Our thoughts on the right to be forgotten

Thursday, February 16, 2012 | 12:59 PM

Labels: , ,

One of the most talked about concepts in the European Commission’s new Data Protection Regulation proposal is the right to be forgotten. It is, at least in part, a continuation of the rights of access and objection that web users were granted in the 1995 Data Protection Directive. It also goes further, including other concepts that we have already embedded in our privacy principles and practices like improved transparency, providing clear information to people and giving them fine-grained privacy choices - including the ability to remove data they uploaded to our services.

Today, more and more people are entrusting their data to online hosting platforms and using social networks and search engines to find information on the Web - and there are no signs of web usage slowing. So it’s vitally important that both those who provide online services and those who use them have a clear understanding of how a concept such as the right to be forgotten might apply.

For providers of online services, we think there are some important distinctions that need to be made between services that host content created by people (such as Facebook and YouTube) and services that point people to content that exists elsewhere (for example, search engines such as Google, Bing and Yahoo!).

Hosting Platforms:

  • Users’ Rights: At the core of the right to be forgotten is the idea that a person using a hosting platform should have full control over, including the ability to delete, data he or she published intentionally. That means that a user should be able to delete an individual post, photo or video that he or she stored with the hosting platform. The user should also be able to delete his or her entire account with a given hosting platform, thereby deleting all the materials he or she had published and which was stored in that account.
  • Hosting Platforms’ Obligations: Hosting platforms, for their part, should respect deletion requests made by a user regarding content placed there by that user, and carry them out in a timely way. That does not necessarily mean that deletion should be instantaneous; there are practical reasons why some delay should be permitted, for example to prevent the abusive deletion of content when an account has been compromised. Other limits, including legal or contractual obligations, may also legitimately delay deletion in certain circumstances.
  • Understanding the practical limits on what hosting platforms can do: There are practical and legal limits to what can be expected of hosting platforms.
    • First, it is possible for any material published online to be copied and re-published elsewhere. A hosting platform can and should delete copies of material that they store on behalf of a user upon his or her request, but it cannot be expected to maintain control over other copies of the material published elsewhere online, as these are outside of the control of the hosting platform.
    • Second, it is important that hosting platforms not be obliged to delete materials when doing so would be likely to undermine the security of the service or allow for fraud.
    • Third, hosting platforms cannot be expected to delete materials created collaboratively at the unilateral request of a single contributor. Where a clear ownership of a collaborative document has been assigned, responsibility for deletion should lie with that owner. In cases where ownership of a collaborative document is not clear - as in the case of wikis or usenet posts - the questions are more complex, and a clear solution is not currently obvious.
    • Fourth, in the same way postal services are not expected to monitor what is in the letters they carry, Internet hosting platforms should not be expected to exercise control over materials published by third parties. Fundamental responsibility for information available online must rest with the party that put that particular copy online, rather than with the hosting platform. This is consistent with the premise of existing European law, namely, the eCommerce Directive.
Search engines:
  • Search engines serve an important function online, and the right to be forgotten should not interfere with their ability to point consumers to information published elsewhere.
  • For their part, search engines should respect the standard ways in which websites instruct search engines whether to crawl and index particular pages, such as header meta tags and robots.txt files
  • When, in the course of crawling the web, a search engine discovers that a page or site is no longer available online, it should update its search index to reflect these changes in a timely way.
  • Search engines should also provide a means for webmasters to accelerate removal of their site from search results. As with hosting platforms, the fundamental responsibility for information available online must rest with the publisher of that information, rather than with a search engine or other similar intermediary.
Ultimately, responsibility for deleting content published online should lie with the person or entity who published it. Host providers store this information on behalf of the content provider and so have no original right to delete the data. Similarly, search engines index any publicly available information to make it searchable. They too have no direct relationship with the original content.

We’re supportive of the principles behind the right to be forgotten - and believe that it’s possible to implement this concept in a way that not only enhances privacy online, but also fosters free expression for all.

1 comments:

Patrick said...

Hello Peter, thank you for clarifying Google's stance on this aspect of the EC's Data Protection Proposal and it would be good to read about Google's policy on other aspects, such as the concepts of data controller and processor. However, I'm afraid the distinction you make between hosting platforms and search engines is not going to hold, especially not for services such as Google+ or Youtube. From a legal point I can see the rationale behind the distinction, but in reality both services are increasingly getting mixed.

Kind regards,

Patrick Laureys