The Court of Justice of the E.U.’s right to be forgotten ruling, which subjected search engines to the Data Protection Directive’s restrictions, was controversial from the moment it was delivered. Free speech advocates claimed that the ruling authorized needless censorship, while privacy rights advocates argued that the ruling provided much-needed privacy protection in the internet age. The right to be forgotten ruling is deliberately broad, yet reinforces the Directive’s journalistic exception to protect free speech. However, the CJEU’s failure to define the term “search engine” in its decision unintentionally allows the Directive’s exception to be circumvented. More countries outside the E.U. are beginning to express an interest in recognizing a right to be forgotten within domestic laws, it is important that the right to be forgotten’s scope be clarified sooner rather than later. A few countries are skeptical of recognizing a right to be forgotten due to its breadth, which could be made worse if the term “search engine” is not refined. While the right to be forgotten could be incorporated into existing international law, having search engines apply their right to be forgotten policies internationally is the most realistic way of meeting the growing demand. Therefore, these concerns must be addressed so that search engines can comfortably satisfy the global community’s need to protect citizens’ data privacy.
I. Search Engines and the Right to be Forgotten
In May of 2014, the Court of Justice of the E.U. (CJEU) jeopardized the fundamental right to free speech in order to protect the individual’s privacy rights. In its groundbreaking right to be forgotten ruling, the CJEU clarified the E.U.’s Data Protection Directive (Directive),1 holding that the Directive applied not only to source websites, but also to search engines.2 Many European countries already vehemently protect their citizens’ individual privacy, and this ruling further entrenches this protection. The U.S., on the other hand, prizes the right to free speech above many fundamental human rights, including privacy.3 Because the Directive is now understood to apply to the most basic and easily-utilized medium of accessing information,4 free speech advocates are worried. And while many consider bringing search engines within the Directive’s scope to be over-inclusive, the CJEU’s ruling may be even broader than scholars initially thought. The right to be forgotten ruling provides only one example of a search engine—Google, the defendant in the case—but its description of a search engine is ambiguous and broad, making it ripe for exploitation. If this characterization remains unrestricted, expanding privacy rights could further restrict rights to freedom of speech. However, the E.U. is unlikely to be so dismissive of the right to free speech.
The E.U. enacted the Directive to protect privacy.5 With an emphasis on personal autonomy and an eye toward the rapid technological evolution, the Directive established legal standards for data processing that ensured that individuals could maintain a degree of control over their data and reputation.6
Even though the Directive authorizes online content removal in the name of privacy protection, it still considers the fundamental importance of the right to free speech. The Directive limits its purview to include exemptions––for example, for “solely . . . journalistic purposes”––to complying with right to be forgotten requests.7 However, since these limitations are confined to specific data uses, they are unlikely to restrain the scope of search engines subject to the Directive’s mandate. By identifying specific exceptions, the Directive intends for courts to apply them narrowly.
There is a general assumption that a search engine is a stand-alone website dedicated solely to indexing the World Wide Web and providing organized hyperlinks to web pages in response to search terms.8 Web giants like Google and Yahoo are frequently cited examples illustrating this assumption.9 Contrary to this usage, the E.U. Courts and the CJEU Advocates General have adopted a broader interpretation of what a search engine is. They refer to any search feature—even internal ones operating solely within other websites10––linking users to websites based on the user’s choice of search terms as a “search engine.”11 Such a nebulous interpretation can pose a problem for free speech advocates: subjecting any and all search features to the Directive could entirely suppress even purely journalistic information, despite any exemptions.12
The CJEU’s right to be forgotten ruling failed to define “search engine” for purposes of the Directive; Google was the defendant in the case, therefore the assumptions described above were not challenged. There are three resulting problems from this assumption. First, when this ruling is taken to its logical limit, the Directive could apply to the internal search engines operating within government, police, and court websites, among others, forcing these websites to delink and remove content specifically published for public benefit. Some lawyers have alleged that others within the industry have already abused the right to be forgotten.13 The right may be further exploited if “search engine” is intended to be an all-inclusive term: it will increase the pool of potential clients whom lawyers may seek to needlessly represent in right to be forgotten actions.
Second, administrative costs from sorting through removal requests will be much greater if the CJEU intended for “search engine” to apply to a larger pool of data controllers under the Directive. Google’s Transparency Report reveals that people have eagerly invoked the right to be forgotten ruling: 419,516 recent requests have already been made to remove 1,458,691 URLs from Google as of April 20, 2016.14 Defining the scope of the applicable entities could affect how many more requests can be made and of which entities. On small-scale or governmental websites containing internal search engines, publishers may hesitate to post information whether or not it violates the Directive due to these costs.
Third, broadly defining “search engine” could nullify the effectiveness of virtually all resources connecting the public to information that is otherwise difficult to find. Freedom of speech concerns become apparent in this context: publishing web content freely would mean little if its exposure and accessibility is limited or non-existent. Almost every (American) article written on the right to be forgotten decries the right’s imposition on freedom of speech and the “rewrit[ing of] history” it allows.15 Free speech advocates are particularly concerned about rewriting history in the internet context since the internet is celebrated for its ability to preserve and disseminate information to a wide audience.16 Because of the Directive’s impact on information produced on the internet, and the growing international interest in the right to be forgotten, it is important to clarify what “search engine” means for the Directive’s purposes.
It is very likely that the CJEU understood the Directive as broadly including all forms––internal and external––of search engines to maintain the high level of commitment and protection European states traditionally afford to personality rights.17 Member States’ balancing of personality rights against the freedom of speech supports this position. France and Germany explicitly protect personality and privacy rights18 in their constitutions,19 and the E.U.’s Charter of Fundamental Rights also protects these rights.20
This Comment will look to European values, case law, and legislation to predict whether the Directive applies to search engines in their broadest sense, or if some restrictions can be implied from the CJEU ruling. Part II will describe the right to be forgotten ruling that sparked the debate over whether privacy and speech rights can coexist. Part III of this Comment will explore how the term “search engine” has been applied within the European judicial and legislative contexts. Part IV will examine the Directive and how European Courts have interpreted it. Part V will examine European case law and legislation balancing privacy rights against the freedom of speech for guidance on how broad the Directive is intended to be. Finally, Part VI will expand the right to be forgotten analysis to the international context to predict what the global future of this Right might be.
In this technology age, States face the novel challenge of how to maintain the free flow of communication while balancing the need to protect their citizens’ privacy and data distribution rights.21 The E.U. enacted the Directive to tackle this problem. The Directive’s legal standards apply to any entity or person that handles personal data.22 It requires that personal data be lawfully processed, legitimately and purposefully collected, relevant, accurate and complete, and that it identify the “data subject for no longer than necessary.”23 If a data controller does not comply with these requirements, an individual can request the “erasure or blocking of [unlawfully processed] data.”24 As with most E.U. laws, the Directive is meant only as a floor upon which Member States, while incorporating the Directive into domestic legislation, may flesh out the particularities for their national needs and values.25 Therefore, the Directive was intentionally drafted with flexibility, necessitating clarification by national legislation and the E.U. courts. This section will describe the CJEU’s 2014 right to be forgotten ruling, which was a major step toward refining the Directive’s applicability.
The Directive may apply to websites creating and publishing source information. Therefore, Google argued that since search engines do not actually produce online content, but instead act as a conduit to distribute that material to internet users, they cannot qualify as data controllers under the Directive.26 The CJEU, in what has since been referred to as the right to be forgotten ruling, instead held that search engines must remove links to qualifying personal information upon a valid request.27 The CJEU noted that, by providing links to information relating to an individual in response to searching their name, search engines could negatively infringe on that individual’s privacy rights.28 The CJEU justified its holding by relying on the Directive’s purpose and terminology therein, including definitions for “controller,” “personal data,” and “processing of personal data.”29
The Directive defines a “data controller” as any “natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.”30 The Directive defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”31 This includes identification numbers and “physical, physiological, mental, economic, cultural[, and] social identity” characteristics.32 The Directive defines the “processing of personal data” as particular actions including the “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” of personal data, whether automatic or not.33
Therefore, in order for the Directive to apply to search engines, search engines must be considered data controllers that process personal data.34 The CJEU explicitly characterized a search engine’s activities as “‘collect[ing]’ such data which it subsequently ‘retrieves,’ ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and . . . ‘discloses’ and ‘makes available’ to its users in the form of lists of search results.”35
Since these activities mirror the Directive’s definition of “personal data processor”, the CJEU found that search engines clearly perform that function.36 And by processing personal data, search engines fall squarely within the “data controller” classification.37
The CJEU acknowledged that, while the Directive intended for the definition of “controller” to be broad,38 there are limits to accommodate purely journalistic data.39 However, this exemption may only apply to publishers of such data. Therefore, the CJEU held that search engines cannot benefit from this exemption because, while search engines can link users to journalistic articles, search engines themselves do not publish that data.40 Further, the Directive is concerned with data processers that needlessly impinge upon privacy rights; journalistic data is necessary to inform the public, making it exempt from the Directive’s restrictions. Therefore, the CJEU argues that search engines are precisely the type of data processors the Directive intends to regulate: search engines are widely used, allowing them to encroach on privacy rights far more easily than website publishers can on their own.41 Search engines play an active role when linking information to users; they archive websites containing personal data and disseminate information to an audience that may not otherwise have direct access to this personal information.42 This easy access to personal data, which has the potential to harm an individual’s reputation, is precisely what the Directive and the CJEU target.
III. Application of the Term “Search Engine”
Determining how broad the CJEU intended the scope of “search engine” to be is a difficult task. The term “search engine” has been used in a variety of legal contexts within the E.U. Generally, E.U. courts have defined and used the term broadly and have applied it to internal search engines within websites. For example, in a European Court of Human Rights (ECtHR) case involving the alleged interception of certain communications, the court loosely referred to a search engine as “[a]n automated sorting system.”43 This definition includes systems with a wide range of search features and does not exclude those operating internally within websites. Reviewing E.U. case law, officials’ statements, and legislation for common definitions of “search engine” will provide guidance on how to interpret the usage of “search engine” in the right to be forgotten ruling.
Former Advocate General of the CJEU,44 Niilo Jääskinen,45 delivered an Opinion on the right to be forgotten case. In his Opinion, he further clarified the court’s explanation of how search engines operate.46 According to Advocate General Jääskinen, a search engine processes internet content “from existing websites, [by] cop[ying], analy[zing] and index[ing] that content on its own devices,”47 but is not involved in the actual creation of web content. When the search engine receives search terms from a user, it provides that user with hyperlinks to existing web content based on the search terms.48 This inclusive definition does not restrict the types of search engines subject to the Directive. And since many internal search engines operate similarly––linking users to results from the sites’ own archives––it appears that they also must comply with right to be forgotten requests.
Advocate General Kokott of the CJEU49 continued along this broad vein. In a non-binding Opinion, she referred to the ECtHR’s own internal search feature as a “search engine.”50 This reflects, in the E.U., the common usage of “search engine” as applying to all forms of search engine, without limitation. Since the Directive would apply to even the ECtHR’s internal search engine,51 it is possible that a right to be forgotten request, albeit legitimate, would force the suppression of data published by the ECtHR.
In another case involving Google, the CJEU described Google’s search engine as a tool that guides users to relevant webpages based on their search queries.52 This characterization also applies to internal search engines within websites also provide the same function to users of those websites.
Therefore, the E.U. legislative and judicial contexts would suggest that the CJEU likely intended for the term “search engine” to be broadly read, without restrictions to its applicability.
IV. The Data Protection Directive
The Directive arose out of a growing concern that advancements in the Internet and its global reach necessitated that the right to be forgotten be modernized to keep up with these developments.53 The Directive is binding and most Member States have implemented it through domestic legislation.54 A few Member States––including France, Ireland, Lithuania, Sweden, and Spain––already had data protection and privacy legislation before the Directive’s enactment. But the European Commission felt that it would be beneficial to enact a uniform, current data protection law to reduce the administrative and economic burdens resulting from disparities between member states.55 This Part will closely examine the Directive to determine how broad the right to be forgotten was intended to be, and if there are any conceivable limits to the right.
By implementing the Directive, as well as adhering to the right to be forgotten ruling, Member States’ data protection and privacy legislation must contemplate search engines as data controllers. However, the right to be forgotten ruling is not the only case requiring the CJEU’s guidance on the Directive’s parameters. Since its enactment, the Directive has faced backlash regarding its potential transgression on the freedom of speech.56 Some of this criticism has found its way into the CJEU’s docket. Therefore, it is useful to examine the CJEU’s approach to dealing with the issue of the Directive’s conflict with the freedom of speech as it may illuminate how comprehensive the Directive’s scope is.
A Swedish case involving the publishing of personal information on the Internet without the subject’s permission dealt with the interaction between free speech and privacy rights.57 In 1998, Bodil Lindqvist launched a website containing information about herself and her colleagues.58 Ms. Lindqvist had not obtained her colleagues’ consent before publishing the information.59 Despite the need to protect personal data, the importance of balancing this interest with the freedom of speech was not lost on the court.60 The CJEU acknowledged that Member States had the authority to enact stricter regulations than those contained in the Directive when implementing the Directive into their legislation.61 But the domestic regulations must maintain the Directive’s balance between the individual’s right to have personal data protected and the right to free speech.62 Therefore, the Directive itself, as well as member states’ implementation thereof, cannot be so broad as to flatly obstruct the freedom of speech, even for the sake of data privacy.63 The CJEU asserted that the Directive’s privacy objective is not wholly supreme over the freedom of speech.64 However, the CJEU provided no guidance as to where the balance between the two competing rights lies, leaving the Member States to solve this conundrum on a case-by-case basis.65
In a Finnish case involving a newspaper’s publication of public tax information, the CJEU declared the freedom of speech to be a broadly interpreted fundamental right.66 A local newspaper enlisted the company Markkinaporssi to provide the surnames and personal tax data of individuals exceeding a certain income threshold.67 Markkinaporssi collected the information from sources that the Finnish tax authority made public.68 Some of those individuals requested Markkinaporssi to cease collecting their information under the Directive; it refused, and the individuals sued.69 The court examined the Directive’s position on privacy rights versus the freedom of speech to decide whether processing personal data with the purpose of publishing the tax data was protected by the Directive’s free speech exemptions.70 The court found that the Directive does not impinge upon the individual’s freedom of speech for the sake of privacy rights since the Directive specifically aims to “reconcile” the two.71 In fact, the court acknowledged that the freedom of speech is a broad right.72 The Directive upholds freedom of speech, according to the court, by providing exemptions for purely journalistic purposes.73 This exemption protects the public’s interest in accessing information. However, the freedom of speech is protected only to the extent it is used for purely journalistic purposes.74
Therefore, the Directive makes clear that protecting privacy rights is often the default and exceptions to it are narrow. Because the CJEU likely understood the Directive this way, the right to be forgotten ruling probably intended to continue this broad reading of the Directive.75
Having control over one’s image is a fundamental––even constitutional––principle in many European countries.76 Yet, the freedom of speech is also a constitutional guarantee.77 Often the two rights conflict where information identifying an individual is published through an online medium, potentially damaging the individual’s reputation. In the U.S., the freedom of speech is a deeply entrenched and protected right;78 in Europe, if an individual’s personality rights are truly at stake, those rights will take precedence over the freedom of speech.79 This Part will examine the E.U.’s view of personality rights, as well as particular member states’ attempts to balance the competing principles.
Looking to the broader European context, Article 8 of the European Convention for Human Rights (Convention) provides a legal guarantee of privacy rights, stating that “[e]veryone has the right to respect for his private . . . life.”80 The ECtHR has concluded that privacy rights protection, as guaranteed by Article 8, is meant to allow each person to develop their personality “without outside interference.”81 The Directive specifically seeks to recognize these fundamental personality and privacy rights included in the Convention.82
The E.U.’s Charter of Fundamental Rights (Charter) also reinforces the sanctity of privacy and personality rights. Article 1 of the Charter protects human dignity above all else.83 Article 7 of the Charter protects the individual’s private life (like Articles 1 and 2 of Germany’s Basic Law, and Article 9 of France’s Civil Code, discussed below); Article 8 of the Charter protects data subjects by granting them the right to consent, access, and to rectify personal information.84
Because Member States have valued these privacy rights for decades, the E.U. was likely inspired to formally recognize these rights. Both France and Germany have a strong tradition of protecting personality and privacy rights. Article 9 of the French Civil Code recognizes the right to privacy in everyone.85 But it also recognizes the freedom of speech in Article 10 of the French Civil Code.86 France places an enormous value on privacy rights: privacy rights are guaranteed and viewed “as essential to the defense of human dignity against the onslaught of electronic technology.”87 France’s highest court, the Cour de Cassation,88 has held that “French courts must . . . plac[e] limits on free expression to protect privacy.”89
Germany’s Basic Law recognizes personality rights in Articles 1 and 2.90 Article 1 declares that “[h]uman dignity shall be inviolable.”91 Article 2 states that “[e]very person shall have the right to free development of his personality insofar as he does not violate the rights of others or offend against the constitutional order or the moral law”92 and “[f]reedom of the person shall be inviolable.”93 Privacy rights can be found within personality rights: courts protect privacy rights to ensure the protection of personality rights.94 The Federal Constitutional Court of Germany summarized personality rights as the following:
The general right of personality and its special manifestations, like the right to one’s own picture and the right to one’s name, protect not only non-material but also commercial personality interests. If these components of the right of personality which are of financial value are culpably infringed by an unauthorized use of a picture, name or other characteristic feature of the personality, the holder of the right of personality is entitled to a claim to compensation for harm, [independent] of the severity of the interference.95
This emphasizes the importance Germany places on personality and privacy rights. The Federal Constitutional Court of Germany has held that human dignity is inviolable, even in the face of the freedom of speech and art.96 Personality rights can supersede the freedom of speech in the following circumstances:
[T]rue statements . . . are likely to have a negative effect on the person or his reputation, which is disproportionate to the interest of disseminating the truth. This is in particular the case where statements reach a wide audience and lead to a stigmatisation of the person concerned in such a way that he is likely to suffer from social exclusion or isolation.97
However, there are limits to personality rights. The Court has held that “[p]ersonality interests must as a rule take second place to freedom of opinion if the disputed statement has as its subject facts which are to be regarded as true.”98 The Court’s statements are not definitive, objective guidance; therefore, this leaves the determination of which way the balance swings on a case-by-case basis.99
Privacy rights in Europe are broad, “cover[ing] the physical and psychological integrity of a person[, including] a person’s right to their image[, and thus] personal information which individuals can legitimately expect should not be published without their consent.”100 The desire to protect personality rights is strongly entrenched within European society and is reflected in the Directive, which is meant to protect individual privacy, and by extension personality, rights against data controllers. This emphasis likely influenced the CJEU to interpret the Directive as broadly encompassing all data controllers, including internal search engines.
The right to be forgotten in the European context is broad, and likely includes both general and internal search engines. It affects all E.U. member states now and will likely spill outside Europe’s borders in the future. Many States have expressed an interest in adopting this right to protect their citizens’ online privacy. The right to be forgotten can be a useful tool to protect individuals’ online privacy rights. Currently, no international law that applies outside the E.U. contains an explicit right to be forgotten, and it would be a difficult feat to enact such a provision due to the extreme variances in each country’s fundamental values, legislation, and case law.
However, there may be some options available to the international community to effectuate this as a growing number of States seek to implement personal data protections for their citizens. First, existing international treaties can incorporate the right to be forgotten and, like the Directive, act as baselines upon which countries can expand with their own local legislation. The best vehicle for this will likely be the International Covenant on Civil and Political Rights, which recognizes a person’s right to privacy.101 Second, the international community could leave it up to the search engines to make available their delisting practices globally, thereby avoiding the need to overhaul national laws.
The prospect of developing an international right to be forgotten convention seems daunting due to disparate experiences and values across the globe. However, scholars have noted a trend: while Germany is a pioneer and champion of recognizing privacy rights, a growing number of countries have adopted these rights into their constitutions, legislation, and case law.102 Humanity has been revitalized in light of past and recent atrocities, such as Apartheid and the Holocaust.103 When fundamental rights compete, many States protect human dignity and privacy rights at the expense of unrestrained speech.104
Because the Internet makes it easier to invade individual privacy and tarnish reputations, many countries, including Hong Kong, South Korea, Canada, Russia, and South Africa, are actively pushing to adopt right to be forgotten-type legislation.105 Some have called for search engine giants, such as Google, to make their right to be forgotten policies and practices universal. This will likely be the most practical means of globally implementing the right before attempting to establish a law that considers each State’s unique prioritization of fundamental rights.
This Part will survey several countries and regions outside the E.U., to determine whether and how the right to be forgotten could expand globally. It will also examine possible means of implementing this right internationally, if the right to be forgotten expands.
Although the rhetoric in the media appears to strongly oppose the right to be forgotten ruling, many governments act in favor of it. The international response to the right to be forgotten ruling has ranged across a spectrum. On one side, the E.U.’s Directive is expansive, including virtually every form of search engine within its scope in order to protect privacy rights. At the other end of the spectrum is the U.S., which rejects the right to be forgotten and broad privacy rights in favor of maintaining its expansive freedom of speech rights.106
As this is a developing right, not every country or region has a history of privacy rights or is taking definitive steps in either direction. But the international trend appears to be moving more toward the European approach of prioritizing privacy rights over free speech regarding online activity. The rest of this Part will attempt to organize various countries along the spectrum.
First, on the E.U.-side of the spectrum, are Russia, Japan, and Hong Kong. Russia recently signed into law the right to be forgotten. This law specifically requires “search engines to delete links leading to spurious or dated information about Russian citizens should they request.”107
Both Hong Kong and Japan have also expressed a desire to create a right to be forgotten for their citizens.108 In 2014, the Privacy Commissioner of Hong Kong, Allan Chiang Yam-wang, announced that he intended to lobby for Google to extend its right to be forgotten policy to Hong Kong and surrounding Asian countries.109 He admitted that, while freedom of speech is important, the right to be forgotten is equally important.110 Hong Kong has data privacy laws, but search engines do not fall under the law’s definition of “data user,”111 which is analogous to the Directive’s usage.112 This is why Hong Kong’s Privacy Commissioner has appealed to Google directly for their delisting service rather than attempt to create new legal means.113 Hong Kong’s privacy protection ordinance certainly provides some basis for the right to be forgotten. If Google were to deny the Privacy Commissioner’s request, Hong Kong could easily amend its privacy ordinance to formally adopt the right to be forgotten as against search engines.114
Recently, a Hong Kong court decision brought the territory one step closer to solidifying the right to be forgotten within its jurisdiction.115 In that decision, David Webb operated a website in Hong Kong containing certain Hong Kong business-related information.116 The website provided links to a case that listed the parties’ full names, even though a judicial order redacted their names 10 years after the case closed.117 Users could access the names by searching the “Who’s Who” search of Mr. Webb’s website.118 Under Hong Kong’s data privacy act, the Privacy Commissioner ordered Mr. Webb to remove the links from his website.119 The Administrative Appeals Board upheld the Privacy Commissioner’s enforcement order on July 13, 2015.120 Therefore, in certain circumstances Hong Kong is willing to protect privacy rights over the freedom of speech.
Moving toward the middle of the spectrum are countries that have privacy laws or case law that applied right to be forgotten-type principles against search engines, but have not completely embraced the right. These include Singapore, various South American countries, Australia, and Canada.
Both South Korea and Singapore protect data privacy.121 For example, Singapore adopted the Personal Data Protection Act, which it strictly enforces.122 The Act allows individuals to have their online information corrected and for personal data to be destroyed.123 Therefore, it is conceivable that Singapore may soon apply the Act against search engines and adopt its own right to be forgotten.
South American countries have bowed to pressure from the E.U. to enact data privacy laws that comply with the Directive.124 However, South American countries have not been vigilantly enforcing their data privacy laws, unlike Singapore and the E.U.125 South America may be more inclined to recognize the right to be forgotten within its own countries if the rest of the world follows the E.U.; however the region does not appear to prioritize privacy rights enough to independently take the charge.126
Australia lacks a right to be forgotten law, but it has begun to conceive of search engines’ active role in spreading potentially defamatory information. The Australian Law Reform Commission has proposed a “right to be deleted,” which would be analogous to the E.U.’s right to be forgotten.127 Support for this proposed law is varied.128 Some believe that Australia’s current data privacy and defamation laws are sufficient to address internet privacy concerns.129 But Australia’s current data privacy law merely allows individuals to receive compensation from an entity that breaches their privacy or have their information corrected.130 And while Australia’s judiciary applies the local defamation laws against search engines,131 there is currently no mechanism by which individuals can disassociate themselves from online information.132 The proposed right to be deleted would address this concern.
Despite being a close physical and cultural neighbor of the U.S., Canada aligns more closely with the E.U. regarding privacy rights. While neither the Canadian Constitution nor the Charter of Rights and Freedoms has an explicit privacy right,133 the right has cemented its place in case law. Following quickly on the heels of the right to be forgotten ruling, the Supreme Court of Canada held in R. v. Spencer that individuals have a “reasonable expectation of anonymity.”134 This language reflects the theme behind the right to be forgotten. In that case, the Supreme Court of Canada dealt with questions regarding individual privacy rights where a man kept a file of child pornography on his computer.135 The man’s internet provider handed over his IP address and subscriber information, against his wishes, to the police upon their request when investigating him.136 The court acknowledged that individuals’ privacy rights must extend to their online data, stating that “[t]he identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information.”137
However, Canada also exhibits skepticism about creating a right to be forgotten law––especially against search engines––which differs from the E.U.’s attitude. There is some doubt as to whether the CJEU’s right to be forgotten ruling can be applied just yet in Canada. In 2011, the Supreme Court of Canada distinguished between producing defamatory content and providing a hyperlink to already published data.138 It held that the latter did not itself cause harm.139 Thus, Canadian privacy laws do not automatically require search engines to remove personal data under the current privacy laws; publishers of personal data are, on the other hand, required to do so.140
Notably, Canada’s privacy act, the Personal Information Protection and Electronic Documents Act, provides the basis for adopting a future right to be forgotten. Like the Directive, Canada’s privacy act requires personal data to be “accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.”141 And it applies its provisions broadly to “organizations,”142 which could include search engines in the future. The Office of the Privacy Commissioner of Canada, which is typically the first stop for a data privacy complaint, has hinted that this could be the direction Canada is headed. In one instance, the Privacy Commissioner made a search engine remove the URL link to the complainant’s resume after she had posted it on a job search website.143 This happened after the 2011 case mentioned above, which illustrates how Canada’s view of search engines is changing.
In another case dealing with a search engines, the Privacy Commissioner recommended that a website “remove [the] decisions from search engine caches.”144 The website collected and stored Canadian court and tribunal cases through its search engine, thus allowing users to find the information by searching for individuals’ names.145 The website itself did not add or publish additional personal information aside from providing links to the court cases.146 To date, the website has refused to comply with the Privacy Commissioner’s recommendation, but the Privacy Commissioner maintains its continued interest in this matter and may pursue it through the courts.147 Canada appears to be cognizant of personal data privacy threats, but is taking a conservative approach to applying a right to be forgotten-type rule.
Finally, New Zealand is perhaps the closest to the U.S.-end of the spectrum in that it has not recognized a right to be forgotten. However, it is not ruling the possibility out.148 Instead, the Office of the Privacy Commissioner in New Zealand is adopting a wait-and-see approach.149 New Zealand, like most countries, has its own privacy act and tort, which the Privacy Commissioner believes adequately addresses Internet privacy concerns for the time being.150 Yet New Zealand’s Privacy Act only allows for individuals to demand that their online personal data be corrected if it is “[in]accurate, [outdated], [in]complete, [ir]relevant, or . . . misleading.151 The right to be forgotten is more than just ensuring personal data is accurate; it provides a means for individuals to disassociate themselves from their past. Overall, New Zealand is skeptical of the right to be forgotten’s efficacy and likely will not adopt it anytime soon.
A number of countries are seriously considering the right to be forgotten, or at least online privacy rights. Perhaps the challenge will be implementing this right under the varying international legal regimes. However, there is real concern over the serious impact caused by having search engines of all forms forever linking a person’s name to past negative associations. Yet the U.S. remains one of the clearest regime contrasts to countries that have adopted the right to be forgotten due to its opposing prioritization of freedom of speech. Despite this, at least one poll suggests that Americans actually want the U.S. to recognize a right to be forgotten.152 This may be impossible to achieve, however, under the current understanding of the First Amendment.153 Although human dignity, and by extension privacy rights and the right to be forgotten, is an important value in the U.S., it does not supersede the Constitutional freedom of speech.154
The U.S. Constitution is the supreme law in the United States.155 Human dignity and privacy rights may be implied in the Constitution under the 9th, 13th, and 14th Amendments’ recognition of equality.156 However, the 14th Amendment, for example, applies strictly against the State but does not restrict the actions of private citizens or entities, including search engines like Google.157 No constitutional basis exists to apply human dignity rights against private search engines.158
And ultimately freedom of speech still has the upper hand over implied human dignity rights, as the latter apply only in narrow circumstances.159 U.S. case law reinforces the idea that the right to be forgotten and privacy rights fall in the shadows of the right to free speech.160
Over time the U.S. could become more amenable to protecting broader privacy rights. On September 23, 2013, California enacted a right to be forgotten-type law specifically for minors, whereby minors may demand that an internet website operator remove certain personal data.161 This does not apply to search engines at the moment, although it appears that the door toward a nationwide right to be forgotten law has been opened a crack. Ultimately, however, the U.S. appears steadfast in promoting the First Amendment’s freedom of speech over privacy rights, which are merely implied and limited in scope.162
Even if the U.S. never adopts a right to be forgotten, American data controllers, including search engines, operating in jurisdictions that recognize the right to be forgotten, will have to operate within the right’s parameters. This may place Americans at a disadvantage: people around the world will be able to protect their reputations and control their personal data, but Americans will not enjoy this right. Considering the international trend, the U.S. can choose either to remain an outlier or acknowledge the value in protecting privacy rights and the right to be forgotten over the freedom of speech in certain circumstances. The right to be forgotten does not mean the end of free speech—freedom of speech is not absolute even within the U.S.—and it will likely endure refining due to the overbroad application to search engines.
Regardless of how the U.S. acts, it is apparent that the E.U. will not be alone in implementing the right to be forgotten. And with growing international support, the right will evolve to accommodate new notions of privacy.
To truly comply with the right to be forgotten and ensure the protection of personal privacy rights, it may be constructive for Google and other search engines to expand delisting practices into a global policy. The fact that there are many countries around the world that support, and actively lobby for, this benefit may make this a popular choice. Currently, the right to be forgotten is ambiguous, with little case law providing guidance as to its compliance. Imposing an international right to be forgotten law against all forms of search engines is not practical. Countries are still in the process of determining how the right to be forgotten fits in with their current data privacy laws, and whether search engines should even be subject to those laws. If left up to each country to incorporate the right to be forgotten into their legislation, global adoption of this right will not likely occur any time soon, if at all, due to the lengthy process involved in drafting and implementing new laws. Therefore, as the Privacy Commissioner of Hong Kong has suggested, search engines themselves could apply their delisting practices across the world.
Google has already had to develop its own metric to sort through which right to be forgotten requests are valid. It may be beneficial to take New Zealand’s wait-and-see approach to observe how well that metric adheres to the right to be forgotten’s objectives. Google has already independently extended its right to be forgotten services to Switzerland, Iceland, Norway, and Lichtenstein.163 Additionally, Google now “remove[s] pages from [its] search results when required by local law.”164 For example, Google obliged when the Tokyo District Court “ordered Google to delete about half of the search results for a man linked to a crime he didn’t commit” under Japan’s privacy laws.165
Following the CJEU’s ruling, Google assembled an Advisory Committee to Google on the right to be forgotten to determine how Google should proceed under the ruling, and where.166 The Committee published its findings in January 2015.167 Geographically, the Committee recommended that Google apply its delisting practices to “nationally directed versions of Google’s search services [for example, google.de for Germany] within the E.U.168 However, it did not rule out the possibility of expanding this practice to countries outside the E.U.
It is important to note that, even where Google delists a particular website per a right to be forgotten request from the appropriate national version of Google, the data can still be accessed through other national versions of Google, or simply Google.com. Therefore, the efficacy of Google’s delisting practices is called into question since the delisted personal data is not truly “forgotten.” It is possible for Google to prevent this circumvention by blocking E.U. Internet users’ access to delisted personal data across all European national Google searches.169 However, Google may not necessarily be able to prevent users outside the E.U. from accessing that data within the E.U. through their own national Google searches.170 Therefore, so long as this restriction would only apply to E.U. territory, and leaves the rest of the world’s Internet users free to access the data, the right to be forgotten’s purpose is not truly met. Further, the Committee raised concerns of a “repressive regime[ ]” if Google were to control only E.U. citizens’ access to online data.171
However, Peter Fleischer, Global Privacy Counsel for Google, opined that Google would delist personal data only from the particular national Google search where the request was made.172 He cited the perceived threat to freedom of speech, and variations in local laws as to what speech is not legal, as justification.173 This suggests that local governments must clearly define the right to be forgotten’s limits within their jurisdictions, and move toward a more international consensus on the need for this right’s protection and possible restrictions on free speech. Once that happens Google, and other large search engines, can lead the charge in extending their delisting practices to citizens across the globe.
Ever since the CJEU published its right to be forgotten ruling, much debate has surrounded its scope. Both the Directive and the right to be forgotten ruling fail to define what a search engine is. This is an important oversight. If the Directive is over-inclusive, it will allow censorship of virtually the entire Internet. However, if it is under-inclusive, it may not protect individuals’ privacy rights. While general search engines like Google and Yahoo are better able to shoulder the financial costs of complying with the right to be forgotten, the ruling suggests it also applies to internal search engines. Therefore, as it stands, the right to be forgotten encompasses not only source websites, but every form of search engine and feature, thereby providing citizens with multiple avenues to suppress their online personal data.
This is quite an extreme implication of the right to be forgotten. Since the concerns over privacy rights, which provide the basis for the right to be forgotten, are shared around the world, the question is whether the right will become a global phenomenon. Based on how many countries currently view privacy rights in relation to freedom of speech, it appears that they are open to adopting some sort of right to be forgotten. Perhaps the right to be forgotten ruling can be seen as defining the outer bounds of the right, leaving it up to individual countries to narrow the scope over time.
And while it appears as though the right to be forgotten will eventually have a stronger international presence, it will take time for it and privacy rights to develop at the local level. Through trial and error, limits and balances will be established to maintain the public’s need to know while also protecting individuals’ privacy rights. Once this happens, the international community may choose to make the right to be forgotten an official part of the privacy rights guaranteed by the International Covenant on Civil and Political rights. Until then, search engines instead will have to take the lead on implementing a global delisting practice, thereby eliminating difficult negotiations between countries and creating the groundwork for the right’s international acceptance.
Problems with data privacy are increasing rapidly as people upload more and more of their lives onto the internet. More countries will therefore be motivated to protect their citizens’ data privacy. Countries interested in recognizing a right to be forgotten will likely want search engines to honor their citizens’ right to be forgotten requests, as they do with E.U. citizens’ requests. Eventually, more of these countries will demand that search engines geographically expand their delisting practices; in turn, search engines will grow more willing to do so.
- 1. It is important to note that, although the CJEU decision was based on its interpretation of the Directive, the E.U. is currently in the process of adopting a reform that would update the Directive. The E.U. refers to the reform as the General Data Protection Regulation. One of the biggest changes the General Data Protection Regulation will make to the Directive is its formal inclusion of the right to be forgotten, although the right’s boundaries still remain vague. Otherwise, the General Data Protection Regulation’s reforms do not affect this Comment’s analysis. See Commission Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012) [hereinafter General Data Protection Regulation].
- 2. Case C-131/12, Google Spain SL v. Agencia Espanola de Proteccion de Datos, (2014), http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pa... (last visited Apr. 19, 2016).
- 3. Kitsuron Sangsuvan, Balancing Freedom of Speech on the Internet under International Law, 39 N.C.J. Int’l. & Com. Reg. 701, 716 (2014).
- 4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 [hereinafter Parliament and Council Directive on Processing of Personal Data].
- 5. See generally id.
- 6. See generally id.
- 7. Id. art. 9.
- 8. See What is a Search Engine, B.B.C., (June 6, 2013), http://www.bbc.co.uk/webwise/0/22562913 .
- 9. See, e.g., Google Spain SL, supra note 2, ¶ 20; Case C-202/12, Innoweb BV v. Wegener ICT Media BV, ¶ 24 (2013), http://curia.europa.eu/juris/document/document.jsf?text=&docid=145914&pa... (last visited Apr. 19, 2016); Case C-657/11, Belgian Electronic Sorting Technology NV v. Bert Peelaers, ¶ 21 (2013), http://curia.europa.eu/juris/document/document.jsf?text=&docid=135471&pa... (last visited Apr. 20, 2016); Case C-324/09, L’Oréal SA v. eBay International AG, 2011 E.C.R. I-6011, ¶¶ 31, 38; Opinion of Advocate General Jääskinen, Interflora Inc v. Marks & Spencer plc, Case C-323/09, 2011 E.C.R. I-8630, ¶ 16.
- 10. For example, these internal search engines may be featured within legal research sites, social media, and even court websites. For examples on how the Advocates General of the CJEU have used “search engine” broadly, see, for example, Opinion of Advocate General Kokott, Proposed Accession of the E.U. to the European Convention for the Protection of Human Rights and Fundamental Freedoms, ¶ 224 (2014), available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62013CP0002&from=EN (last visited Apr. 20, 2016) (referring to HUDOC’s search feature as a search engine); Yvette Ostolaza and Ricardo Pellafone, Applying Model Rule 4.2 to Web 2.0: The Problem of Social Networking Sites, 11 J. High Tech. L. 56, 66 (2010) (referring to social networksearch features as “internal search engine[s]”); Katja Weckström, Liability for Trademark Infringement for Internet Service Providers, 16 Marq. Intell. Prop. L. Rev. 1, 12 (2012) (referring to eBay’s search feature as an “internal search engine”).
- 11. Liberty v. United Kingdom, App. No. 58243/00, 2008 Eur. Ct. H.R. ¶ 43, http://hudoc.echr.coe.int/eng?i=001-87207 (last visited April. 20, 2016) (referring to HUDOC’s search feature as a search engine); Opinion of Advocate General Jääskinen, Google Spain SL v. Agencia Espanola de Proteccion de Datos, Case C-131/12 ¶ 33 (2013), http://curia.europa.eu/juris/document/document.jsf?text=&docid=138782&pa... (last visited Apr. 20, 2016); Case T-186/12, Copernicus-Trademarks Ltd v. Office for Harmonisation in the Internal Market (Trade Marks and Designs) (OHIM), ¶ 72 (2015), http://curia.europa.eu/juris/document/document.jsftext=&docid=165226&pag... (last visited Apr. 20, 2016) (using “search engine” to apply to two non-Google Internet sites, one of them being private); Case C-202/12, supra note 10, ¶¶ 8–9 (referring to websites other than Google as providing or containing search engines); Thaddeus J. Holynski, Legal Research on the World Wide Web, 52 Syracuse L. Rev. 1141, 1143 (2002) (including LawCrawler and LawRunner as examples of search engines).
- 12. For example, while an individual may not request that a news article mentioning that individual’s name be removed, that individual may request standard search engines, such as Google, along with any other internal search engine that may archive that information, to remove links to it such that the information becomes virtually inaccessible. See Factsheet on the "Right to be Forgotten” Ruling (C-131/12), http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_d... (last visited Apr. 15, 2016); Google Court Decision: The Right to be Forgotten?, http://www.dentons.com/en/insights/alerts/2014/may/29/google-court-decis... (last visited Apr. 15, 2016).
- 13. These claims include accusing “ambulance-chasing lawyers” of capitalizing on the breadth of CJEU’s right to be forgotten ruling and manipulating people into believing that they must hire a lawyer to help them remove their data from the Internet. In actuality, people can make right to be forgotten requests on their own, for free. See Chris Green, Law Firms Exploiting E.U. ‘Right to Be Forgotten’ Ruling to Help Individuals Remove Awkward Newspaper Articles from Google, Independent (Apr. 17, 2015), http://www.independent.co.uk/news/world/europe/law-firms-exploiting-eu-r....
- 14. European Privacy Requests for Search Removals, https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en (last visited Apr. 20, 2016).
- 15. Michael L. Rustad & Sanna Kulevska, Reconceptualizing the Right to be Forgotten to Enable Transatlantic Data Flow, 28 Harv. J. L. & Tech. 349, 354 (2015) (declaring that the Right to be Forgotten “cannibalize[s] free expression”). For some examples see Patricia Sánchez Abril & Jacqueline D. Lipton, The Right to be Forgotten: Who Decides What the World Forgets?, 103 Ky. L.J. 363, 384 (2015) (“Asking entities . . . [to implement] a right to be forgotten is, in some ways, asking for the right to . . . overtake other rights, like freedom of expression”); Emily Adams Shoor, Narrowing the Right to be Forgotten: Why the European Union Needs to Amend the Proposed Data Protection Regulation, 39 Brook J. Int’l L. 487, 493 (2014) (noting that European countries “place a greater premium on individual privacy,” which affects how the Directive prioritizes the Right to be Forgotten over freedom of speech).
- 16. Fundamental Freedoms: Internet Privacy and Speech, Canadian Civil Liberties Association, https://ccla.org/issues/fundamental-freedoms/internet-privacy-and-speech/ (last visited April 15, 2016).
- 17. Personality rights protect “various attributes of personality [including] privacy, image, voice, bodily integrity, name, and reputation.” Eric H. Reiter, Personality and Patrimony: Comparative Perspectives on the Right to One’s Image, 76 Tul. L. Rev. 673, 680 (2002).
- 18. Personality and privacy rights developed out of the recognition that individuals need to develop their character independent of outside influences. See Von Hannover v. Germany, App. No. 59320/00, 2004 Eur. Ct. H.R. ¶ 25, http://hudoc.echr.coe.int/eng?i=001-109029 (last visited Apr. 21, 2016).
- 19. See generally Grundegesetz Für die bundesrepublik deutschland [Grundegesetz] [GG] [Basic Law], May 23, 1949, BGBl. I (Ger.) translation at https://www.btg-bestellservice.de/pdf/80201000.pdf; CODE CIVIL [C. CIV.] art. 9 (Fr.).
- 20. Charter of Fundamental Rights of the European Union arts. 1, 7, 2012 O.J. (C 326) 1, 9.
- 21. Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 1.
- 22. Id. art. 6.
- 23. Id.
- 24. Id. art. 12(b).
- 25. Id. art. 4 (authorizing member states to enact their own national legislation incorporating the Directive).
- 26. Case C-131/12, supra note 2, ¶ 22.
- 27. Id. ¶ 41.
- 28. Id. ¶¶ 37, 38.
- 29. Id. ¶¶ 25, 26, 32.
- 30. Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 2(d).
- 31. Id. art. 2(b). The General Data Protection Regulation’s definition of data controller is virtually the same as the Directive’s definition of the term. See General Data Protection Regulation, supra note 1, art. 4.
- 32. Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 2(a).
- 33. Id. art. 2(b).
- 34. Id. art. 2(d).
- 35. Case C-131/12, supra note 2, ¶ 28.
- 36. Id. ¶ 26.
- 37. Id. ¶ 32.
- 38. Id. ¶ 34.
- 39. Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 9. An example of this exception would be a news article published on the B.B.C.
- 40. Parliament and Council Directive on Processing of Personal Data, supra note 4, arts. 17, 37; Case C-131/12, Google Spain SL v. Agencia Espanola de Proteccion de Datos, 2014 E.C.R. ¶ 36-38, ¶ 85.
- 41. Id. ¶ 36-38.
- 42. Case C-131/12, Google Spain SL v. Agencia Espanola de Proteccion de Datos, ¶¶ 37–38 http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pa... (last visited Mar. 16, 2016).
- 43. Liberty v. United Kingdom, supra note 12, ¶ 43, http://hudoc.echr.coe.int/eng?i=001-87207 (last visited Apr. 21, 2016).
- 44. At the CJEU, there is one judge from each of the E.U. countries, and 11 Advocates General. During the public hearing stage, the CJEU may decide that the Advocate General must publish an opinion regarding the case at issue, which is to be delivered after the hearing. See Court of Justice of the European Union, http://europa.eu/about-eu/institutions-bodies/court-justice/index_en.htm (last visited Apr. 21, 2016).
- 45. Former Members, http://curia.europa.eu/jcms/jcms/Jo2_9606/ (last visited Apr. 21, 2016).
- 46. Opinion of Advocate General Jääskinen, supra note 10, ¶¶ 32–35.
- 47. Id. ¶ 34.
- 48. Id. ¶ 33.
- 49. Advocate General Kokott is one of the 11 working for the CJEU. See Presentation of the Members, http://curia.europa.eu/jcms/jcms/Jo2_7026 (last visited Mar. 30, 2016).
- 50. Opinion of Advocate General Kokott, supra note 11.
- 51. The Directive’s exception will not apply to the ECtHR’s internal search engine because the ECtHR is not a publisher of purely journalistic data.
- 52. Case C-236/08, Google France Google Inc. v. Louis Vuitton Malletier, 2010 E.C.R. I-2417, ¶ 22.
- 53. Factsheet on the “Right to be Forgotten” Ruling (C-131/12), http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_d... (last visited Apr. 21, 2016).
- 54. E.U. directives act as baselines for the member states that they must implement within their jurisdictions. However, they can expand upon the directives to suit their needs. See E.U. Legislation: What is an E.U. Directive?, http://www.europeanlawmonitor.org/what-is-guide-to-key-eu-terms/eu-legis... (last visited Apr. 21, 2016).
- 55. Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 1; Reform of the Data Protection Legal Framework in the E.U., http://ec.europa.eu/justice/data-protection/reform/index_en.htm (last visited Apr. 21, 2016).
- 56. Chelsea E. Carbone, To Be or Not to Be Forgotten: Balancing the Right to Know with the Right to Privacy in the Digital Age, 22 Va. J. Soc. Pol’y & L. 525, 560 (2015).
- 57. Case C-101/01, Lindqvist, 2003 E.C.R. I-19271.
- 58. Id. ¶¶ 12, 13.
- 59. Id.
- 60. Id. ¶¶ 10, 14.
- 61. Id. ¶ 84.
- 62. Id. ¶ 85.
- 63. Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 1(37), art. 9.
- 64. The Directive allows member states to “restrict[ ] the scope of . . . the obligations” of data controllers in certain circumstances, including where national or public security are primary concerns. See id. ¶ 7; Parliament and Council Directive on Processing of Personal Data, supra note 4, art. 13.
- 65. Case C-101/01, Lindqvist, 2003 E.C.R. I-19271, ¶ 90.
- 66. Case C-73/07, Tietusuojavaltuutettu v. Satakunan Markkinaporssi Oy, 2008 E.C.R. I-9831, ¶ 56.
- 67. Case C-73/07, Tietusuojavaltuutettu, 2008 E.C.R. I-9831, ¶¶ 25, 26.
- 68. Id. ¶ 25.
- 69. Id. ¶¶ 31, 32.
- 70. Id. ¶ 1.
- 71. Id. ¶ 54.
- 72. Id. ¶ 56.
- 73. Id.
- 74. Id.
- 75. Aidan Forde, Implications of the Right to be Forgotten, 18 Tul. J. Tech. & Intell. Prop. 83, 105 (2015) (observing that the CJEU broadly interpreted the Directive’s definition of “controller”).
- 76. Information Society, Privacy and Data Protection, European Union Agency for Fundamental Rights, http://fra.europa.eu/en/theme/information-society-privacy-and-data-prote... (last visited Mar. 30, 2016).
- 77. Id.
- 78. Jeanne M. Hauch, Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris, 68 Tul. L. Rev. 1219, 1227 (1994).
- 79. Scott J. Shackelford, Fragile Merchandise: A Comparative Analysis of the Privacy Rights for Public Figures, 49 Am. Bus. L.J. 125, 160–61 (2012).
- 80. Convention for the Protection of Human Rights and Fundamental Freedoms art. 8, Nov. 4, 1950, 213 U.N.T.S. 221 (entered into force Sept. 3, 1953) [hereinafter European Convention on Human Rights].
- 81. Von Hannover v. Germany, ¶ 95. This can be understood as protecting individuals’ expectation to carry on certain aspects of their lives in a manner they choose, without involving anyone else. See Niemietz v. Germany, App. No. 13710/88, 1992 Eur. Ct. H.R., ¶ 29, http://hudoc.echr.coe.int/eng?i=001-57887 (last visited Apr. 21, 2016).
- 82. Parliament and Council Directive on Processing of Personal Data, supra note 4, ¶ 1.
- 83. Charter of Fundamental Rights of the European Union, supra note 21, art. 1.
- 84. Id. art. 8.
- 85. Code Civil [C. civ.] art. 9 (Fr.).
- 86. Id. art. 10.
- 87. Hauch, supra note 82, at 1223.
- 88. About The Court, Cour De Cassation https://www.courdecassation.fr/about_the_court_9256.html (last visited Apr. 21, 2016).
- 89. Cour de cassation [Cass.] [supreme court for judicial matters], 2e civ., July 8, 1981, Bull. civ. II, No. 152, ¶ 98 (Fr.). In that case, an Italian magazine had published a story concerning, not only public facts regarding actress Romy Schneider’s second marriage and pregnancy, but also private information about her psychological state regarding the events. The court held that, despite Ms. Schneider’s fame, she was entitled to certain expectations regarding her private life, which had been violated by the magazine. So while the magazine would ordinarily be allowed to publish material by relying on freedom of speech, it could not do so where that publication infringed upon an individual’s private life.
- 90. Grundegesetz Für die bundesrepublik deutschland, supra note 20, at arts. 1, 2.
- 91. Id. art. 1.
- 92. Id. art. 2.
- 93. Id.
- 94. Id.
- 95. Bundesgerichtshof [BGH] [Federal Court of Justice] Dec. 1, 1999, Entscheidungen Des Bundesgerichtshofes in Zivilsachen [BGHZ] 50, 133, translation at https://law.utexas.edu/transnational/foreign-law-translations/german/cas....
- 96. Id.
- 97. Lawrence Siry & Sandra Schmitz, A Right to Be Forgotten? – How Recent Developments in Germany May Affect the Internet Publishers in the US, 4 Eur. J. L. and Tech. 1, 4 (2012).
- 98. Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court] Mar. 24, 1998, Entscheidungen Des Bundesverfassungsgerichts [BVerfGE] 97, 391 (Ger.), translation at http://germanlawarchive.iuscomp.org/?s=lebach&submit=.
- 99. Sirv & Schmitz, supra note 101, at 4.
- 100. Axel Springer AG v. Germany, App. No. 39954/08, 2012 Eur. Ct. H.R., ¶ 83, http://hudoc.echr.coe.int/eng?i=001-109034 (last visited Apr. 21, 2016).
- 101. International Covenant on Civil and Political Rights, art. 17, Dec. 16, 1966, 999 U.N.T.S. 171 [hereinafter “ICCPR”].
- 102. Marc Rotenberg, Preserving Privacy in the Information Society, United Nations Educational, Scientific and Cultural Organization, http://www.unesco.org/webworld/infoethics_2/eng/papers/paper_10.htm (last visited Apr. 22, 2016).
- 103. Thomas J. Webb, Verbal Poison—Criminalizing Hate Speech: A Comparative Analysis and a Proposal for the American System, 50 Washburn L.J. 445, 463 (2011).
- 104. Id.
- 105. Carbone, supra note 60, at 545.
- 106. Shoor, supra note 16, at 492–93.
- 107. Putin Signs “Right to be Forgotten” Bill into Law, RT (July 14, 2015, 2:41pm), http://on.rt.com/i4qc9r.
- 108. As mentioned previously, Japan has ordered a search engine to delink data associated with a Japanese individual under its data privacy laws. This certainly lays the groundwork for adopting the right to be forgotten explicitly within Japan. See Cheryl Kemp, Right to be Forgotten Spreads to Japan as Google Deletes One-Third of E.U. Requests, Whir, (Oct. 10, 2014), http://www.thewhir.com/web-hosting-news/right-forgotten-spreads-japan-go....
- 109. Cannix Yau, Hong Kong to Lobby Google Over the ‘Right to be Forgotten,’ South China Morning Post (June 16, 2014, 9:31am), http://www.scmp.com/news/hong-kong/article/1533618/privacy-chief-allan-c....
- 110. Id.
- 111. A data user is defined as “a person who . . . controls the collection, holding, processing or use of the data.” Since search engines cannot be classified as persons, the data privacy act cannot apply to them. See Personal Data (Privacy) Ordinance § 2, (2013) Cap. 486, 1 (H.K.) [hereinafter Personal Data Ordinance].
- 112. Yau, supra note 113.
- 113. Id.
- 114. Hong Kong’s data privacy act allows for the removal of personal data as a remedy to violations of the act. This is of course closer to the right to be forgotten than other privacy acts that only allow for the correction of personal data. See Personal Data Ordinance, supra note 115.
- 115. Mark Parsons, Eugene Low, and Dominic Edmondson, A Right to be Forgotten in Hong Kong?, Hogan Lovells (Aug. 14, 2015), http://www.hlmediacomms.com/2015/08/14/a-right-to-be-forgotten-in-hong-k....
- 116. Id.
- 117. Id.
- 118. Id.
- 119. Id.
- 120. Id.
- 121. Mark Parsons and Peter Colegate, 2015: The Turning Point for Data Privacy Regulation in Asia?, Hogan Lovells (Feb. 18, 2015), http://www.hldataprotection.com/2015/02/articles/international-eu-privac....
- 122. Constance Gustke, Your Private Data is Showing, B.B.C. (June 26, 2013), http://www.bbc.com/capital/story/20130625-your-private-data-is-showing.
- 123. Personal Data Protection Act 2012 pt. 5, 26 Gov. Gazette Acts Supplement 1, Republic of Singapore.
- 124. Gustke, supra note 126.
- 125. Id.
- 126. Cf. id.
- 127. Experts Fear a European ‘Right to be Forgotten’ Online Ruling May Be Duplicated in Australia, The Sydney Morning Herald (Nov. 19, 2014), http://www.smh.com.au/technology/technology-news/experts-fear-a-european....
- 128. Id.
- 129. Jarrod Bayliss-McCulloch, Does Australia Need a “Right to be Forgotten?”, 33 Communications Law Bulletin 1, 10 (2014).
- 130. Privacy Act 1988 § 25, 20S, (Austl.), available at https://www.comlaw.gov.au/Details/C2015C00598/Html/.
- 131. See Duffy v. Google Inc (2015) SASC 170 (Sup. Ct. S. Austl.).
- 132. Serious Invasions of Privacy in the Digital Era: Issues Paper 43, Australian Law Reform Commission ¶¶ 169–171 (Oct. 8, 2013), http://www.alrc.gov.au/publications/invasions-privacy-ip43 (inferring that new protections could give individuals more control over their private information).
- 133. H.A. Harris, Privacy Rights According to the Supreme Court of Canada: Office of the Privacy Commissioner of Canada to CAPA Conference 1997, https://www.priv.gc.ca/media/sp-d/archive/02_05_a_971030_e.asp (last visited Apr. 23, 2016).
- 134. R. v. Spencer,  2 S.C.R. 212, 215 (Can.).
- 135. Id. at 213.
- 136. Id.
- 137. Id.
- 138. Crookes v. Newton,  3 S.C.R. 269, 271 (Can.).
- 139. Id.
- 140. Id.
- 141. Personal Information Protection and Electronic Document Act, S.C. 2000, c. 5, First Schedule (Can.) [Hereinafter “PIPEDA”]. See also Findings Under the Personal Information Protection and Electronic Documents Act (PIPEDA): Website That Generates Revenue by Republishing Canadian Court Decisions and Allowing Them to be Indexed by Search Engines Contravened PIPEDA, Office of the Privacy Commisioner of Canada, https://www.priv.gc.ca/cf-dc/2015/2015_002_0605_e.asp (last visited Apr. 23, 2016).
- 142. Id. at First Schedule.
- 143. Summaries of Early Resolved Cases: Web Posting that was Removed by Individual Retained by Internet Search Engine, Office of the Privacy Commisioner of Canada, https://www.priv.gc.ca/cfdc/ser/2014/er_005_140123_e.asp (last visited Apr. 23, 2016).
- 144. PIPEDA, supra note 145, ¶ 95.
- 145. Id. ¶¶ 2–5.
- 146. Id.
- 147. Id. ¶¶ 103–107.
- 148. In a case about betrayal and cake, the New Zealand Tribunal noted the negative effects of having one’s reputation be constantly associated with potentially damaging information, or in this case, a vulgar baked good. This association can of course be fortified through the overview search engines provide in connection with an individual. The Tribunal seemed to hint at the fact that the lack of a Right to be Forgotten law in the jurisdiction meant that this type of association might not be remedied. See Hammond v Credit Union Baywide (2014)  NZHRRT 56, ¶ 7.5 (N.Z. Human Rights Review Tribunal).
- 149. Joy Liddicoat, The Right to be Forgotten, Office of the Privacy Commissioner 9 (May 7, 2015), https://www.privacy.org.nz/assets/Files/Speeches-presentations/2015-05-7....
- 150. Id. at 8.
- 151. Id. at 7 (citing Privacy Act 1993 pt. 2, (N.Z.)).
- 152. See Carbone, supra note 60, at 554 (citing Letter from John M Simpson, Privacy Project Dir., Consumer Watchdog, to Lary Page, Google Chief Exec. Officer, and Eric Schmidt, Google Exec. Chairman (Oct. 13, 2014), http://www.consumerwatchdog.org/resources/ltrpagertbf101314.pdf).
- 153. Shoor, supra note 16, at 492–93.
- 154. Id.
- 155. See, for example, Russel L. Weaver, Duncan Fairgrieve, & Francois Lichere, The Creation of Transnational Administrative Structures Governing Internet Communication, 78 Mo. L. Rev. 527, 530 (2013).
- 156. Webb, supra note 107, at 473–74.
- 157. U.S. Const. amend. XIV. This includes being supreme over international treaties. Therefore, if an international right to be forgotten law were enacted and conflicted with the U.S. Constitution, it would not govern within the U.S.
- 158. Webb, supra note 107, at 474.
- 159. For example, the 13th Amendment’s human dignity implication applies only in regards to “badges and incidents of slavery.” It is true that the Constitution also includes certain privacy rights, but these too are narrow in scope, such as applying to one’s home against housing soldiers. The same cannot be said for the First Amendment’s freedom of speech. See U.S. Const. amends. I, III, XIII, § 2.
- 160. Carbone, supra note 60, at 555–59. However, these cases involve newspaper publications and censoring the information therein. The E.U.’s Right to be Forgotten explicitly excepts purely journalistic endeavors, including newspapers, thus balancing freedom of speech. So it is not entirely accurate to say that the Right to be Forgotten conflicts with U.S. case law. However, it does appear to conflict with the Americans’ prioritization of the freedom of speech and the absolute minimal restrictions upon it that are allowed.
- 161. See Cal. Bus. & Prof. Code § 22580 (West 2015).
- 162. Shoor, supra note 16, at 492–93.
- 163. Carbone, supra note 60, at 545.
- 164. Kemp, supra note 112 (quoting a Google spokesman).
- 165. Id.
- 166. The Advisory Council to Google on the Right to be Forgotten, 1, http://docs.dpaq.de/8527-report_of
_the_advisory_committee_to_google_on_the_right_to_be_forgotten.pdf (last visited Apr. 24, 2016).
- 167. Read the Advisory Council’s Final Report: How Should One Person’s Right to be Forgotten by Balanced with the Public’s Right to Information, Google, https://www.google.com/advisorycouncil/.
- 168. The Advisory Council to Google on the Right to be Forgotten, supra note 170, at 20.
- 169. Id. at 18–19.
- 170. Id. at 19–20.
- 171. Id. at 20.
- 172. Peter Fleischer wrote this opinion in response to a request by France’s data protection regulator that Google delist links from all of its search engines, not just the French version. He references the laws of Thailand, Turkey, and Russia as examples of differences in what is considered allowable speech and what is not. This is meant to illustrate that there can be no realistic way for Google to be able to determine how to apply its delisting practices to accommodate what each country deems allowable and unallowable. See Implementing a European, Not Global, Right to be Forgotten, Google Europe Blog (July 30, 2015), http://googlepolicyeurope.blogspot.ca/2015/07/implementing-european-not-... (last visited Apr. 24, 2016).
- 173. Id.