In the digital age, an individual’s data can be searchable and accessible at the speed of one click. The more someone interacts with the Internet, the bigger their digital footprint becomes. This footprint is collected, analysed and passed around by countless third parties without the owner’s explicit consent. In addition to companies making a profit from personal data, there’s a high risk of falling victim to leaks and harmful activity. In Europe, the “right to be forgotten” seeks to ensure its citizen’s digital privacy in the data mining economy. In the United States, the concept has drawn both interest and criticism.
What exactly is the right to be forgotten?
The right to be forgotten appears in Article 17 of the General Data Protection Regulation (GDPR), stating that the “data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” In other words, an individual has the ability to request search engines like Google to delist certain results linked to their name and remove sensitive data from public record databases.
To date, the right to be forgotten is only applicable to residents of the European Union and the European Economic Area. However, it is not an absolute right and it is only valid under specific circumstances, including cases where an organisation has unlawfully processed a person’s data, the data has become irrelevant to the organisation or where the collected data belongs to a child.
While the right to be forgotten was not a GDPR’s invention — it had been present in several jurisdictions in Europe — it gained significantly more traction after the 2014 Google vs. Spain case. The case related to a lawyer whose bankruptcy records had been published on a website that was accessible via Google. The Court ruled in favour of the plaintiff, radically changing the way Europe dealt with digital privacy.
Barriers in the United States
Even though the right to be forgotten only applies to European residents to date, the concept has been gaining ground worldwide. From Argentina to Canada and Japan, policymakers, courts, companies and digital privacy activists have debated whether the right should be incorporated into their nations’ laws. In countries like the Philippines, there is already a version of the right to be forgotten, granting people the ability to order the blocking, removal or destruction of their personal data.
What about the United States? To date, there are no all-encompassing laws or regulatory requirements regarding the blocking or removal of personal information from Google’s search results or online databases in the North American nation. While several states have considered laws similar to the right to be forgotten, none of them reach the scope of Europe.
Critics of the right to be forgotten argue that it contradicts the First Amendment, which grants American citizens the right to free speech. It is believed that the implementation of such a law would contribute to a widespread erasure of digital content that would negatively impact freedom of expression and other human rights. However, according to a survey by Pew Research Center, 74% of U.S. adults support the idea of preventing personal information from being accessible online, while only 23% of respondents favour the ability to discover useful information about others.
Current privacy protection laws and resources in the United States
American privacy protection laws differ from Europe in the sense that there is a lack of a single, comprehensive federal law like the GDPR. By contrast, the U.S. has numerous federal and state laws that offer varying degrees of protection to specific groups of people and focus on specific types of data. The Children’s Online Privacy Protection Rule (COPPA), for example, imposes certain limits on companies’ data collection of children under 13 years old, while the California Consumer Privacy Act (CCPA) grants California residents the right to ask businesses to disclose what personal information they have collected and to delete said information.
The official website of the U.S. government encourages citizens to find out from their state or local consumer agency whether their state has laws to protect their privacy. In addition, they recommend adopting preventive measures, including reading companies’ privacy policies, encrypting Internet connection via a free downloadable VPN, disabling cookies, and opting out of companies’ mailing lists.
Service providers have also sought to address the privacy question, as evidenced by a surge in automated tools and software that facilitate digital data removal. Companies such as Incogni can have their subscribers’ names, addresses, emails, phone numbers, and other sensitive information removed from market-leading data collection sites.
Going forward, in spite of the scepticism toward the EU’s right to be forgotten, the prevalence of the data mining economy will continue generating discussions on digital privacy protection.