The “Right to Be Forgotten” in European Union Law

Abstract

Given global concern over the increasing conflict between “informational privacy” and protection of online communication, this article examines the post–Google Spain impact on the right to be forgotten in the European Union and its worldwide impact.

Keywords

right to be forgotten informational privacy freedom of expression European Union data protection

Imagine you conduct a vanity search on Google. Your name gets typed into an online search, and your arrest record from the early 1980s appears at the top of the Google search results. You are outraged that this mostly outdated and irrelevant information about yourself is so easily accessible after all these years.

Is there any way for you to scrub the information about your minor criminal violation from Google? As a citizen of the European Union (EU), you have a “right to be forgotten,”¹ now often abbreviated as RTBF. In Europe, the RTBF allows an individual to demand that Google and other search engines erase links to information that he or she regards as “prejudicial” to him or her (EU Committee, 2014).

In a landmark ruling of 2014, the European Court of Justice (ECJ)² has read an RTBF into the Data Protection Directive of the EU. The ECJ held that search engines should remove links from search results to information that is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the [data] processing at issue carried out by the operator of the search engine” (Google Spain v. AEPD, 2014, para. 94).

In many ways, the RTBF under EU law is a definitional quagmire. Is it identical to the “right to oblivion,” that is, full deletion of public data? Does it parallel the “right to erasure,” that is, deletion of personal data processed by third parties? Or is it a combination of the two? Furthermore, the RTBF cannot be entirely decoupled from the “right to remember” in that the right to remember enables people to hold others accountable for “who they once were, by knowing about or remembering what they have done” (Tutt, 2015, p. 1122).

Since the ECJ handed down its data protection ruling, the RTBF has stirred vociferous global debates.³ For the proponents of the RTBF, it properly balances citizens’ “fundamental rights” to personal data with Internet users’ “legitimate interests” of access to information (Reicherts, 2014). For opponents, it is “misguided in principle and unworkable in practice” (EU Committee, 2014, para. 62).

Given global concern over the increasing conflict between informational privacy and protection of online communication, this article examines the post–Google Spain impact on the RTBF in the EU.⁴

The next section of this article will survey conceptual and theoretical frameworks for a data privacy RTBF in EU and American law. It is followed by a detailed, contextual look at the evolution of this new right in Europe, focusing on the ECJ’s case involving Google Spain. The third section will analyze the judicial and non-judicial developments in the wake of Google Spain, in which European courts and data protection agencies have had a chance to follow or reject the ECJ’s approach to this issue. Finally, the article will conclude with recommendations for how courts should balance the RTBF with freedom of expression in the future.⁵

Data Protection as a Privacy Right in the United States and EU: A Conceptual and Theoretical Framework

In the borderless world of the Internet, informational privacy is easier to define than to apply. In Europe, it centers on one’s rights to “informational self-determination—the right to control the sorts of information disclosed about oneself” (Whitman, 2004, p. 1161, emphasis removed). As Yale Law Professor James Q. Whitman (2004) noted, these rights are:

all rights to control your public image—rights to guarantee that people see you the way you want to be seen. They are, as it were, rights to be shielded against unwanted public exposure—to be spared embarrassment or humiliation. (p. 1161)

Privacy and the RTBF

Privacy, whether informational or personal, is a fundamental human right in EU law. The European Convention on Human Rights (ECHR) states, “Everyone has the right to respect for his private and family life, his home, and his correspondence” (European Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8). The Charter of Fundamental Rights of the EU (EU Charter; art. 8(1)) is no different. The EU Charter is more explicit than the ECHR in protecting personal data as a right:

Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.

Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (EU Charter, art. 8(2))

In Europe, the State has a “negative” obligation to refrain from violating an individual’s right to privacy. In addition, it carries on a “positive” obligation to ensure the protection of privacy in a dispute between private parties (Gaskin v. United Kingdom, 1989, § 42).

By contrast, privacy in the United States is premised on the values of liberty against the government. So, it is primarily the right of citizens to be free from governmental intrusions. Private intrusions not acting with governmental authority are exempt from constitutional protections, but they are addressed as a matter of torts and consumer protection. The federal constitution does not provide for informational privacy, but it is accepted in American law in a piecemeal fashion. At least 10 state constitutions expressly recognize informational privacy as a right against government violations (Ambrose & Ausloos, 2013). Also, subject-specific rules, market-centered approaches, and codes of conduct are relied on when balancing privacy with other societal interests (Ambrose & Ausloos, 2013).

Is the RTBF novel as a legal, social, or cultural concept in America? Not as much as widely assumed. The adage “forgive and forget” underlies the beneficial purposes of various federal and state expungement and record-sealing statutes in the United States. These laws, which embody the “revisability principle,”⁶ were adopted on the theory that a person with a criminal record should be provided with an incentive to be rehabilitated for their own benefit and that of society (Ambrose, Friess, & Van Matre, 2012, p. 140). But the RTBF is often approached as an Internet privacy right, because its conceptual foundation ought to be viewed in relation to an individual’s informational autonomy: “[W]e want autonomy over what information is available to whom both for its own sake and for its implications for other aspects of our autonomy” (Bernal, 2014, p. 35).

As often argued, are the rights to be forgotten and free speech dichotomous? If the RTBF expands, will free speech shrink? The answer should be, “[P]rivacy is not the enemy of freedom of speech, it is its close ally” (Bernal, 2014, p. 52). First Amendment scholar Rodney Smolla (1992) elaborated:

[P]rivacy is often an aid to freedom of expression, for a life devoid of any intimacy or quiet contemplation is a life less likely to produce creative or insightful expression. Privacy may thus nurture the expressive side of men and women, by giving them something to say. (p. 120)

So, when viewed against the values of free speech in democratic societies, privacy encourages, not inhibits, speech. Individual autonomy is one of the goals for individuals to pursue through free expression. Privacy permits people to express themselves individually or collectively without too much worrying about their expressive consequences (Schachter, 2003). This explains in part why anonymity is allowed as a free speech right.

The self-governing political process in the United States and many EU nations would be less participatory if there were no guarantees of free speech. Here, as in autonomy, privacy protections promote free speech because people will be less robust in exchanging their candid thoughts on sensitive issues with others (Solove, 2007).

Likewise, the discovery of truth as a free speech value is facilitated by privacy, although in a different and not a self-fulfilling way. The informational value that should inform one’s discerning, not blind, quest for the truth depends on whether the fact involved is so private as to be trivial and irrelevant to the public. Thus, the public’s interest in truth purely out of curiosity should be distinguished from the public’s interest in truth as a matter of public concern, which enhances both free speech and privacy as a social value (Solove, 2007). Privacy bolsters informational quality, while it may affect the overall quantity of information, especially when the truth about a private individual regarding their private activities is at issue.

The RTBF for individuals in the Internet era can be understood as a counterpoise to the asymmetrical power of Google and other “information fiduciaries” over their customers and end users (Balkin, 2016), for the information fiduciary theory is better applicable than the usual free speech theory in that it is not the form of the information but the access to, and use of, the information that emerges as the central issue of the RTBF (Balkin, 2016). Imagine your informational disclosure or sharing through online service providers (OSPs). Google creates links and indexes the content not the way you as a Google end user have envisioned. No OSP has an obligation to alert you to the privacy-invasive consequences you have to pay because of your often non-chalant online disclosures. Here, however, Google, as an information fiduciary, is obliged by your RTBF to permit you to regain control over your information to a certain extent.

“Practical Obscurity” and the EU Data Protection Directive

The RTBF can be analogized to “practical obscurity” in U.S. law—at least conceptually. Computerized accessibility of previously hard-to-access information that “would otherwise have surely been forgotten” has threatened to undermine the privacy interest in maintaining the practical obscurity of the information (U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 1989, p. 780). The practical obscurity doctrine heeds an individual’s enhanced privacy interest in controlling personal information when the time and distance required in obtaining “scattered” bits of information in the past is hardly an issue for those with computers (U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 1989, p. 764).⁷ “Plainly there is a vast difference,” the U.S. Supreme Court elaborated in 1989, “between the public records that might be found after a diligent search of courthouse files, county archives, and local police stations throughout the country and a computerized summary located in a single clearinghouse of information” (U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 1989, p. 764).

The EU Data Protection Directive serves as the legislative framework of informational privacy in Europe. It lays out the right to privacy in the processing of personal data wholly or partly by automatic means (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [EU Data Protection Directive]). Data controllers in charge of data processing are required to process personal data “fairly and lawfully” (EU Data Protection Directive, Article 6(1)(a)). Data collection should not deviate from its original purposes (EU Data Protection Directive, Article 6(1)(b)). But data processing is exempted for “historical, statistical, or scientific purposes” from those limitations as long as appropriate safeguards set by a member State are followed (EU Data Protection Directive, Article 6(1)(b)).

In collecting and processing personal data, data controllers should ensure that the data are “adequate, relevant and not excessive” in connection with their intended purposes (EU Data Protection Directive, Article 6(1)(c)). Furthermore, personal data must be “accurate and, where necessary, kept up to date,” and data controllers must take “every reasonable step” to make certain that they delete or correct “inaccurate or incomplete” data with respect to their purposes (EU Data Protection Directive, Article 6(1)(d)).

The principal provision of the EU Directive on the RTBF is Article 12(b): Individuals may correct, erase, or block data if their processing violates the Directive, “in particular because of the incomplete or inaccurate nature of the data” (EU Data Protection Directive, Article 12(b)). The Directive authorizes individuals to object to data processing if they have “compelling legitimate” reasons (EU Data Protection Directive, Article 12(b)). But the right of objection will be of little avail where consent was unambiguously given to the processing and the data processing is necessary due to a contract, a legal obligation, or the data subject’s “vital interests” (EU Data Protection Directive, Article 7). Moreover, no objection shall be allowed for performance of a task in the public interest, under official authority, or in pursuit of the controller’s or the third party’s “legitimate interests” that does not violate the data subject’s fundamental rights and privacy (EU Data Protection Directive, Article 7).

The informational privacy under the EU Directive is not absolute. It is qualified as a right when necessary to protect national security and defense, criminal investigations, ethical probes, and “the rights and freedoms of others” (EU Data Protection Directive, Article 13(1)). Indeed, the ECJ, applying the EU Charter of Fundamental Rights, has held that privacy is a limited right that “must be considered in relation to its function in society” (Volker Under Markus Schecke GbR v. Hessen, 2010). Article 11 of the Charter stipulates the freedom of expression and information as a fundamental right, which is identical to Article 10 of the ECHR. In balancing freedom of expression with privacy, the ECJ needs to take into account the European Court of Human Rights case law on point (EU Charter, art. 52(3)).

The European Commission has proposed changes in the EU Data Protection Directive. The proposed Data Protection Regulation⁸ expands informational privacy significantly by providing more informational access for individuals to personal data collected and processed (Regulation (EU) No XXX/2016 of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [EU General Data Protection Regulation]). Most controversial about the Regulation is the “strengthen[ed]” RTBF (EU General Data Protection Regulation, Recital 54).

Article 17 of the Regulation, titled “Right to Erasure (‘Right to Be Forgotten’),” is substantially more expansive and detailed than Article 12 of the Directive:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) [consent to the processing], or point (a) of Article 9(2) [explicit consent to the processing], and where there is no other legal ground for the processing of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) [right to object] and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of personal data pursuant to Article 19(2) [right to object to processing for direct marketing purposes];

(d) they have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the data have been collected in relation to the offering of information society services referred to in Article 8(1) [processing of a child’s personal data]. (EU General Data Protection Regulation, art. 17(1), emphasis added)

The draft Regulation is far reaching in the scope of what it calls the “right to erasure.” Individuals could compel third parties to erase any links to, or copy or replication of, personal data immediately upon receiving a RTBF request. It does not matter whether the request is contestable or whether the data are verifiable (EU General Data Protection Regulation, art. 17a1(a)). If the proposed revisions of the RTBF, as agreed upon by the European Parliament and the EU Council of Ministers in mid-December 2015, are adopted for the final version of the Regulation, the right will extend far beyond data controllers.

Right to Oblivion and Right to Erasure

Although it is limited to children, the new “online eraser law” of California, which came into force in January 2015, may be more balancing than the EU Data Protection Regulation on online privacy versus freedom of speech. The California law recognizes a right of California residents under 18 to erase information from websites they have posted. It does not apply where the information was posted by third parties or where state or federal law requires the posting of the information (California Senate Bill 568, 2013).

California’s eraser law solves one of the conceptual problems with the RTBF that stems from a convergence of the right to oblivion and the right to erasure. The right to oblivion allows convicted criminals who have served their time and been rehabilitated to prevent dissemination of information on their past convictions and rehabilitations (Rosen, 2012). It is a privacy claim that extends to public information.

The right to oblivion should be distinguished from the right to erasure in cyberspace. The key distinction between oblivion and erasure is that oblivion refers to “passive or transactional data sharing—when a service collects and uses personal data in the context of a commercial transaction,” while erasure centers on “active or expressive data sharing—when content is authored or disseminated by users themselves” (Ambrose & Ausloos, 2013, pp. 14-15, citing Center for Democracy & Technology, “Comments to the European Commission in the Matter of Consultation on the Commission’s Comprehensive Approach on Personal Data Protection in the European Union,” 2011, January 15).

Instead of conflating the right to oblivion and the right to erasure in formulating and implementing the RTBF, as the EU data protection law does, erasure, if sensibly separated from oblivion, is less problematic, for it poses “minimal additional burdens, implicates fewer fundamental rights, and does little to alter the nature of Internet communication” (Ambrose & Ausloos, 2013, pp. 14-15).

Oblivion, in the passive sense of “being forgotten” by others concerning one’s past and in the active sense of “forgetting” one’s own past, is far more profound than erasure (Ambrose & Ausloos, 2013, pp. 14-15). Oblivion is more likely to conflict with freedom of speech and the press. Erasure is more manageable because it is “relatively easy to exercise” as a mechanical right. The right to erasure, as it does under the California eraser law, allows a data subject to erase the personal data he or she has disclosed for processing (Ambrose & Ausloos, 2013, pp. 14-15). It is narrower than oblivion and not intended to cover content generated by third parties.

ECJ Upholds the RTBF in Google Spain v. AEPD

Immediately after the ECJ (grand chamber of 13 judges⁹) ruled on the RTBF in 2014, a prominent U.S. privacy law scholar argued that the RTBF is no longer “a proposal” but “a full-fledged right” in EU nations (Solove, 2014). No doubt the short- and long-term import of the ECJ ruling has been palpable.

The timing of Google Spain v. AEPD could not have been more fortuitous. The decision came in the middle of the EU member States’ ongoing debates on the proposed Data Protection Regulation of 2012. Equally noteworthy were the pre-decision extra-judicial developments in 2013. The game-changing revelations by the former National Security Agency (NSA) contractor Edward J. Snowden of the NSA’s global surveillance programs came 3 weeks before the ECJ held its hearing in Google Spain on June 25, 2013.

The Facts of Google Spain

In January 1998, La Vanguardia, a newspaper in Spain, published a regular auction listing. The listing included a real-estate auction in connection with attachment proceedings against Mario Costeja González for the recovery of social security debts he owed. When Costeja González conducted a vanity search through Google, the links to the La Vanguardia pages mentioning Costeja González appeared (Google Spain, para. 14).

In his complaint in 2010 to the Agencia Española de Protección de Datos (AEPD; Spanish National Data Protection Agency), Costeja González requested that La Vanguardia remove or alter the auction listing so that the personal data relating to him no longer appeared and that Google Spain or Google Inc. remove or conceal the information to prevent it from showing in search results or in links to the Spanish newspaper. He claimed that the attachment proceedings against him had been “fully” resolved years ago and that references to them were “now entirely irrelevant” (Google Spain, para. 15).

Costeja González’s complaint against La Vanguardia was rejected on the ground that the newspaper’s publication of the information at issue was ordered by the Spanish government. But the AEPD said it had the authority to order Google to delete data from its search indexes and to block access to the data (Google Spain, para. 17).

When the AEPD’s decision was appealed to the Audiencia Nacional (National High Court), the Spanish court asked the ECJ for a “preliminary ruling” on the RTBF under the EU Data Protection Directive (Google Spain, para. 20).

In his opinion on EU law on the RTBF, the ECJ advocate general, Niilo Jääskinen (2013), focused on the rights to rectification, erasure, and blocking under Article 12(b) of the Data Protection Directive (Jääskinen, 2013, paras. 104-111). Noting that the rights of erasure would kick in “in particular” where the data concerned were “incomplete or inaccurate,” the advocate general concluded that the rights could not apply to a search engine operator like Google (Jääskinen, 2013, para. 108). Because neither the search engine’s index nor the contents of its cache could be incomplete or inaccurate, Jääskinen stated, the RTBF could not be read into the directive (para. 111). Meanwhile, the ECJ advocate general pointed out that Google’s link removal would interfere with the web publisher’s freedom of expression and result in a private censorship by the data subject of the published content on the website (Jääskinen, 2013, para. 134). He offered an alternative: The State has a “positive obligation[]” to provide the data subject a remedy against the publisher for violating their privacy right (Jääskinen, 2013, para. 134).

The Judgment of the ECJ (Grand Chamber)

The ECJ, which fundamentally disagreed with ECJ Advocate General Jääskinen on the EU Data Protection Directive (Jääskinen, 2013), first addressed whether a search engine’s activity of locating information on the web, indexing the information, and storing and making it available online constitutes “processing of personal data” under EU law. The court held that the activities fell within the Directive’s meaning of “processing.” It was no issue whether the data were already made public on the Internet or whether the search did not alter the data (Google Spain, paras. 25-31).

Next, did Google’s activities as a search engine operator turn Google into a “data controller” of the personal data on the web? The ECJ said that the Directive’s controller provision would cover the operator of a search engine like Google regardless of whether it controls the personal data published on the web pages of third parties (Google Spain, para. 34).

The Directive’s territorial scope was also an issue before the European court in dealing with the RTBF question. Google claimed that the Directive should not apply to Google Inc. because no personal data processing by its search engine took place in Spain, and Google Spain was in no way involved in the processing (Google Spain, para. 51). The ECJ ruled that the Directive covers processing of personal data when a search engine operator, such as Google Inc., sets up in an EU member State a subsidiary for advertising that targets the inhabitants of that member State (Google Spain, para. 61). In considering Google Spain an “establishment,” as defined by the Directive, the ECJ scrutinized the commercial raison d’être of Google Spain (Google Spain, paras. 55-57).

The ECJ then concentrated on the central focus of the case: Do the data subject’s rights to erasure of personal data and to objection to data allow the data subject to require the search engine operator to delink the search results, although the linked web pages were lawfully published by third parties and the information accessed was true, simply because that information “may be prejudicial to him or . . . he wishes it to be ‘forgotten’ after a certain time?” (Google Spain, para. 89).

In answering the question, the ECJ viewed free speech through a data protection tunnel vision. The court was unmindful of the “detailed and nuanced case law” of the European Court of Human Rights on privacy and freedom of expression (Kulk & Borgesius, 2014).

The ECJ rebuffed Google’s “proportionality” argument that information about the data subject must be removed by the original web publisher, not by the search engine like Google (Google Spain, para. 63).¹⁰ Seemingly drawing from the practical obscurity principle of U.S. law, the European court highlighted the “important role” of the Internet and search engines in the digital world of the 21st century (Google Spain, para. 80):

[Search engines’] processing enables any Internet user to obtain through the list of [search] results a structured overview of the information relating to that individual that can be found on the Internet—information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty—and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the Internet and search engines in modern society, which render the information contained in such a list of results ubiquitous.

According to the European court, search engines are more impactful than the web publishers on the informational privacy of individuals. The court pointed out that the search engine’s indexing of search results could violate the search target’s privacy more seriously than the publication of the target’s personal information on the web. The court worried about the Internet’s “decisive role” in enabling Internet users to access the information and in distributing that information with far less effort than ever (Google Spain, para. 87). Regardless of whether the complainant’s name has been removed from the web pages or whether the publication of the original information on those pages was lawful, the search engine operator must remove from the list of its search results the links to the third parties’ web pages that contain the personal information complained of (Google Spain, para. 88).

In response to Google’s assertion that requiring deletion of information from the search engine’s indexes would unduly affect the “fundamental” free speech rights of website publishers, Internet users, and also of the search engine operator (Google Spain, para. 63),¹¹ the ECJ took note, albeit cursorily, of the interests of website publishers and Internet users, but it ignored the search engine operator’s interests altogether.

The Data Protection Directive was intended specifically to protect individuals’ right to privacy. The ECJ placed the Directive within the context of the EU Charter of Fundamental Rights on privacy rights, including the protection of personal data. It then brought attention to the potential of search engines to seriously violate the individuals’ privacy through data processing. The “economic interests” of the search engine operators, the court concluded, should be rejected when balancing the competing interests involved in removing search links from the list of search results (Google Spain, para. 81).

The ECJ’s focus on Google’s and other search engines’ commercial interests seem to have derived from its selective attention to their market-driven behavior while ignoring the informational function of their operations. As a consequence, the court has sidelined the right of the public to receive information as well as the search engines’ right to disseminate. More troublesome about the ECJ approach was that the court simply disregarded freedom of expression as a fundamental right that makes no distinction between the commercial or non-commercial objectives of speakers.

A good illustration of how the ECJ gave too short shrift to freedom of expression is that the court has made not one single reference to Article 11 of the EU Charter on freedom of expression and information, although it cites or notes more than 10 times Articles 7 and 8 of the Charter on privacy as a right.

If the ECJ’s nakedly privacy-favoring holding is incorporated into new EU law in toto, Google Spain will certainly go a long way to making informational privacy more than equal to freedom of expression in Europe (Brookman & Llansó, 2014). This is all the more critical, given that privacy and free speech are on an equal footing in EU law.

Notice the ECJ’s seemingly facile discussion of the balancing of conflicting interests involved in the case, although it is textually correct. In case the removal of the search links affects Internet users’ “legitimate interest” in accessing the information at issue, the ECJ remarked perfunctorily, there should be a “fair balance” between the Internet searcher’s interest and the data subject’s privacy. The court refused to make more than general comments on what to consider in the ad hoc balancing.

Indeed, the ECJ’s sense of priority for privacy was revealing when it stated, “[T]he data subject’s rights . . . override, as a general rule, that interest of internet users” (Google Spain, para. 81, emphasis added). The ECJ’s mention of the Internet users’ freedom of speech as an “interest” was probably not inadvertent but deliberate in downgrading free speech, a fundamental “right” under the EU Charter and the ECHR, to a less-fundamental “interest.” The ECJ’s categorical ruling diverges from the European Court of Human Rights on freedom of expression in conflict with privacy.

Privacy was now given a presumptively preferred position in a judicial balancing when the ECJ indicated unambiguously: When in doubt, give the benefit of the doubt to informational privacy, not freedom of speech and the press. This leaves one wondering how genuine the ECJ was in backing away from the “rule” in acknowledging that the data subject versus Internet user balance may hinge on the nature of the information involved and its sensitivity for an individual’s private life, and on the public interest in the information, which will be influenced by the individual’s public life (Google Spain, para. 81).

On the contrary, the ECJ more likely found the two-party conflict between the data subject’s privacy and the Internet search operator’s commercial interest easier to address as a balancing issue. This was all the more compelling, because Costeja Gonzalez seemed to be a hapless private individual while Google looked like an overbearing global company. The ECJ might have ruled differently if Google had been sued by an all-purpose universal public figure, for the privacy of the public figure as a data subject would have been countered by the heightened free speech interests of Internet users in accessing their Google searches regarding him or her.

The ECJ’s mention of a possibility that the Internet searcher’s “interest” may override the data subject’s “right” must have drawn from the ECtHR case law on balancing of privacy and freedom of expression (Axel Springer AG v. Germany, 2012; Von Hannover v. Germany, 2012). As already noted, however, it is not clear whether this passing statement will have a real impact on the national data protection authorities’ and national courts’ application of the ECJ ruling.

Finally, the ECJ ruled that an individual has the right to have their personal data blocked when the data are “inaccurate,” “inadequate, irrelevant or excessive in relation to the purposes of the processing,” “not kept up to date,” or “kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes” (Axel Springer AG v. Germany, 2012, para. 92). In elaborating on these criteria, the court noted that the initially lawful processing of accurate data may violate the Directive when those data have outlived their purposes.

The qualitative standard for inclusion or exclusion of links to targeted data in search results is exceedingly elastic and unclear. As earlier discussed, the possible exceptions to the removal of information from search results were identified, but the ECJ failed to further elaborate on the scope of those exceptions.

The Google Spain decision has broadly addressed the scope of the data covered under the RTBF. The RTBF does not differentiate information that the data subject has provided about himself from information about him that others provide. Also, the lawfulness and accuracy of the information about the data subject will not weigh against finding the information irrelevant once it is determined to be outdated in one way or another. Furthermore, the proposed Data Protection Regulation will recognize no freedom of expression belonging to others in commenting on the data subject’s own information, as it allows the data subject to request removal of others’ public comments.

Informational Privacy Versus Free Speech as a Post–Google Spain Challenge

The ECJ ruling carries wide-reaching implications for freedom of expression on the Internet. It is hardly an overstatement to characterize the Google Spain decision as the beginning of the end to the Internet’s “unregulated idyll”—at least in Europe, for the moment (Toobin, 2014). Its impact has been immediate.

Google Complies With the ECJ Ruling and the Working Party 29 Issues Guidelines

In late May of 2014, Google started complying with the ECJ ruling. Google created a form allowing Europeans to request Internet search results through their names removed. The RTBF requests are limited to the European versions of Google Search. The form allows an individual to list the name that they want search results taken down for. It permits the requester to list one or more URLs they want delisted. The requesters are required to explain why each URL is “irrelevant, outdated, or otherwise inappropriate.” Google delists links from search results for that requester’s name from all its European domains.

During the ensuing 20-month period, Google received a total of 367,463 removal requests and reviewed more than 1.3 million URLs. According to its Transparency Report of January 8, 2016, Google deleted 42.3% of the URLs. Facebook was the site most affected by the RTBF ruling (Google Transparency Report, 2016).

To date, the bulk of the removal requests to Google did not concern news media websites. The data of May 13, 2015, from Reputation VIP, an online reputation management company in France, show that slightly more than 3% of the processed delisting requests had to do with the news media (Lomas, 2015). But several major news organizations in the United States and England have had links to some of their online stories disconnected from Google’s European search results (Cohen & Scott, 2014). The Telegraph in London lists more than 70 stories removed from Google search results (Williams, 2015). And the removal of news articles from the New York Times, Guardian, Telegraph, BBC, and others from Google links exemplifies free speech colliding with the RTBF.

Whether or not the ECJ ruling bears on news media organizations, Google’s enforcement of the court decision has been informed by First Amendment law on free speech. In reconciling an individual’s right to privacy with the public’s interest in access to information, Google is less likely to accommodate delisting requests from those with clear roles in public life due to the public’s overriding interest in knowing about them.

The Article 29 Working Party’s list of common criteria serves as “a working tool” for the data protection agencies in the 28 EU member states in handling complaints following Google’s and other search engines’ refusal to delist. And the list reflects the American public-figure doctrine.¹² For instance, one of the major delisting criteria asks, “Does the data subject play a role in public life? Is the data subject a public figure?” (“Article 29 Data Protection Working Party,” 2014, pp. 14-20).¹³

Such a speech-friendly approach toward the RTBF illustrates an important development in recent European human rights law. Over the years, Europe and the United States have converged in favoring freedom of expression over public figures’ interests in their reputation (Kozlowski, 2006). More often than not, the European Court of Human Rights decisions have turned to American free speech law as a valuable reference (Youm, 2011, pp. 28-29).

EU Data Protection Authorities Enforce RTBF

The EU data protection authorities have been addressing challenges to Google’s delisting refusals, although only about 1% of those who are denied delisting go on to appeal the denials (Kiss, 2015). According to the Information Commissioner’s Office (ICO) in England, the U.K. data protection watchdog, some 150 people have complained to the ICO after Google rejected their individual requests to delete links (Dean, 2015). In mid-May of 2015, the ICO was in discussion with Google over nearly 50 RTBF cases which it believed the U.S. search engine got wrong (Rawlinson, 2015).

Other national EU data protection authorities have started dealing with similar complaints. In Finland, there were about 30 cases against Google in May 2015. Finland’s Data Protection Ombudsman decided in his first ruling on the RTBF that Google had no obligation to delete the search results relating to a Finnish man’s previous business activities. Ombudsman Reijo Aarnio reasoned that the man was still on Finland’s business register as being engaged in business operations (“Google Wins,” 2015).

In the Netherlands, the Dutch Data Protection Authority in November 2014 received complaints from more than 30 people whose delisting requests were rebuffed by Google (Kulk & Borgesius, 2015, p. 117).¹⁴ When advised by the authority to delist search results in two cases, Google accommodated the request. In three other cases, in which Google was asked to reexamine its initial rejection of the delisting requests, the firm made a promise to give the matter consideration (Kulk & Borgesius, 2015, p. 117). In all the other cases, most of which involved those with a role in public life, the Authority recommended judicial recourse to the complainants (Kulk & Borgesius, 2015, p. 117).

Google Spain Ruling Applied in the Netherlands

In one of the first cases of a national court to apply Google Spain, the District Court of Amsterdam in the Netherlands in September of 2014 rejected an ex-convict’s request to have Google delete links to online publications relating to his crime of “attempting to incite an assassination.” This RTBF case started with a crime news broadcast of a Dutch TV station. The TV news featured Arthur van M discussing with a man an assassination attempt on another person. The news footage was used as evidence in a criminal trial against Arthur van M. He was convicted and sentenced to 6 years in jail (Kulk & Borgesius, 2015, p. 118).

Arthur van M’s conviction and the TV news program were the subjects of extensive coverage. When Google was searched for his full name, the search engine displayed several URLs, including those relating to a book about him. When Arthur van M asked Google to delink the search results under the EU data protection law, Google declined. Arthur van M, citing Google Spain, challenged Google’s rejection of his removal requests at the District Court of Amsterdam (Kulk & Borgesius, 2015, p. 118).

The Amsterdam district court rejected Arthur van M’s claims against Google. In applying the Google Spain holding to the facts, the Dutch court was remarkably restrained. It struck a more practical balance between privacy and free speech: “The [Google Spain] judgment does not intend to protect individuals against all negative communications on the Internet, but only against ‘being pursued’ for a long time by ‘irrelevant,’ ‘excessive’ or ‘unnecessarily defamatory’ expressions” (Spauwen & van den Brink, 2014).

In late March of 2015, the Amsterdam district court’s ruling was affirmed by the Amsterdam Court of Appeal. The Court of Appeal, calling the complainant a convicted criminal, noted the public interest in reading about his serious criminal offense and his conviction. The appellate court agreed with the district court’s support of Google’s decision, saying,

[T]he URLs should not be delisted. Because the criminal is prosecuted for a recently committed offense and has been convicted in first instance, he does not have the right to have search results removed that might link him to this offense. (Kulk & Borgesius, 2015, p. 11)

In a more recent RTBF case in the Netherlands, the District Court of Amsterdam diverged from the ECJ on informational privacy versus freedom of expression. This second right of removal case arose when Google refused to remove search links to news stories about a dispute between a partner at KPMG, a large tax audit firm, and a home building contractor (Kulk & Borgesius, 2015, pp. 12-14). The dispute led to a settlement through the Dutch Arbitration Board for the Building Industry, but the KPMG partner ended up paying about €60,000 (Kulk & Borgesius, 2015, p. 120).

The contract dispute was reported by De Telegraaf, the largest newspaper in the Netherlands, as a front-page story in 2012. The news story ran on other websites. In 2014, the KPMG partner requested Google to remove search results via his name. Google rejected the request. Google also turned down the KPMG partner’s deletion request on the ground that the information the Google search results link to the partner was of public interest and not dated (Kulk & Borgesius, 2015, p. 120).

The KPMG partner sued Google over its refusal of his RTBF demands. He asked the District Court of Amsterdam to order Google to delete the search results for the URLs relating to him. In case his deletion request was not acceptable to the court, he asked the court to order Google to push the search results down to the bottom of all search results. The KPMG partner argued that the article affected his reputation and it was irrelevant, since the information was 2½ years old (Kulk & Borgesius, 2015, p. 120).

In ruling in favor of Google, the court took note of “an important role” that Google and other search engines play in society by helping people find information. The court stated that if so many restrictions were imposed on search engines, their cataloguing function would be affected, and so their credibility would be jeopardized (Kulk & Borgesius, 2015, p. 120).

The Dutch court cautioned against doing an end-run around the law on defamatory and similar material. It held that “the right of removal is not meant to remove articles which may be unpleasant, but not unlawful, from the eyes of the public via the detour of a request for removal to the operator of a search machine” (Spauwen, 2015). In applying the Google Spain standard, the Dutch judge paid attention to the relevance of the Google search results, not whether the contents of the articles about the complainant were inadequate, irrelevant, or excessive (Spauwen, 2015). Noting that the contract-related argument remained in the news until recently, the judge found the search links to be still relevant.

Meanwhile, the court considered the “right to deletion” under the Data Protection Directive narrowly. It said that deletion was an exception to Google’s right to freedom of information and should be treated as such.

The District Court of Amsterdam’s second ruling on the RTBF is more solidly in support of freedom of the press than the earlier court rulings. It emphasizes the value of search engines in facilitating access to news online (Spauwen, 2015), while noting the inhibiting impact of numerous restrictions on the search engines’ cataloguing function (Kulk & Borgesius, 2015, p. 14). Most important, in weighing the complainant’s claim for privacy against its competing interests, the court considered Google’s freedom of information in relation to “the right to receive and impart information” under the ECHR and the Dutch Constitution (Kulk & Borgesius, 2015, p. 14). No less significant is the court’s attention to the interests of Internet users, Webmasters, and authors of online information as a factor in the balancing process (Kulk & Borgesius, 2015, p. 14).

To a certain extent, the Dutch court ruling countervails the little attention of Google Spain to the news media’s interest in being searched on the Internet. Its implication for the judicial interpretations of Google Spain’s holding is considerable, because the freedom of news media was treated as a non-issue for the ECJ in interpreting the informational privacy of EU citizens (Kulk & Borgesius, 2015, p. 14).

No matter how the proposed EU Data Protection Regulation will resolve the real or perceived tension between the RTBF and free speech, it will pose numerous substantive (i.e., what will be deleted?) and procedural (i.e., who will decide what to delete?) questions. This will be true particularly if the ECJ holding in Google Spain migrates into the Regulation.

RTBF Limited to EU or Global?

What makes the ECJ ruling potentially sweeping is the extension of jurisdiction under EU privacy law to non-EU companies if they have a branch or subsidiary in the EU and collect data as part of their business in the EU. Under the ECJ ruling, search engines operated outside the EU will be subject to the extraterritorial jurisdiction of the EU. The ECJ holding is not confined to claims brought by people in the EU. That is, if an individual seeks to assert the RTBF under the Directive, he need not be an EU citizen or have a connection with the EU insofar as the search engine’s data processing challenged should comply with EU data protection laws.

A data subject’s nationality or residence is irrelevant. The expanded privacy jurisdiction of the EU law could result in forum shopping by way of the “right to be forgotten tourism” (Kuner, 2014) by non-EU people, similar to the much criticized “libel tourism” in the United Kingdom.¹⁵ However, the proposed EU Data Protection Regulation will most likely address this extraterritorial issue by limiting its application to EU residents. The Regulation stipulates,

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

the monitoring of their behaviour as far as their behavior takes place within the European Union. (Article 3(2) (emphasis added))

Furthermore, the Article 29 Working Party has opined that the right to data protection under EU law will be limited to “claims where there is a clear link between the data subject and the EU, for instance, where the data subject is a citizen or resident of an EU Member State” (Article 29 Data Protection Working Party, 2014, para. 19).

Meanwhile, the Working Party stated in its Google Spain guidelines that Google’s exemption of Google.com from its de-linking procedures under the ECJ judgment would not be acceptable. “[D]elisting decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented,” the Working Party explained.

In that sense, limiting delisting to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. (Article 29 Data Protection Working Party, 2014, para. 20)

Google Spain has inspired a Canadian court to issue a global injunction against Google indexing search results (Equustek Solutions Inc. v. Jack, 2014). In an e-commerce case, Justice Lauri Ann Fenlon of the Supreme Court of British Columbia emphasized that Google was not a passive search engine and that it sold advertising to British Columbia clients. She then said the ECJ analysis of Google’s advertising and its search functions helped her draw an analogy between her case and Google Spain. The Court of Appeal for British Columbia upheld Justice Fenlon’s ruling in June 2015 (Equustek Solutions Inc. v. Google Inc., 2015).

Despite its profound impact on freedom of expression globally, the extraterritorial expansion of the RTBF is increasingly asserted in EU nations. The judicial and non-judicial actions to extend the delisting demands outside of the EU are a case in point. In February 2015, a French court ordered Google’s subsidiary in Paris to remove all the links to online defamatory statements about a Danish lawyer. Google in France was fined US$1,100 a day unless links to the defamatory content were removed from its parent company’s entire global network. The order set a precedent that the ECJ ruling on Google Spain is global, not regional (Scott, 2015).

More recently, the French data regulator rejected Google’s appeal against the global enforcement of the RTBF removals. In September 2015, the Commission Nationale de l’Informatique et des Libertés (CNIL) stated that once Google accepts a delisting request under the Google Spain ruling, it must apply to all its domain names. The French data protection agency echoed the EU Working Party 20 in arguing that the RTBF should be more efficiently enforced by preventing it from being circumvented technologically (“Right to Delisting,” 2015).

In calling for the worldwide implementation of the RTBF requests, CNIL has engaged in no balancing between data protection and free speech. It has simply declared that Google should comply with the ECJ ruling globally.

Discussion and Conclusion

The RTBF as an operational mechanism of online practical obscurity is now entrenched in the law of the EU. It is conceptually derived from an individual’s sense of dignity that encompasses his self-determination of what information to share with others and how and when to share it.

Meanwhile, the RTBF as a matter of informational privacy can enrich, not undermine, the values of free speech—autonomy, truth-seeking, or facilitation of democracy—in one way or the other. The overriding question is, “What should be done in properly balancing informational privacy with freedom of expression?”

Informational privacy is supposed to be weighed against freedom of expression as a right under the EU Charter of Fundamental Rights and the ECHR as well. Nonetheless, the lack of clarity and precision of the RTBF in the EU Data Protection Directive has led the ECJ to vaguely define and less holistically apply the right in Google Spain. With no precedent as a workable frame of reference, the ECJ seems to have chosen to balance free speech and privacy in favor of data protection. And its balancing approach might be viewed as an incremental step in the evolving EU law on the RTBF.

There is no doubt that Google Spain is reverberating throughout the world. It has set the agenda for a global discussion of informational privacy as a right in and outside Europe. What makes the paradigm-shifting ruling stand out is the ECJ’s uncompromising privacy-friendly view on an individual’s right to data protection in the digital world.

If the EU turns to Google Spain as an overarching guide on the RTBF, it might be too much to expect a sensibly balanced data protection law in Europe, for there was little balancing in the ECJ decision. But some European courts, especially the Dutch courts, and EU national data protection watchdogs are refreshingly sensitive to free speech in ensuring that the RTBF does not trump freedom of expression as a rule. Hence, the right of Internet search engines, website publishers, and EU citizens to “receive and impart information and ideas” is not necessarily passé.

Footnotes

Acknowledgements

The authors would like to thank attorney Charles J. Glasser, Jr., former global media counsel for Bloomberg News; Professor Woodrow Hartzog at Samford University Cumberland School of Law; Professor Richard Peltz-Steele at the University of Massachusetts School of Law; and researcher Stefan Kulk at Utrecht University Centre for Intellectual Property Law (CIER) for generously critiquing the early draft of their article. They are also grateful to professor Edward Carter at Brigham Young University, co-editor of Journalism & Mass Communication Quarterly’s (JMCQ) special issue on “Information Access and Control in an Age of Big Data,” and the three anonymous JMCQ reviewers. Meanwhile, the authors wish to note that this article has its genesis in an international conference hosted by Chairman Park Yongsang of the Press Arbitration Commission in Seoul in November 2014.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

Notes

Author Biographies

Kyu Ho Youm (PhD, Southern Illinois University–Carbondale) is professor and Jonathan Marshall First Amendment Chair in the School of Journalism and Communication at the University of Oregon. He specializes in U.S. and international communication law.

Ahran Park (PhD, University of Oregon) is a research fellow at the Institute of Communication Research, Seoul National University. A former Chosun Ilbo reporter in South Korea, Park focuses on teaching and researching comparative media law and Internet law.

References

Ambrose

M. L.

Ausloos

(2013). The right to be forgotten across the pond. Journal of Information Policy, 3, 1-23.

Ambrose

M. L.

Friess

Van Matre

(2012). Seeking digital redemption: The future of forgiveness in the Internet age. Santa Clara Computer & High Technology Law Journal, 29, 99-163.

Article 29 Data Protection Working Party. (2014, November 26). Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Inc. v. Agencia Espñola de Protección de Datos (AEPD) and Mario Consteja González” C-131/12.

Axel Springer AG v. Germany. (2012, February 7). Retrieved from http://hudoc.echr.coe.int/eng?i=001-109034

Balkin

J. M.

(2016). Information fiduciaries and the first amendment. University of California-Davis Law Review, 49. Retrieved from http://ssrn.com/abstract=2675270.

Bernal

(2014). Internet privacy rights: Rights to protect autonomy. New York, NY: Cambridge University Press.

Brookman

Llansó

(2014, October 9). Seven key issues for EU justice ministers on the right to be forgotten. Retrieved from https://cdt.org/blog/seven-key-issues-for-eu-justice-ministers-on-the-right-to-be-forgotten/

California Senate Bill 568. (2013, September 23). Privacy: Internet: Minors. CA SB 568. Retrieved from http://legiscan.com/CA/text/SB568/2013

Carter

Connell

(2015). Chile and the right to enjoy the benefits of scientific progress by controlling one’s online identity. Communication Law & Policy, 20, 287-309.

10.

Charter of Fundamental Rights of the European Union. (2000, December 7). Retrieved from http://www.europarl.europa.eu/charter/pdf/text_en.pdf

11.

Cohen

Scott

(2014, October 3). Times articles removed from Google results in Europe. New York Times. Retrieved from http://www.nytimes.com/2014/10/04/business/media/times-articles-removed-from-google-results-in-europe.html?_r=0

12.

Collins

(2014). Collins on defamation. Oxford, UK: Oxford University Press.

13.

Dean

(2015, May 13). Google faces court action after refusing requests to be forgotten. Times, p. 17.

14.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Retrieved from http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:31995L0046

15.

Equustek Solutions Inc. v. Google Inc., 2015 BCCA 265 (CanLII). Retrieved from http://www.canlii.org/en/bc/bcca/doc/2015/2015bcca265/2015bcca265.html

16.

Equustek Solutions Inc. v. Jack, 2014 BCSC 1063 (CanLII). Retrieved from https://www.canlii.org/en/bc/bcsc/doc/2014/2014bcsc1063/2014bcsc1063.html

17.

European Convention for the Protection of Human Rights and Fundamental Freedoms. (1950, November 4). Retrieved from http://www.mfa.gov.tr/convention-for-the-protection-of-human-rights-and-fundamental-freedoms-as-amended-by-protocol-no_-11-rome_-4_xi_1950.en.mfa

18.

European Union Committee. (2014, July 23). EU data protection law: A “right to be forgotten” (European Union Committee Second Report). Retrieved from http://www.publications.parliament.uk/pa/ld201415/ldselect/ldeucom/40/4003.htm

19.

Gaskin v. United Kingdom, 12 E.H.R.R. 36. (1989).

20.

Gertz v. Robert Welch, Inc., 418 U.S. 323. (1974).

21.

Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González. Case C-131/12, Court of Justice of the European Union (Grand Chamber). (2014, May 13). Retrieved from http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065

22.

Google Transparency Report. (2016, January 8). European privacy requests for search removals. Retrieved from https://www.google.com/transparencyreport/removals/europeprivacy/

23.

Google wins first “right to be forgotten” case in Finland. (2015, May 12). UUTISET. Retrieved from http://yle.fi/uutiset/google_wins_first_right_to_be_forgotten_case_in_finland/7988957

24.

Hartzog

Stutzman

F. D.

(2013). The case for online obscurity. California Law Review, 101, 1-49.

25.

Jääskinen

(2013, June 25). Opinion for case C-13/12 Google Spain SL v. Agencia Espanñola de Protección de Datos (AEPD), Mario Costeja González. Retrieved from http://curia.europa.eu/juris/document/document.jsf?docid=138782&doclang=EN

26.

Kiss

(2015, May 14). Dear Google: Open letter from 80 academics on “right to be forgotten.” Guardian. Retrieved from http://www.theguardian.com/technology/2015/may/14/dear-google-open-letter-from-80-academics-on-right-to-be-forgotten

27.

Kozlowski

(2006). “For the protection of the reputation or rights of others”: The European court of human rights’ interpretation of the defamation exception in Article 10(2). Communication Law & Policy, 11, 133-178.

28.

Kulk

Borgesius

F. Z.

(2014). Google Spain v. Gonzalez: Did the court forget about freedom of expression. European Journal of Risk Regulation. Retrieved from http://ssrn.com/abstract=2491486

29.

Kulk

Borgesius

F. Z.

(2015). Freedom of expression and right to be forgotten cases in the Netherlands after Google Spain. European Data Protection Law, 1, 113-125.

30.

Kuner

(2014, June 1). The right to be forgotten and the global reach of EU data protection law. Concurring Opinions. Retrieved from http://www.concurringopinions.com/archives/2014/06/the-right-to-be-forgotten-and-the-global-reach-of-eu-data-protection-law.html

31.

Lomas

(2015, May 13). Europe’s search de-listing ruling is mostly about social media privacy invasions. TechCrunch. Retrieved from http://techcrunch.com/2015/05/13/europes-search-delisting-ruling-is-mostly-about-social-media-privacy-invasions/

32.

Neij and Sunde Kolmisoppi v. Sweden. European Court of Human Rights. (2013, February 19). Retrieved from http://hudoc.echr.coe.int/eng?i=001-117513

33.

Powles

Larsen

(n.d.). Academic commentary: Google Spain. Cambridge Code. Retrieved from http://cambridge-code.org/googlespain.html

34.

Rawlinson

(2015, May 13). Google in “right to be forgotten” talks with regulator. BBC News. Retrieved from http://www.bbc.com/news/technology-32720944

35.

Regulation (EU) No XXX/2016 of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation). Retrieved from http://static.ow.ly/docs/Regulation_consolidated_text_EN_47uW.pdf

36.

Reicherts

(2014, August 18). The right to be forgotten and the EU data protection reform: Why we must see through a distorted debate and adopt strong new rules soon. Retrieved from http://europa.eu/rapid/press-release_SPEECH-14-568_en.htm

37.

Right to delisting: Google informal appeal rejected. (2015, September 21). CNIL. Retrieved from http://www.cnil.fr/english/news-and-events/news/article/right-to-delisting-google-informal-appeal-rejected/

38.

Rosen

(2012, February 13). The right to be forgotten. Stanford Law Review Online. Retrieved from http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten

39.

Schachter

(2003). Informational and decisional privacy. Durham, NC: Carolina Academic Press.

40.

Scott

(2015, February 1). A question over the reach of Europe’s “right to be forgotten.” New York Times. Retrieved from http://bits.blogs.nytimes.com/2015/02/01/questions-for-europes-right-to-be-forgotten/

41.

Selinger

Hartzog

(2014, May 20). Google can’t forget you, but it should make hard to find. Wired. Retrieved from http://www.wired.com/2014/05/google-cant-forget-you-but-it-should-make-you-hard-to-find/

42.

Smolla

R. A.

(1992). Free speech in an open society. New York, NY: Vintage Books.

43.

Solove

D. J.

(2007). The future of reputation: Gossip, rumor, and privacy on the Internet. New Haven, CT: Yale University Press.

44.

Solove

D. J.

(2014, May 13). What Google must forget: The EU ruling on the right to be forgotten. Retrieved from https://www-linkedin-com-s.web.bisu.edu.cn/pulse/article/20140513230300-2259773-what-google-must-forget-the-eu-ruling-on-the-right-to-be-forgotten

45.

Spauwen

(2015, March 3). Dutch Court (II): Google Spain ruling not meant to suppress news reporting. Media Report. Retrieved from http://www.mediareport.nl/en/press-law/03032015/dutch-court-ii-google-spain-ruling-not-meant-to-suppress-news-reporting/

46.

Spauwen

van den Brink

(2014, September 26). Dutch Google Spain ruling: More freedom of speech, less right to be forgotten for criminals. Media Report. Retrieved from http://www.mediareport.nl/persrecht/26092014/google-spain-judgment-in-the-netherlands-more-freedom-of-speech-less-right-to-be-forgotten-for-criminals/

47.

Toobin

(2014, September 29). The Solace of Oblivion: In Europe, the right to be forgotten trumps the Internet. New Yorker. Retrieved from http://www.newyorker.com/magazine/2014/09/29/solace-oblivion

48.

Tutt

(2015). The revisability principle. Hastings Law Journal, 66, 1113-1159.

49.

U.S. Department of Justice. v. Reporters Committee for Freedom of the Press et al., 489 U.S. 749. (1989).

50.

Volker Under Markus Schecke GbR v. Hessen, Joined Cases C-92/09 and C-93/09. (2010, November 9). European Court of Justice. Retrieved from http://goo.gl/uD8kst

51.

Von Hannover v. Germany. (2012, February 7). Retrieved from http://hudoc.echr.coe.int/eng?i=001-109029

52.

Whitman

J. Q.

(2004). The two western cultures of privacy: Dignity versus liberty. Yale Law Journal, 113, 1151-1221.

53.

Williams

(2015, September 3). Telegraph stories affected by EU “right to be forgotten.” Telegraph. Retrieved from http://www.telegraph.co.uk/technology/google/11036257/Telegraph-stories-affected-by-EU-right-to-be-forgotten.html

54.

Youm

(2011). “Actual Malice” in U.S. Defamation Law: The minority of doctrine in the world? Journal of International Media & Entertainment Law, 4, 1-30.