Could a Right to Be Forgotten Online Kill Libraries?

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George R. Lynch

Oct. 13 — International efforts to make it easier to remove links to personal information online could doom traditional U.S. library services, privacy professionals told Bloomberg BNA.

Libraries perform a unique function in organizing information to make it useful for the public—a responsibility made more crucial in the internet era when people's main information source is full of unindexed and disorganized data, they said.

The idea is that people should be able to request that links to their online information be removed unless the public's interest in accessing the data outweighs individual privacy rights. It's that push for what's known as a right to be forgotten (RTBF) that could hamstring libraries.

The role of libraries is to “preserve the integrity of the historical record, preserve the ability to index and find information for the purposes of research and education,” Deborah Caldwell-Stone, deputy director of the American Library Association's Office for Intellectual Freedom, told Bloomberg BNA.

Companies collecting huge amounts of data may learn a thing or two from the debate. The disconnect between making a vast data stream accessible to the public and making it harder to trace in order to protect privacy is at the heart of the RTBF debate. It raises many of the same conflicts between big data and privacy that make the pursuit of truly anonymized or de-identified information the prize of researchers and privacy advocates alike.

Right to Be Forgotten

“The right to be forgotten right now is about a 10-20 year view of the world,” Anne Klinefelter, privacy law professor and director of the law library at University of North Carolina School of Law, said. Librarians “take a much longer view of the value and relevance of information.”

Alphabet Inc.'s Google has been the main subject of RTBF enforcement in the European Union. The search engine giant faced scrutiny by data privacy regulators in Spain and France, which were intent on making it remove search links to certain personal data. In the case of Costeja v. Google ( Google-Spain), the EU's top court in 2014 recognized a strong RTBF principle and compelled Google to remove search links.

“The library community is aware of the RTBF and it's a topic of concern,” Caldwell-Stone said.

That role becomes much more difficult when search engines are forced to deindex information, making information on the internet harder to find, she said.

Tom Smedinghoff, privacy and data security of counsel at Locke Lord LLP in Chicago, said the RTBF “raises questions about the traditional role of libraries.”

Privacy professionals said that even if the reach of the RTBF was confined to the personal data of individuals in foreign jurisdictions where the principle is recognized, it still could have a detrimental affect on the ability of U.S. libraries to give the public the services it has traditionally provided.

Attorneys should understand that the RTBF is already at play in the U.S. in a limited way, Smedinghoff said, citing provisions that require some amount of data erasure to preserve privacy in the federal Fair Credit Reporting Act and California's statute allowing for the erasure of certain web postings by children.

Emergence of RTBF

The Google-Spain case was referred to the Court of Justice for the European Union (CJEU) from Spanish courts to clarify the RTBF provisions of the EU Data Protection Directive (95/46/EC) (EU Directive) (13 PVLR 857, 5/19/14). The CJEU issued a ruling that required Google to deindex articles involving the auctioning of Mario Costeja González's house from a search for his name, but didn't force the newspaper to delete the references from its online archive.

The CJEU held that a data subject can request the deindexing of information where the links are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.” Though the rights of the data subjects generally override the interest of internet users, requests for deindexing should be balanced with “the legitimate interest of internet users potentially interested in having access to that information,” the CJEU said.

EU General Data Protection RegulationRight to Be Forgotten

Grounds upon which individuals may request information to be “forgotten” include:

  •  the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  •  the individual withdraws consent on which the processing of his or her personal data was based, or there is no other legal ground for the processing;
  •  the individual objects to the processing and there are no overriding legitimate grounds for the processing;
  •  the personal data have been unlawfully processed.

Similar to the EU Directive, the new General Data Protection Regulation (GDPR)—which is set to take effect in May 2018 as a replacement for the EU Directive (15 PVLR 791, 4/18/16)—includes the RTBF. The GDPR gives EU citizens the right to request that data controllers remove information about them for a variety of reasons.

Google-Spain didn't establish which entities may be considered DATA controllers and have RTBF obligations. The GDPR doesn't add any more clarity.

It's unclear how broad this exemption will stretch, but there is reason to believe that it could reach libraries, privacy professionals said.

As of Oct. 6, Google had received 564,627 EU requests for search removals, and it has complied in the removal of 43.2 percent of those requests.

Does Accessibility of Information Matter?

One question is whether the RTBF is about indexing that is too good, Klinfelter said.

Libraries haven't yet been targeted in RTBF cases because they aren't currently able to index information to make it as accessible on the web as Google can, Klinefelter said. Though pointing to the GDPR's exemption for archiving in the public interest, she said “as libraries digitize and index more materials and make those resources widely available, these libraries might be seen as offending the rights of EU citizens, particularly if the library has contacts that bring it under EU jurisdiction. So we'll have to see how this exemption could be applied.”

“We're accustomed to the idea that risk of someone finding a needle in a haystack is low,” Klinefelter said. “We have relied on practical obscurity to protect privacy.”

International privacy analysts considering the RTBF in the age of big data and omnipresent social media say the conflicts in data collection and use are perplexing and difficult to regulate (15 PVLR 757, 4/11/16).

Caldwell-Stone said that the job of the librarian is almost impossible when the tools to find information are taken away and the information is essentially rendered invisible.

The International Federal of Library Associations released a statement in February that said that making information more difficult to find can, “in some cases, have the same effect as removing information.”

“The whole point of librarianship is to organize and present content so the user can easily find information that's relevant to their research and their interests,” and to promote the freedom of access to information and freedom of expression, Caldwell-Stone said.

How Libraries Are Affected

One implication for U.S. libraries of the RTBF in the EU is that it hinders their ability to preserve foreign digital information, Klinefelter said.

Additionally, Klinefelter said that libraries form consortia to carry out projects, such as preserving material on a particular topic. If libraries in a such a coalition have a jurisdictional link to the EU, the entire project could be subject to the RTBF, so U.S. libraries may want to be cautious about partnering with covered libraries, she said.

The CJEU acknowledged in Google-Spain that there could be exceptions to the RTBF depending on “the role played by the data subject in public life.” In such a case, “the interference with his fundamental rights is justified by the preponderant interest of the general public” in having access to the information, the CJEU said in its opinion.

International Federal of Library AssociationsCode of Ethics for Librarians and Other Information Workers—Preamble

“The role of information institutions and professionals, including libraries and librarians, in modern society is to support the optimisation of the recording and representation of information and to provide access to it. Information service in the interest of social, cultural and economic well-being is at the heart of librarianship and therefore librarians have social responsibility.”

The GDPR also has RTBF exemptions “for reasons of public interest” and “for archiving purposes in the public interest, scientific or historical research purposes.”

It isn't at all clear, however, who is considered a public figure and what information is considered to be in the public interest to justify refusing to delist.

Libraries' main concern is the possibility of losing the ability to find information and preserve the historical record, especially as it concerns public figures, Caldwell-Stone said. “Is this a right that will be extended to public figures or quasi public figures? Who is a public figure?”

Libraries are also concerned about the historical record for non-public figures.

Transparency in the private marketplace, for example, could take a hit. When a customer does research on a business, Caldwell-Stone asked whether public information on the financial history of the proprietor of the business will remain available. She asked whether court records that have traditionally been publicly available would remain available.

For libraries committed to preserving the historical record and ensuring information remains available about public figures, a full and vigorous implementation of RTBF would deny access to a whole wealth of information that should otherwise be available, Caldwell-Stone said.

RTBF in U.S.?

Even if the U.S. never adopts a broad RTBF principle, its existence in so many other jurisdictions opens the possibility that information deindexed in any one country will become unavailable globally.

The question of whether information deindexed in one jurisdiction will need to be indexed globally is problematic for two reasons, Smedinghoff said. On the one hand, if the RTBF is enforced globally, EU law will be extended globally. On the other hand, if it isn't extended globally and the information is still available in other jurisdiction, the law hasn't accomplished much, Smedinghoff said.

Privacy professionals agreed that the RTBF hasn't had much of an impact in the U.S. yet, but U.S. libraries will feel the impact of RTBF even if it remains confined to overseas jurisdictions.

Smedinghoff said that the odds of the RTBF being adopted in the U.S. are close to zero.

“But that may change if the right is interpreted, as I think it will be, under the GDPR to be much broader and give individuals the right to request that any data controller erase information,” Smedinghoff said.

To contact the reporter on this story: George R. Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.