to Store, Communicate, and Compute Information, SCI., Apr. 1, 2011, at 62.

2. Richard Wray, Internet Data Heads for 500bn Gigabytes, GUARDIAN (May 18, 2009, 2:22 PM), http://www.theguardian.co.uk/business/2009/may/18/digital-content-expansion [https://perma.cc/GA7B-MWMF].

3. See Rebecca Lowe, Me, Myself and I, INT'L BAR ASS'N GLOBAL INSIGHT (Oct. 17, 2013), http://www.ibanet.org/Article/Detail.aspx?ArticleUid=b47al361-16dd-4f04-b83d-add60898f213 [https://perma.cc/H3KT-BG5A].

4. See id.

5. JARON LANIER, WHO OWNS THE FUTURE? 15 (2013).

6. See Scott R. Peppet, Unraveling Privacy: The Personal Prospectus and the Threat of a Full-Disclosure Future, 105 Nw. U. L. REV. 1153, 1164 (2011).

In the pursuit of protecting informational privacy, Europe leads the world.⁹ The European Union labels privacy a fundamental right and confers broad privacy rights to its citizens - rights that apply extraterritorially.¹⁰ These rights protecting personal information, however, derive from privacy law that pre-dated the Internet. Early privacy law could not have imagined, much less accounted for, the ubiquity and complexity of Internet communication and content. As a result, European law poorly achieves its primary goal of protecting its citizens' personal information. It is simultaneously over-inclusive by restricting a host of innocuous Internet users, and under-inclusive by exempting many of the most harmful privacy violators.¹¹

Indeed, the recent European Commission pronouncement recognizing the "right to be forgotten"¹² highlights the flawed European approach. The right to be forgotten allows Europeans legal authority to erase certain content from the Internet.¹³ The right is broadly - even nebulously - circumscribed, applying to information that is "inaccurate, inadequate, irrelevant or excessive. . . ."¹⁴ No court or government official first interprets whether claimed information is "inadequate" or "irrelevant." Rather, the burden falls on data controllers - like Google - webpage masters, and a host of other data merchants to determine whether to delete content.¹⁵

7. See id. at 1185.

8. See Juliane Kokott & Christoph Sobotta, The Distinction Between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR, 3 INT'L DATA PRIVACY L. 222, 223 (2013) (discussing the right to privacy in "private and family life, home, and communications").

9. See Christopher Kuner, The European Union and the Search for an International Data Protection Framework, 2 GRONINGEN J. INT'L L. 55, 56-57 (2014).

10. Council Directive 95/46/EC, 1995 O.J. (L 281) 31, 31-32, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:1995:281:FULL&from=EN [https://perma.cc/GKD5-HQGG] [hereinafter Data Protection Directive].

11. See infra Part V.

12. Factsheet on the "Right to be Forgotten" Ruling (C-131/12), EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf [https://perma.cc/FJ7K-GJ6C] (last visited Feb. 13, 2016) [hereinafter European Commission Factsheet].

13. Id.

14. Id.

In the months following enactment of the right to be forgotten, Google issued a form enabling Europeans to request deletion of their personal information.¹⁶ Within one day of the form's publication, Europeans submitted 12,000 requests to delete information, growing to 41,000 requests in four days.¹⁷ Of those requests, approximately thirty-three percent related to fraud accusations, twenty percent to serious or violent crimes, and twelve percent to child pornography arrests.¹⁸ As of May 2016, Google has fielded more than 430,000 requests to deactivate over 1.5 million links and has deleted 549,624 links.¹⁹ Microsoft and Yahoo have also "begun processing requests as a result of the court's ruling" and have already deleted thousands of links.²⁰

While privacy in the new age of information is undoubtedly important, the right to be forgotten harms more than it helps. It allows a single individual to determine what the rest of the world sees, threatening to censor the Internet in its adolescence. It undermines national sovereignty and democratic values by promoting one culture's adherence to privacy over another culture's preference for free expression. It ignores a host of alternative regulatory approaches - approaches that tailor legal restrictions to the harms associated with privacy violations. This article analyzes European Union (E.U.) and United States (U.S.) privacy law and, specifically, the right to be forgotten in Parts II and III. The article highlights the extraterritoriality of European privacy law in Part IV, explores censorship implications in Part V, and articulates alternative regulatory frameworks in Part VI.

15. See id.

16. Caitlin Dewey, Want to Remove Your Personal Search Results from Google? Here's How the Request Form Works, WASH. POST (May 30, 2014), https://www.washingtonpost.com/news/the-intersect/wp/2014/05/30/want-to-remove-your-personal-search-results-from-google-heres-how-the-request-form-works/ [https://perma.cc/6DKJ-5DXU].

17. See Caroline Preece et al., Google "Right to be Forgotten": Everything You Need to Know, IT PRO (Feb. 9, 2015), http://www.itpro.co.uk/security/22378/google-right-to-be-forgotten-everything-you-need-to-know [https://perma.cc/WW5S-PQM3].

18. Id.

19. Transparency Report: European Privacy Requests for Search Removals, GOOGLE, http://www.google.com/transparencyreport/removals/europeprivacy/ [https://perma.cc/44BG-9DNM] (last updated May 24, 2016).

20. See Stuart Dredge, Microsoft and Yahoo Respond to European 'Right to be Forgotten' Requests, GUARDIAN (Dec. 1, 2014, 4:04 AM), http://www.theguardian.com/technology/2014/dec/01/microsoft-yahoo-right-to-be-forgotten [https://perma.cc/ZN53-38ND].

II. EMERGENCE OF THE RIGHT TO BE FORGOTTEN

A. Google / Spain

Mario Costeja González, a Spanish citizen, spent part of his life in debt.²¹ Some of his property was auctioned to pay his debts and a local newspaper, La Vanguardia, published two small notices announcing the auction in 1998.²² Costeja González resolved his debts by 2010, but Google searches under his name still linked him with the La Vanguardia notices and the auction.²³ He sued, asking a Spanish court to delete the record of the auction as to both La Vanguardia's publication and Google's linking the same to Costeja González.²⁴

Costeja González did not argue that the information about his debt and the auction were false, but rather that he had a right to be forgotten because the information was no longer relevant.²⁵ The court referred the case to the Court of Justice of the European Union (CJEU), certifying three legal issues, the third of which asked whether an individual has the right to request that his or her personal data be removed from an online search engine.²⁶ The CJEU, which exercises jurisdiction over twenty-eight E.U. Member States, held that the auction publications could remain on La Vanguardia's website but that Google must delete any link connecting Costeja González to them.²⁷

The ruling was not narrowly circumscribed to the facts. The court pronounced a broad precedent: All European residents have the right to stop Google and other data controllers from providing links to information deemed "inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in light of the time that has elapsed."²⁸

21. See Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos ¶ 14 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&doclang=EN [https://perma.cc/8YA9-52SM].

22. Id.

23. Id.

24. Id. ¶¶ 14-15.

25. Id. ¶ 15; see also Dave Lee, What is the "Right To Be Forgotten"?, BBC (May 13, 2014), http://www.bbc.com/news/technology-27394751 [https://perma.cc/ACC7-PTC4].

26. Google Spain SL, Case C-131/12, ¶ 20.

27. Id. ¶¶ 93-94; see also Court of Justice of the European Union, INT'L JUSTICE RESOURCE CTR., http://www.ijrcenter.org/regional-communities/court-of-justice-of-the-european-union/ [https://perma.cc/5X6G-R83V] (last visited Feb. 2, 2016) (detailing the jurisdiction of the CJEU).

This standard lacks objective guideposts. What information is "irrelevant" or "inadequate"? How much time must pass, and in what context? Where do media rights, self-expression, and free speech factor into the court's standard? What notification, if any, must Google give to websites and others that their links have been erased?

Soon after the Google Spain SL decision, the European Commission emphasized the burden of proof: "It is for the company - and not the individual - to prove that the data cannot be deleted because it is still needed or is still relevant."²⁹ Thus, the claimant seeking data erasure has no obligation to prove the data's irrelevancy. As Professor Luciano Floridi explains, "A private company now has to decide what is in the public interest."³⁰

B. Expanding the Reach of the Right to be Forgotten

While the reversed burden is a significant consequence of the Google Spain SL ruling, it is not the most important. European authorities claim the precedent applies worldwide, to any data controller offering services to Europeans.³¹ A request by a Spanish citizen to scrub "irrelevant" information from the Internet not only blots that data from searches conducted in Madrid but from searches conducted in Florida, New Delhi, Moscow, and almost any place in between.³² The implications from this recent decision and its subsequent interpretation are far-reaching and have generated notable controversy.³³ Allowing one person to have information erased from worldwide access due to the data's alleged "irrelevancy" subverts national sovereignty and promotes one culture's value of individual privacy rights over other cultures' values of free expression.

28. Google Spain SL, Case C-131/12, ¶¶ 93-94.

29. European Commission Factsheet, supra note 12.

30. Preece et al., supra note 17.

31. See European Commission Factsheet, supra note 12.

32. See Guidelines on the Implementation of the Court of Justice of the European Union Judgment on "Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González" C-131/12, at 8-9 (Nov. 26, 2014), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf [https://perma.cc/JSR5-DG4A] [hereinafter Guidelines]. Of course, questions remain regarding the E.U.'s jurisdictional reach and how it can force non-E.U. entities to comply. In Google Spain SL, the court relied on the fact that U.S.-based Google operates a registered office in Spain. Google Spain SL, Case C-131/12, ¶ 43. But the E.U. also asserts the application of its law to those individuals and industries without a physical presence in the E.U., as later illustrated in this article. See infra Part IV.

Google argued that only its European search domains should be required to comply and that the ruling should only affect European search results because those search results are directed towards users in Europe.³⁴ Ninety-five percent of European users search under their respective country's domain name extension.³⁵ Google's global privacy counsel condoned a domain-based approach:

National versions of our search service are offered from the relevant ccTLD (country code top level domains) for each country, like google.fr for France and google.it for Italy.... European users overwhelmingly use those services. Fewer than 5% of European users use google.com, and we think travelers are a significant portion of those.³⁶

While ninety-five percent is a significant figure, European users are not prohibited from accessing Google.com and could connect to forbidden links in that way.³⁷

Another alternative to wholesale deletion - geographic filtering - tailors search results according to the geographic origin of the search query, regardless of domain name extension. Through existing software, geographic filtering enables national authorities to more justifiably assert jurisdiction over foreign conduct because the impact of the ruling or regulation is confined to national territory.³⁹ This approach is not foolproof, though. Proxy servers, for example, circumvent geographic filtering.⁴⁰

33. See, e.g., Michael L. Rustad & Sanna Kulevska, Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow, 28 HARV. J.L. & TECH. 349, 398 (2015).

34. Brendan Van Alsenoy & Marieke Koekkoek, The Extra-Territorial Reach of the EU's "Right to be Forgotten" 17 (Interdisciplinary Ctr. for Law and ICT, Working Paper No. 20, 2015), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2551838 [https://perma.cc/S3T4-G3GA].

35. Id.; see also Letter from Peter Fleischer, Glob. Privacy Counsel, Google, to Isabelle Falque-Pierrotin, Chair, Article 29 Working Party (July 31, 2014), http://online.wsj.com/public/resources/documents/google.pdf [https://perma.cc/KHV7-L3N4].

36. See Letter from Peter Fleischer, supra note 35.

37. See Guidelines, supra note 32, at 9.

38. Marketa Trimble, The Future of Cybertravel: Legal Implications of the Evasion of Geolocation, 22 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 567, 585-95 (2012).

While the CJEU refrained from deciding the geographical scope of the right to be forgotten,⁴¹ leaving the law's reach unclear, European authorities have since signaled that neither domain-based nor geographic filtering suffices.⁴² The Article 29 Working Party, charged with implementing and interpreting European data privacy law,⁴³ characterized domain-based compliance as unacceptable.

[D]e-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that any case de-listing should also be effective on all relevant domains, including .com.⁴⁴

Indeed, E.U. regulatory law parallels the CJEU decision and purports to apply internationally. The Data Protection Regulation (Regulation), set to become effective in 2017,⁴⁵ envisions worldwide applicability of European privacy law.⁴⁶ The Regulation, "for the first time, leaves no legal doubt that no matter where the physical server of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rules."⁴⁷ Imparting European residents with the power to delete data from the global public invites a unilateral censorship that bypasses the sovereignty of other states.

39. See id. at 591.

40. Id. at 602; Lawrence B. Solum & Minn Chung, The Layers Principle: Internet Architecture and the Law, 79 NOTRE DAME L. REV. 815, 898 (2004).

41. Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos ¶¶ 60-61 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&doclang=EN [https://perma.cc/8YA9-52SM]; see also Rustad & Kulevska, supra note 33, at 365.

42. See Guidelines, supra note 32, at 9.

43. See Article 29 Working Party, EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/article-29/index_en.htm [https://perma.cc/CZU6-YZLB] (last updated June 10, 2015).

44. See Guidelines, supra note 32, at 9.

45. See Rustad & Kulevska, supra note 33, at 366.

46. See Kuner, supra note 9, at 60.

47. European Commission Factsheet, supra note 12 (emphasis omitted).

Wikipedia's founder labeled the E.U.'s approach "completely insane" and stated:

In the case of truthful, non-defamatory information obtained legally, I think there is no possibility of any defensible "right" to censor what other people are saying. You do not have the right to use the law to prevent Wikipedia editors from writing truthful information, nor do you have a right to use the law to prevent Google from publishing truthful information.⁴⁹

Stanford scholar Jennifer Granick thinks this "marks the beginning of the end of the global Internet, where everyone has access to the same information, and the beginning of an Internet where there are national networks, where decisions by governments dictate which information people get access to."⁵⁰

Others laud the right to be forgotten and justify its global application as necessary given the borderless flow of digital data.⁵¹ Marc Rotenberg, president of the Electronic Privacy Information Center, characterized the CJEU's ruling as "a great decision, a forward-looking decision," in line with privacy advocates' long battle to gain more control over personal information.⁵² Like Rotenberg, European leaders view the right to be forgotten as integral to regaining individual autonomy over connected devices and the personal data those devices collect.

48. See Robert G. Larson III, Forgetting the First Amendment: How Obscurity-Based Privacy and a Right To Be Forgotten Are Incompatible with Free Speech, 18 COMM. L. & POL'Y 91, 114 (2013); Dan Jerker B. Svantesson, Delineating the Reach of Internet Intermediaries' Content Blocking - "ccTLD Blocking", "Strict Geo-location Blocking" or a "Country Lens Approach?", 11 SCRIPTED 153, 155 (2014), http://script-ed.org/wp-content/uploads/2014/10/svantesson.pdf [https://perma.cc/KYD2-A4FE].

49. Preece et al., supra note 17.

50. Jeffrey Toobin, The Solace of Oblivion, NEW YORKER (Sept. 29, 2014), http://www.newyorker.com/magazine/2014/09/29/solace-oblivion [https://perma.cc/T5SZ-4Y89].

51. See Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the European Union, 36 HARV. J.L. & PUB. POL'Y 605, 641 (2013); see also Sophie Curtis, Information Commissioner Defends "Right to be Forgotten", TELEGRAPH (Aug. 7, 2014, 5:55 PM), http://www.telegraph.co.uk/technology/internet-security/11019585/Information-Commissioner-defends-right-to-be-forgotten.html [https://perma.cc/T4UL-P6R8].

52. Toobin, supra note 50.

53. See European Commission Factsheet, supra note 12.


III. CONFLICTING VALUES: FREE EXPRESSION AND PRIVACY

A. E.U. Privacy Law and the Origin of the Right to be Forgotten

Privacy is a fundamental right in the E.U.⁵⁴ Rather than sectoral and industry-specific laws protecting privacy only in certain contexts like sensitive medical and financial information, twenty years ago the E.U. enacted comprehensive legislation protecting personal data across the board. Nazi exploitation of personal records during World War II,⁵⁶ coupled with a historical preference for dignity-based rights over free expression, underscores European characterization of privacy as a fundamental right.

The Declaration of Human Rights was adopted by the United Nations shortly after World War II and provided that "[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. . . ."⁵⁹ Article 16 of the Consolidated Treaty on the Functioning of the European Union specified that "[e]veryone has the right to the protection of personal data concerning them."⁶⁰ Article 8 of the European Union's Charter of Fundamental Rights confers the rights of consent, access, and ability to rectify personal information.

54. Charter of Fundamental Rights of the European Union, 2010 O.J. (C 83/02) 389, 393; see also Tracie B. Loring, An Analysis of the Informational Privacy Protection Afforded by the European Union and the United States, 37 TEX. INT'L L.J. 421, 423 (2002).

55. Data Protection Directive, supra note 10, at 31.

56. See Francesca Bignami, European Versus American Liberty: A Comparative Privacy Analysis of Antiterrorism Data Mining, 48 B.C. L. REV. 609, 609-10 (2007); Michael W. Heydrich, A Brave New World: Complying with the European Union Directive on Personal Privacy Through the Power of Contract, 25 BROOK. J. INT'L L. 407, 417 (1999).

57. See Robert Kirk Walker, Note, The Right to Be Forgotten, 64 HASTINGS L.J. 257, 270 (2012); see also James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 YALE L.J. 1151, 1194 (2004).

58. Data Protection Directive, supra note 10, at 31.

59. G.A. Res. 217 (III) A, Universal Declaration of Human Rights (Dec. 10, 1948), http://www.ohchr.org/EN/UDHR/Documents/UDHRTranslations/eng.pdf [https://perma.cc/KY2E-P5TL].

60. Consolidated Version of the Treaty on the Functioning of the European Union art. 16, Oct. 26, 2012, 2012 O.J. (C 326) 47, 55, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:C:2012:326:FULL&from=EN [https://perma.cc/TNM2-H8WE].

61. Charter of Fundamental Rights of the European Union, supra note 54.


Finally, numerous provisions in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data specifically address collection, storage, transfer, and use of personal data.⁶²

But it was a non-government economic organization that inspired the current legal structure for data privacy found in the present-day Directive and forthcoming Regulation. The Organisation for Economic Co-operation and Development⁶³ (OECD) introduced a proposal for internationally recognized privacy principles in the 1970s and set forth guidelines in 1980⁶⁴ that became the blueprint for binding legislation throughout each E.U. Member State and spawned the formal enactment of Council Directive 95/46/EC on October 24, 1995.⁶⁵

While many of the agreements listed above are aspirational, the Directive is legally binding.⁶⁶ Now over twenty years old, the Directive is arguably the most influential data privacy law worldwide.⁶⁷ Borrowing from the tenets articulated by the OECD in 1980, the Directive restricts individuals and organizations that process E.U. personal data and grants data subjects rights of notice, access, correction, and arguably deletion of their personal information.⁶⁸ It honors the fundamental right to privacy by governing the use, collection, storage, and transfer of E.U. residents' personal data.⁶⁹ It is important to note that the privacy policies animating the Directive, as well as the actual restrictions therein, originated before popularization of the Internet.⁷⁰ The Directive's drafters did not contemplate how the law they were drafting would apply to today's Internet.

62. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data arts. 5-6, 8-9, Jan. 28, 1981, 1496 U.N.T.S. 65, 66-67, https://treaties.un.org/doc/Publication/UNTS/Volume%201496/volume-1496-1-25702-English.pdf [https://perma.cc/R6BQ-UUCP].

63. The Organisation for Economic Co-operation and Development (OECD) is an international economic organization of over thirty countries and was founded in 1961 to stimulate economic growth and world trade. History, ORG. FOR ECON. CO-OPERATION & DEV., http://www.oecd.org/history [https://perma.cc/6S88-3AEJ] (last visited Feb. 13, 2016). It was originated in 1947 to run the U.S.-financed Marshall Plan for reconstruction of war-torn Europe. See id.

64. See OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, ORG. FOR ECON. CO-OPERATION & DEV., http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm [https://perma.cc/8R3L-PBXT] (last visited Feb. 3, 2016); see also Fred H. Cate, The Changing Face of Privacy Protection in the European Union and the United States, 33 IND. L. REV. 173, 180-81 (1999).

65. See Cate, supra note 64, at 180-82.

66. Data Protection Directive, supra note 10, at 31; see also EUR. UNION AGENCY FOR FUNDAMENTAL RIGHTS, HANDBOOK ON EUROPEAN DATA PROTECTION LAW 17 (2014).

67. See generally Gregory Shaffer, Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards, 25 YALE J. INT'L L. 1, 55-88 (2000) (discussing the Directive's worldwide impact); see also Ryan Moshell, Comment, . . . And Then There Was One: The Outlook for a Self-Regulatory United States Amidst a Global Trend Toward Comprehensive Data Protection, 37 TEX. TECH L. REV. 357, 384-86 (2005).

The Data Protection Regulation will soon replace the Directive.⁷¹ The forthcoming Regulation mirrors the Directive's principal framework and purportedly strengthens the goal of data privacy law by injecting new rights for data subjects while increasing penalties for non-compliance.⁷² The Regulation, which explicitly recognizes the right to be forgotten for the first time, will likely become effective in 2017.⁷³ Both the Directive and Regulation require that personal data be:

1. Processed fairly and lawfully;
2. Collected for legitimate and specified reasons;
3. Adequate, relevant, and not excessive in relation to the purposes for which it is collected;
4. Accurate and, where necessary, kept up to date; and
5. Retained as identifiable data for no longer than necessary to serve the purposes for which the data was collected.⁷⁴

These requirements place significant strain on those that "process" E.U. personal data. The right to know when personal data is collected, for example, requires companies to provide notice before gleaning that digital data.⁷⁵ Consent must be a "freely given specific and informed indication of [the resident's] wishes."⁷⁶ Even after proper notice and consent, personal data can only be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes."⁷⁷ If a company follows protocol by issuing proper notice, obtaining consent, and collecting data for a legitimate purpose, an E.U. resident still has the right to have it altered or corrected. Indeed, an E.U. resident now has the right to have it deleted altogether - to have it "forgotten."⁷⁹

68. See Data Protection Directive, supra note 10, at 33.

69. Id. at 38.

70. See Patricia Sánchez Abril & Jacqueline D. Lipton, The Right to be Forgotten: Who Decides What the World Forgets?, 103 KY. L.J. 363, 383-84 (2014) ("Interactive, widely-used online services, such as the Google search engine, are very different entities from those to whom the 1995 Privacy Directive were targeted.").

71. Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 18-19, COM (2012) 11 final (Jan. 25, 2012) [hereinafter Data Regulation Proposal]. Unlike "Directives," which require that Member States enact national laws that reflect the spirit of the Directive, "Regulations" directly bind Member States. See Treaty on European Union art. G, Feb. 7, 1992, 1992 O.J. (C 191) 1.

72. See Data Regulation Proposal, supra note 71.

73. See Rustad & Kulevska, supra note 33, at 386.

74. Data Regulation Proposal, supra note 71, at 43; Data Protection Directive, supra note 10, at 40.

Finally, those who control private data must protect it.⁸⁰ Protecting personal data requires data processors to "implement appropriate technical and organizational measures to protect personal data against . . . destruction or . . . loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network."⁸¹ Taken together, these provisions materially affect individuals and entities that process personal data.

B. E.U. Codification of the Right to be Forgotten

One of the most controversial rights at the heart of data protection law is the right to be forgotten, which has been described by E.U. officials as the right of individuals to "have their data fully removed when it is no longer needed for the purposes for which it was collected."⁸² The right allows E.U. residents to have photographs, videos, text, and other information about themselves deleted or canceled from Internet sites, as well as the links generated by search engines.⁸³

75. See Data Regulation Proposal, supra note 71, at 48-49; Data Protection Directive, supra note 10, at 41.

76. Data Protection Directive, supra note 10, at 39.

77. Id. at 40.

78. Id. at 42.

79. See Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos ¶¶ 93-94 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&doclang=EN [https://perma.cc/8YA9-52SM]; see also European Commission Factsheet, supra note 12.

80. Data Protection Directive, supra note 10, at 43.

81. Id.

82. See Press Release, Eur. Comm'n, Data Protection Reform - Frequently Asked Questions (Nov. 4, 2010), http://europa.eu/rapid/press-release_MEMO-10-542_en.htm?locale=EN [https://perma.cc/45SH-VFZ5] (stating that "[p]eople who want to delete profiles on social networking sites should be able to rely on the service provider to remove personal data, such as photos, completely").

The 1995 Directive failed to unequivocally confer the right to be forgotten, creating uncertainty in its application.84 Even so, Google Spain interpreted the Directive as including the right to be forgotten,85 a ruling subsequently embraced by the European Commission, which claimed that the Directive "already includes the principle underpinning the right to be forgotten."86 The forthcoming Regulation eliminates any lingering uncertainty. Article 17 of the Regulation states:

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ...

2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, . . . [to have the data erased, including by third parties] . . . .87

Under these and other proposed provisions, E.U. residents seeking deletion of data must allege that their personal data is irrelevant or no longer necessary.88 E.U. officials project that assessment of such requests eludes categorization and must be made on "a case-by-case basis."89 Review includes analysis of the "accuracy, adequacy, relevance-including time passed-and proportionality of the links, in relation to the purposes of the data processing."90 The individual holds no obligation to prove the data's irrelevancy or inadequacy.91 Instead, the company (search engine, blog, news media, etc.) must prove that the data cannot be deleted because it is still relevant or still needed.92 If Google deems the data irrelevant or unnecessary, for example, all links to it must be deleted.

83. Id.

84. See Google Spain SL, Case C-131/12, ¶ 3.

85. Id. ¶ 97, 99.

86. See European Commission Factsheet, supra note 12. Support for the claim that the Directive includes the right to be forgotten stems from Article 12 of the Directive:

Member States shall guarantee every data subject the right to obtain from the controller:

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Data Protection Directive, supra note 10, at 42.

87. Data Regulation Proposal, supra note 71, at 51.

88. See European Commission Factsheet, supra note 12.

The right to be forgotten requires data controllers go a step further. Upon a proper request to delete personal information, Google must not only delete the links, it must also identify the operators of the third-party websites hosting that data and act as intermediary for the data subject by prompting deletion from those websites.93 This additional obligation has "created vehement opposition."94 Any data controller that "has made ... personal data public" must take "reasonable steps" to find third parties processing that data and ask them "to erase any links to, or copy or replication of that personal data."95 As these requirements make clear, European privacy law-and the right to be forgotten in particular-reflect a preference for privacy rights when they compete with rights associated with free expression.

C. U.S. Privacy and Free Expression

Although Americans largely decry the elevation of privacy rights over free expression, the right to be forgotten nevertheless resonates in certain contexts.

Nikki Catsourus was eighteen when she died on Halloween in a brutal car accident.97 The severe wreck decapitated her.98 Highway patrolmen emailed photographs of the gruesome scene to various friends.99 The images soon spread through social media, deepening the despair of Nikki's family and friends.100 Nikki's father forbade his remaining daughters from using the Internet and began a futile crusade to force social media, blogs, websites, and search engines to remove the images.101

89. Id.

90. Id.; see also Google Spain SL, Case C-131/12, ¶ 94.

91. See European Commission Factsheet, supra note 12.

92. Id.

93. Data Regulation Proposal, supra note 71, at 51.

94. Meg Leta Ambrose, A Digital Dark Age and the Right to Be Forgotten, 17 J. INTERNET L. 1, 10 (2013).

95. Data Regulation Proposal, supra note 71, at 51.

96. Steven C. Bennett, The "Right to Be Forgotten": Reconciling EU and US Perspectives, 30 BERKELEY J. INT'L L. 161, 169 (2012).

97. See Jessica Bennett, One Family's Fight Against Grisly Web Photos, NEWSWEEK (Apr. 24, 2009, 8:00 PM), http://www.newsweek.com/one-familys-fight-against-grisly-web-photos-77275 [https://perma.cc/U9NT-TEBE].

Many in the U.S. have similarly struggled to excise digital records that forever capture long-ago indiscretions or records that associate them with a singular painful or embarrassing incident. However, longstanding allegiance to free expression leaves little room for the right to be forgotten in American jurisprudence.102

1. U.S. Regulation of Privacy

Although the First, Third, Fourth, Fifth, and Fourteenth Amendments carry implicit privacy rights in certain circumstances, the U.S. Constitution does not explicitly protect privacy.103 In the absence of express constitutional protection, a myriad of laws from various authorities prompt many to characterize the U.S. approach as "sectoral," a reference to fragmented, cross-governmental, and industry-specific regulation.104 The font of privacy law in U.S. jurisprudence flows in large part from a law review article penned over 120 years ago and largely attributed to Louis Brandeis.105

Rather than webpages and the Internet, Brandeis confronted the privacy implications spurred by the "modern enterprise and invention" of photography and newspapers.106 The article strained to find legal grounds to prevent technology from proliferating gossip columns that delved into domestic life and sexual relations.107 Brandeis described the article's goal succinctly: "It is our purpose to consider whether the existing law affords a principle which can properly be invoked to protect the privacy of the individual; and, if it does, what the nature and extent of such protection is."108

98. Id.

99. Id.

100. Id.

101. See id.; see also Toobin, supra note 50.

102. See Larson III, supra note 48, at 92-93.

103. U.S. CONST. amends. I, III, IV, V, XIV; see also Roe v. Wade, 410 U.S. 113, 153 (1973); Griswold v. Connecticut, 381 U.S. 479, 483-85 (1965).

104. Cate, supra note 64, at 217.

105. See generally Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890); see also Bennett, supra note 96; Melville B. Nimmer, The Right of Publicity, 19 L. & CONTEMP. PROBS. 203, 203 (1954); Neil M. Richards, The Puzzle of Brandeis, Privacy, and Speech, 63 VAND. L. REV. 1295, 1295-96 (2010).

106. Warren & Brandeis, supra note 105, at 195-96.

The mere posture of the question cuts against characterizing privacy as a historically fundamental right. While Brandeis did discover a "principle which may be invoked to protect the privacy of the individual" from invasion, including any "modern device for recording or reproducing scenes or sounds,"109 the article listed several limitations and, unlike free expression, lacked the permanence and prominence attending constitutional warrant.110

Given this history, the absence of a comprehensive privacy right is unsurprising. Instead, privacy laws crop up around industries that process sensitive data like the healthcare and financial sectors. The Gramm-Leach-Bliley Act, for example, restricts the use and dissemination of private financial data,111 the Health Insurance Portability and Accountability Act regulates the use and disclosure of "protected health information,"112 and the Fair and Accurate Credit Transactions Act addresses privacy concerns that attend credit reporting.113

These sectoral privacy laws are not uniform; they define "personal information" differently114 and are tailored to particular elements of personal information or discrete uses of discrete data.

107. Id. at 195-98.

108. Id. at 197.

109. Id. at 206.

110. Id. at 207-14.

111. Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (codified at 15 U.S.C. §§ 6801-6809 (2012)).

112. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified at 42 U.S.C. §§ 1320d-1 to -9 (2012)); see also Jeanna Phipps, State of Confusion: The HIPAA Privacy Rule and State Physician-Patient Privilege Laws in Federal Question Cases, 12 SUFFOLK J. TRIAL & APP. ADVOC. 159, 170 (2007).

113. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952 (codified at 15 U.S.C. §§ 1681-1681v (2012)).

114. Compare 15 U.S.C. § 1681(b) (2006) (applying to consumer reporting agencies that provide consumer reports, defined as communications by such an agency bearing on a consumer's credit worthiness or personal characteristics when used to establish consumer's eligibility in certain contexts), with Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (codified at 18 U.S.C. § 2710 (2012) (defining personally identifiable information as "information which identifies a person")), and 15 U.S.C. § 6809(4)(A) (2012) (defining personally identifiable financial information as "nonpublic personal information").

U.S. law is further fragmented by state and local privacy law. Forty-seven of fifty states have varying breach notification laws, which generally require that organizations divulge when they have been hacked if sensitive data was made vulnerable.115 California's state constitution labels "privacy" an inalienable right,116 and the state's law recently recognized the right to be forgotten for minors.117 Nebraska and Pennsylvania prohibit knowingly making misleading statements on website privacy policies,118 and Connecticut restricts anyone who collects social security numbers.119 The variations among state privacy laws are numerous and growing.120

A crosscurrent of self-regulation also marks U.S. privacy regulation. A number of specialized trades self-regulate by adopting non-legally binding guidelines and promoting privacy "best practices."121 The Direct Marketing Association, for example, drafts and promotes online privacy guides that call for its members to post a prominent notice on their websites alerting consumers to information-collection practices.122 The credit card industry self-imposes encryption obligations and requires reporting on lost data.123 Such self-regulation is not accidental. The Clinton Administration promoted self-regulation as a preferable method of protecting consumer privacy without saddling businesses with bureaucratic interference, stating, "We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation. . . ."124

115. See US Data Breach Notification Laws by State, IT GOVERNANCE, http://www.itgovernanceusa.com/data-breach-notification-laws.aspx#.VPyf-WdOXIU [https://perma.cc/B4FG-5YCW] (last visited Feb. 4, 2016).

116. CAL. CONST. art. I, § 1.

117. See CAL. BUS. & PROF. CODE § 22581 (West 2015).

118. NEB. REV. STAT. ANN. § 87-302(a)(14) (West 2015); 18 PA. STAT. AND CONS. STAT. ANN. § 4107(a)(10) (West 2015).

119. CONN. GEN. STAT. ANN. § 42-471 (West 2015).

120. See State Laws Related to Internet Privacy, NAT'L CONF. ST. LEGISLATURES (Jan. 5, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx [https://perma.cc/P3MA-5ARC].

121. See John Schinasi, Note, Practicing Privacy Online: Examining Data Protection Regulations Through Google's Global Expansion, 52 COLUM. J. TRANSNAT'L L. 569, 585-87 (2014).

122. Jonathan P. Cody, Comment, Protecting Privacy Over The Internet: Has the Time Come to Abandon Self-Regulation?, 48 CATH. U. L. REV. 1183, 1218-19 (1999).

123. See generally Abraham Shaw, Note, Data Breach: From Notification to Prevention Using PCI DSS, 43 COLUM. J.L. & SOC. PROBS. 517 (2010).

The patchwork of federal privacy laws is at times cause for confusion.125 It reflects regulatory reticence and helps explain why the U.S. is one of few developed nations without a comprehensive data privacy law. It also reflects a historical-though receding126-adherence to free expression.127

2. U.S. Law Elevating Free Expression over Privacy

Unlike privacy law, the American legal history of free expression begins with an explicit Constitutional guarantee and continues through deeply rooted Supreme Court precedent covering a broad array of contexts and historical eras too lengthy for categorization here.128 With regard to the right to be forgotten, lawsuits alleging that publication of personal information would be injurious have found little traction when the publication is accurate and newsworthy. In 1977, the Supreme Court invalidated an order that would have stopped newspapers from publishing the name and picture of a juvenile offender.129 The Court allowed the press to publish the name of a rape victim in a case decided two years earlier.130 In 1989, the Court noted that "if a newspaper lawfully obtains truthful information about a matter of public significance then state officials may not constitutionally punish publication of the information, absent a need to further a state interest of the highest order."131

124. See William J. Clinton & Albert Gore, Jr., A Framework for Global Electronic Commerce, WHITE HOUSE (July 1, 1997), http://clinton4.nara.gov/WH/New/Commerce/read.html [https://perma.cc/ZFH4-ZWJZ].

125. See Peter Fleischer, Call for Global Privacy Standards, GOOGLE PUB. POL'Y BLOG (Sept. 14, 2007), http://googlepublicpolicy.blogspot.com/2007/09/call-for-global-privacy-standards.html [https://perma.cc/FR9Y-L38F].

126. See Richard J. Peltz-Steele, The New American Privacy, 44 GEO. J. INT'L L. 365, 383-93 (2013).

127. See Emily Adams Shoor, Narrowing the Right to be Forgotten: Why the European Union Needs to Amend the Proposed Data Protection Regulation, 39 BROOK. J. INT'L L. 487, 498-502 (2014).

128. See generally David M. Rabban, The First Amendment in Its Forgotten Years, 90 YALE L.J. 514, 522-42 (1981) (discussing Supreme Court free speech cases before World War I).

129. Okla. Publ'g Co. v. Dist. Court In & For Okla. Cty., 430 U.S. 308, 311-12 (1977) (per curiam).

130. Cox Broad. Corp. v. Cohn, 420 U.S. 469, 496-97 (1975).

131. Fla. Star v. B.J.F., 491 U.S. 524, 533 (1989).


Indeed, a U.S. court likely would not have granted Costeja Gonzáles relief.132 Costeja Gonzáles's debt and auction records were public and accurately reported by La Vanguardia.133 A string of U.S. Supreme Court cases affirm that the Constitution's outright promise of free expression protects newsworthy, true stories though they may embarrass or otherwise harm the stories' subjects.134 The fact that Google did not generate the content, but merely acted as a "newsstand"135 for its dissemination does not itself forestall First Amendment protections.136

The U.S. historical preference for free expression is not absolute, just as the European historical preference for individual privacy rights is not absolute.137 The gap between them, however, deepens under "the right to be forgotten" and global legislation implementing it. As one Facebook executive remarked, "Technology didn't create the tension but just revealed it in a dramatic way."138

IV. THE RIGHT TO BE FORGOTTEN AS UNILATERALLY DECREED AND UNIVERSALLY APPLIED

It is acceptable, even optimal, for different cultures to promote certain values over others and to effectuate such preferences through democratic governance. But digital data flow does not stop at territorial borders.139 Companies adversely affected by one nation's restrictive digital data laws need only relocate out of jurisdictional reach and continue business as usual.140 To avoid circumvention, European policymakers openly seek to impose the right to be forgotten worldwide.141 As Viviane Reding told the U.S. Chamber of Commerce, "All companies that operate in the E.U. must abide by our high standards of data protection and privacy."142 This international claim is not new.

132. See Rustad & Kulevska, supra note 33, at 355 (characterizing the right to be forgotten as "antithetical to the First Amendment of the U.S. Constitution").

133. See Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos ¶ 14-15 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&doclang=EN [https://perma.cc/8YA9-52SM] (stating that Costeja Gonzáles challenged the newspaper on the ground that the published information was irrelevant).

134. See, e.g., Fla. Star, 491 U.S. at 533; Smith v. Daily Mail Publ'g Co., 443 U.S. 97, 105-06 (1979); Okla. Publ'g Co., 430 U.S. at 311-12; Cox Broad. Corp., 420 U.S. at 496-97.

135. Toobin, supra note 50 ("We like to think of ourselves as the newsstand, or a card catalogue.").

136. See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 535 (2001) (holding that dissemination of illegally obtained content does not create liability for the media entity when the media entity itself did nothing illegal to obtain the content).

137. See Peltz-Steele, supra note 126, at 382; see also Data Regulation Proposal, supra note 71, at 6-7.

138. See Toobin, supra note 50.

When the E.U. adopted the seminal 1995 Directive, it recognized that the protections it afforded were ephemeral if tethered to territorial boundaries.143 As a result, the Directive purports to apply beyond European borders.144 The European Commission concedes as much: "Without such precautions, the high standards of data protection established by the Data Protection Directive would quickly be undermined, given the ease with which data can be moved around in international networks."145

A. Inclusive Definitions

The Directive and the forthcoming Regulation contain multiple mechanisms designed to ensure compliance from both data processors in the E.U. and those around the world. The Directive broadly defines those who fall within its ambit, as illustrated by three key definitions. The Directive applies to personal data that is processed by controllers or processors.146 Personal data is defined as "[a]ny information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."147

139. See Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 HARV. L. REV. 1966, 1972-73 (2013) ("Globalization of world data flows called for EU action with just such an international reach."); see also A.T. KEARNEY, WORLD ECON. FORUM, RETHINKING PERSONAL DATA: A NEW LENS FOR STRENGTHENING TRUST 3 (2014), http://www3.weforum.org/docs/WEFRethinkingPersonalDataANewLensReport 2014.pdf [https://perma.cc/YMN6-Q3G2] ("The growth of data, the sophistication of ubiquitous computing and the borderless flow of data are all outstripping the ability to effectively govern on a global basis.").

140. See Transferring Your Personal Data Outside the EU, EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/data-collection/data-transfer/index-en.htm [https://perma.cc/W2QM-AWR7] (last visited Feb. 4, 2016).

141. See Kuner, supra note 9, at 61-63.

142. See Viviane Reding, Vice President, Eur. Comm'n Responsible for Justice, Fundamental Rights and Citizenship, Speech at the American Chamber of Commerce to the EU (June 22, 2010), http://europa.eu/rapid/press-releaseSPEECH-10-327_en.htm [https://perma.cc/9HGX-FXLK].

143. See Data Protection Directive, supra note 10, at 39.

144. See id.; see also Kuner, supra note 9, at 61.

145. See Transferring Your Personal Data Outside the EU, supra note 140 (emphasis omitted).

Personal data certainly includes names, national identification numbers, birth certificates, and residential addresses, but it captures much more by equating "identified" with "identifiable," such as information that can identify a data subject directly or indirectly.148 Data is considered personal when it enables anyone to link information to a specific person even if the entity holding that data cannot itself make the link.149 European authorities deem data "personal" when, "although the person has not been identified yet, it is possible to do it."150 As a result, "information need not identify an individual directly to constitute 'personal data,' but the mere fact that the information is related to an individual capable of being identified results in the data being 'personal data' under the Directive."151 The forthcoming data Regulation does not attempt to curb this definition; if anything, it broadens "personal data" by defining it as "any information relating to a data subject."152

The Directive and Regulation marry this broad definition of personal data with an equally broad definition of data "processing," defined as "any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction."153

146. See Data Protection Directive, supra note 10, at 40.

147. Id. at 38.

148. See Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. REV. 1814, 1874 (2011).

149. Opinion 1/2008 on Data Protection Issues Related to Search Engines, at 3, 8 (Apr. 4, 2008), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wpl48 en.pdf [https://perma.cc/CM5B-4W6N].

150. See Opinion 4/2007 on the Concept of Personal Data, at 12 (June 20, 2007), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf [https://perma.cc/G9HQ-UUGW] (emphasis omitted).

151. McKay Cunningham, Privacy in the Age of the Hacker: Balancing Global Privacy and Data Security Law, 44 GEO. WASH. INT'L L. REV. 643, 657 (2012).

152. Data Regulation Proposal, supra note 71, at 41.

"Processing" includes collection and transfer of personal data.154 It includes redaction, deletion, storage, and automatic processing of personal data.155 The Directive and the Regulation define those deemed to have "processed" personal data as either data controllers or data processors.156 A data controller is "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data."157 Data controllers include not only Google and Axciom, but capture "neighborhood children who record orders for Girl Scout cookies."158

The Directive's operative terms are defined not by how they differ or exclude concepts, but rather how they are inclusive of them, leaving commentators wondering what, if anything, is not "personal data" and who, if anyone, is not "processing" that data.159 Anyone engaging in any commerce within the E.U. or with E.U. residents would rightly presume the Directive's application.

B. Extraterritorial Reach

The Directive, and soon the Regulation, bolster these broad definitions with compliance requirements that are purposefully extra-jurisdictional. By restricting the transfer of personal data out of the E.U., the Directive constrains data flow to the international community.160 The Directive begins broadly by prohibiting personal data transfers to all "inadequate" countries.161 As a result, European companies conducting business outside the E.U. require assurance that the home country of all business partners adequately complies with the Directive.162 Notably, only eleven countries are "adequate" according to the E.U., and the U.S. is not among them.163 Because reducing data flow to eleven countries would severely diminish continental commerce,164 the Directive allows data transfers to organizations located in nations that have "inadequate" privacy laws if the organization receiving and processing that data complies with the Directive.165 Rigid contractual agreements and binding corporate rules are two avenues the Directive allows that facilitate data transfer outside the E.U.166 Both require that the receiving entity comply with the Directive's strictures.

153. Id.

154. Data Protection Directive, supra note 10, at 38.

155. Id.

156. Data Regulation Proposal, supra note 71, at 41-42; Data Protection Directive, supra note 10, at 38.

157. Data Regulation Proposal, supra note 71, at 41.

158. Cate, supra note 64, at 183.

159. See id. at 182 (discussing the broad application of "personal data"); see also Schwartz & Solove, supra note 148, at 1873-74.

160. Data Protection Directive, supra note 10, at 45; see also Data Regulation Proposal, supra note 71, at 69 ("A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection.").

In addition to inhibiting the transfer of personal information outside the E.U., the Directive reaches beyond E.U. borders through extraterritorial provisions. The Directive requires compliance from data controllers located outside the E.U. if they "make[] use of equipment" located in the E.U.

Each Member State shall apply . . . this Directive to the processing of personal data where ... the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.167

161. Data Protection Directive, supra note 10, at 45-46.

162. See Shaffer, supra note 67, at 22.

163. See Commission Decisions on the Adequacy of the Protection of Personal Data in Third Countries, EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index en.htm [https://perma.cc/9AB6-FK44] (last visited Feb. 4, 2016) (listing Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay).

164. See Shaffer, supra note 67, at 39.

165. The principal avenues for U.S. companies seeking to comply with the E.U. Directive-and thereby receive personal information from the E.U.-include obtaining actual consent of the data subject, standard contractual clauses, binding corporate rules, and participation in the Safe Harbor program. See Data Protection Directive, supra note 10, at 46; Working Document: Transfers of Personal Data to Third Countries: Applying Article 26 (2) of the E.U. Data Protection Directive to Binding Corporate Rules for International Data Transfers, at 5-6 (June 3, 2003), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp74_en.pdf [https://perma.cc/923A-DPYZ] [hereinafter Transfers of Personal Data].

166. See Data Protection Directive, supra note 10, at 46; Transfers of Personal Data, supra note 165.

Online businesses, companies engaging in e-commerce, and entities with E.U. employees likely "process" the "personal data" of E.U. residents. If those E.U. residents use their laptops, smart phones, or other such device, the transaction "makes use of equipment" within the E.U. and arguably places such entities within the Directive's purview.168

The Regulation, interestingly, drops the "equipment" nexus and extends its extra-jurisdictional reach by purporting to control all non-E.U. entities that offer goods or services to persons in the E.U.169 As one scholar suggests, this "seems likely to bring all providers of Internet services such as websites, social networking services and app providers under the scope of the E.U. Regulation as soon as they interact with data subjects residing in the European Union."170 Organizations with only one domestic office have been historically insulated from being haled into the court of a foreign country to account for actions under that country's law.171 But both the Directive and Regulation stretch normal jurisdictional law.172 In light of the flattening effect of e-commerce, the internationalization of markets, and the estimation that over ninety percent of commercial websites collect personal data from web users, these extraterritorial provisions encompass much of the developed world.173

The impact of these provisions is evidenced by trending international law. Nineteen new omnibus privacy laws sprouted up in the 1990s, and thirty-two more emerged in the 2000s.174 At the current rate of expansion, fifty new laws will emerge in this decade.175 As Professor Graham Greenleaf notes, "The picture that emerges is that data privacy laws are spreading globally, and their number and geographical diversity accelerating since 2000."176 The Directive's extraterritorial reach arguably spurs non-E.U. countries to enact data privacy laws commensurate with the Directive.177 In fact, the great majority of countries that have enacted data privacy laws within the last two decades have tracked, to a large degree, the language of the E.U. Directive.178 If the Directive prevents non-E.U. organizations from "processing" E.U. data, it effectively truncates access to the E.U. market.179

167. Data Protection Directive, supra note 10, at 39.

168. John T. Soma et al., An Analysis of the Use of Bilateral Agreements Between Transnational Trading Groups: The U.S./EU E-Commerce Privacy Safe Harbor, 39 TEX. INT'L L.J. 171, 208 (2004).

169. See Data Regulation Proposal, supra note 71, at 41.

170. Kuner, supra note 9, at 61 (quoting DAN JERKER B. SVANTESSON, EXTRATERRITORIALITY IN DATA PRIVACY LAW 107 n.41 (2013)).

171. See Glenn R. Sarno, Haling Foreign Subsidiary Corporations into Court Under the 1934 Act: Jurisdictional Bases and Forum Non Conveniens, 55 L. & CONTEMP. PROBS. 379, 381-82 (1992).

172. Article 4 of the Directive states that if a data controller is located outside the E.U., but uses equipment within the E.U. for any purpose other than transmission, the law of the Member State where the equipment is located will apply. Data Protection Directive, supra note 10, at 39.

173. See Peppet, supra note 6.

At a certain level of abstraction, European officials designed the Directive and Regulation to require discrete protections of E.U. residents' personal data no matter where that data is processed.180 As one scholar stated, "[B]ecause of the scope of the Data Protection Directive, any business that has contact with E.U. residents on anything other than an anonymous cash-only basis has effectively collected some form of personal data and thus would be subject to the Data Protection Directive."181

V. THE RIGHT TO BE FORGOTTEN AS DISGUISED CENSORSHIP

Many characterize the right to be forgotten as censorship in the name of privacy.182 The new law empowers E.U. residents to delete their personal data from public access if search engines deem the data "irrelevant" or no longer "necessary," subverting neutral search results, creating content gaps, and according to some scholars, "rewriting history."183 Deleted information need not be untruthful, defamatory, or inaccurate.184 No legal oversight or official authority determines whether data should be deleted.185 The Wikimedia Foundation's executive director, Lila Tretikov, warned of "an internet riddled with memory holes,"186 while other academics contend that a less searchable Internet "derogates the role of counterspeech," and "disrupt[s] the natural process of communication"-both necessary for a robust marketplace of ideas.187

Search engines, bloggers, websites, and news media face significant fines for non-compliance. The current data Directive allows fines up to two percent of worldwide turnover, which will increase to the greater of €100 million or five percent of annual worldwide turnover under the new Regulation.188 Such imposing fines generate a chilling effect;189 search engines like Google would sooner delete wholesale links than pay debilitating fines for each refused request.190 Perhaps in light of such fines, Google promptly instituted the mechanisms necessary to comply with the CJEU ruling, opening the way for large-scale data erasures.

174. See Graham Greenleaf, 76 Global Data Privacy Laws, PRIVACY L. & BUS., Sept. 2011, at 2.

175. Id.

176. Id.

177. Rotenberg & Jacobs, supra note 51, at 642 ("The practical consequence of compliance is to raise privacy standards for customers both within and without the European Union, thus 'ratcheting up' the standards for data privacy regulation globally.").

178. Kuner, supra note 9, at 60.

179. See Shaffer, supra note 67, at 39 ("Were a country that attracted little U.S. trade and investment to restrict data transfers to the United States, a ban would pose little harm to overall U.S. commercial interests because of the small size of the country's market.").

180. See Kuner, supra note 9, at 60.

181. Soma et al., supra note 168, at 205.

182. See Ambrose, supra note 94, at 11; Jeffrey Rosen, The Deciders: The Future of Privacy and Free Speech in the Age of Facebook and Google, 80 FORDHAM L. REV. 1525, 1533 (2012); Svantesson, supra note 48, at 165; Peter Fleischer, Foggy Thinking About the Right to Oblivion, PETER FLEISCHER: PRIVACY (Mar. 9, 2011), http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html [https://perma.cc/2AGH-UHT3].

183. See Rustad & Kulevska, supra note 33, at 372-73 ("An overly expansive right to be forgotten will lead to censorship of the Internet because data subjects can force search engines or websites to erase personal data, which may rewrite history.").

184. See Peltz-Steele, supra note 126, at 382.

185. See Fleischer, supra note 182 (emphasis omitted) ("It used to be that people would invoke libel or defamation to justify censorship about things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made on speech that is true.").

186. Loek Essers, Wikimedia: Right to be Forgotten Results in "Internet Riddled with Memory Holes", PC WORLD (Aug. 6, 2014, 9:55 AM), http://www.pcworld.com/article/2462220/wikimedia-right-to-be-forgotten-results-in-internet-riddled-with-memory-holes.html [https://perma.cc/VT38-VHUP].

187. Larson III, supra note 48.

188. Data Regulation Proposal, supra note 71, at 93.

189. See Shoor, supra note 127, at 505 (stating that data "controllers will be incentivized to take content down even when it may in fact be permissible").

190. Jeffrey Rosen, The Right To Be Forgotten, 64 STAN. L. REV. ONLINE 88, 90-91 (2012).


A. Applying the Right to be Forgotten

Google first created software enabling link removal, which was not novel since Google already employs similar systems for copyrighted and trademarked works.191 The trickier task called for an administrative system to facilitate and determine the validity of removal requests.192 Google created and posted a request form, which was itself controversial.193

The form appears in at least twenty-five languages within the various European search domains.194 It is not currently available on Google's website, a fact likely to spawn legal disputes.195 The form requires claimants to give their name and submit a photograph of their driver's license or national ID, which seems antithetical to the request for erasure, but is nevertheless required due to "fraudulent removal requests from people impersonating others, trying to harm competitors, or improperly seeking to suppress legal information."196 The form also requires claimants to identify the "country whose law applies" to the request,197 reflecting Google's determination to limit the right to be forgotten to country-specific search domains. Finally, claimants must explain why the "inclusion of that result in search results is irrelevant, outdated, or otherwise objectionable."198

Google received 12,000 requests to delete information within one day of publishing the form; those requests grew to 41,000 over the next three days.199 Fraud accusations and other serious crimes constituted over half of those requests, and another twelve percent related to child pornography.200 As of May 2016, Google has evaluated 432,097 requests to remove URLs and has removed 549,624 URLs,201 refusing for now to comply with the Working Party's exhortations to delete the information fully, including deletions from Google's website.202

191. See Toobin, supra note 50.

192. See Shoor, supra note 127, at 505-07.

193. See The Right to be Forgotten: Drawing the Line, ECONOMIST (Oct. 4, 2014), http://www.economist.com/news/international/21621804-google-grapples-consequences-controversial-ruling-boundary-between [https://perma.cc/L3JE-EUHR].

194. See Toobin, supra note 50.

195. Id. Instead of posting a form allowing petitions for content deletion, Google's legal page states that "Google.com is a US site regulated by US law," and "Google provides access to publicly available webpages, but does not control the content of any of the billions of pages currently in the index." See Removing Content from Google, GOOGLE SUPPORT, https://support.google.com/legal/troubleshooter/1114905?rd=1#ts=1115655,6034194,1115974 [https://perma.cc/FWK4-K75V] (last visited Feb. 18, 2016).

196. See Dewey, supra note 16.

197. Id.

198. See Toobin, supra note 50.

199. See Preece et al., supra note 17.

As a result of these deletions, an identical query under differing domain extensions renders disparate results. The Internet of Spain is not the Internet of Germany and certainly not the Internet of the U.S., marking "the beginning of an Internet where there are national networks, where decisions by governments dictate which information people get access to."203 A Google search using someone's name in European countries now prompts a warning at the bottom of the page: "Some results may have been removed under data protection law in Europe."204 Google is not the only search engine to comply with the CJEU's ruling. As early as November 2014, search engine rivals Bing and Yahoo announced plans to comply with the ruling.205 Both companies have created a process for Europeans to claim deletions and both have deleted links in compliance with European law.206

Perhaps predictably, deleting information in the digital age has proven difficult. The website "Hidden from Google" archives deleted links, along with the relevant search term and the source that revealed the missing information.207 Media stories involving a financial scandal, a shoplifter, and a sexual predator have disappeared from Google search results only to reappear on the "Hidden from Google" webpage.208 Media outlets have followed suit. The British Broadcasting Corporation (BBC) now publishes the links to its stories that have been deleted from Google searches.209 In the short time since the 2014 ruling that recognized the right to be forgotten, well over 100 BBC stories have disappeared from Google searches210-an alarming number given the erasure of presumably newsworthy content. Indeed, the BBC articles removed include stories about the sentencing of a rapist, the murder of an heiress and a court case defining what constitutes a game of football.211 The publication of Google's delisted stories perhaps presages a "black market Google," a searching application that grows in proportion with the increase of deleted links under the right to be forgotten.

B. Search Engines, Webmasters, and Application of an Ambiguous Standard

Characterizing the right to be forgotten as censorship grows in part from the amorphous standard that Google and other data controllers must apply. They are called to ferret the relevant from the irrelevant, the outdated from the germane.212 In one instance, BBC's Robert Peston claimed he was "cast into oblivion" when his blog post seemingly disappeared from Google searches.213 Peston's blog post discussed chief executive Stanley O'Neal's departure from investment bank Merrill Lynch, which raised censorship allegations due to the newsworthy content and whitewashing implications.214 Indeed, Google has removed links to numerous news articles,215 one about a sales director antagonizing a couple before a sports game, another about a teenager responsible for almost forty percent of the crime in his town.216 A page about former criminal Gerry Hutch was removed, as well as data about the Italian gangster Renato Vallanzasca.217 Two convicted murderers in Germany sued Wikipedia's parent organization for refusing their requested anonymity in the English-language article that memorialized the victim's murder.218

The deletion of data generated by news media bolsters censorship allegations and reflects the precarious position data controllers occupy in attempting to honor the right to be forgotten-and thus avoid E.U. fines-while not offending an array of other national laws that protect free expression and freedom of the press.219 Members of the United Kingdom's House of Lords argue that it is 'wrong in principle' to leave it to search engines to decide whether or not to delete information, based on 'vague, ambiguous and unhelpful' criteria."220

Adding to allegations of censorship, data controllers have no obligation under either the CJEU ruling or the Directive to alert webmasters that links to their pages have been delisted.221 In fact, E.U. officials discouraged Google from giving such notice.222 Although Google has nevertheless committed to notification, data controllers are under no obligation to do so, suggesting that links removing access to data may disappear without knowledge of their removal. Wikipedia postulates that links have been removed without its knowledge, drawing unequivocal disapproval from its executive director: "We find this type of veiled censorship unacceptable. But we find the lack of disclosure unforgivable. This is not a tenable future. We cannot build the sum of all human knowledge without the world's true source, based on pre-edited stories."223

200. Id.

201. See Transparency Report: European Privacy Requests for Search Removals, supra note 19.

202. See Van Alsenoy & Koekkoek, supra note 34, at 15.

203. See Toobin, supra note 50.

204. See Charles Arthur, What is Google Deleting Under the "Right to be Forgotten" - and Why?, GUARDIAN (July 4, 2014, 12:45 PM), http://www.theguardian.com/technology/2014/jul/04/what-is-google-deleting-under-the-right-to-be-forgotten-and-why [https://perma.cc/4DLD-7BZW].

205. See Dredge, supra note 20.

206. See id.

207. See A List of Links Affected by the "Right to be Forgotten", HIDDEN FROM GOOGLE, http://hiddenfromgoogle.afaqtariq.com/ [https://perma.cc/HUR9-8JDF] (last visited Feb. 4, 2016).

208. See Jeff Roberts, "Hidden from Google" Shows Sites Censored Under EU's Right-to-be-Forgotten Law, GIGAOM (July 16, 2014, 6:41 AM), https://gigaom.com/2014/07/16/hidden-from-google-shows-sites-censored-under-eus-right-to-be-forgotten-law/ [https://perma.cc/FH9F-667U].

209. Neil McIntosh, List of BBC Web Pages Which Have Been Removed from Google's Search Results, BBC: INTERNET BLOG (June 25, 2015, 2:40 PM), http://www.bbc.co.uk/blogs/internet/entries/1d765aa8-600b-4f32-b110-d02fbf7fd379 [https://perma.cc/AX9H-FZK3].

210. Id.

211. Jamie Condliffe, BBC Is Listing Pages Removed by Google Under EU Right-To-Be-Forgotten, GIZMODO (June 29, 2015, 6:00 AM), http://gizmodo.com/bbc-is-listing-pages-removed-by-google-under-eu-right-t-1714610528 [https://perma.cc/E95Q-DXAH].

212. See Abril & Lipton, supra note 70, at 380-81.

213. Robert Peston, Why has Google Cast me into Oblivion?, BBC (July 2, 2014), http://www.bbc.com/news/business-28130581 [https://perma.cc/ZC2L-TUP8].

214. Id.

215. See Uki Goni, Can a Soccer Star Block Google Searches?, TIME (Nov. 14, 2008), http://content.time.com/time/world/article/0,8599,1859329,00.html [https://perma.cc/MN5H-5KBA] (reporting that various public figures sought data deletion under Argentina's version of the right to be forgotten).

216. See Preece et al., supra note 17.

217. Alex Hern, Wikipedia Swears to Fight 'Censorship' of 'Right to be Forgotten' Ruling, GUARDIAN (Aug. 6, 2014, 8:40 AM), http://www.theguardian.com/technology/2014/aug/06/wikipedia-censorship-right-to-be-forgotten-ruling [https://perma.cc/9LNT-R8DS].

218. See John Schwartz, Two German Killers Demanding Anonymity Sue Wikipedia's Parent, N.Y. TIMES (Nov. 12, 2009), http://www.nytimes.com/2009/11/13/us/13wiki.html [https://perma.cc/H8XS-5HPB].

219. See Shoor, supra note 127, at 505-07.

220. Catherine Baksi, Right To Be Forgotten "Must Go", Lords Committee Says, L. GAZETTE (July 30, 2014), http://www.lawgazette.co.uk/law/right-to-be-forgotten-must-go-lords-committee-says/5042439.fullarticle [https://perma.cc/P4QP-E6U9].

221. See, e.g., Jef Ausloos & Aleksandra Kuczerawy, From Notice-and-Takedown to Notice-and-Delist: Implementing the Google Spain Ruling, 14 COLO. TECH. L.J. (forthcoming Spring 2016). But see Data Regulation Proposal, supra note 71, at 51 (requiring data controllers to notify third parties of requested deletion).

222. See Toobin, supra note 50 (citing objections from the Article 29 Working Party to "Google's practice of informing publishers when links that individuals objected to were deleted").

Finally, requests for data removal belie the varied and complex ways in which data originates to the Internet. The offensiveness of the censorship often depends on the data subject's relationship to the information.224 Requesting removal of a data subject's own photograph of himself that he posted prompts a different assessment than requesting removal of information posted about the data subject by someone else.225 Personal information collected by cookies or logs used to facilitate transactions on a particular website poses different concerns than personal information volunteered by the data subject years ago, but later copied or transformed into a different format by others.226 Must Google remove links to a family photograph when only one member wants the photograph taken down? When a data subject requests removal of her "tweet," must Google also remove links to a blog posting that incorporated that "tweet"?

The Directive and forthcoming Regulation do not address these complexities directly. The Regulation contains specific exceptions that limit the right to be forgotten, including freedom of expression, public interest, and historical, statistical, and scientific research.227 These exceptions arguably prohibit politicians and other public figures from whitewashing past indiscretions but, as mentioned above, data generated through journalism and news media have already been deleted under the right to be forgotten. Public figures have successfully deleted deprecating links.228 Perhaps such deletions only reflect the growing pains associated with the roll out of a newly conferred right. Google, in fact, has publicly confessed missteps in its attempted compliance.229

223. Hern, supra note 217.

224. See Fleischer, supra note 182.

225. See id.

226. See Abril & Lipton, supra note 70, at 382-84.

227. See Data Regulation Proposal, supra note 71, at 52.

228. See, e.g., Preece et al., supra note 17; Right to be Forgotten: Google Raise Concern with BBC Link Removal, TELEGRAPH (July 4, 2014, 10:44 AM), http://www.telegraph.co.uk/technology/google/10945597/Right-to-be-forgotten-Google-raise-concern-with-BBC-link-removal.html [https://perma.cc/S7LW-BS93].

But even if news media eventually obtain better exemptions, and even if data controllers gain a fuller awareness of the inapplicability of the erasure requests of data pertaining to public figures, data controllers still decide.230 The Regulation provides little guidance for data controllers when determining whether a given request implicates the free-expression exception sufficient to allow rejection of the request.231 For example, the Regulation requires that Member States provide an exemption for "journalistic purposes,"232 but it does not define "journalist," leaving vulnerable data published by bloggers, tweeters, and other non-traditional media.233 Moreover, the Regulation directly binds all E.U. Member States,234 but each has differing free-expression laws,235 necessarily requiring that data controllers become international legal experts. No European official or authority first assesses these often legally complex issues. Since data controllers confront "ruinous monetary sanctions" if they "do[] not comply with the right to be forgotten,"236 close calls and requests that provoke nuanced legal analysis will likely result in data deletion.

C. Restricting the Innocuous; Exempting the Harmful

The right to be forgotten is also flawed in application because the law is both over- and under-inclusive. The Directive's and the Regulation's expansive definitions of "personal information" and those who "process" personal information237 dilute their effect. Teens posting pictures of friends on Facebook, companies cataloguing business contacts, and students using websites to register volunteers qualify as data controllers.238 IP addresses-the nine digits assigned to devices logged onto the Internet-are "personal information," as are web cookies.239 Data constitutes "personal information" when it enables the holder to link information to a specific person, even if the holder herself has not made the link.240

229. See Preece et al., supra note 17 ("Only two months in, our process is still very much a work in progress. It's why we incorrectly removed links to an article last week.").

230. See Data Regulation Proposal, supra note 71, at 51-52.

231. Abril & Lipton, supra note 70, at 371 (stating that the Regulation "sketches only faint boundaries for the right to be forgotten").

232. Data Regulation Proposal, supra note 71, at 94.

233. Abril & Lipton, supra note 70, at 382 (asking whether information "published in a formal news media outlet" would be "treated differently from that published in a personal blog, social media website, or chat group"); Rustad & Kulevska, supra note 33, at 375.

234. Data Regulation Proposal, supra note 71, at 94-95.

235. Id. ("Member States shall provide for exemptions or derogations from [Article 17] . . . for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.").

236. Rosen, supra note 190, at 90.

The broad definition of "personal information" stretches even further with re-identification software. Information that tangentially relates to a person, but does not include the person's name, likeness, address, social security number, or other direct identifier can be readily de-coded.241 Commenters have noted, "The emergence of powerful re-identification algorithms demonstrates ... the fundamental inadequacy of the entire privacy protection paradigm based on 'de-identifying' the data."242 The more data we have, the less any of it can be considered "private."243 Location data, commercial transactions, web browsing histories and much more populate de-anonymizing algorithms, prompting the observation that "any attribute can be identifying in combination with others."244 By defining "processing" and "personal information" so broadly and thereby capturing a sea of harmless behavior, the law is disconnected from the violations it seeks to redress, diluting its effectiveness and inviting uneven enforcement.245

The right to be forgotten's scope is expanded with the application of this definition of "personal information." It amplifies the range of data that is subject to deletion since the right to be forgotten is tethered to an E.U. resident's personal information.246 As noted above, the definition and subsequent interpretation of that term reaches far beyond its denotation.247 It reaches beyond a request to delete photographs or links to Facebook profiles. It includes IP addresses, search histories, anonymized locational data, metadata, and a host of other data because that data could enable the holder to eventually link it to the data subject.248

The over-inclusiveness of the Directive is also illustrated by its application to providers of data security.249 The most effective data security protocols require large data sets to detect minuscule aberrations or abnormal data processing, which often attend malware.250 Given the need to analyze massive data sets in order to detect malware, the likelihood of processing personal information in so doing is high.251 But the over-inclusive Directive allows no exception for processing personal data-which could be as innocuous as IP addresses-for purposes of data security. Requiring that data security providers notify each data subject and obtain unqualified consent slows, if not completely forestalls, those security protocols that require analysis of large data sets. Failing to allow an exception for data security runs counter to the Directive's privacy goal since data that cannot be protected cannot be private. Security breaches from Sony to top U.S. agencies occur with increasing regularity.252 Commentators, journalists, and government officials "all agree that inadequate security is an emerging threat-perhaps a catastrophic one . . . ."253

237. See Data Regulation Proposal, supra note 71, at 41-42; Data Protection Directive, supra note 10, at 38.

238. See Cate, supra note 64, at 183.

239. Opinion 1/2008 on Data Protection Issues Related to Search Engines, supra note 149, at 6-9.

240. Schwartz & Solove, supra note 148, at 1817.

241. Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. REV. 1701, 1706-18 (2010) (discussing the prevalence of identifying individuals through anonymized data).

242. Arvind Narayanan & Vitaly Shmatikov, Privacy and Security: Myths and Fallacies of "Personally Identifiable Information", COMM. ACM, June 2010, at 24-26.

243. Patrick Tucker, Has Big Data Made Anonymity Impossible?, MIT TECH. REV. (May 7, 2013), http://technologyreview.com/news/514351/has-big-data-made-anonymity-impossible/ [https://perma.cc/XJF3-TBVF].

244. Narayanan & Shmatikov, supra note 242, at 26 (emphasis omitted).

245. Enforcement of laws that incriminate a disproportionately large ratio of those individuals governed by it, or that are so broad as to capture the entire body politic, have historically been declared invalid. See, e.g., People v. Golb, 15 N.E.3d 805, 464-68 (N.Y. 2014); People v. Dietze, 549 N.E.2d 1166, 1168 (N.Y. 1989) (striking down a similar harassment statute which prohibited the use of abusive or obscene language with the intent to harass, annoy, or alarm another person).

246. See Data Regulation Proposal, supra note 71, at 51-52.

247. See supra Section IV.A.

248. Id.; see also Schwartz & Solove, supra note 148, at 1819.

249. See Cunningham, supra note 151, at 646.

250. SYMANTEC CORP., INTERNET SECURITY THREAT REPORT: 2011 TRENDS 44 (2012), http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf [https://perma.cc/CTP6-9FC8] (describing strategies where "multiple, overlapping, and mutually supportive defensive systems ... guard against single-point failures in any specific technology or protection method").

251. See Technology: Defense in Depth, SYMANTEC, http://securityresponse.symantec.com/about/profile/star_technology.jsp [https://perma.cc/7BN9-45AA] ("Unlike file-based protection, which must wait until a file is physically created on a user's computer before scanning it, network-based protection analyzes all incoming data streams before they can [sic] processed by the computer's operating system and cause harm.") (last visited Feb. 18, 2016).

The Directive's broad reach captures an unnecessarily high percentage of "data processors" whose use of E.U. "personal information" is disassociated from the harms the Directive seeks to alleviate.254

While the Directive's over-inclusive scope captures many innocent uses of "personal information," it is also under-inclusive, exempting many of privacy's worst offenders. The Directive and the Regulation do not apply, for example, to data processing relating to national security and criminal investigations.255 Although both pursuits often require secrecy, the Directive grants wholesale exemptions with no parameters.256 Edward Snowden's revelations about U.S. domestic and international interception programs, data mining, surveillance, and third-party data collection unveiled privacy violations to an extent previously unknown.257 Of course, the U.S. is not the only nation exploiting privacy and personal records under the guise of "national security."258 An individual's right to access should "never be totally excluded, but rather can at most be partially restricted or temporarily suspended in a series of unequivocally defined and exhaustively listed cases."259 The Directive offers no such definition to the national security and criminal investigation exceptions, leaving government surveillance largely unchecked.

252. See Devlin Barrett & Danny Yadron, Sony, U.S. Agencies Fumbled After Cyberattack, WALL STREET J. (Feb. 22, 2015, 4:43 PM), http://www.wsj.com/articles/sony-u-s-agencies-fumbled-after-cyberattack-1424641424 [https://perma.cc/PT5N-N5H2].

253. Derek E. Bambauer, Conundrum, 96 MINN. L. REV. 584, 586-87 (2011).

254. See Cate, supra note 64, at 183.

255. Data Regulation Proposal, supra note 71, at 40; Data Protection Directive, supra note 10, at 39.

256. Data Protection Directive, supra note 10, at 42.

257. Stephanie K. Pell & Christopher Soghoian, A Lot More than a Pen Register, and Less than a Wiretap: What the StingRay Teaches Us About How Congress Should Approach the Reform of Law Enforcement Surveillance Authorities, 16 YALE J.L. & TECH. 134, 136-43 (2013).

258. See Zachary W. Smith, Privacy and Security Post-Snowden: Surveillance Law and Policy in the United States and India, 9 INTERCULTURAL HUM. RTS. L. REV. 137, 210 (2014) (discussing India's expansion of surveillance at the cost of privacy).

259. Spiros Simitis, From the Market to the Polis: The EU Directive on the Protection of Personal Data, 80 IOWA L. REV. 445, 460 (1995).

The right to be forgotten does not curb these privacy violations. It has no effect on them. Private information gathered or retained for purposes of national security is immune from a data subject's erasure requests.260 Under the banner of national security, governments have no duty to reveal, turn over, and certainly no obligation to delete a data subject's personal information.261 It borders on irony to exempt government exploitation of personal records in the name of national security when the font of European privacy vigilance stems from similar exploitation.

The other notable exception revealing the law's under-inclusiveness is the Directive's Safe Harbor provision. After years of negotiations, the European Commission agreed to a less-demanding version of the Directive for application in the U.S.262 Given U.S. reliance on self-regulation and free expression, European officials hoped to bridge the gap with a Safe Harbor program that incorporated the Directive's principles but remained voluntary and required little oversight.263 The less-exacting version of the Directive has thus far resulted in pro forma compliance from the relatively few U.S. companies that have chosen to participate.264

Safe Harbor invites hollow compliance because it isvoluntary and largely unenforced.265 Government officials do

260. See Data Regulation Proposal, supra note 71, at 40 (providing that the new dataprotection regime will not apply to the processing of personal data in the course of anyactivity concerning national security).

261. Id.262. See Christopher Kuner, Onward Transfers of Personal Data under the U.S. Safe

Harbor Framework, PRIVACY & SEC. L. REP. Aug. 2009, at 2, https://www.wsgr.com/attorneys/BIOS/PDFs/kuner-0809.pdf [https://perma.cc/R68B-98JM].

263. See Welcome to the U.S.-EU & US.-Swiss Safe Harbor Frameworks, EXPORT,http://export.gov/safeharbor/ [https://perma.ccIY8HQ-WN7B] (last updated Feb. 11, 2016);see also Opinion 7/99 On the Level of Data Protection Provided by the "Safe Harbor"Principles, at 2, 11-13 (Dec. 3, 1999), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/1999/wp27_en.pdf[https://perma.cc/4FKW-4SFR]; Morey Elizabeth Barnes, Falling Short of the Mark: TheUnited States Response to the European Union's Data Privacy Directive, 27 Nw. J. INT'LL. & Bus. 171, 179-80 (2006).

264. See Angela Vitale, Note, The EU Privacy Directive and the Regulating Safe Harbor: The Negative Effects on U.S. Legislation Concerning Privacy on the Internet, 35 VAND. J. TRANSNAT'L L. 321, 339 (2002).

265. See McKay Cunningham, Next Generation Privacy: The Internet of Things, Data Exhaust, and Reforming Regulation by Risk of Harm, 2 GRONINGEN J. INT'L L. 115,


not analyze or otherwise certify that an applicant complies with Safe Harbor principles before awarding certification. A company need only declare compliance publicly and mail a notification of self-certification to the U.S. Department of Commerce.266 U.S. businesses that self-certify in this manner are then afforded automatic approval to process the personal information of E.U. residents.

This approach does not foster compliance with the Directive's privacy principles.268 One 2008 study scrutinized each of the 1597 companies that self-certified as compliant with Safe Harbor principles.269 The study focused on one of the seven Safe Harbor principles, finding that only 348 of 1597 companies complied with that single principle.270 The voluntary nature of the Safe Harbor program also dissuades potential applicants who view self-certification as inviting unnecessary liability and oversight.271 Professor Joel R. Reidenberg concludes that "self-regulation is not an appropriate mechanism to achieve the protection of basic political rights. Self-regulation in the United States reduces privacy protection to an uncertain regime of notice and choice."272

What little protection the Safe Harbor program has engendered has been minimally enforced. As one commentator notes, "The heaviest criticism is levied against the Safe Harbor's inadequate internal and external enforcement mechanisms."273 While Safe Harbor became effective in 2000, the Federal Trade

130 (2014); Daniel R. Leathers, Note, Giving Bite to the EU-U.S. Data Privacy Safe Harbor: Model Solutions for Effective Enforcement, 41 CASE W. RES. J. INT'L L. 193, 195-96 (2009).

266. See Safe Harbor Overview, EXPORT, http://www.export.gov/safeharbor/sh_overview.html [https://perma.cc/5VFD-A6ZB] (last visited Feb. 5, 2016).

267. See id.

268. See Soma et al., supra note 168, at 185.

269. See CHRIS CONNOLLY, GALEXIA, THE US SAFE HARBOR - FACT OR FICTION? (2008), at 4 (2008), http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/safe_harbor_fact_or_fiction.pdf [https://perma.cc/V79B-834S].

270. Id.

271. See David Raj Nijhawan, Note, The Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States, 56 VAND. L. REV. 939, 957 (2003) (noting that "in order to comply, companies must incur substantial costs to ensure that their data management processes meet threshold requirements").

272. Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 HOUS. L. REV. 717, 727 (2001).

273. See Leathers, supra note 265, at 195.


Commission, charged with its enforcement, did not bring an enforcement action until 2009.274 Given the large number of U.S. organizations engaged in e-commerce, data analytics, or otherwise processing large amounts of data, the Safe Harbor "exception" effectively insulates a significant faction of privacy offenders. A right to be forgotten that applies in the U.S. but is not respected by U.S. companies or enforced by U.S. authorities subverts the Directive's primary goal.

This Safe Harbor flaw mirrors the critical defect plaguing the overall European approach to privacy. The Directive and the Regulation aspire to a universal right to privacy.275 In so doing, they pronounce sweeping privacy rights that encompass all processing of all E.U. personal data. But the privacy rights are unmoored from the harms associated with the absence of privacy. The laws restrict harmless data controllers, and in so doing reduce incentive to respect the law and enforce it.277 The Directive and the Regulation then carve out considerable exemptions for entities that propagate harms deriving from the exploitation of private data. By including almost all data controllers irrespective of whether they cause privacy harms and by excluding many data controllers that in fact harm individuals by misusing their private data, the Directive and Regulation undermine their core objective.

VI. ALTERNATIVES TO THE RIGHT TO BE FORGOTTEN

Better legal frameworks exist, though they are more complex and therefore less readily enacted. Instead of a unilateral privacy law declaring all personal data protected and requiring data controllers to delete personal information deemed "irrelevant," privacy law should target specific harms that attend specific privacy violations. Regulation that bars entities from surreptitiously collecting a user's browser history and sharing it

274. See LISA J. SOTTO, PRIVACY AND DATA SECURITY LAW DESKBOOK § 18.02[B] (Supp. 2015); see also Press Release, Fed. Trade Comm'n, Court Halts U.S. Internet Seller Deceptively Posing as U.K. Home Electronics Site (Aug. 6, 2009), https://www.ftc.gov/news-events/press-releases/2009/08/court-halts-us-internet-seller-deceptively-posing-uk-home [https://perma.cc/9SX5-QQ2Q].

275. See Data Regulation Proposal, supra note 71, at 40; Data Protection Directive, supra note 10, at 38.

276. See infra Part IV.A.

277. See Cate, supra note 64, at 184.


with advertisers or creating a user profile for marketing purposes, for example, entails a closer nexus between user privacy and potential harm from its violation. A private data usage regulation "as it relates to particular risks or harms better comports with consumer law generally and permits the needed adaptability to reflect context and evolving technology."278

Instead of a ubiquitous E.U. law that captures all data processing, privacy regulation should reflect user expectations. Users expect that purchases made with vendors, online banking deals, geolocation logs captured by telephone carriers, search activity logs, and email addresses divulged for singular commercial transactions will remain with the relevant parties for the original and intended uses.279 The undisclosed collection, transfer to third parties, and monetization of this personal data for marketing and profiling should be prevented. Calibrating the risk of harm based on the use of personal data reveals the value of that data and allows local regulatory regimes to adopt protective policies incrementally.

Such policies must abandon the all-encompassing definition of "personal information" and adopt a privacy taxonomy that reflects the complexity and transferability of digital information. As Professor Daniel Solove notes, "Privacy seems to be about everything, and therefore it appears to be nothing.... [N]obody seems to have any very clear idea what it is."280 Professor Solove divides informational privacy into categories and contexts, including information collection, information processing, information dissemination, and information invasion.281

Others posit taxonomies directly applicable to the right to be forgotten. For example, meaningful distinctions attend regulation of data that is passively created (e.g. clickstream data) versus actively created data (e.g. "tweets").282 Likewise, policymakers craft more precise laws when distinguishing "internal" data, which "derive[s] from the data subject about

278. Cunningham, supra note 265, at 142.

279. See Joshua J. McIntyre, Comment, Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information, 60 DEPAUL L. REV. 895, 895-96 (2011).

280. Daniel J. Solove, A Taxonomy of Privacy, 154 U. PA. L. REV. 477, 479-80 (2006).

281. Id. at 489.

282. Ambrose, supra note 94, at 11.


herself," from "external" data, "which is generated by someone else about the data subject."283 Accounting for the data's origination and initial publication as compared to its "downstream" integration would similarly facilitate more nuanced privacy regulation.284 Identifying and defining the diverse avenues in which personal data is created, published, transferred, and used enables policymakers to more effectively protect it.

Viable privacy regulation that honors these complexities is not beyond reach. To a degree, U.S. law already envisions such a multi-tiered legal framework.286 Inlaid within the many exceptions to free expression, privacy advocates see common ground with European sentiments promoting the right to be forgotten.287 The law distinguishes public figures from private persons, for example, and addresses harms that derive from defamatory publications.288 In criminal law, assorted procedural rules insulate an individual's reputation, including secrecy in grand jury proceeding,289 pre-sentencing reports, and search warrant applications. Numerous states permit some form of criminal record expungement,292 similar in spirit to the right to be forgotten. Access to civil court records is limited in various instances, including access for "improper purposes," like

283. Id.

284. Id.

285. See generally Peltz-Steele, supra note 126 (describing privacy norms within the United States that resemble those in Europe).

286. Id. at 409.

287. See id. at 410; see also Bennett, supra note 96.

288. See, e.g., Gertz v. Robert Welch, Inc., 418 U.S. 323, 342-43 (1974); N.Y. Times Co. v. Sullivan, 376 U.S. 254, 279-80 (1964).

289. See, e.g., FED. R. CRIM. P. 6(e)(2).

290. See FED. R. CRIM. P. 32(e). Upon conviction, the federal code and most state criminal procedure codes provide for a pre-sentence investigation and report, usually researched and written by a probation officer to guide the judge's sentencing ruling. Id.; see also Ricardo J. Bascuas, The American Inquisition: Sentencing After the Federal Guidelines, 45 WAKE FOREST L. REV. 1, 60 (2010). The pre-sentencing reports often contain hearsay, opinion, and speculation. See id. at 64-66. As a result, most criminal procedure codes call for confidentiality of pre-sentence reports. See id. at 66.

291. See Peter A. Winn, Online Court Records: Balancing Judicial Accountability and Privacy in an Age of Electronic Information, 79 WASH. L. REV. 307, 309 (2004).

292. See Anna Kessler, Comment, Excavating Expungement Law: A Comprehensive Approach, 87 TEMPLE L. REV. 403, 417 (2015); see also Fruqan Mouzon, Forgive Us Our Trespasses: The Need for Federal Expungement Legislation, 39 U. MEM. L. REV. 1, 31-34 (2008).

"gratify[ing] private spite."293 In 2004, the Supreme Court suggested that a legal privacy right was "at its apex" when records involve private citizens.294 Even copyright law has been invoked to erase data.295 When Jennifer Lawrence, Kate Upton, and other celebrities scrambled to contain leaked photographs, copyright law was their most potent legal tool in convincing Google and other websites to take down posted pictures.296

These laws already alleviate some of the harms that the right to be forgotten addresses. But there is a meaningful distinction between outlawing defamatory statements or publication of copyrighted material and a right to erase all "irrelevant" personal information. A right to be forgotten promotes withdrawal from society and, in its extreme form, is antisocial.297 It is differentiated from a right to privacy from prying eyes, which itself is not antithetical to societal engagement. Even those fully immersed in public life require occasional respite from it. The right to be forgotten, by contrast, does not mediate the relationship between individual and society, it truncates it.298

While it is true that the Internet to some extent better "remembers" past indiscretions, and that the second chances enjoyed by our ancestors by merely relocating cross-country are not ours to enjoy, it is not justification enough to scrub published truthful data from public access. Instead, the public

293. See, e.g., Nixon v. Warner Commc'ns, Inc., 435 U.S. 589, 598 (1978); see also U.S. Dep't of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 769 (1989).

294. Nat'l Archives & Records Admin. v. Favish, 541 U.S. 157, 166 (2004); see also Whalen v. Roe, 429 U.S. 589, 599 (1977) (noting "individual interest in avoiding disclosure of personal matters"); Dep't of the Air Force v. Rose, 425 U.S. 352, 381 (1976) (stating republishing of information that may have been "wholly forgotten" can cause separate harm, which "cannot be rejected as trivial").

295. Copyright Act, 17 U.S.C. § 107 (2006); Universal City Studios, Inc. v. Corley, 273 F.3d 429, 458-61 (2d Cir. 2001).

296. See Eriq Gardner, Google Responds to Jennifer Lawrence Attorney's $100 Million Lawsuit Threat, HOLLYWOOD REP. (Oct. 2, 2014, 12:23 PM), http://www.hollywoodreporter.com/thr-esq/google-responds-jennifer-lawrence-attorneys-737656 [https://perma.cc/K5FY-TEWL] (claiming Google "isn't abiding by its responsibilities under the Digital Millennium Copyright Act to expeditiously remove owned images on platforms that include YouTube and Blogspot").

297. See Tessa Mayes, We Have No Right to be Forgotten Online, GUARDIAN (Mar. 18, 2011, 10:16 AM), http://www.theguardian.com/commentisfree/libertycentral/2011/mar/18/forgotten-online-european-union-law-internet [https://perma.cc/843A-4S2U].

298. See id.


must and will evolve to the information age.299 Already we recognize that a teenager's drunken Facebook photograph has little to do with her employability eight years later. "Like other resources, information is perishable, depreciating in value over time. Depreciation will occur at different rates for different pieces of information, which correlates to the content's relevance and accuracy."301

Moreover, claims that "the web collects nearly everything and everyone" and that "Internet postings" are "now impossible to forget"302 are wrong.303 The Internet sheds tremendous amounts of digital data, often in short order. Those tasked with archiving Internet data say "the Internet is quite fleeting," and note that the life span of the average link is forty-four to 100 days.304 In one study, 77% of content remained accessible after one day.305 In another study, only 50% of content remained accessible after 100 days.306 Between 2009 and 2012, researchers selected tweets on publicly significant events, including the Syrian revolution and the H1N1 virus.307 As time passed, content disappeared: 11% disappeared within a year, increasing to 27% after two years.308 The dissolving nature of digital data casts the right to be forgotten in a different light. Why exacerbate data loss with additional deletions? Does the natural decay of digital data better protect individuals and society from the harms of lingering data than allowing purposeful content manipulation by those with the most bias towards it?

The harms associated with deleting digital content seem especially severe when considering the universal impact. Although undecided by Google Spain SL, the E.U. Regulation

299. Jessica Winter, The Advantages of Amnesia, BOS. GLOBE (Sept. 23, 2007), http://www.boston.com/news/globe/ideas/articles/2007/09/23/the_advantages_of_amnesia/?page=full [https://perma.cc/LPC7-LLNY] ("People, particularly younger people, are going to come up with coping mechanisms. That's going to be the shift, not any intervention by a governmental or technological body.").

300. See Ambrose, supra note 94, at 13.

301. Id.

302. Rustad & Kulevska, supra note 33, at 352-53.

303. See Ambrose, supra note 94, at 11-12.

304. Id.

305. Id. at 12.

306. Id.

307. See id.

308. Ambrose, supra note 94, at 12.


signals worldwide applicability.309 If a German resident convinces Google of information irrelevancy, E.U. officials require "effective and complete" erasure.310 The data must not only disappear from searches conducted through Germany's domain name, it must also disappear from every Google domain, including Google.com.311 The Article 29 Working Party stated, "limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects ...."312

The extra-jurisdictional impact undermines national sovereignty and democratic principles. Uruguayans had no vote on the right to be forgotten, but they will feel its impact. One European scholar observes:

[W]e may be tempted to say that when our courts conclude that certain content is to be blocked or removed, we want that blocking or removal to be global. However ... [many people] may not necessarily wish for Internet intermediaries to engage in global blocking/removal based on court orders from other countries in the world - particularly where such court orders stem from restrictive, undemocratic laws with an extraterritorial effect.313

European officials claim their extraterritorial law harmonizes international privacy law, a claim supported by the number of countries that have scrambled to comply with it.314 But "harmonization" can substitute as homogeneity. The inherent value in cultural diversity diminishes when one culture unilaterally imposes its values on others. Perhaps the international "flattening" of economies and information systems signals inevitable homogeneity. Linguistic anthropologists have long associated increased interconnectivity with increased language extinction.315 But preserving conflicting cultural values through democratic governance remains viable through nuanced privacy regulation that targets harms associated with

309. See European Commission Factsheet, supra note 12.

310. Guidelines, supra note 32, at 9.

311. See id.

312. Id.

313. Svantesson, supra note 48.

314. See Greenleaf, supra note 174, at 3.

315. See generally Marco Jacquemet, Transidiomatic Practices: Language and Power in the Age of Globalization, 25 LANGUAGE & COMM. 257 (2005).


privacy violations. European privacy regulation that effectively protects E.U. citizens can meaningfully co-exist with robust free expression rights. The right to be forgotten as currently envisioned, however, upsets the balance and invites controversy rather than mediates accord.

VII. CONCLUSION

Censorship in the name of privacy is well underway. As of May 2016, hundreds of thousands of requests to deactivate more than 1.5 million links have resulted in Google's deletion of 549,624 links.316 This number will further increase due to growing European awareness of their newly conferred right to be forgotten and in light of the high rate in which deletion requests are granted by Google, Yahoo, and Microsoft. While content disappears only from European domain searches for now, the Article 29 Working Party has clearly signaled dissatisfaction with that approach and pushed for data erasure across the board, including Google. The forthcoming Regulation will likely require such universal deletions by 2017, effectively crowning the E.U. as the self-anointed keeper of the Internet.

European filtering of Internet content worldwide through the right to be forgotten is objectionable on several counts. It undermines the sovereignty of other nations as well as democratic, representative governance generally. It effectuates international censorship in the guise of privacy, diluting the Internet's promise in its adolescence. Through flawed implementation, it requires data merchants like Google to decide whether to delete content based on an amorphous "relevance" standard, a standard imbalanced by large fines that can be levied for failure to erase irrelevant content. Finally, it promotes a European privacy law in need of complete overhaul. The E.U. Directive and forthcoming Regulation fail to protect E.U. privacy by restricting a multitude of innocent Internet users while simultaneously excluding the worst privacy violators.

Alternatives exist. Through a modern Internet taxonomy that better reveals how data is communicated over the Internet, privacy harms can be articulated. Lawmakers need only tailor

316. See Transparency Report: European Privacy Requests for Search Removals, supra note 19; see also supra note 202 and accompanying text.


legislation to those harms, most of which stem from unauthorized surveillance and undisclosed secondary use. Moreover, privacy laws that track discrete privacy harms are not dissonant with U.S. free expression jurisprudence. Shadows of the right to be forgotten have been legitimized in various forms in U.S. law from copyright to juvenile criminal proceedings. These in-roads reveal that bridging European privacy and American free speech is not as formidable as conventionally supposed.

The European drive for privacy protection in the digital age is laudable and needed, but the legal means employed to that end poorly achieve it. The right to be forgotten, emblematic of E.U. privacy law, threatens more harm than help and will lead to entrenchment in the ongoing international debate between privacy and free expression. If we are, in fact, "still in the first minutes of the first day of the Internet revolution,"317 laws regulating the Internet should be cognizant of its workings.

317. See Stephen Levingston, Internet Entrepreneurs Are Upbeat Despite Market's Rough Ride, N.Y. TIMES (May 24, 2000), http://www.nytimes.com/2000/05/24/business/worldbusiness/24iht-hype.2.t.html [https://perma.cc/RHA6-K3SC].
