It’s been a few months now since the controversial EUCJ sent me a paper pointing out that, yes, the EUCJ decision overlooked the balance needed to protect our right to freedom of expression. By the way, Reuben has also written an interesting piece on how Wikipedia deals with person’s subjective rights — I think you should read it because I think Wikipedia is a very good illustration on how to do this right, and thus also an incredibly strong illustration on how the EUCJ’s so called “right to be forgotten” (RTBF for short) is wrong.decision has been published. And I’m too busy, lagging behind: my draft (in French) on why I disagree a lot with this decision is still in the making. But it will eventually come. Meanwhile I got some interesting discussions, for instance with Neil Brown. I’m still waiting for Neil to set up is Known profile online somewhere so we can copy/paste our discussion there. Just now, Reuben Binns
So, roughly and quickly, I’d like to point out a few flaws that I think are very worrying considering the wider context; namely, the European Union Court of Justice getting more powerful as a court dealing with fundamental rights (in addition to the European Court of Human Rights).
The EUCJ is confused about privacy
You may disagree, and I have no time to explain here now (it’s still a draft mode) but I think there’s no such thing as a personal, subjective right to privacy. A right to privacy is not the same thing as a right to the respect of your private life. There is an important distinction to make.
Privacy is an ecological thing as Moglen says, it’s not an individual thing. Privacy is often understood only in a given context: a technological context and a social as well as cultural context. We have different privacy expectations and understanding depending on who we communicate with, what we communicate about, where we communicate, by which means we communicate and based on the cultural background of the communicating parties. Note that “communicate” needs to be understood broadly and may not be the right word.
One of the most interesting researchers working on explaining privacy is danah boyd. She lately published a piece: What Is Privacy? You should read the entire piece, it’s not long. Meanwhile, emphasis is mine:
The notion of private is also a social convention, but privacy isn’t a state of a particular set of data. It’s a practice and a process, an idealized state of being, to be actively negotiated in an effort to have agency.
While learning to read social contexts is hard, it’s especially hard online, where the contexts seem to be constantly destabilized by new technological interventions. As such, context becomes visible and significant in the effort to achieve privacy. Achieving privacy requires a whole slew of skills, not just in the technological sense, but in the social sense. Knowing how to read people, how to navigate interpersonal conflict, how to make trust stick. This is far more complex than people realize, and yet we do this every day in our efforts to control the social situations around us.
The core of the point is, privacy is not an individual’s subjective legal right. It’s a social and fragile, but needed social process. We shouldn’t mess this up with simplistic views on the issue, because there could be casualties (like getting the State involved in defining all the things where privacy was dealt with socially and, freely, before).
The judges’ justification is in the decisions’ paragraphs 80, 81 and 36, 38. As you’ll notice, it significantly lags behind good research on what privacy is and it also lacks a thorough legal analysis.
In the EUCJ’s RTBF, privacy is considered in a simplistic, narrow way that does not consider the right of the public to access lawfully published information that can be of public interest. This is very worrisome because that right is substantially a consequence of our right to free speech.
Moreover, the legal basis of the EUCJ analysis is unclear. To make their arguments justified by fundamental rights, the EUCJ takes article 7 of the EU Charter. This article is not a right to privacy, otherwise it would say just that: “a right to privacy.” Instead, it is a right to the “respect for private and family life” and that’s not the same thing.
On the one hand, the right to respect for private life is well established as a person’s subjective right. For instance, in France it used to be under general tort law (art. 1382) but then has taken its own stance in article 9 of the code civil. One important condition of such a right is that there is a need to demonstrate préjudice, i.e. harm has been done to that persons’ in way of infringing their private life.
On the other hand, as already pointed out, privacy is a process. And as you know if you’ve read the decision, there’s no such need to demonstrate prejudice in order for the RTBF to apply.
The legal basis thus is not clear. Is this new so called “right to be forgotten” based on the right for the respect of private life (in this case it needs to be demonstrated that there is prejudice) or is it based on another part of the EU Charter, the one that recognises personal data protection? Well, if it’s the latter, then the RTBF should be much less powerful than what the EUCJ makes it!
The EUCJ new “general rule” harms freedom of expression
The personal data protection directive says in article 7:
‘Member States shall provide that personal data may be processed only if:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests [or] fundamental rights and freedoms of the data subject which require protection under Article 1(1).’
In the case where the service in question is accessible and used by a large majority of the population, it means that we are talking about the legitimate interests of the public. Surely, the right to access lawfully published information is a priori a legitimate interest of the public. Otherwise, what good is a right to freedom of expression if nobody else has the right to hear you and that someone can block access to your article when they feel like?
Now, let’s have another read at the article above (article 7). It is clear that the general rule is that processing of personal data is allowed when the right of the public to freedom of expression is at stake, except where the data subject’s fundamental rights should override them.
But as already pointed out, there is a confusion between fundamental rights and thus the whole analysis on balance breaks, at the detriment of the public’s right to access lawfully published information.
In the decision, the Court indeed invents a new “general rule”:
The rights to privacy of the data subject override “as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name.” (¶ 97)
It is clear now that there’s a problem. The rule and the exception have been exchanged.
Interesting fact: I just learned that the Spanish plaintiff, M. González, is a lawyer… This whole case and the decision to me, is an illustration of what goes wrong when we try to solve problems that should be best solved freely with our social processes. Solving privacy with this kind of ruling is doing us no favour.
The real privacy issues for us today come from massive surveillance by the NSA and other mass-surveillance State agencies aroudn the world. They also come from surveillance operated by companies.
Search engines giving access to lawfully published information is not the real privacy issue! The RTBF is the wrong fight, and it’s actually wasting our time; time that should be better spent fighting the real issues of massive surveillance which makes much more harm to our right to have a private life outside the reach of the State’s agents.
Finally, the ultimate irony of the decision is that Google and the like are the ones who have to apply individual’s requests to be deleted from search engines results relating to their names. Thus, giving the role of defining privacy to… Google. Well done for the rule of law.
We should demand that the European commission does not to pursue this RTBF nonsense, but instead focuses on the real issues affecting our privacy and our autonomy.