THE BLOG
01/11/2015 07:34 pm ET Updated Dec 06, 2017

Can 'User as Owner' Policy Prevent Need for 'Right to Be Forgotten'?

2015-01-08-UserasOwner.jpg

The complexities of Europe's Right to be Forgotten law is causing a lot of confusion due to the vagueness and ambiguity of recent rulings, its impact on the freedom of expression, its interaction with the right to privacy, and concerns about whether it would decrease the quality of the Internet through censorship and a "rewriting of history."

In a nutshell, the Right to be Forgotten allows individuals to request the removal of things linked to their name (e.g. information, photos, videos), which is "inadequate, irrelevant or excessive; not kept up to date; or kept for longer than necessary." It has been defined as the right to silence on past events in life that are no longer occurring.

Sounds simple enough, right? Perhaps at first glance it is, but things start to get hairy when you really start thinking about all the possibilities. With freedom of information, freedom of expression, freedom of speech, right to privacy, and right to be forgotten, which freedoms or rights trump the other?

On May 12, 2014, the European Court of Justice ruled against Google in the Costeja case, a case brought by a Spanish man, Mario Costeja Gonzalez, who requested the removal of a newspaper article link about an auction for his foreclosed home, for a debt he subsequently paid off the debts on. When the court ruled in favor of Costeja, a flurry of controversy over the ruling flooded the Internet and more than 75,000 requests from European citizens to remove information had been submitted to Google. Courts across Europe can expect to stay busy for quite some time considering each case needs to be assessed with its own merits. Each case will need to consider sensitivity for the individual's right to privacy, type of information in question, and the interest of the public in having access to that information.

The Right to be Forgotten addresses an urgent problem in the digital age. We are in the Internet's infancy, and people are being forced to quickly understand what personal information is being shared, how they can control who sees what, and how to safeguard private information. A lack of understanding may result in harsh consequences such as termination of a job, friction in relationships, damaged reputation, or expensive lawsuits. Deleting a photo, status update, or tweet doesn't mean it's removed from the Internet forever, and a lot of people are learning that the hard way.

In the world of big data, flippant sharing of information, and abundance of search technologies, is there a way data can be managed by the individual to ensure compliance with fundamental freedoms, rights and laws? Should a private, commercial company such as Google be the final arbiter in determining an individual's online identity and reputation?

The concept of identity management by the individual isn't far-fetched. In fact, when it comes to consumer data, the User as Owner concept has started to gain traction. The idea is that personal information can be aggregated, collected or stored by an organization but cannot be released without consumer consent, thereby placing the responsibility and power into the hands of the consumer. It enables standardized privacy policies that work across borders under the assumption that the individual owns their own personal identifying information (PII). This means that companies and governments can store an individual's information, but are not permitted to use the information or share it without the individual's consent.

This is not a new idea. Commonwealth privacy policies follow a similar process when dealing with personal credit data. For example, the Credit Reporting act of Canada requires credit-reporting agencies to receive consumer consent prior to divulging credit information to a credit grantor. This hinders the sharing of personal information without the individual's knowledge and provides one with privacy in regards to financial information. But many countries do not have this hedge of protection for their citizens, and rely instead on "permissible purpose" and legislation that is oftentimes broad and filled with loopholes.

User as Owner negates the need for governments to create individualized and quickly outdated regulations that govern the use of personal data. It ensures that policy makers and businesses like Google are not deciding how a person's information is used in any context.

If an individual's personal information can only be released with their consent, then that person decides what information will be made available, to whom, and for what purpose. An organization, government, or institution either providing or accessing an individual's personal information will be responsible for obtaining permission from the individual before releasing it to third parties. This will create an environment of accountability, which naturally leans in the favor of consumer privacy. Knowing that there are penalties for the mishandling of personal information will spur data aggregators and relying parties to proceed only with the individual's knowledge.

How does a User as Owner policy affect the Right to be Forgotten law? Consumer consent shifts the responsibility to the individual, and therefore, the person in question is aware of the circumstances surrounding their personal information that is to be released. A framework of trust built into the Internet regarding personal information will mitigate the amount of private information making its way onto the web. This means that there will be less information that needs to be purged from online channels and less chance that data needs to be "forgotten."

Data aggregation and collection is now a reality in our online world due to data prevalence and technological advancements. In a global economy, the creation of multiple data privacy laws from country to country is problematic and hinders inclusion and commerce for both businesses and individuals. Having a one-size-fits-all data protection policy that empowers the individual no matter where they are in the world and at the same time protects privacy and the publication of inaccurate consumer information would be the ideal first step in solving this complicated issue.