Header graphic for print
Steptoe Cyberblog

Europe’s ‘Right to be Forgotten’ Privacy Protection Moving to the US?

Posted in Data Breach, International, Privacy Regulation

In his recent post, Eugene Volokh of the Volokh Conspiracy recently discussed whether it can ever be libelous to say, accurately, that someone has been arrested after the arrest has been expunged. The New Jersey Supreme Court rightly described the idea as Orwellian and rejected it.

However, in Europe a version of this rule is being advanced in the name of privacy. Unlike the strange libel theory highlighted by Eugene, the equally strange European “right to be forgotten” stands a good chance of being adopted in some form. In fact, there is a good chance it may be applied widely inside the United States as a result of Europe’s push to export its data protection standards.

The European Commission explains its proposed directive as follows:

Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation.

To clarify, a “data subject” is anyone about whom facts have been collected or processed. The data protection rules apply to anyone who does the collecting or processing, whether a big mail order company, a community newsletter, or a lonely blogger. While there’s a regulatory carveout allowing retention of data “for exercising the right of freedom of expression,” the presumption of the rule is that if the person objects to its retention any data about that person must be erased. Indeed, if the data has been passed on to third parties for processing, they must also be told “to erase any links to, or copies or replications of that personal data.”

If you’re thinking that such a law could never be adopted here, think again. Europe has long engaged in a kind of data boycott of the United States, refusing to allow American companies to process any personal data from Europe on grounds that US privacy law is not “adequate” to protect Europeans. Under this economic pressure, more and more companies have agreed in effect to apply European data protection law to their activities inside the United States. In fact, the Federal Trade Commission is now busily enforcing European data protection law in the US.

So there’s a decent chance that the “right to be forgotten” will be enforced here, and that it will end up regulating what information Americans are allowed to give to other Americans.

And what about the First Amendment, you say? Sorry, that’s just a local ordinance in Europe’s view – though in time perhaps you’ll be able to file a “Form 327a — Request to Retain Data for Purposes of Exercising the Right of Freedom of Expression” and receive a prompt reply from a European agency granting or denying your request.