Concordia University - Portland CU Commons
Faculty Scholarship School of Law
2016 Free Expression, Privacy, and Diminishing Sovereignty in the Information Age: The Internationalization of Censorship McKay Cunningham Concordia University School of Law, [email protected]
Follow this and additional works at: http://commons.cu-portland.edu/lawfaculty Part of the European Law Commons, and the Privacy Law Commons
CU Commons Citation McKay Cunningham, Free Expression, Privacy, and Diminishing Sovereignty in the Information Age: The nI ternationalization of Censorship, 69 Ark. L. Rev. 71, 116 (2016).
This Article is brought to you for free and open access by the School of Law at CU Commons. It has been accepted for inclusion in Faculty Scholarship by an authorized administrator of CU Commons. For more information, please contact [email protected]. Free Expression, Privacy, and Diminishing Sovereignty in the Information Age: The Internationalization of Censorship
McKay Cunningham*
I. INTRODUCTION The Internet is still new. In relation to the history of human communication, the Internet's saturation occurred in an instant. The Internet facilitated one percent of two-way telecommunications in 1993, fifty-one percent in 2000, and ninety-seven percent by 2007.1 If you reduced the world's digital content to a stack of books, it would reach from Earth to Pluto ten times. 2 Digital data has increased to the point that "we're running out of language to describe it. The only quantity bigger than a zettabyte is a yottabyte, a figure with 24 zeroes."3 This windfall of accessible information spurred the increase in its value. Those at the World Economic Forum described data and personal information as "the new oil." 4 Some argue that "the dominant principle of the new economy, the information economy, has lately been to conceal the value of information,"5 an observation strengthened by the fact that the primary activity of ninety-two percent of commercial websites is data collection.6 With both private and public sectors incentivized to gather, understand, and leverage personal information, privacy advocates fight to ensure that personal
Associate Professor, Concordia University School of Law. 1. Martin Hilbert & Priscila L6pez, The World's Technological Capacity to Store, Communicate, and Compute Information, SCI., Apr. 1, 2011, at 62. 2. Richard Wray, Internet Data Heads for 500bn Gigabytes, GUARDIAN (May 18, 2009, 2:22 PM), http://www.theguardian.co.uk/business/2009/may/18/digital-content-expa nsion [https://perma.cc/GA7B-MWMF]. 3. See Rebecca Lowe, Me, Myself and1, INT'L BAR ASS'N GLOBAL INSIGHT (Oct. 17, 2013), http://www.ibanet.org/Article/Detail.aspx?ArticleUid=b47al361-16dd-4f04-b 83d-add60898f213 [https://perma.cc/H3KT-BG5A]. 4. See id 5. JARON LANIER, WHO OWNS THE FUTURE? 15 (2013). 6. See Scott R. Peppet, UnravelingPrivacy: The PersonalProspectus and the Threat ofa Full-DisclosureFuture, 105 Nw. U. L. REV. 1153, 1164 (2011). 72 ARKANSAS LAW REVIEW [Vol. 69:71] information is not surreptitiously taken and improperly used. Internet users, for example, expect the law to bar unknown third parties from secretly capturing every webpage visited and every email sent.8 In the pursuit of protecting informational privacy, Europe leads the world. 9 The European Union labels privacy a fundamental right and confers broad privacy rights to its citizens-rights that apply extraterritorially.' 0 These rights protecting personal information, however, derive from privacy law that pre-dated the Internet. Early privacy law could not have imagined, much less accounted for, the ubiquity and complexity of Internet communication and content. As a result, European law poorly achieves its primary goal of protecting its citizens' personal information. It is simultaneously over- inclusive by restricting a host of innocuous Internet users, and under-inclusive by exempting many of the most harmful privacy violators.'1 Indeed, the recent European Commission pronouncement recognizing the "right to be forgotten"' 2 highlights the flawed European approach. The right to be forgotten allows Europeans legal authority to erase certain content from the Internet.' The right is broadly-even nebulously-circumscribed, applying to information that is "inaccurate, inadequate, irrelevant or excessive... ."14 No court or government official first interprets whether claimed information is "inadequate" or "irrelevant." Rather, the burden falls on data controllers-like
7. See id. at 1185. 8. See Juliane Kokott & Christoph Sobotta, The Distinction Between Privacy and Data Protectionin the Jurisprudenceof the CJEU and the ECtHR, 3 INT'L DATA PRIVACY L. 222, 223 (2013) (discussing the right to privacy in "private and family life, home, and communications"). 9. See Christopher Kuner, The European Union and the Searchfor an International Data ProtectionFramework, 2 GRONINGEN J. INT'L L. 55, 56-57 (2014). 10. Council Directive 95/46/EC, 1995 O.J. (L 281) 31, 31-32, http://eur- lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L: 1995:281 :FULL&from=EN [https://perma.cc/GKD5-HQGG][hereinafter Data Protection Directive]. 11. See infra Part V. 12. Factsheeton the "Right to be Forgotten" Ruling (c-131/12), EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/files/factsbeets/factsheet _dataprot ection en.pdf [https://perma.cc/FJ7K-GJ6C] (last visited Feb. 13, 2016) [hereinafter European Commission Factsheet]. 13. Id. 14. Id 2016] SOVEREIGNTY IN THE INFORMATION AGE 73 Google-webpage masters, and a host of other data merchants to determine whether to delete content.1 5 In the months following enactment of the right to be forgotten, Google issued a form enabling Europeans to request deletion of their personal information. 16 Within one day of the form's publication, Europeans submitted 12,000 requests to delete information, growing to 41,000 requests in four days.1 7 Of those requests, approximately thirty-three percent related to fraud accusations, twenty percent to serious or violent crimes, and twelve percent to child pornography arrests.18 As of May 2016, Google has fielded more than 430,000 requests to deactivate over 1.5 million links and has deleted 549,624 links.19 Microsoft and Yahoo have also "begun processing requests as a result of the court's ruling" and have already deleted thousands of links.20 While privacy in the new age of information is undoubtedly important, the right to be forgotten harms more than it helps. It allows a single individual to determine what the rest of the world sees, threatening to censor the Internet in its adolescence. It undermines national sovereignty and democratic values by promoting one culture's adherence to privacy over another culture's preference for free expression. It ignores a host of alternative regulatory approaches-approaches that tailor legal restrictions to the harms associated with privacy violations. This article analyzes European Union (E.U.) and United States (U.S.) privacy law and, specifically, the right to be forgotten in Parts II and III. The article highlights the extraterritoriality of European
15. See id. 16. Caitlin Dewey, Want to Remove Your Personal Search Results from Google? Here's How the Request Form Works, WASH. POST (May 30, 2014), https://www.washingtonpost.com/news/the-intersect/wp/2014/05/30/want-to-remove-your- personal-search-results-from-google-heres-how-the-request-form-works/ [https://perma.cc/6DKJ-5DXU]. 17. See Caroline Preece et al., Google "Right to be Forgotten": Everything You Need to Know, IT PRO (Feb. 9, 2015), http://www.itpro.co.uk/security/22378/google-right-to-be- forgotten-everything-you-need-to-know [https://perma.cc/WW5S-PQM3]. 18. Id. 19. TransparencyReport: European PrivacyRequests for Search Removals, GOOGLE, http://www.google.com/transparencyreport/removals/europeprivacy/ [https://perma.cc/44BG-9DNM] (last updated May 24, 2016). 20. See Stuart Dredge, Microsoft and Yahoo Respond to European 'Right to be Forgotten'Requests,GUARDIAN (Dec. 1, 2014, 4:04 AM), http://www.theguardian.com/technology/2014/dec/0 1/microsoft-yahoo-right-to-be- forgotten [https://perma.cc/ZN53-38ND]. 74 ARKANSAS LAW REVIEW [Vol. 69:71] privacy law in Part IV, explores censorship implications in Part V, and articulates alternative regulatory frameworks in Part VI.
11. EMERGENCE OF THE RIGHT TO BE FORGOTTEN A. Google / Spain Mario Costeja Gonzdles, a Spanish citizen, spent part of his life in debt.21 Some of his property was auctioned to pay his debts and a local newspaper, La Vanguardia, published two small notices announcing the auction in 1998.22 Costeja GonzAles resolved his debts by 2010, but Google searches under his name still linked him with the La Vanguardia notices and the 23 auction. He sued, asking a Spanish court to delete the record of the auction as to both La Vanguardia's2publication and Google's linking the same to Costeja GonzAles.2 Costeja GonzAles did not argue that the information about his debt and the auction were false, but rather that he had a right to be forgotten because the information was no longer relevant.25 The court referred the case to the Court of Justice of the European Union (CJEU), certifying three legal issues, the third of which asked whether an individual has the right to request that his or her personal data be removed from an online search engine.26 The CJEU, which exercises jurisdiction over twenty- eight E.U. Member States, held that the auction publications could remain on La Vanguardia'swebsite but that Google must delete any link connecting Costeja Gonziles to them.27 The ruling was not narrowly circumscribed to the facts. The court pronounced a broad precedent: All European residents have the right to stop Google and other data controllers
21. See Case C-131/12, Google Spain SL v. Agencia Espafiola de Protecci6n de Datos T 14 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsftext-& docid=152065&doclang=EN [https://perma.cc/8YA9-52SM]. 22. Id 23. Id 24. Id. T 14-15. 25. Id. ¶ 15; see also Dave Lee, What is the "Right To Be Forgotten"?,BBC (May 13, 2014), http://www.bbc.com/news/technology-27394751 [https://perma.cc/ACC7- PTC4]. 26. Google Spain SL, Case C-131/12, ¶ 20. 27. Id T 93-94; see also Court of Justice of the European Union, INT'L JUSTICE RESOURCE CTR., http://www.ijrcenter.org/regional-communities/court-of-justice-of-the- european-union/ [https://perma.cc/5X6G-R83V] (last visited Feb. 2, 2016) (detailing the jurisdiction of the CJEU). 2016] SOVEREIGNTY IN THE INFORMATION AGE 75 from providing links to information deemed "inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in light of the time that has elapsed." 28 This standard lacks objective guideposts. What information is "irrelevant" or "inadequate"? How much time must pass, and in what context? Where do media rights, self- expression, and free speech factor into the court's standard? What notification, if any, must Google give to websites and others that their links have been erased? Soon after the Google Spain SL decision, the European Commission emphasized the burden of proof: "It is for the company-and not the individual-to prove that the data cannot be deleted because it is still needed or is still relevant." 29 Thus, the claimant seeking data erasure has no obligation to prove the data's irrelevancy. As Professor Luciano Floridi explains, "A private company now has to decide what is in the public interest." 30
B. Expanding the Reach of the Right to be Forgotten While the reversed burden is a significant consequence of the Google Spain SL ruling, it is not the most important. European authorities claim the precedent applies worldwide, to any data controller offering services to Europeans.3 1 A request by a Spanish citizen to scrub "irrelevant" information from the Internet not only blots that data from searches conducted in Madrid but from searches conducted in Florida, New Delhi, Moscow, and almost any place in between. 32 The implications from this recent decision and its subsequent interpretation are
28. Google Spain SL, Case C-131/12,1 93-94. 29. European Commission Factsheet, supra note 12. 30. Preece et al., supra note 17. 31. See European Commission Factsheet, supra note 12. 32. See Guidelineson the Implementation of the Court ofJustice of the European Union Judgment on "Google Spain and Inc v. Agencia Espailolade Proteccidn de Datos (AEPD) and Mario Costeja Gonziles" C-131/12, at 8-9 (Nov. 26, 2014), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion- recommendation/files/2014/wp225_en.pdf [https://perma.cc/JSR5-DG4A] [hereinafter Guidelines]. Of course, questions remain regarding the E.U.'s jurisdictional reach and how it can force non-E.U. entities to comply. In Google Spain SL, the court relied on the fact that U.S.-based Google operates a registered office in Spain. Google Spain SL, Case C- 131/12, ¶ 43. But the E.U. also asserts the application of its law to those individuals and industries without a physical presence in the E.U., as later illustrated in this article. See infra Part IV. 76 ARKANSAS LAW REVIEW [Vol. 69:71] far-reaching and have generated notable controversy. 33 Allowing one person to have information erased from worldwide access due to the data's alleged "irrelevancy" subverts national sovereignty and promotes one culture's value of individual privacy rights over other cultures' values of free expression. Google argued that only its European search domains should be required to comply and that the ruling should only affect European search results because those search results are directed towards users in Europe. 34 Ninety-five percent of European users search under their respective country's domain name extension.35 Google's global privacy counsel condoned a domain-based approach: National versions of our search service are offered from the relevant ccTLD (country code top level domains) for each country, like google.fr for France and google.it for Italy.... European users overwhelmingly use those services. Fewer than 5% of European users use google.com, and we think travelers are a significant portion of those.36 While ninety-five percent is a significant figure, European users are not prohibited from accessing Google.com and could connect to forbidden links in that way.37 Another alternative to wholesale deletion-geographic filtering-tailors search results according to the geographic origin of the search query, regardless of domain name extension. Through existing software, geographic filtering enables national authorities to more justifiably assert jurisdiction over foreign conduct because the impact of the ruling or
33. See, e.g., Michael L. Rustad & Sanna Kulevska, Reconceptualizing the Right to be Forgotten to Enable TransatlanticData Flow, 28 HARV. J.L. & TECH. 349, 398 (2015). 34. Brendan Van Alsenoy & Marieke Koekkoek, The Extra- TerritorialReach of the EU's "Right to be Forgotten" 17 (Interdisciplinary Ctr. for Law and ICT, Working Paper No. 20, 2015), http://papers.ssrn.com/sol3/papers.cfn? abstractid=2551838 [https://perma.cc/S3T4-G3GA]. 35. Id; see also Letter from Peter Fleischer, Glob. Privacy Counsel, Google, to Isabelle Falque-Pierrotin, Chair, Article 29 Working Party (July 31, 2014), http://online.wsj.com/public/resources/documents/google.pdf [https://perma.cc/KHV7-L3N 4]. 36. See Letter from Peter Fleischer, supra note 35. 37. See Guidelines, supra note 32, at 9. 38. Marketa Trimble, The Future of Cybertravel: Legal Implications of the Evasion of Geolocation, 22 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 567, 585-95 (2012). 2016] SOVEREIGNTY IN THE INFORMATION AGE 77 regulation is confined to national territory. 39 This approach is not foolproof, though. Proxy servers, for example, circumvent 40 geographic filtering. While the CJEU refrained from deciding the geographical scope of the right to be forgotten,41 leaving the law's reach unclear, European authorities have since signaled that neither domain-based nor geographic filtering suffices.42 The Article 29 Working Party, charged with implementing and interpreting European data privacy law,4 3 characterized domain-based compliance as unacceptable. [D]e-listing decisions must be implemented in a way that guarantees the effective and complete protection of these rights and that EU law cannot be easily circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the judgment. In practice, this means that any case de-listing should also be effective on all relevant domains, including .com." Indeed, E.U. regulatory law parallels the CJEU decision and purports to apply internationally. The Data Protection Regulation (Regulation), set to become effective in 2017,45 envisions worldwide applicability of European privacy law.46 The Regulation, "for the first time, leaves no legal doubt that no matter where the physical sever of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rules.'A 7 Imparting European residents with the power to delete data from the global
39. Seeidat591. 40. Id. at 602; Lawrence B. Solum & Minn Chung, The Layers Principle: Internet Architecture and the Law, 79 NOTRE DAME L. REv. 815, 898 (2004). 41. Case C-131/12, Google Spain SL v. Agencia Espahola de Protecci6n de Datos l 60-61 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf? text=&docid =152065&doclang=EN [https://perma.cc/8YA9-52SM]; see also Rustad & Kulevska, supra note 33, at 365. 42. See Guidelines, supra note 32, at 9. 43. See Article 29 Working Party, EUR. COMMISSION, http://ec.europa.eu /justice/data-protection/article-29/indexen.htm [https://perma.cc/CZU6-YZLB] (last updated June 10, 2015). 44. See Guidelines, supra note 32, at 9. 45. See Rustad & Kulevska, supra note 33, at 366. 46. See Kuner, supra note 9, at 60. 47. European Commission Factsheet, supra note 12 (emphasis omitted). 78 ARKANSAS LAW REVIEW [Vol. 69:71] public invites a unilateral censorship that bypasses the sovereignty of other states. Wikipedia's founder labeled the E.U.'s approach ''completely insane" and stated: In the case of truthful, non-defamatory information obtained legally, I think there is no possibility of any defensible "right" to censor what other people are saying. You do not have the right to use the law to prevent Wikipedia editors from writing truthful information, nor do you have a right to use the law to prevent Google from publishing truthful information.49 Stanford scholar Jennifer Granick thinks this "marks the beginning of the end of the global Internet, where everyone has access to the same information, and the beginning of an Internet where there are national networks, where decisions by governments dictate which information people get access to."50 Others laud the right to be forgotten and justify its global application as necessary given the borderless flow of digital data.5 Marc Rotenberg, president of the Electronic Privacy Information Center, characterized the CJEU's ruling as "a great decision, a forward-looking decision," in line with privacy advocates' long battle to gain more control over personal information.52 Like Rotenberg, European leaders view the right to be forgotten as integral to regaining individual autonomy over connected devices and the personal data those devices collect.
48. See Robert G. Larson III, Forgetting the First Amendment: How Obscurity- Based Privacy and a Right To Be Forgotten Are Incompatible with Free Speech, 18 COMM. L. & POL'Y 91, 114 (2013); Dan Jerker B. Svantesson, Delineating the Reach of Internet Intermediaries' Content Blocking - "ccTLD Blocking", "Strict Geo-location Blocking" or a "Country Lens Approach?", 11 SCRIPTED 153, 155 (2014), http://script- ed.org/wp-content/uploads/2014/10/svantesson.pdf [https://perma.cc/KYD2-A4FE]. 49. Preece et al., supra note 17. 50. Jeffrey Toobin, The Solace of Oblivion, NEW YORKER (Sept. 29, 2014), http://www.newyorker.com/magazine/2014/09/29/solace-oblivion [https://perma.cc/T5SZ- 4Y89]. 51. See Marc Rotenberg & David Jacobs, Updating the Law ofInformationPrivacy: The New Framework of the European Union, 36 HARV. J.L. & PUB. POL'Y 605, 641 (2013); see also Sophie Curtis, Information Commissioner Defends "Right to be Forgotten", TELEGRAPH (Aug. 7, 2014, 5:55 PM), http://www.telegraph.co.uk/ technology/internet-security/l1019585/lnformation-Commissioner-defends-right-to-be- forgotten.html [https://perma.cc/T4UL-P6R8]. 52. Toobin, supra note 50. 53. See European Commission Factsheet, supra note 12. 2016] SOVEREIGNTY IN THE INFORMATION AGE 79 Ill. CONFLICTING VALUES: FREE EXPRESSION AND PRIVACY A. E.U. Privacy Law and the Origin of the Right to be Forgotten Privacy is a fundamental right in the E.U. 54 Rather than sectoral and industry-specific laws protecting privacy only in certain contexts like sensitive medical and financial information, twenty years ago the E.U. enacted com rehensive legislation protecting personal data across the board. Nazi exploitation of personal records during World War 11,56 coupled with a historical preference for dignity-based rights over free expression, underscores European characterization of privacy as a fundamental right. The Declaration of Human Rights was adopted by the United Nations shortly after World War II and provided that "[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. .. ."59 Article 16 of the Consolidated Treaty on the Functioning of the European Union specified that "[e]veryone has the right to the protection of personal data concerning them." 60 Article 8 of the European Union's Charter of Fundamental Rights confers the rights of consent, access, and ability to rectify personal information.
54. Charter of Fundamental Rights of the European Union, 2010 O.J. (C 83/02) 389, 393; see also Tracie B. Loring, An Analysis of the Informational Privacy Protection Afforded by the European Union and the United States, 37 TEX. INT'L L.J. 421, 423 (2002). 55. Data Protection Directive, supra note 10, at 31. 56. See Francesca Bignami, European Versus American Liberty: A Comparative Privacy Analysis of Antiterrorism Data Mining, 48 B.C. L. REV. 609, 609-10 (2007); Michael W. Heydrich, A Brave New World: Complying with the European Union Directive on Personal Privacy Through the Power of Contract, 25 BROOK. J. INT'L L. 407, 417 (1999). 57. See Robert Kirk Walker, Note, The Right to Be Forgotten, 64 HASTINGS L.J. 257, 270 (2012); see also James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 YALE L.J. 1151, 1194 (2004). 58. Data Protection Directive, supra note 10, at 31. 59. G.A. Res. 217 (III) A, Universal Declaration of Human Rights (Dec. 10, 1948), http://www.ohchr.org/EN/UDHR/Documents/UDHRTranslations/eng.pdf [https://perma.cc/KY2E-P5TL]. 60. Consolidated Version of the Treaty on the Functioning of the European Union art. 16, Oct. 26, 2012, 2012 O.J. (C 326) 47, 55, http://eur-lex.europa.eullegal- content/EN/TXT/PDF/?uri=OJ:C:2012:326:FULL&from=EN [https://perma.cc/TNM2-H8 WE]. 61. Charter of Fundamental Rights of the European Union, supra note 54. 80 ARKANSAS LAW REVIEW [Vol. 69:71] Finally, numerous provisions in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data specifically address collection, storage, transfer, and use of personal data.6 But it was a non-government economic organization that inspired the current legal structure for data privacy found in the present-day Directive and forthcoming Regulation. The Organisation for Economic Co-operation and Development 63 (OECD) introduced a proposal for internationally recognized privacy principles in the 1970s and set forth guidelines in 198064 that became the blueprint for binding legislation throughout each E.U. Member State and spawned the formal enactment of Council Directive 95/46/EC on October 24, 1995.65 While many of the agreements listed above are aspirational, the Directive is legally binding.66 Now over twenty years old, the Directive is arguably the most influential data privacy law worldwide. 6 7 Borrowing from the tenets articulated by the OECD in 1980, the Directive restricts individuals and organizations that process E.U. personal data and grants data subjects rights of notice, access, correction, and arguably
62. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data arts. 5-6, 8-9, Jan. 28, 1981, 1496 U.N.T.S. 65, 66-67 https://treaties.un.org/doc/Publication/UNTS/Volume%201496/volume-1496-1-25702- English.pdf [https://perma.cc/R6BQ-UUCP]. 63. The Organisation for Economic Co-operation and Development (OECD) is an international economic organization of over thirty countries and was founded in 1961 to stimulate economic growth and world trade. History, ORG. FOR ECON. CO-OPERATION & DEV., http://www.oecd.org/history [https://perma.cc/6S88-3AEJ] (last visited Feb. 13, 2016). It was originated in 1947 to run the U.S.-financed Marshall Plan for reconstruction of war-torn Europe. See id 64. See OECD Guidelines on the Protection of Privacy and TransborderFlows of Personal Data, ORG. FOR ECON. CO-OPERATION & DEV., http://www.oecd.org/stil ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm [https://perma.cc/8R3L-PBXT] (last visited Feb. 3, 2016); see also Fred H. Cate, The Changing Face of Privacy Protection in the European Union and the United States, 33 IND. L. REv. 173, 180-81 (1999). 65. See Cate, supra note 64, at 180-82. 66. Data Protection Directive, supra note 10, at 31; see also EUR. UNION AGENCY FOR FUNDAMENTAL RIGHTS, HANDBOOK ON EUROPEAN DATA PROTECTION LAW 17 (2014). 67. See generally Gregory Shaffer, Globalization and Social Protection: The Impact ofEU and InternationalRules in the Ratcheting Up of U.S. Privacy Standards, 25 YALE J. INT'L L. 1, 55-88 (2000) (discussing the Directive's worldwide impact); see also Ryan Moshell, Comment,.. . And Then There Was One: The Outlook for a Self-Regulatory United States Amidst a Global Trend Toward Comprehensive Data Protection, 37 TEX. TECH L. REv. 357, 384-86 (2005). 2016] SOVEREIGNTY IN THE INFORMATION AGE 81 deletion of their personal information.68 It honors the fundamental right to privacy by governing the use, collection, storage, and transfer of E.U. residents' personal data.69 It is important to note that the privacy policies animating the Directive, as well as the actual restrictions therein, originated before popularization of the Internet.70 The Directive's drafters did not contemplate how the law they were drafting would apply to today's Internet. The Data Protection Regulation will soon replace the Directive.7 1 The forthcoming Regulation mirrors the Directive's principal framework and purportedly strengthens the goal of data privacy law by injecting new rights for data subjects while increasing penalties for non-compliance.72 The Regulation, which explicitly recognizes the right to be forgotten for the first time, will likely become effective in 2017.73 Both the Directive and Regulation require that personal data be: 1. Processed fairly and lawfully; 2. Collected for legitimate and specified reasons; 3. Adequate, relevant, and not excessive in relation to the purposes for which it is collected; 4. Accurate and, where necessary, kept up to date; and 5. Retained as identifiable data for no longer than necessary to serve the purposes for which the data was collected.74 These requirements place significant strain on those that "process" E.U. personal data. The right to know when personal
68. See Data Protection Directive, supra note 10, at 33. 69. Id. at 38. 70. See Patricia Sinchez Abril & Jacqueline D. Lipton, The Right to be Forgotten: Who Decides What the World Forgets?, 103 KY. L.J. 363, 383-84 (2014) ("Interactive, widely-used online services, such as the Google search engine, are very different entities from those to whom the 1995 Privacy Directive were targeted."). 71. Proposalfor a Regulation of the European Parliamentand of the Council on the Protection of Individuals with Regard to the Processing of PersonalData and on the Free Movement of Such Data (GeneralData Protection Regulation), at 18-19, COM (2012) 11 final (Jan. 25 2012) [hereinafter Data Regulation Proposal]. Unlike "Directives," which require that Member States enact national laws that reflect the spirit of the Directive, "Regulations" directly bind Member States. See Treaty on European Union art. G, Feb. 7, 1992, 1992 O.J. (C 191) 1. 72. See Data Regulation Proposal, supra note 71. 73. See Rustad & Kulevska, supra note 33, at 386. 74. Data Regulation Proposal, supra note 71, at 43; Data Protection Directive, supra note 10, at 40. 82 ARKANSAS LAW REVIEW [Vol. 69:71] data is collected, for example, requires companies to provide notice before gleaning that digital data. 5 Consent must be a "freely given specific and informed indication of [the resident's] wishes." 7 6 Even after proper notice and consent, personal data can only be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes."7 If a company follows protocol by issuing proper notice, obtaining consent, and collecting data for a legitimate purpose, an E.U. resident still has the right to have it altered or corrected. Indeed, an E.U. resident now has the right to have it deleted altogether-to have it "forgotten." 79 Finally, those who control private data must protect it.so Protecting personal data requires data processors to "implement appropriate technical and organizational measures to protect personal data against . . . destruction or . .. loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network."8 1 Taken together, these provisions materially affect individuals and entities that process personal data.
B. E.U. Codification of the Right to be Forgotten One of the most controversial rights at the heart of data protection law is the right to be forgotten, which has been described by E.U. officials as the right of individuals to "have their data fully removed when it is no longer needed for the purposes for which it was collected." 82 The right allows E.U. residents to have photographs, videos, text, and other
75. See Data Regulation Proposal, supra note 71, at 48-49; Data Protection Directive, supra note 10, at 41. 76. Data Protection Directive, supra note 10, at 39. 77. Id at 40. 78. Id. at 42. 79. See Case C-131/12, Google Spain SL v. Agencia Espaftiola de Protecci6n de Datos 193-94 (May 13, 2014), http://curia.europa.eu/juris/document/document.jsf? text-&docid=152065&doclang=EN [https://perma.cc/8YA9-52SM]; see also European Commission Factsheet, supra note 12. 80. Data Protection Directive, supra note 10, at 43. 8 1. Id. 82. See Press Release, Eur. Comm'n, Data Protection Reform - Frequently Asked Questions (Nov. 4, 2010), http://europa.eu/rapid/press-releaseMEMO-10-542_en.htm? locale=EN [https://perma.cc/45SH-VFZ5] (stating that "[p]eople who want to delete profiles on social networking sites should be able to rely on the service provider to remove personal data, such as photos, completely"). 20161 SOVEREIGNTY IN THE INFORMATION AGE 83 information about themselves deleted or canceled from Internet sites, as well as the links generated by search engines.83 The 1995 Directive failed to unequivocally confer the right to be forgotten, creating uncertainty in its application. 84 Even so, Google Spain interpreted the Directive as including the right to be forgotten,85 a ruling subsequently embraced by the European Commission, which claimed that the Directive "already includes the principle underpinning the right to be forgotten." 86 The forthcoming Regulation eliminates any lingering uncertainty. Article 17 of the Regulation states: 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ... 2. Where the controller referred to in paragraph I has made the personal data public, it shall take all reasonable steps, including technical measures, .. . [to have the data erased, including by third parties] .... Under these and other proposed provisions, E.U. residents seeking deletion of data must allege that their personal data is irrelevant or no longer necessary. E.U. officials project that assessment of such requests eludes categorization and must be
8 3. Id. 84. See Google Spain SL, Case C-131/12,1 3. 85. Id. ¶97, 99. 86. See European Commission Factsheet, supra note 12. Support for the claim that the Directive includes the right to be forgotten stems from Article 12 of the Directive: Member States shall guarantee every data subject the right to obtain from the controller: (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort. Data Protection Directive, supra note 10, at 42. 87. Data Regulation Proposal, supra note 71, at 51. 88. See European Commission Factsheet, supra note 12. 84 ARKANSAS LAW REVIEW [Vol. 69:71] made on "a case-by-case basis."89 Review includes analysis of the "accuracy, adequacy, relevance-including time passed- and proportionality of the links, in relation to the purposes of the data processing."9 The individual holds no obligation to prove the data's irrelevancy or inadequacy. 91 Instead, the company (search engine, blog, news media, etc.) must prove that the data cannot be deleted because it is still relevant or still needed. 92 If Google deems the data irrelevant or unnecessary, for example, all links to it must be deleted. The right to be forgotten requires data controllers go a step further. Upon a proper request to delete personal information, Google must not only delete the links, it must also identify the operators of the third-party websites hosting that data and act as intermediary for the data subject by prompting deletion from those websites.93 This additional obligation has "created vehement opposition." 94 Any data controller that "has made ... personal data public" must take "reasonable steps" to find third parties processing that data and ask them "to erase any links to, or copy or replication of that personal data." 95 As these requirements make clear, European privacy law-and the right to be forgotten in particular-reflect a preference for privacy rights when they compete with rights associated with free expression.
C. U.S. Privacy and Free Expression Although Americans largel' decry the elevation of privacy rights over free expression, the right to be forgotten nevertheless resonates in certain contexts. Nikki Catsourus was eighteen when she died on Halloween in a brutal car accident.9 7 The severe wreck decapitated her. 98
89. Id 90. Id; see also Google Spain SL, Case C-131/12, [ 94. 91. See European Commission Factsheet, supra note 12. 92. Id. 93. Data Regulation Proposal, supra note 71, at 51. 94. Meg Leta Ambrose, A Digital Dark Age and the Right to Be Forgotten, 17 J. INTERNET L. 1, 10 (2013). 95. Data Regulation Proposal, supra note 71, at 51. 96. Steven C. Bennett, The "Right to Be Forgotten": Reconciling EU and US Perspectives, 30 BERKELEY J. INT'L L. 161, 169 (2012). 97. See Jessica Bennett, One Family's Fight Against Grisly Web Photos, NEWSWEEK (Apr. 24, 2009, 8:00 PM), http://www.newsweek.com/one-familys-fight-against-grisly- web-photos-77275 [https://perma.cc/U9NT-TEBE]. 2016] SOVEREIGNTY IN THE INFORMATION AGE 85 Highway patrolmen emailed photographs of the gruesome scene to various friends. 99 The images soon spread through social media, deepening the despair of Nikki's family and friends. 00 Nikki's father forbade his remaining daughters from using the Internet and began a futile crusade to force social media, blogs, websites, and search engines to remove the images.101 Many in the U.S. have similarly struggled to excise digital records that forever capture long-ago indiscretions or records that associate them with a singular painful or embarrassing incident. However, longstanding allegiance to free expression leaves little room for the right to be forgotten in American jurisprudence. 02
1. U.S. Regulation of Privacy Although the First, Third, Fourth, Fifth, and Fourteenth Amendments carry implicit privacy rights in certain circumstances, the U.S. Constitution does not explicitly protect privacy.1 03 In the absence of express constitutional protection, a myriad of laws from various authorities prompt many to characterize the U.S. approach as "sectoral," a reference to fragmented'o cross-governmental, and industry-specific regulation. 4 The font of privacy law in U.S. jurisprudence flows in large part from a law review article penned over 120 years ago and largely attributed to Louis Brandeis.' 05 Rather than webpages and the Internet, Brandeis confronted the privacy implications spurred by the "modem enterprise and invention" of photography and newspapers.1 06 The article strained to find legal grounds to prevent technology from proliferating gossip columns that delved into domestic life and
98. Id. 99. Id 100. Id 101. See id.; see also Toobin, supra note 50. 102. See Larson III, supra note 48, at 92-93. 103. U.S. CONST. amends. I, III, IV, V, XIV; see also Roe v. Wade, 410 U.S. 113, 153 (1973); Griswold v. Connecticut, 381 U.S. 479, 483-85 (1965). 104. Cate, supra note 64, at 217. 105. See generally Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890); see also Bennett, supra note 96; Melville B. Nimmer, The Right of Publicity, 19 L. & CONTEMP. PROBS. 203, 203 (1954); Neil M. Richards, The Puzzle of Brandeis, Privacy, and Speech, 63 VAND. L. REV. 1295, 1295-96 (2010). 106. Warren & Brandeis, supra note 105, at 195-96. 86 ARKANSAS LAW REVIEW [Vol. 69:71] sexual relations. 107 Brandeis described the article's goal succinctly: "It is our purpose to consider whether the existing law affords a principle which can properly be invoked to protect the privacy of the individual; and, if it does, what the nature and extent of such protection is."108 The mere posture of the question cuts against characterizing privacy as a historically fundamental right. While Brandeis did discover a "principle which may be invoked to protect the privacy of the individual" from invasion, including any "modem device for recording or reproducing scenes or sounds,"' 09 the article listed several limitations and, unlike free expression, lacked the permanence and prominence attending constitutional warrant. p a p Given this history, the absence of a comprehensive privacy right is unsurprising. Instead, privacy laws crop up around industries that process sensitive data like the healthcare and financial sectors. The Gramm-Leach-Bliley Act, for example, restricts the use and dissemination of private financial data,", the Health Insurance Portability and Accountability Act regulates the use and disclosure of "protected health information,"" 2 and the Fair and Accurate Credit Transactions Act addresses privacy concerns that attend credit reporting. 113 These sectoral privacy laws are not uniform; they define "personal information" differentlyll 4 and are tailored to
107. Id. at 195-98. 108. Id at 197. 109. Id at 206. 110. Id at 207-14. 111. Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (codified at 15 U.S.C. §§ 6801-6809 (2012)). 112. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104- 191, 110 Stat. 1936 (codified at 42 U.S.C. §§ 1320d-1 to -9 (2012)); see also Jeanna Phipps, State of Confusion: The HIPAA Privacy Rule and State Physician-PatientPrivilege Laws in Federal Question Cases, 12 SUFFOLK J. TRIAL & APP. ADVOC. 159, 170 (2007). 113. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952 (codified at 15 U.S.C. §§ 1681-1681v (2012)). 114. Compare 15 U.S.C. § 1681(b) (2006) (applying to consumer reporting agencies that provide consumer reports, defined as communications by such an agency bearing on a consumer's credit worthiness or personal characteristics when used to establish consumer's eligibility in certain contexts), with Video Privacy Protection Act of 1988, Pub. L. No. 100- 618 102 Stat. 3195 (codified at 18 U.S.C. § 2710 (2012) (defining personally identifiable information as "information which identifies a person")), and 15 U.S.C. § 6809(4)(A) (2012) (defining personally identifiable financial information as "nonpublic personal information"). 2016] SOVEREIGNTY IN THE INFORMATION AGE 87
particular elements of personal information or discrete uses of discrete data. U.S. law is further fragmented by state and local privacy law. Forty-seven of fifty states have varying breach notification laws, which generally require that organizations divulge when they have been hacked if sensitive data was made vulnerable."1 5 California's state constitution labels "privacy" an inalienable right, 116 and the state's law recently recognized the right to be forgotten for minors.117 Nebraska and Pennsylvania prohibit knowingly making misleading statements on website privacy policies,' and Connecticut restricts anyone who collects social security numbers. 119 The variations among state privacy laws are numerous and growing. 120 A crosscurrent of self-regulation also marks U.S. privacy regulation. A number of specialized trades self-regulate by adopting non-legally binding guidelines and promoting privacy "best practices." 1 21 The Direct Marketing Association, for example, drafts and promotes online privacy guides that call for its members to post a prominent notice on their websites alerting consumers to information-collection practices. 12 2 The credit card industry self-imposes encryption obligations and requires reporting on lost data.123 Such self-regulation is not accidental. The Clinton Administration promoted self-regulation as a preferable method of protecting consumer privacy without saddling businesses with bureaucratic interference, stating, "We believe that private efforts of industry working in cooperation
115. See US Data Breach Notification Laws by State, IT GOVERNANCE, http://www.itgovernanceusa.com/data-breach-notification-laws.aspx#.VPyf-WdOXIU [https://perma.cc/B4FG-5YCW] (last visited Feb. 4, 2016). 116. CAL. CONST. art. I, § 1. 117. See CAL. BUS. & PROF. CODE § 22581 (West 2015). 118. NEB. REV. STAT. ANN. § 87-302(a)(14) (West 2015); 18 PA. STAT. AND CONS. STAT. ANN. § 4107(a)(10) (West 2015). 119. CONN. GEN. STAT. ANN. § 42-471 (West 2015). 120. See State Laws Related to Internet Privacy, NAT'L CONF. ST. LEGISLATURES (Jan. 5, 2016), http://www.ncsl.org/research/telecommunications-and-information-technolo gy/state-laws-related-to-internet-privacy.aspx [https://perma.cc/P3MA-5ARC]. 121. See John Schinasi, Note, Practicing Privacy Online: Examining Data Protection Regulations Through Google's Global Expansion, 52 COLUM. J. TRANSNAT'L L. 569, 585-87 (2014). 122. Jonathan P. Cody, Comment, Protecting Privacy Over The Internet: Has the Time Come to Abandon Self-Regulation?, 48 CATH. U. L. REv. 1183, 1218-19 (1999). 123. See generally Abraham Shaw, Note, Data Breach: From Notification to Prevention Using PCI DSS, 43 COLUM. J.L. & SOC. PROBS. 517 (2010). 88 ARKANSAS LAW REVIEW [Vol. 69:71] with consumer groups are preferable to government regulation... ."124 The patchwork of federal privacy laws is at times cause for confusion.1 25 It reflects regulatory reticence and helps explain why the U.S. is one of few developed nations without a comprehensive data privacy law. It also reflects a historical- though receding 26-adherence to free expression.127
2. U.S. Law Elevating Free Expression over Privacy Unlike privacy law, the American legal history of free expression begins with an explicit Constitutional guarantee and continues through deeply rooted Supreme Court precedent covering a broad array of contexts and historical eras too lengthy for categorization here.128 With regard to the right to be forgotten, lawsuits alleging that publication of personal information would be injurious have found little traction when the publication is accurate and newsworthy. In 1977, the Supreme Court invalidated an order that would have stopped newspapers from publishing the name and picture of a juvenile offender.1 29 The Court allowed the press to publish the name of a rape victim in a case decided two years earlier.130 In 1989, the Court noted that "if a newspaper lawfully obtains truthful information about a matter of public significance then state officials may not constitutionally punish publication of the information, absent a need to further a state interest of the highest order." 1 3 '
124. See William J. Clinton & Albert Gore, Jr., A Frameworkfor Global Electronic Commerce, WHITE HOUSE (July 1, 1997), http://clinton4.nara.gov/ WH/New/Commerce /read.html [https://perma.cc/ZFH4-ZWJZ]. 125. See Peter Fleischer, Call for Global Privacy Standards, GOOGLE PUB. POL'Y BLOG (Sept. 14, 2007), http://googlepublicpolicy.blogspot.com/2007/09/call-for-global- privacy-standards.html [https://perma.cc/FR9Y-L38F]. 126. See Richard J. Peltz-Steele, The New American Privacy, 44 GEO. J. INT'L L. 365, 383-93 (2013). 127. See Emily Adams Shoor, Narrowing the Right to be Forgotten: Why the European Union Needs to Amend the ProposedData Protection Regulation, 39 BROOK. J. INT'L L. 487, 498-502 (2014). 128. See generally David M. Rabban, The First Amendment in Its Forgotten Years, 90 YALE L.J. 514, 522-42 (1981) (discussing Supreme Court free speech cases before World War I). 129. Okla. Publ'g Co. v. Dist. Court In & For Okla. Cty., 430 U.S. 308, 311-12 (1977) (per curiam). 130. Cox Broad. Corp. v. Cohn, 420 U.S. 469, 496-97 (1975). 131. Fla. Star v. B.J.F., 491 U.S. 524, 533 (1989). 20161 SOVEREIGNTY IN THE INFORMATION AGE 89 Indeed, a U.S. court likely would not have granted Costeja Gonzdles relief.132 Costeja Gonzdles's debt and auction records were public and accurately reported by La Vanguardia.133 A string of U.S. Supreme Court cases affirm that the Constitution's outright promise of free expression protects newsworthy, true stories though they may embarrass or otherwise harm the stories' subjects.134 The fact that Google did not generate the content, but merely acted as a "newsstand" 3 for its dissemination does not itself forestall First Amendment protections.13 The U.S. historical preference for free expression is not absolute, just as the European historical preference for individual privacy rights is not absolute. 37 The gap between them, however, deepens under "the right to be forgotten" and global legislation implementing it. As one Facebook executive remarked, "Technology didn't create the tension but just revealed it in a dramatic way."l 38
IV. THE RIGHT TO BE FORGOTTEN AS UNILATERALLY DECREED AND UNIVERSALLY APPLIED It is acceptable, even optimal, for different cultures to promote certain values over others and to effectuate such preferences through democratic governance. But digital data
132. See Rustad & Kulevska, supra note 33, at 355 (characterizing the right to be forgotten as "antithetical to the First Amendment of the U.S. Constitution"). 133. See Case C-131/12, Google Spain SL v. Agencia Espailola de Protecci6n de Datos ¶ 14-15 (May 13, 2014), http://curia.europa.eu/juris/ document/document.jsf? text=&docid=152065&doclang=EN [https://perma.cc/8YA9-52SM] (stating that Costeja Gonziles challenged the newspaper on the ground that the published information was irrelevant). 134. See, e.g., Fla. Star, 491 U.S. at 533; Smith v. Daily Mail Publ'g Co., 443 U.S. 97, 105-06 (1979); Okla. Publ'g Co., 430 U.S. at 311-12; Cox Broad. Corp., 420 U.S. at 496-97. 135. Toobin, supra note 50 ("We like to think of ourselves as the newsstand, or a card catalogue."). 136. See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 535 (2001) (holding that dissemination of illegally obtained content does not create liability for the media entity when the media entity itself did nothing illegal to obtain the content). 137. See Peltz-Steele, supra note 126, at 382; see also Data Regulation Proposal, supra note 71, at 6-7. 138. See Toobin, supra note 50. 90 ARKANSAS LAW REVIEW [Vol. 69:71] flow does not stop at territorial borders.1 39 Companies adversely affected by one nation's restrictive digital data laws need only relocate out of jurisdictional reach and continue business as usual.1 40 To avoid circumvention, European policymakers openly seek to impose the right to be forgotten worldwide.141 As Viviane Reding told the U.S. Chamber of Commerce, "All companies that operate in the E.U. must abide by our high standards of data protection and privacy."' 42 This international claim is not new. When the E.U. adopted the seminal 1995 Directive, it recognized that the protections it afforded were ephemeral if tethered to territorial boundaries. 143 As a result, the Directive purports to apply beyond European borders.1 4 4 The European Commission concedes as much: "Without such precautions, the high standards of data protection established by the Data Protection Directive would quickly be undermined, given the ease with which data can be moved around in international networks." 45
A. Inclusive Definitions The Directive and the forthcoming Regulation contain multiple mechanisms designed to ensure compliance from both data processors in the E.U. and those around the world. The Directive broadly defines those who fall within its ambit, as
139. See Paul M. Schwartz, The EU-US. Privacy Collision: A Turn to Institutions and Procedures, 126 HARV. L. REV. 1966, 1972-73 (2013) ("Globalization of world data flows called for EU action with just such an international reach."); see also A.T. KEARNEY, WORLD ECON. FORUM, RETHINKING PERSONAL DATA: A NEW LENS FOR STRENGTHENING TRUST 3 (2014), http://www3.weforum.org/docs/WEFRethi nkingPersonalDataANewLensReport 2014.pdf [https://perma.cc/YMN6-Q3G2] ("The growth of data, the sophistication of ubiquitous computing and the borderless flow of data are all outstripping the ability to effectively govern on a global basis."). 140. See Transferring Your Personal Data Outside the EU, EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/data-collection/data-transfer/index-en.htm [https://perma.cc/W2QM-AWR7] (last visited Feb. 4, 2016). 141. See Kuner, supra note 9, at 61-63. 142. See Viviane Reding, Vice President, Eur. Comm'n Responsible for Justice, Fundamental Rights and Citizenship, Speech at the American Chamber of Commerce to the EU (June 22, 2010), http://europa.eu/rapid/press-releaseSPEECH-10-327_en.htm [https://perma.cc/9HGX-FXLK]. 143. See Data Protection Directive, supra note 10, at 39. 144. See id; see also Kuner, supra note 9, at 61. 145. See Transferring Your Personal Data Outside the EU, supra note 140 (emphasis omitted). 2016] SOVEREIGNTY IN THE INFORMATION AGE 91 illustrated by three key definitions. The Directive applies to personal data that is processed by controllers or processors. 14 6 Personal data is defined as "[a]ny information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."1 47 Personal data certainly includes names, national identification numbers, birth certificates, and residential addresses, but it captures much more by equating "identified" with "identifiable," such as information that can identify a data subject directly or indirectly.1 4 8 Data is considered personal when it enables anyone to link information to a specific person even if the entity holding that data cannot itself make the link.143 European authorities deem data "personal" when, "althou the person has not been identified yet, it is possible to do it." 0 As a result, "information need not identify an individual directly to constitute 'personal data,' but the mere fact that the information is related to an individual capable of being identified results in the data being 'personal data' under the Directive.""s1 The forthcoming data Regulation does not attempt to curb this definition; if anything, it broadens "personal data" by defining it as "any information relating to a data subject." 52 The Directive and Regulation marry this broad definition of personal data with an equally broad definition of data "processing," defined as "any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or
146. See Data Protection Directive, supra note 10, at 40. 147. Id at 38. 148. See Paul M. Schwartz & Daniel J. Solove, The PH1 Problem: Privacy and a New Concept ofPersonallyIdentifiable Information, 86 N.Y.U. L. REv. 1814, 1874 (2011). 149. Opinion 1/2008 on Data ProtectionIssues Related to Search Engines, at 3, 8 (Apr. 4, 2008), http://ec.europa.eu/justice/policies/ privacy/docs/wpdocs/2008/wpl48 en.pdf [https://perma.cc/CM5B-4W6N]. 150. See Opinion 4/2007 on the Concept ofPersonalData, at 12 (June 20,2007), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf [https://perma.cc/G9HQ-UUGW] (emphasis omitted). 151. McKay Cunningham, Privacy in the Age of the Hacker: Balancing Global Privacy andData Security Law, 44 GEO. WASH. INT'L L. REV. 643, 657 (2012). 152. Data Regulation Proposal, supra note 71, at 41. 92 ARKANSAS LAW REVIEW [Vol. 69:71] alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction." 5 "Processing" includes collection and transfer of personal data.1 54 It includes redaction, deletion, storage, and automatic processing of personal data.155 The Directive and the Regulation define those deemed to have "processed" personal data as either data controllers or data processors.' 56 A data controller is "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes conditions and means of the processing of personal data."i53 Data controllers include not only Google and Axciom, but capture "neighborhood children who record orders for Girl Scout cookies." 5 8 The Directive's operative terms are defined not by how they differ or exclude concepts, but rather how they are inclusive of them, leaving commentators wondering what, if anything, is not "personal data" and who, if anyone, is not "processing" that data.' 59 Anyone engaging in any commerce within the E.U. or with E.U. residents would rightly presume the Directive's application.
B. Extraterritorial Reach The Directive, and soon the Regulation, bolster these broad definitions with compliance requirements that are purposefully extra-jurisdictional. By restricting the transfer of personal data out of the E.U., the Directive constrains data flow to the international community. 160 The Directive begins broadly by prohibiting personal data transfers to all "inadequate"
153. Id. 154. Data Protection Directive, supra note 10, at 38. 155. Id. 156. Data Regulation Proposal, supra note 71, at 41-42; Data Protection Directive, supra note 10, at 38. 157. Data Regulation Proposal, supra note 71, at 41. 158. Cate, supranote 64, at 183. 159. See id. at 182 (discussing the broad application of "personal data"); see also Schwartz & Solove, supra note 148, at 1873-74. 160. Data Protection Directive, supra note 10, at 45; see also Data Regulation Proposal, supra note 71, at 69 ("A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection."). 20161 SOVEREIGNTY IN THE INFORMATION AGE 93 countries.161 As a result, European companies conducting business outside the E.U. require assurance that the home country of all business partners adequately complies with the Directive.162 Notably, only eleven countries are "adequate" according to the E.U., and the U.S. is not among them.1 63 Because reducing data flow to eleven countries would severely diminish continental commerce,1 64 the Directive allows data transfers to organizations located in nations that have "inadequate" privacy laws if the organization receiving and processing that data complies with the Directive. 165 Rigid contractual agreements and binding corporate rules are two avenues the Directive allows that facilitate data transfer outside the E.U.1 66 Both require that the receiving entity comply with the Directive's strictures. In addition to inhibiting the transfer of personal information outside the E.U., the Directive reaches beyond E.U. borders through extraterritorial provisions. The Directive requires compliance from data controllers located outside the E.U. if they "make[] use of equipment" located in the E.U. Each Member State shall apply . .. this Directive to the processing of personal data where ... the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for
161. Data Protection Directive, supra note 10, at 45-46. 162. See Shaffer, supra note 67, at 22. 163. See Commission Decisions on the Adequacy of the Protection of PersonalData in Third Countries, EUR. COMMISSION, http://ec.europa.eu/justice/data-protection/intemat ional-transfers/adequacy/index en.htm [https://perma.cc/9AB6-FK44] (last visited Feb. 4, 2016) (listing Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay). 164. See Shaffer, supra note 67, at 39. 165. The principal avenues for U.S. companies seeking to comply with the E.U. Directive-and thereby receive personal information from the E.U.-include obtaining actual consent of the data subject, standard contractual clauses, binding corporate rules, and participation in the Safe Harbor program. See Data Protection Directive, supra note 10, at 46; Working Document: Transfers of PersonalData to Third Countries:Applying Article 26 (2) of the E. U. Data ProtectionDirective to Binding CorporateRules for International Data Transfers, at 5-6 (June 3, 2003), http://ec.europa.eu/justice/data-protection/article- 29/documentation/opinion-recommendation/files/2003/wp74_en.pdf [https://perma.cc/923A-DPYZ ] [hereinafter Transfers ofPersonalData] 166. See Data Protection Directive, supra note 10, at 46; Transfers of PersonalData, supra note 165. 94 ARKANSAS LAW REVIEW [Vol. 69:71]
purposes of transit through the territory of the Community.16 7 Online businesses, companies engaging in e-commerce, and entities with E.U. employees likely "process" the "personal data" of E.U. residents. If those E.U. residents use their laptops, smart phones, or other such device, the transaction "makes use of equipment" within the E.U. and arguably places such entities within the Directive's purview.' 6 8 The Regulation, interestingly, drops the "equipment" nexus and extends its extra-jurisdictional reach by purporting to control all non-E.U. entities that offer goods or services to persons in the E.U. 16 9 As one scholar suggests, this "seems likely to bring all providers of Internet services such as websites, social networking services and app providers under the scope of the E.U. Regulation as soon as they interact with data subjects residing in the European Union."' 0 Organizations with only one domestic office have been historically insulated from being haled into the court of a foreign country to account for actions under that country's law.'7 1 But both the Directive and Regulation stretch normal jurisdictional law.1 7 2 In light of the flattening effect of e-commerce, the internationalization of markets, and the estimation that over ninety percent of commercial websites collect personal data from web users, these extraterritorial provisions encompass much of the developed world. 7 1 The impact of these provisions is evidenced by trending international law. Nineteen new omnibus privacy laws spouted
167. Data Protection Directive, supra note 10, at 39. 168. John T. Soma et al., An Analysis of the Use of BilateralAgreements Between Transnational Trading Groups: The US./EU E-Commerce Privacy Safe Harbor, 39 TEX. INT'L L.J. 171, 208 (2004). 169. See Data Regulation Proposal, supra note 71, at 41. 170. Kuner, supra note 9, at 61 (quoting DAN JERKER B. SVANTESSON, EXTRATERRITORIALITY IN DATA PRIVACY LAW 107 n.41 (2013)). 171. See Glenn R. Sarno, Haling Foreign Subsidiary Corporationsinto Court Under the 1934 Act: JurisdictionalBases and Forum Non Conveniens, 55 L. & CONTEMP. PROBS. 379, 381-82 (1992). 172. Article 4 of the Directive states that if a data controller is located outside the E.U., but uses equipment within the E.U. for any purpose other than transmission, the law of the Member State where the equipment is located will apply. Data Protection Directive, supra note 10, at 39. 173. See Peppet, supra note 6. 2016] SOVEREIGNTY IN THE INFORMATION AGE 95 up in the 1990s, and thirty-two more emerged in the 2000s.1 74 At the current rate of expansion, fifty new laws will emerge in this decade.175 As Professor Graham Greenleaf notes, "The picture that emerges is that data privacy laws are spreading globally, and their number and geographical diversity accelerating since 2000." 176 The Directive's extraterritorial reach arguably spurs non-E.U. countries to enact data privacy laws commensurate with the Directive.1 7 7 In fact, the great majority of countries that have enacted data privacy laws within the last two decades have tracked, to a large degree, the language of the E.U. Directive.' 7 8 If the Directive prevents non- E.U. organizations from "processing" E.U. data, it effectively truncates access to the E.U. market. At a certain level of abstraction, European officials designed the Directive and Regulation to require discrete protections of E.U. residents' personal data no matter where that data is processed.180 As one scholar stated, "[B]ecause of the scope of the Data Protection Directive, any business that has contact with E.U. residents on anything other than an anonymous cash-only basis has effectively collected some form of personal data and thus would be subject to the Data Protection Directive."' 8 '
V. THE RIGHT TO BE FORGOTTEN AS DISGUISED CENSORSHIP Many characterize the right to be forgotten as censorship in the name of privacy.1 82 The new law empowers E.U. residents
174. See Graham Greenleaf, 76 Global Data Privacy Laws, PRIVACY L. & BUS., Sept. 2011, at 2. 175. Id. 176. Id. 177. Rotenberg & Jacobs, supra note 51, at 642 ("The practical consequence of compliance is to raise privacy standards for customers both within and without the European Union, thus 'ratcheting up' the standards for data privacy regulation globally."). 178. Kuner, supranote 9, at 60. 179. See Shaffer, supra note 67, at 39 ("Were a country that attracted little U.S. trade and investment to restrict data transfers to the United States, a ban would pose little harm to overall U.S. commercial interests because of the small size of the country's market."). 180. See Kuner, supra note 9, at 60. 181. Soma et al., supra note 168, at 205. 182. See Ambrose, supra note 94, at 11; Jeffrey Rosen, The Deciders: The Future of Privacy and Free Speech in the Age of Facebook and Google, 80 FORDHAM L. REV. 1525, 1533 (2012); Svantesson, supra note 48, at 165; Peter Fleischer, Foggy Thinking About the 96 ARKANSAS LAW REVIEW [Vol. 69:71] to delete their personal data from public access if search engines deem the data "irrelevant" or no longer "necessary," subverting neutral search results, creating content gaps, and according to some scholars, "rewriting history."' 83 Deleted information need not be untruthful, defamatory, or inaccurate.' 84 No legal oversight or official authority determines whether data should be deleted.' 8 5 The Wikimedia Foundation's executive director, Lila Tretikov, warned of "an internet riddled with memory holes," 86 while other academics contend that a less searchable Internet "derogates the role of counterspeech," and "disrupt[s] the natural process of communication"-both necessary for a robust marketplace of ideas.' 8 7 Search engines, bloggers, websites, and news media face significant fines for non-compliance. The current data Directive allows fines up to two percent of worldwide turnover, which will increase to the greater of C100 million or five percent of annual worldwide turnover under the new Regulation.' 8 Such imposing fines generate a chilling effect;1 89 search engines like Google would sooner delete wholesale links than pay debilitating fines for each refused request.' 90 Perhaps in light of such fines, Google promptly instituted the mechanisms necessary to comply with the CJEU ruling, opening the way for large-scale data erasures.
Right to Oblivion, PETER FLEISCHER: PRIVACY (Mar. 9, 2011), http://peterfleischer.blog spot.com/2011/03/foggy-thinking-about-right-to-oblivion.html [https://perma.cc/2AGH-U HT3]. 183. See Rustad & Kulevska, supra note 33, at 372-73 ("An overly expansive right to be forgotten will lead to censorship of the Internet because data subjects can force search engines or websites to erase personal data, which may rewrite history."). 184. See Peltz-Steele, supra note 126, at 382. 185. See Fleischer, supra note 182 (emphasis omitted) ("It used to be that people would invoke libel or defamation to justify censorship about things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made on speech that is true."). 186. Loek Essers, Wikimedia: Right to be Forgotten Results in "Internet Riddled with Memory Holes ", PC WORLD (Aug. 6, 2014, 9:55 AM), http://www.pcworld.com/artic le/2462220/wikimedia-right-to-be-forgotten-results-in-internet-riddled-with-memory- holes.html [https://perma.cc/VT38-VHUP]. 187. Larson III, supra note 48. 188. Data Regulation Proposal, supra note 71, at 93. 189. See Shoor, supra note 127, at 505 (stating that data "controllers will be incentivized to take content down even when it may in fact be permissible"). 190. Jeffrey Rosen, The Right To Be Forgotten, 64 STAN. L. REV. ONLINE 88, 90-91 (2012). 2016] SOVEREIGNTY IN THE INFORMATION AGE 97 A. Applying the Right to be Forgotten Google first created software enabling link removal, which was not novel since Google already employs similar systems for copyrighted and trademarked works. 191 The trickier task called for an administrative system to facilitate and determine the validity of removal requests.1 92 Google created and posted a request form, which was itself controversial.1 9 3 The form appears in at least twenty-five languages within the various European search domains. 94 It is not currently available on Google's website, a fact likely to spawn legal disputes.1 95 The form requires claimants to give their name and submit a photograph of their driver's license or national ID, which seems antithetical to the request for erasure, but is nevertheless required due to "fraudulent removal requests from people impersonating others, trying to harm competitors, or improperly seeking to suppress legal information."l 9 The form also requires claimants to identify the "country whose law applies" to the request, " reflecting Google's determination to limit the right to be forgotten to country-specific search domains. Finally, claimants must explain why the "inclusion of that result in search results is irrelevant, outdated, or otherwise objectionable."' 9 8 Google received 12,000 requests to delete information within one day of publishing the form; those requests grew to 41,000 over the next three days.1 99 Fraud accusations and other serious crimes constituted over half of those requests, and
191. See Toobin, supra note 50. 192. See Shoor, supra note 127, at 505-07. 193. See The Right to be Forgotten: Drawing the Line, ECONOMIST (Oct. 4, 2014), http://www.economist.com/news/intemational/21621804-google-grapples-consequences- controversial-ruling-boundary-between [https://perna.cc/L3JE-EUHR]. 194. See Toobin, supra note 50. 195. Id Instead of posting a form allowing petitions for content deletion, Google's legal page states that "Google.com is a US site regulated by US law," and "Google provides access to publicly available webpages, but does not control the content of any of the billions of pages currently in the index." See Removing Contentfrom Google, GOOGLE SUPPORT, https://support.google.com/legal/troubleshooter/I 114905?rd= l#ts= 1156 55,6034194,1115974 [https://perma.cc/FWK4-K75V] (last visited Feb. 18, 2016). 196. See Dewey, supra note 16. 197. Id. 198. See Toobin, supra note 50. 199. See Preece et al., supra note 17. 98 ARKANSAS LAW REVIEW [Vol. 69:71] another twelve percent related to child pornography.200 As of May 2016, Google has evaluated 432,097 requests to remove URLs and has removed 549,624 URLs,201 refusing for now to comply with the Working Party's exhortations to delete the information fully, including deletions from Google's website.202 As a result of these deletions, an identical query under differing domain extensions renders disparate results. The Internet of Spain is not the Internet of Germany and certainly not the Internet of the U.S., marking "the beginning of an Internet where there are national networks, where decisions b governments dictate which information people get access to."2 A Google search using someone's name in European countries now prompts a warning at the bottom of the page: "Some results may have been removed under data protection law in Europe. ,,204 Google is not the only search engine to comply with the CJEU's ruling. As early as November 2014, search engine rivals Bing and Yahoo announced plans to comply with the ruling. 205 Both companies have created a process for Europeans to claim deletions and both have deleted links in compliance with European law.2 06 Perhaps predictably, deleting information in the digital age has proven difficult. The website "Hidden from Google" archives deleted links, along with the relevant search term and the source that revealed the missing information.20 Media stories involving a financial scandal, a shoplifter, and a sexual predator have disappeared from Google search results only to reappear on the "Hidden from Google" webpage. 208 Media
200. Id 201. See Transparency Report: European Privacy Requests for Search Removals, supra note 19. 202. See Van Alsenoy & Koekkoek, supra note 34, at 15. 203. See Toobin, supra note 50. 204. See Charles Arthur, What is Google Deleting Under the "Right to be Forgotten" - and Why?, GUARDIAN (July 4, 2014, 12:45 PM), http://www.theguardian.c om/technology/2014/jul/04/what-is-google-deleting-under-the-right-to-be-forgotten-and- why [https://perma.cc/4DLD-7BZW]. 205. See Dredge, supra note 20. 206. See id 207. See A List of Links Affected by the "Right to be Forgotten", HIDDEN FROM GOOGLE, http://hiddenfromgoogle.afaqtariq.com/ [https://perma.cc/HUR9-8JDF] (last visited Feb. 4, 2016). 208. See Jeff Roberts, "Hiddenfrom Google" Shows Sites Censored Under EU's Right-to-be-ForgottenLaw, GIGAOM (July 16, 2014, 6:41 AM), https://gigaom.com/2014/0 2016] SOVEREIGNTY IN THE INFORMATION AGE 99 outlets have followed suit. The British Broadcasting Corporation (BBC) now publishes the links to its stories that have been deleted from Google searches.209 In the short time since the 2014 ruling that recognized the right to be forgotten, well over 100 BBC stories have disappeared from Google searches2 1-an alarming number given the erasure of presumably newsworthy content. Indeed, the BBC articles removed include stories about the sentencing of a rapist, the murder of an heiress and a court case defining what constitutes a game of football." The publication of Google's delisted stories perhaps presage a "black market Google," a searching application that grows in proportion with the increase of deleted links under the right to be forgotten.
B. Search Engines, Webmasters, and Application of an Ambiguous Standard Characterizing the right to be forgotten as censorship grows in part from the amorphous standard that Google and other data controllers must apply. They are called to ferret the relevant from the irrelevant, the outdated from the germane.212 In one instance, BBC's Robert Peston claimed he was "cast into oblivion" when his blog post seemingly disappeared from Google searches. 213 Peston's blog post discussed chief executive Stanley O'Neal's departure from investment bank Merrill Lynch, which raised censorship allegations due to the newsworthy content and whitewashing implications.214 Indeed, Google has removed links to numerous news articles, 2 15 one
7/16/hidden-from-google-shows-sites-censored-under-eus-right-to-be-forgotten-law/ [https://perma.cc/FH9F-667U]. 209. Neil McIntosh, List of BBC Web Pages Which Have Been Removed from Google's Search Results, BBC: INTERNET BLOG (June 25, 2015, 2:40 PM), http://www.bbc.co.uk/blogs/intemet/entries/1d765aa8-600b-4f32-bl 10-d02fbf7fd379 [https://perma.cc/AX9H-FZK3]. 210. Id. 211. Jamie Condliffe, BBC Is Listing Pages Removed by Google Under EU Right- To-Be-Forgotten, GIZMODO (June 29, 2015, 6:00 AM), http://gizmodo.com/bbc-is-listing- pages-removed-by-google-under-eu-right-t- 1714610528 [https://perma.cc/E95Q-DXAH]. 212. See Abril & Lipton, supranote 70, at 380-81. 213. Robert Peston, Why has Google Cast me into Oblivion?, BBC (July 2, 2014), http://www.bbc.com/news/business-28130581 [https://perma.cc/ZC2L-TUP8]. 214. Id. 215. See Uki Goni, Can a Soccer Star Block Google Searches?, TIME (Nov. 14, 2008), http://content.time.com/time/world/article/0,8599,1859329,00.html 100 ARKANSAS LAW REVIEW [Vol. 69:71] about a sales director antagonizing a couple before a sports game, another about a teenager responsible for almost forty percent of the crime in his town.2 A page about former criminal Gerry Hutch was removed, as well as data about the Italian gangster Renato Vallanzasca. 2 17 Two convicted murderers in Germany sued Wikipedia's parent organization for refusing their requested anonymity in the English-language article that memorialized the victim's murder.2 1 8 The deletion of data generated by news media bolsters censorship allegations and reflects the precarious position data controllers occupy in attempting to honor the right to be forgotten-and thus avoid E.U. fines-while not offending an array of other national laws that protect free expression and freedom of the press. 2 19 Members of the United Kingdom's House of Lords argue that it is 'wrong in principle' to leave it to search engines to decide whether or not to delete information, based on 'vague, ambiguous and unhelpful' criteria." 220 Adding to allegations of censorship, data controllers have no obligation under either the CJEU ruling or the Directive to alert webmasters that links to their pages have been delisted.221 In fact, E.U. officials discouraged Google from giving such notice. 2 Although Google has nevertheless committed to notification, data controllers are under no obligation to do so, suggesting that links removing access to data may disappear
[https://perma.cc/MN5H-5KBA] (reporting that various public figures sought data deletion under Argentina's version of the right to be forgotten). 216. See Preece et al., supra note 17. 217. Alex Hern, Wikipedia Swears to Fight 'Censorship'of'Right to be Forgotten' Ruling, GUARDIAN (Aug. 6, 2014, 8:40 AM), http://www.theguardian.com/technolo gy/2014/aug/06/wikipedia-censorship-right-to-be-forgotten-ruling [https://perma.cc/9LNT- R8DS]. 218. See John Schwartz, Two German Killers Demanding Anonymity Sue Wikipedia's Parent,N.Y. TIMES (Nov. 12, 2009), http://www.nytimes.com/2009/11/13/us/ 13wiki.html [https://perma.cc/H8XS-5HPB]. 219. See Shoor, supra note 127, at 505-07. 220. Catherine Baksi, Right To Be Forgotten "Must Go", Lords Committee Says, L. GAZETTE (July 30, 2014), http://www.lawgazette.co.uk/law/right-to-be-forgotten-must-go- lords-committee-says/5042439.fullarticle [https://perma.cc/P4QP-E6U9]. 221. See, e.g., Jef Ausloos & Aleksandra Kuczerawy, From Notice-and-Takedown to Notice-and-Delist: Implementing the Google Spain Ruling, 14 COLO. TECH. LJ. (forthcoming Spring 2016). But see Data Regulation Proposal, supra note 71, at 51 (requiring data controllers to notify third parties of requested deletion). 222. See Toobin, supra note 50 (citing objections from the Article 29 Working Party to "Google's practice of informing publishers when links that individuals objected to were deleted"). 2016] SOVEREIGNTY IN THE INFORMATION AGE 101 without knowledge of their removal. Wikipedia postulates that links have been removed without its knowledge, drawing unequivocal disapproval from its executive director: "We find this type of veiled censorship unacceptable. But we find the lack of disclosure unforgivable. This is not a tenable future. We cannot build the sum of all human knowledge without the world's true source, based on pre-edited stories. Finally, requests for data removal belie the varied and complex ways in which data originates to the Internet. The offensiveness of the censorship often depends on the data subject's relationship to the information. 224 Requesting removal of a data subject's own photograph of himself that he posted prompts a different assessment than requesting removal of information posted about the data subject by someone else.225 Personal information collected by cookies or logs used to facilitate transactions on a particular website pose different concerns than personal information volunteered by the data subject years ago, but later copied or transformed into a different format by others.226 Must Google remove links to a family photograph when only one member wants the photograph taken down? When a data subject requests removal of her "tweet," must Google also remove links to a blog posting that incorporated that "tweet"? The Directive and forthcoming Regulation do not address these complexities directly. The Regulation contains specific exceptions that limit the right to be forgotten, including freedom of expression, public interest, and historical, statistical, and scientific research.227 These exceptions arguably prohibit politicians and other public figures from whitewashing past indiscretions but, as mentioned above, data generated through journalism and news media have already been deleted under the right to be forgotten. Public figures have successfully deleted deprecating links.228 Perhaps such deletions only reflect the
223. Hern, supra note 217. 224. See Fleischer,supra note 182. 225. See id 226. See Abril & Lipton, supra note 70, at 382-84. 227. See Data Regulation Proposal, supra note 71, at 52. 228. See, e.g., Preece et al., supra note 17; Right to be Forgotten: Google Raise Concern with BBC Link Removal, TELEGRAPH (July 4, 2014, 10:44 AM), http://www.telegraph.co.uk/technology/google/10945597/Right-to-be-forgotten-Google- raise-concern-with-BBC-link-removal.html [https://perma.cc/S7LW-BS93]. 102 ARKANSAS LAW REVIEW [Vol. 69:71] growing pains associated with the roll out of a newly conferred right. Google, in fact, has publicly confessed missteps in its attempted compliance. 22 9 But even if news media eventually obtain better exemptions, and even if data controllers gain a fuller awareness of the inapplicability of the erasure requests of data pertaining to public figures, data controllers still decide.23 0 The Regulation provides little guidance for data controllers when determining whether a given request implicates the free-expression exception sufficient to allow rejection of the request. 231 For example, the Regulation requires that Member States provide an exemption for "journalistic purposes," 232 but it does not define "journalist," leaving vulnerable data published by bloggers, tweeters, and other non-traditional media.233 Moreover, the Regulation directly binds all E.U. Member States, 234 but each has differing free-expression laws,235 necessarily requiring that data controllers become international legal experts. No European official or authority first assesses these often legally complex issues. Since data controllers confront "ruinous monetary sanctions" if they "do[] not comply with the right to be forgotten," 236 close calls and requests that provoke nuanced legal analysis will likely result in data deletion.
C. Restricting the Innocuous; Exempting the Harmful The right to be forgotten is also flawed in application because the law is both over- and under-inclusive. The Directive's and the Regulation's expansive definitions of
229. See Preece et al., supra note 17 ("Only two months in, our process is still very much a work in progress. It's why we incorrectly removed links to an article last week."). 230. See Data Regulation Proposal, supra note 71, at 51-52. 231. Abril & Lipton, supra note 70, at 371 (stating that the Regulation "sketches only faint boundaries for the right to be forgotten"). 232. Data Regulation Proposal, supra note 71, at 94. 233. Abril & Lipton, supra note 70, at 382 (asking whether information "published in a formal news media outlet" would be "treated differently from that published in a personal blog, social media website, or chat group"); Rustad & Kulevska, supra note 33, at 375. 234. Data Regulation Proposal, supra note 71, at 94-95. 235. Id. ("Member States shall provide for exemptions or derogations from [Article 17] . . . for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression."). 236. Rosen, supra note 190, at 90. 2016] SOVEREIGNTY IN THE INFORMATION AGE 103 "personal information" and those who "process" personal information 237 dilute their effect. Teens posting pictures of friends on Facebook, companies cataloguing business contacts, and students using websites to register volunteers qualify as data controllers.238 IP addresses-the nine digits assigned to devices logged onto the Internet-are "personal information," as are web cookies. 239 Data constitutes "personal information" when it enables the holder to link information to a specific person, even if the holder herself has not made the link. 24 The broad definition of "personal information" stretches even further with re-identification software. Information that tangentially relates to a person, but does not include the person's name, likeness, address, social security number, or other direct identifier can be readily de-coded.24 1 Commenters have noted, "The emergence of powerful re-identification algorithms demonstrates ... the fundamental inadequacy of the entire privacy protection paradigm based on 'de-identifying' the data."242 The more data we have, the less any of it can be considered "private." 243 Location data, commercial transactions, web browsing histories and much more populate de- anonymizing algorithms, prompting the observation that "any attribute can be identifying in combination with others."24 4 By defining "processing" and "personal information" so broadly and thereby capturing a sea of harmless behavior, the law is disconnected from the violations it seeks to redress, diluting its effectiveness and inviting uneven enforcement. 24 5
237. See Data Regulation Proposal, supra note 71, at 41-42; Data Protection Directive, supra note 10, at 38. 238. See Cate, supra note 64, at 183. 239. Opinion 1/2008 on Data Protection Issues Related to Search Engines, supra note 149, at 6-9. 240. Schwartz & Solove, supra note 148, at 1817. 241. Paul Ohm, Broken Promises of Privacy: Responding to the SurprisingFailure of Anonymization, 57 UCLA L. REV. 1701, 1706-18 (2010) (discussing the prevalence of identifying individuals through anonymized data). 242. Arvind Narayanan & Vitaly Shmatikov, Privacy and Security: Myths and Fallaciesof "PersonallyIdentifiable Information", COMM. ACM, June 2010, at 24-26. 243. Patrick Tucker, Has Big Data Made Anonymity Impossible?, MIT TECH. REV. (May 7, 2013), http://technologyreview.com/news/514351/has-big-data-made-anonymity- impossible/ [https://perma.cc/XJF3-TBVF]. 244. Narayanan & Shmatikov, supra note 242, at 26 (emphasis omitted). 245. Enforcement of laws that incriminate a disproportionately large ratio of those individuals governed by it, or that are so broad as to capture the entire body politic, have historically been declared invalid. See, e.g., People v. Golb, 15 N.E.3d 805, 464-68 (N.Y. 104 ARKANSAS LAW REVIEW [Vol. 69:71] The right to be forgotten's scope is expanded with the application of this definition of "personal information." It amplifies the range of data that is subject to deletion since the right to be forgotten is tethered to an E.U. resident's personal information. 246 As noted above, the definition and subsequent interpretation of that term reaches far beyond its denotation.247 It reaches beyond a request to delete photographs or links to Facebook profiles. It includes IP addresses, search histories, anonymized locational data, metadata, and a host of other data because that data could enable the holder to eventually link it to the data subject.248 The over-inclusiveness of the Directive is also illustrated by its application to providers of data security.249 The most effective data security protocols require large data sets to detect miniscule aberrations or abnormal data processing, which often attend malware. 2 50 Given the need to analyze massive data sets in order to detect malware, the likelihood of processing personal information in so doing is high.2 5 But the over-inclusive Directive allows no exception for processing personal data- which could be as innocuous as IP addresses-for purposes of data security. Requiring that data security providers notify each data subject and obtain unqualified consent slows, if not completely forestalls, those security protocols that require analysis of large data sets. Failing to allow an exception for data security runs counter to the Directive's privacy goal since data that cannot be protected cannot be private. Security breaches
2014); People v. Dietze, 549 N.E.2d 1166, 1168 (N.Y. 1989) (striking down a similar harassment statute which prohibited the use of abusive or obscene language with the intent to harass, annoy, or alarm another person). 246. See Data Regulation Proposal, supra note 71, at 51-52. 247. See supra Section IV.A. 248. Id.; see also Schwartz & Solove, supra note 148, at 1819. 249. See Cunningham, supra note 151, at 646. 250. SYMANTEC CORP., INTERNET SECURITY THREAT REPORT: 2011 TRENDs 44 (2012), http://www.symantec.com/content/en/us /enterprise/other resources/b- istr main report 2011_21239364.en-us.pdf [https://perma.cc/CTP6-9FC8] (describing strategies where "multiple, overlapping, and mutually supportive defensive systems ... guard against single-point failures in any specific technology or protection method"). 251. See Technology: Defense in Depth, SYMANTEC, http://securityres ponse.symantec.com/about/profile/star technology.jsp [https://perma.cc/7BN9-45AA] ("Unlike file-based protection, which must wait until a file is physically created on a user's computer before scanning it, network-based protection analyzes all incoming data streams before they can [sic] processed by the computer's operating system and cause harm.") (last visited Feb. 18, 2016). 2016] SOVEREIGNTY IN THE INFORMATION AGE 105 from Sony to top U.S. agencies occur with increasing regularity. 2 Commentators, journalists, and government officials "all agree that inadequate security is an emerging threat-perhaps a catastrophic one .. . .,253 The Directive's broad reach captures an unnecessarily high percentage of "data processors" whose use of E.U. "personal information" is disassociated from the harms the Directive seeks to alleviate.254 While the Directive's over-inclusive scope captures many innocent uses of "personal information," it is also under- inclusive, exempting many of privacy's worst offenders. The Directive and the Regulation do not apply, for example, to data processing relating to national security and criminal investigations. 255 Although both pursuits often require secrecy, the Directive grants wholesale exemptions with no parameters.256 Edward Snowden's revelations about U.S. domestic and international interception programs, data mining, surveillance, and third-party data collection unveiled privacy violations to an extent previously unknown. 2 57 Of course, the U.S. is not the only nation exploiting privacy and personal records under the guise of "national security. An individual's right to access should "never be totally excluded, but rather can at most be partially restricted or temporarily suspended in a series of unequivocally defined and exhaustively listed cases." 259 The Directive offers no such definition to the
252. See Devlin Barrett & Danny Yadron, Sony, US. Agencies Fumbled After Cyberattack, WALL STREET J. (Feb. 22, 2015, 4:43 PM), http://www.wsj.com/ articles/sony-u-s-agencies-fumbled-after-cyberattack-1424641424 [https://perma.cc/PT5N- N5H2]. 253. Derek E. Bambauer, Conundrum, 96 MINN. L. REV. 584, 586-87 (2011). 254. See Cate, supra note 64, at 183. 255. Data Regulation Proposal, supra note 71, at 40; Data Protection Directive, supra note 10, at 39. 256. Data Protection Directive, supra note 10, at 42. 257. Stephanie K. Pell & Christopher Soghoian, A Lot More than a Pen Register, and Less than a Wiretap: What the StingRay Teaches Us About How Congress Should Approach the Reform of Law Enforcement Surveillance Authorities, 16 YALE J.L. & TECH. 134, 136-43 (2013). 258. See Zachary W. Smith, Privacy and Security Post-Snowden: Surveillance Law andPolicy in the United States and India, 9 INTERCULTURAL HUM. RTS. L. REV. 137, 210 (2014) (discussing India's expansion of surveillance at the cost of privacy). 259. Spiros Simitis, From the Market to the Polis: The EU Directive on the Protection ofPersonalData, 80 IOWA L. REV. 445, 460 (1995). 106 ARKANSAS LAWREVIEW [Vol. 69:71] national security and criminal investigation exceptions, leaving government surveillance largely unchecked. The right to be forgotten does not curb these privacy violations. It has no effect on them. Private information gathered or retained for purposes of national security are immune from a data subject's erasure requests. 26 0 Under the banner of national security, governments have no duty to reveal, turn over, and certainlKno obligation to delete a data subject's personal information. It borders on irony to exempt government exploitation of personal records in the name of national security when the font of European privacy vigilance stems from similar exploitation. The other notable exception revealing the law's under- inclusiveness is the Directive's Safe Harbor provision. After years of negotiations, the European Commission agreed to a less-demanding version of the Directive for application in the U.S.262 Given U.S. reliance on self-regulation and free expression, European officials hoped to bridge the gap with a Safe Harbor program that incorporated the Directive's principles but remained voluntary and required little oversight. 263 The less-exacting version of the Directive has thus far resulted in pro forma compliance from the relatively few U.S. companies that have chosen to participate. 2 64 Safe Harbor invites hollow compliance because it is voluntary and largely unenforced.265 Government officials do
260. See Data Regulation Proposal, supra note 71, at 40 (providing that the new data protection regime will not apply to the processing of personal data in the course of any activity concerning national security). 261. Id. 262. See Christopher Kuner, Onward Transfers of PersonalData under the U.S. Safe Harbor Framework, PRIVACY & SEC. L. REP. Aug. 2009, at 2, https://www.wsgr.com /attorneys/BIOS/PDFs/kuner-0809.pdf [https://perma.cc/R68B-98JM]. 263. See Welcome to the U.S.-EU & US.-Swiss Safe HarborFrameworks, EXPORT, http://export.gov/safeharbor/ [https://perma.ccIY8HQ-WN7B] (last updated Feb. 11, 2016); see also Opinion 7/99 On the Level of Data Protection Provided by the "Safe Harbor" Principles, at 2, 11-13 (Dec. 3, 1999), http://ec.europa.eu/justice/data-protection/article- 29/documentation/opinion-recommendation/files/1999/wp27_en.pdf [https://perma.cc/4FKW-4SFR]; Morey Elizabeth Barnes, Falling Short of the Mark: The United States Response to the European Union's Data Privacy Directive, 27 Nw. J. INT'L L. & Bus. 171, 179-80 (2006). 264. See Angela Vitale, Note, The EU Privacy Directive and the Regulating Safe Harbor: The Negative Effects on U.S. Legislation Concerning Privacy on the Internet, 35 VAND. J. TRANSNAT'L L. 321, 339 (2002). 265. See McKay Cunningham, Next Generation Privacy: The Internet of Things, Data Exhaust, and Reforming Regulation by Risk of Harm, 2 GRONINGEN J. INT'L L. 115, 2016] SOVEREIGNTY IN THE INFORMATION AGE 107 not analyze or otherwise certify that an applicant complies with Safe Harbor principles before awarding certification. A company need only declare compliance publicly and mail a notification of self-certification to the U.S. Department of Commerce.266 U.S. businesses that self-certify in this manner are then afforded automatic approval to process the personal information of E.U. residents. This approach does not foster compliance with the Directive's privacy principles.268 One 2008 study scrutinized each of the 1597 companies that self-certified as compliant with Safe Harbor principles. 269 The study focused on one of the seven Safe Harbor principles, finding that only 348 of 1597 companies complied with that single principle. 27 The voluntary nature of the Safe Harbor program also dissuades potential applicants who view self-certification as inviting unnecessary liability and oversight. 27 1 Professor Joel R. Reidenberg concludes that "self-regulation is not an appropriate mechanism to achieve the protection of basic political rights. Self- regulation in the United States reduces privacy protection to an uncertain regime of notice and choice."2 What little protection the Safe Harbor program has engendered has been minimally enforced. As one commentator notes, "The heaviest criticism is levied against the Safe Harbor's inadequate internal and external enforcement mechanisms." 27 3 While Safe Harbor became effective in 2000, the Federal Trade
130 (2014); Daniel R. Leathers, Note, Giving Bite to the EU-US. Data Privacy Safe Harbor: Model Solutions for Effective Enforcement, 41 CASE W. RES. J. INT'L L. 193, 195-96 (2009). 266. See Safe HarborOverview, EXPORT, http:// www.export.gov/safeharbor/ sh overview.html [https://perma.cc/5VFD-A6ZB] (last visited Feb. 5, 2016). 267. See id. 268. See Soma et al., supra note 168, at 185. 269. See CHRIS CONNOLLY, GALEXIA, THE US SAFE HARBOR - FACT OR FICTION? (2008), at 4 (2008), http://www.galexia.com/public/research/ assets/safe harbor fact or _fiction 2008/safe harbor fact or fiction.pdf [https://perma.cc/V79B-834S]. 270. Id. 271. See David Raj Nijhawan, Note, The Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States, 56 VAND. L. REv. 939, 957 (2003) (noting that "in order to comply, companies must incur substantial costs to ensure that their data management processes meet threshold requirements"). 272. Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 HOUS. L. REv. 717, 727 (2001). 273. See Leathers, supra note 265, at 195. 108 ARKANSAS LAW REVIEW [Vol. 69:71] Commission-charged with its enforcement-did not bring an enforcement action until 2009.274 Given the large number of U.S. organizations engaged in e-commerce, data analytics, or otherwise processing large amounts of data, the Safe Harbor "exception" effectively insulates a significant faction of privacy offenders. A right to be forgotten that applies in the U.S. but is not respected by U.S. companies or enforced by U.S. authorities subverts the Directive's primary goal. This Safe Harbor flaw mirrors the critical defect plaguing the overall European approach to privacy. The Directive and the Regulation aspire to a universal right to privacy. 275 In so doing, they pronounce sweeping privacy rights that encompass all processing of all E.U. personal data. But the privacy rights are unmoored from the harms associated with the absence of privacy. The laws restrict harmless data controllers, and in so doing reduce incentive to respect the law and enforce it.2 77 The Directive and the Regulation then carve out considerable exemptions for entities that propagate harms deriving from the exploitation of private data. By including almost all data controllers irrespective of whether they cause privacy harms and by excluding many data controllers that in fact harm individuals by misusing their private data, the Directive and Regulation undermine their core objective.
VI. ALTERNATIVES TO THE RIGHT TO BE FORGOTTEN Better legal frameworks exist, though they are more complex and therefore less readily enacted. Instead of a unilateral privacy law declaring all personal data protected and requiring data controllers to delete personal information deemed "irrelevant," privacy law should target specific harms that attend specific privacy violations. Regulation that bars entities from surreptitiously collecting a user's browser history and sharing it
274. See LISA J. SOTTO, PRIVACY AND DATA SECURITY LAW DESKBOOK § 18.02[B] (Supp. 2015); see also Press Release, Fed. Trade Comm'n, Court Halts U.S. Internet Seller Deceptively Posing as U.K. Home Electronics Site (Aug. 6, 2009), https://www.ftc.gov/news-events/press-releases/2009/08/court-halts-us-internet-seller- deceptively-posing-uk-home [https://perma.cc/9SX5-QQ2Q]. 275. See Data Regulation Proposal, supra note 71, at 40; Data Protection Directive, supra note 10, at 38. 276. See infra Part IV.A. 277. See Cate, supra note 64, at 184. 2016] SOVEREIGNTY IN THE INFORMATION AGE 109 with advertisers or creating a user profile for marketing purposes, for example, entails a closer nexus between user privacy and potential harm from its violation. A private data usage regulation "as it relates to particular risks or harms better comports with consumer law generally and permits the needed adaptability to reflect context and evolving technology."2 7 8 Instead of a ubiquitous E.U. law that captures all data processing, privacy regulation should reflect user expectations. Users expect that purchases made with vendors, online banking deals, geolocation logs captured by telephone carriers, search activity logs, and email addresses divulged for singular commercial transactions will remain with the relevant parties for the original and intended uses. 279 The undisclosed collection, transfer to third parties, and monetization of this personal data for marketing and profiling should be prevented. Calibrating the risk of harm based on the use of personal data reveals the value of that data and allows local regulatory regimes to adopt protective policies incrementally. Such policies must abandon the all-encompassing definition of "personal information" and adopt a privacy taxonomy that reflects the complexity and transferability of digital information. As Professor Daniel Solove notes, "Privacy seems to be about everything, and therefore it appears to be nothing.... [N]obody seems to have any very clear idea what it 99280 Slv iie is. Professor Solove divides informational privacy into categories and contexts, including information collection, information processing, information dissemination, and . 281 information invasion. Others posit taxonomies directly applicable to the right to be forgotten. For example, meaningful distinctions attend regulation of data that is passively created (e.g. clickstream data) versus actively created data (e.g. "tweets").282 Likewise, policymakers craft more precise laws when distinguishing "internal" data, which "derive[s] from the data subject about
278. Cunningham, supra note 265, at 142. 279. See Joshua J. McIntyre, Comment, Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information, 60 DEPAUL L. REv. 895, 895-96 (2011). 280. Daniel J. Solove, A Taxonomy of Privacy, 154 U. PA. L. REv. 477, 479-80 (2006). 281. Id. at 489. 282. Ambrose, supra note 94, at 11. 110 ARKANSAS LAW REVIEW [Vol. 69:71] herself," from "external" data, "which is generated by someone else about the data subject." 283 Accounting for the data's origination and initial publication as compared to its "downstream" integration would similarly facilitate more nuanced privacy regulation.284 Identifying and defining the diverse avenues in which personal data is created, published, transferred, and used enables policymakers to more effectively protect it. Viable privacy regulation that honors these complexities is not beyond reach. To a degree, U.S. law already envisions such a multi-tiered legal framework.286 Inlaid within the many exceptions to free expression, privacy advocates see common ground with European sentiments promoting the right to be 287 forgotten. The law distinguishes public figures from private persons, for example, and addresses harms that derive from defamatory publications.288 In criminal law, assorted procedural rules insulate an individual's reputation, including secrecy in grand jury proceeding, 2 8 9 pre-sentencing reports, and search warrant applications. Numerous states permit some form of criminal record expungement, 292 similar in spirit to the right to be forgotten. Access to civil court records are limited in various instances, including access for "improper purposes," like
283. Id. 284. Id. 285. See generally Peltz-Steele, supra note 126 (describing privacy norms within the United States that resemble those in Europe). 286. Id. at 409. 287. See id. at 410; see also Bennett, supra note 96. 288. See, e.g., Gertz v. Robert Welch, Inc., 418 U.S. 323, 342-43 (1974); N.Y. Times Co. v. Sullivan, 376 U.S. 254, 279-80 (1964). 289. See, e.g., FED. R. CRIM. P. 6(e)(2). 290. See FED. R. CRIM. P. 32(e). Upon conviction, the federal code and most state criminal procedure codes provide for a pre-sentence investigation and report, usually researched and written by a probation officer to guide the judge's sentencing ruling. Id.; see also Ricardo J. Bascuas, The American Inquisition: Sentencing After the Federal Guidelines, 45 WAKE FOREST L. REV. 1, 60 (2010). The pre-sentencing reports often contain hearsay, opinion, and speculation. See id. at 64-66. As a result, most criminal procedure codes call for confidentiality of pre-sentence reports. See id. at 66. 291. See Peter A. Winn, Online Court Records: Balancing Judicial Accountability and Privacy in an Age ofElectronic Information, 79 WASH. L. REv. 307, 309 (2004). 292. See Anna Kessler, Comment, Excavating Expungement Law: A Comprehensive Approach, 87 TEMPLE L. REV. 403, 417 (2015); see also Fruqan Mouzon, Forgive Us Our Trespasses: The Need for FederalExpungement Legislation, 39 U. MEM. L. REv. 1, 31-34 (2008). 2016] SOVEREIGNTY IN THE INFORMATION AGE 111 "gratify[ing] private spite." 293 In 2004, the Supreme Court suggested that a legal privacy right was "at its apex" when records involve private citizens. 294 Even copyright law has been invoked to erase data.2 95 When Jennifer Lawrence, Kate Upton, and other celebrities scrambled to contain leaked photographs, copyright law was their most potent legal tool in convincing Google and other websites to take down posted pictures.2 96 These laws already alleviate some of the harms that the right to be forgotten addresses. But there is a meaningful distinction between outlawing defamatory statements or publication of copyrighted material and a right to erase all "irrelevant" personal information. A right to be forgotten promotes withdrawal from society and, in its extreme form, is antisocial.297 It is differentiated from a right to privacy from prying eyes, which itself is not antithetical to societal engagement. Even those fully immersed in public life require occasional respite from it. The right to be forgotten, by contrast, does not mediate the relationship between individual and society, it truncates it.29 8 While it is true that the Internet to some extent better "remembers" past indiscretions, and that the second chances enjoyed by our ancestors by merely relocating cross-country are not ours to enjoy, it is not justification enough to scrub published truthful data from public access. Instead, the public
293. See, e.g., Nixon v. Warner Commc'ns, Inc., 435 U.S. 589, 598 (1978); see also U.S. Dep't of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 769 (1989). 294. Nat'1 Archives & Records Admin. v. Favish, 541 U.S. 157, 166 (2004); see also Whalen v. Roe, 429 U.S. 589, 599 (1977) (noting "individual interest in avoiding disclosure of personal matters"); Dep't of the Air Force v. Rose, 425 U.S. 352, 381 (1976) (stating republishing of information that may have been "wholly forgotten" can cause separate harm, which "cannot be rejected as trivial"). 295. Copyright Act, 17 U.S.C. § 107 (2006); Universal City Studios, Inc. v. Corley, 273 F.3d 429, 458-61 (2d Cir. 2001). 296. See Eriq Gardner, Google Responds to Jennifer Lawrence Attorney's $100 Million Lawsuit Threat, HOLLYWOOD REP. (Oct. 2, 2014, 12:23 PM), http://www.holly woodreporter.com/thr-esq/google-responds-jennifer-lawrence-attomeys-737656 [https://perma.cc/K5FY-TEWL] (claiming Google "isn't abiding by its responsibilities under the Digital Millennium Copyright Act to expeditiously remove owned images on platforms that include YouTube and Blogspot"). 297. See Tessa Mayes, We Have No Right to be Forgotten Online, GUARDIAN (Mar. 18, 2011, 10:16 AM), http://www.theguardian.com/commentisfree/ libertycentral/201 1/ mar/i 8/forgotten-online-european-union-law-intemet [https://perma.cc/843A-4S2U]. 298. See id 112 ARKANSAS LAW REVIEW [Vol. 69:71] must and will evolve to the information age.299 Already we recognize that a teenager's drunken Facebook photograph has little to do with her employability eight years later. "Like other resources, information is perishable, depreciating in value over time. Depreciation will occur at different rates for different pieces of information, which correlates to the content's relevance and accuracy." 30 1 Moreover, claims that the "the web collects nearly everything and everyone " and that "Internet postings" are "now impossible to forget" 30 are wrong. 3 0 3 The Internet sheds tremendous amounts of digital data, often in short order. Those tasked with archiving Internet data say "the Internet is quite fleeting," and note that the life span of the average link is forty- four to 100 days.304 In one study, 77% of content remained accessible after one day. 30 5 In another study, only 50% of content remained accessible after 100 days. 306 Between 2009 and 2012, researchers selected tweets on publicly significant events, including the Syrian revolution and the H1N1 virus.30 7 As time passed, content disappeared: 11% disappeared within a year, increasing to 27% after two years.308 The dissolving nature of digital data casts the right to be forgotten in a different light. Why exacerbate data loss with additional deletions? Does the natural decay of digital data better protect individuals and society from the harms of lingering data than allowing purposeful content manipulation by those with the most bias towards it? The harms associated with deleting digital content seem especially severe when considering the universal impact. Although undecided by Google Spain SL, the E.U. Regulation
299. Jessica Winter, The Advantages of Amnesia, Bos. GLOBE (Sept. 23, 2007), http://www.boston.com/news/globe/ideas/articles/2007/09/23/theadvantagesof amnesia/ ?page=full [https://perma.cc/LPC7-LLNY] ("People, particularly younger people, are going to come up with coping mechanisms. That's going to be the shift, not any intervention by a governmental or technological body."). 300. See Ambrose, supra note 94, at 13. 301. Id 302. Rustad & Kulevska, supra note 33, at 352-53. 303. See Ambrose, supra note 94, at 11-12. 304. Id. 305. Id. at 12. 306. Id. 307. See id. 308. Ambrose, supra note 94, at 12. 2016] SOVEREIGNTY IN THE INFORMATION AGE 113 signals worldwide applicability.309 If a German resident convinces Google of information irrelevancy, E.U. officials require "effective and complete" erasure.310 The data must not only disappear from searches conducted through Germany's domain name, it must also disappear from every Google domain, including Google.com. 3 11 The Article 29 Working Party stated, "limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects .... ."312 The extra-jurisdictional impact undermines national sovereignty and democratic principles. Uruguayans had no vote on the right to be forgotten, but they will feel its impact. One European scholar observes: [W]e may be tempted to say that when our courts conclude that certain content is to be blocked or removed, we want that blocking or removal to be global. However ... [many people] may not necessarily wish for Internet intermediaries to engage in global blocking/removal based on court orders from other countries in the world - particularly where such court orders stem from restrictive, undemocratic laws with an extraterritorial effect. 3 13 European officials claim their extraterritorial law harmonizes international privacy law, a claim supported by the number of countries that have scrambled to comply with it.3 14 But "harmonization" can substitute as homogeneity. The inherent value in cultural diversity diminishes when one culture unilaterally imposes its values on others. Perhaps the international "flattening" of economies and information systems signals inevitable homogeneity. Linguistic anthropologists have long associated increased interconnectivity with increased language extinction.3 15 But preserving conflicting cultural values through democratic governance remains viable through nuanced privacy regulation that targets harms associated with
309. See European Commission Factsheet, supra note 12. 310. Guidelines, supra note 32, at 9. 311. See id 312. Id 313. Svantesson, supra note 48. 314. See Greenleaf, supra note 174, at 3. 3 15. See generally Marco Jacquemet, Transidiomatic Practices: Language and Power in the Age of Globalization, 25 LANGUAGE & COMM. 257 (2005). 114 ARKANSAS LAW REVIEW [Vol. 69:71] privacy violations. European privacy regulation that effectively protects E.U. citizens can meaningfully co-exist with robust free expression rights. The right to be forgotten as currently envisioned, however, upsets the balance and invites controversy rather than mediates accord. VII. CONCLUSION Censorship in the name of privacy is well underway. As of May 2016, hundreds of thousands of requests to deactivate more than 1.5 million links have resulted in Google's deletion of 549,624 links. 3 16 This number will further increase due to growing European awareness of their newly conferred right to be forgotten and in light of the high rate in which deletion requests are granted by Google, Yahoo, and Microsoft. While content disappears only from European domain searches for now, the Article 29 Working Party has clearly signaled dissatisfaction with that approach and pushed for data erasure across the board, including Google. The forthcoming Regulation will likely require such universal deletions by 2017, effectively crowning the E.U. as the self-anointed keeper of the Internet. European filtering of Internet content worldwide through the right to be forgotten is objectionable on several counts. It undermines the sovereignty of other nations as well as democratic, representative governance generally. It effectuates international censorship in the guise of privacy, diluting the Internet's promise in its adolescence. Through flawed implementation, it requires data merchants like Google to decide whether to delete content based on an amorphous "relevance" standard-a standard imbalanced by large fines that can be levied for failure to erase irrelevant content. Finally, it promotes a European privacy law in need of complete overhaul. The E.U. Directive and forthcoming Regulation fail to protect E.U. privacy by restricting a multitude of innocent Internet users while simultaneously excluding the worst privacy violators. Alternatives exist. Through a modern Internet taxonomy that better reveals how data is communicated over the Internet, privacy harms can be articulated. Lawmakers need only tailor
316. See Transparency Report: European Privacy Requests for Search Removals, supra note 19; see also supra note 202 and accompanying text. 2016] SOVEREIGNTY IN THE INFORMATION AGE 115 legislation to those harms, most of which stem from unauthorized surveillance and undisclosed secondary use. Moreover, privacy laws that track discrete privacy harms are not dissonant with U.S. free expression jurisprudence. Shadows of the right to be forgotten have been legitimized in various forms in U.S. law from copyright to juvenile criminal proceedings. These in-roads reveal that bridging European privacy and American free speech is not as formidable as conventionally supposed. The European drive for privacy protection in the digital age is laudable and needed, but the legal means employed to that end poorly achieve it. The right to be forgotten, emblematic of E.U. privacy law, threatens more harm than help and will led to entrenchment in the ongoing international debate between privacy and free expression. If we are, in fact, "still in the first minutes of the first day of the Internet revolution,"317 laws regulating the Internet should be cognizant to its workings.
317. See Stephen Levingston, Internet Entrepreneurs Are Upbeat Despite Market's Rough Ride, N.Y. TIMES (May 24, 2000), http://www.nytimes.com/ 2000/05/24/busine ss/worldbusiness/24iht-hype.2.t.html [https://perma.cc/RHA6-K3SC]. ARKANSAS LAW REVIEW