Implementing the right to be forgotten was never going to be easy as earlier blogs in this series have pointed out. But recent press reports show how tricking this implementing is going to be, revealing suggestions that search engines should take down the links globally and keep their actions secret. Both of these ideas would be missteps.
The secrecy suggestion seems backed by common sense logic – it is self-defeating for search engines to announce to the world that they have taken down the links to stories that should be forgotten. But that is not the concern, since search engines aren’t making such public announcements. Rather they are informing the third-party publishers that a link to their content has been deleted from search results. So the problem seems to be that if affected parties know that a link has been deleted they might object and this objection would direct attention to the topic that was to have been forgotten.
There is clearly room for debate on what the right policy is here. Any added discussion of the take downs creates an added risk of creating exactly the kind of exposure the right to be forgotten is intended to avoid. But secrecy seems to be the wrong answer. In fact, if search engines kept their deletions secret they would have faced accusations of lack of transparency! Publishers clearly have an interest in knowing that links to their content will no longer appear in certain search results. For one thing it provides a check on the search engines getting it wrong, as apparently they did in the early days of implementing the take down program. And as long as the rest of the world isn’t simultaneously informed of the takedowns this seems a balanced approach.
The other concern seems to be that the new right to be forgotten will not be effective if the takedowns are purely local. Why should people outside the EU be allowed to get search results that people inside the EU cannot get? So, the argument goes, search engines should delete links globally when they decide that they should be deleted under EU privacy law.
This is the wrong direction. It improperly extends EU privacy law to the world. The impulse to limit information globally is understandable, but unworkable. We know this from other examples. For instance, it is easy to understand why Turkey objects to videos that denigrate the Turkish nation and would like to make sure that they are not shown anywhere in the world. But it goes too far to extend Turkish rules on hate speech to the entire world. A reasonable compromise is to comply with Turkish law with respect to videos shown in Turkey.
This is the balance struck in many other areas of cross-border electronic commerce. Internet gambling rules are locally, not globally, enforced. British law permits and regulates Internet gambling, while US law prohibits it. It would be an easy matter to structure US law so that global payment systems blocked all Internet gambling transactions. Bu that is not what US law does. It provides for local enforcement. People in Britain can go on the Internet to gamble, while people in the US face restrictions, including restrictions on using payment cards at Internet gambling sites. Examples are not hard to multiply – alcohol ads, for example, are not allowed in Saudi Arabia, but are permitted on websites available in other countries.
There is certainly nothing in the right to be forgotten decision that compels search engines to delete search results globally. Moreover, earlier cases under EU law show a conscious desire to avoid the extraterritorial application of European privacy law. In the 2003 Bodil Lindquist case, for instance, the European Court of Justice rejected the idea that posting material on an EU website amounted to a transfer of data to other countries. It made this judgment precisely to avoid the implication that the entire Internet would be subject to EU jurisdiction.
Each country is entitled to its own privacy laws, Europe no less than the United States. We should seek to make them sufficiently compatible at the edges so as to allow data transfers. But simply extending European jurisdiction to the globe is the wrong way to go.
Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.