Implications of the right to be forgotten
Written by Jake Isakoff
The rapid expansion of digital technologies has led to an exponential increase in the collection and retention of personal data. This growing digital footprint, particularly in the context of the internet and social media, raises significant concerns about privacy rights and the potential harms associated with the long-term accessibility of personal data. A key development in this conversation is the “right to be forgotten,” a concept that has gained considerable attention since its inception in the European Union. With landmark cases such as Google LLC v. CNIL and ongoing legislative developments in the United States, such as the California Consumer Privacy Act, there is a growing focus on how U.S. privacy laws might adapt to increasing calls for stronger data privacy protections. This shift requires careful consideration of the complex balance between privacy rights and the First Amendment, raising questions about how the U.S. might incorporate a right to be forgotten while navigating the broader challenges of data control and deletion in a digital age.
The right to be forgotten is a legal concept that first emerged in the EU in 2019, specifically through the decision of the Court of Justice of the European Union in Google Inc. v. Commission Nationale de l’Informatique et des Libertés, Google LLC v. CNIL. The case addressed whether individuals could request the removal of personal information from search engine results, particularly in the event of that information being outdated, inaccurate, or irrelevant. The CJEU ruled that, under certain circumstances, individuals do have this right. The ruling was grounded in the EU’s General Data Protection Regulation, which envelopes the principles of data protection and privacy. The GDPR, effective May 2018, provides individuals with significant rights over their data, including the right to access, rectify, and erase it. The right to be forgotten is a subset of these broader privacy rights, designed to allow individuals to have more control over their digital identity and to ensure that personal data is not perpetually stored in ways that could harm an individual’s reputation or dignity.
In Google LLC v. CNIL, the CJEU essentially ruled that Google was required to comply with individual requests for data removal in search results within the EU. However, the ruling also clarified that this right was not absolute, and companies could refuse requests when there was a legitimate public interest in retaining the data, such as for freedom of expression or journalistic purposes. Freedom of expression ensures the public’s access to information, while journalistic purposes allow the retention and use of data necessary for reporting news, exposing wrongdoing, or fostering democratic accountability. This case has become a pivotal point of reference in global data privacy debates, particularly in light of the growing recognition of data as a fundamental human right.
In contrast to the EU, U.S. privacy laws have been historically fragmented and less protective of individual privacy. While there are some sector-specific privacy laws, like the Health Insurance Portability and Accountability Act for health care and the Children’s Online Privacy Protection Act for children’s data, there is no comprehensive federal data privacy legislation. As a result, the privacy landscape in the U.S. is shaped largely by state-level initiatives, with California leading the way through its California Consumer Privacy Act, passed in 2018.
The CCPA grants California residents several rights over their data, including the right to access, delete, and opt out of the sale of their data. However, it does not provide any specific right to be forgotten as conceived in the EU. In addition, the CCPA includes several of the same exemptions as the right to be forgotten, mostly for data that is necessary for the exercise of free speech and journalism. The delicate balance between privacy and freedom of expression continues to be at the heart of the discussion surrounding data privacy.
At the federal level, proposals for comprehensive privacy legislation, such as the Consumer Data Privacy Act and the American Data Privacy Protection Act, have struggled to gain traction, in part due to concerns about limiting free speech. The First Amendment of the U.S. Constitution guarantees the freedom of speech and the press, creating a significant challenge for any attempt to adopt a right to be forgotten in the United States. Critics argue that such a right would infringe on the ability of individuals and organizations to access and publicize information, especially in the context of search engines, news outlets, and social media platforms. Enforcing such a right could result in the removal of content that, while deemed irrelevant by some, may still hold value for others, potentially eroding the public record. Additionally, platforms could be burdened with navigating subjective and contentious requests, leading to delays, increased costs, or overly cautious content removals to avoid liability.
In Google LLC v. CNIL, the CJEU explicitly acknowledged that the right to be forgotten must be balanced with other rights, including freedom of expression. As mentioned, the Court emphasized that individuals do not have an unrestricted right to erase information from the internet, particularly when it serves a public interest, such as in news reporting. The Court also noted that information that is in the public domain or of significant public interest should not be subject to deletion. This balancing act is crucial in the U.S. as well. The First Amendment plays a central role in shaping the landscape of data privacy law in the U.S., especially when considering whether companies can be compelled to remove content or unlist search results. If the right to be forgotten were implemented, it would pose significant challenges in defining its boundaries and ensuring such a right works alongside strong free speech protections under the First Amendment.
In the U.S., several courts have grappled with similar issues involving data retention and deletion. In the 1997 case Reno v. American Civil Liberties Union, the U.S. Supreme Court recognized the unique nature of the internet as a forum for free expression and emphasized that government regulation of online speech would likely violate the First Amendment. While this case did not directly address data deletion, it laid the foundation for the principle that online content should be broadly protected from government interference. Moreover, in cases involving defamation or reputational harm, U.S. courts have generally been reluctant to compel platforms or search engines to remove content.
As calls for stronger data privacy protections continue to grow in the U.S., lawmakers and courts must navigate the complex intersection of privacy, free speech, and data retention. One potential model for a right to be forgotten within the U.S. could draw inspiration from the EU’s GDPR framework but also account for the unique First Amendment considerations that shape U.S. law. First, any proposal for a right to be forgotten in the U.S. would likely need to be framed within a more nuanced legal context, offering exceptions for freedom of expression, public interest, and journalistic practices. The legal precedent established in Google LLC v. CNIL suggests that companies should be required to evaluate deletion requests on a case-by-case basis, balancing the individual’s privacy rights with the public interest in retaining the data.
Moreover, U.S. privacy laws should also focus on empowering individuals with greater control over their data, as seen in the CCPA and other state laws. A robust privacy framework could incorporate principles such as transparency, accountability, and data minimization, or limiting data collection and retention to what is strictly necessary, ensuring that companies do not retain personal data for longer than necessary. However, the legal framework should avoid overly burdensome regulations that could stifle innovation or infringe upon free speech rights.
Finally, in light of the global nature of the internet and data flows, U.S. lawmakers must consider the extraterritorial reach of any proposed data privacy laws. The EU’s GDPR, for instance, applies to any entity processing the data of EU citizens, regardless of where the entity is based. Similarly, the U.S. must consider how domestic legal reforms could interact with foreign laws, creating a more harmonized global approach to privacy.
Overall, the right to be forgotten is a concept that has significant implications for data privacy, free speech, and the future of internet governance. While the EU has taken substantial steps to protect individuals’ privacy through the GDPR, the U.S. legal system faces unique challenges, particularly in balancing privacy rights with the First Amendment’s guarantees of free speech. As the U.S. continues to evolve its privacy laws, it will be essential to find a middle ground that allows individuals to have control over their data while respecting the fundamental rights of free expression. Drawing on global precedents like Google LLC v. CNIL and ongoing state-level privacy efforts like the CCPA, U.S. lawmakers will need to carefully consider how best to protect privacy in an increasingly data-driven world.
