And Then There Were None: Europe, the Internet, and the Right to Be Forgotten

Posted by John Linkous

The European Court of Justice's ruling in May that individuals have the "right to be forgotten" could fundamentally change Internet privacy and security.

The case involved a Spanish attorney, Mario Costeja González, who was troubled that public notices were being posted in his local newspaper regarding the repossession and auction of his home. He appealed to the Court, which ruled that, generally speaking, an individual's privacy rights trump the public's interest in the individual. The Court stated that search engines such as Google (the specific target in this case) must remove links to sites containing personal information on EU citizens upon request and mandated that the EU member nations come up with a way to do so.

Conceptually, the privacy and security of our personal data is not a bad thing. Who among us wouldn't like to eliminate from the Internet forever that late-night post to an ex on Facebook, the lengthy argument with a troll on Reddit about why Rush is the best Canadian rock band of all time, or that awkward prom photo that was posted online? Certainly, the idea of retaining our privacy is a good one. Unfortunately, the European Court's ruling does absolutely nothing to make that happen, while placing blame for the problem on the wrong party.

The biggest problem with the ruling is a logistical one. The court's ruling seems to think of the Internet as a single-instance repository of information; it decidedly is not. Search engines such as Google, Bing, Yahoo, and others are not primary repositories of content (although they do often cache content ... but more on that later). They are simply connecting to information that can be reached in one of several ways. Forcing search engines to remove links to information about individuals does not in any way remove the actual content. The content itself remains online and can still be linked by other aggregation sources.

Let's think for a moment what some of those aggregation sources might be: Imagine a world in which anyone could have a legal right to request removal from an aggregation point. While this is an EU-only ruling, what if it applied in the United States? Would corporate executives be able to request links to their 10-K filings on the site be removed from search results served up by Yahoo, Google, and Bing if the company had a bad quarter? What about sites that provide links to public information on individuals from primary sources, such as databases of criminal activity or registered sex offender lists? The ambiguity of the ruling in its present state makes it difficult to assess how these situations will be handled.

Another issue is one of content linking versus content caching. While it's true that search engines such as Google provide links to content, they also cache content from target sites so that sites and pages can be viewed in a "last seen" state in the event that the linked content goes offline. While the ruling was limited in scope to links, it did not specifically address cached content, which would still likely show up in a search query—rendering the point of eliminating links moot from a practical perspective. If it turns out at a later date that the scope of this ruling extends to cached content, it's not hard to see how this slippery slope could lead to future row-level deletion of content from primary data sources. Much of the research functionality of the Web as we know it would be rendered useless.

Perhaps the most difficult question to answer is how this ruling will be applied and enforced. Because the ruling is very vague, individual EU member nations will have the authority to interpret it in their own way. For a political body such as the European Union that prides itself on consistency of policy—and justice—among its member countries, this ruling could lead to implementation havoc. It's not difficult to imagine some nations demanding the removal of links to information regarding their citizens, and other nations recognizing a different interpretation of the ruling and refusing to comply. And, of course, enforcement is limited to only search engines in the EU—a search engine with infrastructure based entirely outside the EU (say, South America or Asia) would be able to keep the links to the original content, and Europeans would still be able to access the information.

There's no doubt that privacy is a good thing; many of us are uncomfortable with the amount of information available to the public about us, even when we put minimal information out there voluntarily. However, the EU ruling doesn't really provide a reasonable solution to the question of the "right to be forgotten." Instead, it will likely result in massive amounts of data migration efforts by search engines that are essentially "drive-by" victims in the equation, and confusion on the part of both consumers and citizens of EU nations . . . all with almost no possibility of actually making the Internet "forget" anything. That's not privacy—it's just bureaucracy.

John Linkous, Technology Advisor

