If there is information about you on the Internet, do you have the right to get it deleted? If you did something a decade, two decades ago that is still showing up in searches when people Google you, do you have the right to ask Google to stop showing it? That’s the central question of the “right to be forgotten.”
The European Union (EU) has always been well ahead of other jurisdictions on the road to privacy rights and the establishment of individuals’ control over their own data. Not only over the existence of any data about them that resides with third parties, but also what those third parties can do with that information in terms of using it, sharing it, storing it, and deleting it.
But in May 2014, the top court in the EU codified what has become popularly known as “the right to be forgotten” with its definitive ruling against Google in which a plaintiff requested specific information about himself be deleted from the results returned on a relevant query—in essence, the Court overruled Google’s defense and cemented any individual’s right within the EU itself to have Google delete unwanted records about himself or herself, regardless of the veracity or age of those records.
Aside from the legal and compliance aspects of this question, this ruling really informs an important discussion we should all be having about how much institutional memory is appropriate in an age where we are all connected.
This really boils down to user choice, in my opinion. Often people’s desire to be forgotten is at odds with data companies. How so?
- Search engines wish to preserve any and all information they can get their hands on, which ultimately increases the usefulness of their search engine (more people find what they are looking for with their query strings) and benefits the company financially if, for instance, it is trying to monetize its user base in the form of advertising.
- Private sales and retail companies and institutions generally want to keep information on an individual for as long as possible so as to better understand his or her habits, intentions, purchasing behavior, likelihood to pay back loans or perform under contractual agreements, and more. More voluminous and more extensive data, simply put, is better for these entities.
- Many companies find there is a market for data on their customers and prospects, whether it is simply a list of contact information or more extensive purchase and demographic data sharing among affiliated companies. There is money to be made in the exchange of data between entities, and not all of it—perhaps even not most of it—is for the ultimate benefit of the consumer or individual, but rather the entity selling it or facilitating the exchange.
That is a lot of inertia and momentum for privacy to overcome, to be sure.
Ultimately, I think we all need to understand the bottom line: users and individuals are increasingly wanting to be in control of this information, and this is a reasonable position for them to take as well. After all, the data is very much about them, so why shouldn’t they have a say in how it is stored and used? And this is an issue at the forefront of many minds, too, as the New York Times recently reported:
“Since the ruling in May, Google — which holds close to 85 percent of Europe’s online search market — has received roughly 175,000 requests, from people in Europe and outside the region, to remove links to online material, according to the company’s transparency report.”
What can data companies take away from the Right to be Forgotten rulings and enact in their own dealings? I have four recommendations.
- Offer your users a choice. Explain in plain English without your lawyers rewriting into legalize exactly what you do with their data. Explain what types of data you collect about your users, customers, and prospects, and allow them to limit as much sharing as you can. To borrow (and then perhaps kill) a phrase, allow data collection to be limited until it hurts, and then limit it a little bit more too.
- Allow your users to delete the information you have on them if that is their wish. While in the EU this is probably a legal requirement for you, go the extra mile and allow this even if your business is not under the jurisdiction of the EU. Ultimately, this is about consumer trust and providing service to customers. If you can’t demonstrate the value to the consumer of you processing their data, and they don’t trust you to hold their data, then you have bigger problems than complying with new legislation.
- Do not get in the business of being an arbiter of what is relevant and what is not. As part of the 2014 EU ruling, Google put into place restrictions on whether it would in fact delete content or not, putting the burden on individuals to demonstrate that content was no longer relevant and that no public interest was served in continuing to return links to the content in question. I am confident this is not a core competency of your business, so avoid getting into these types of disputes with consumers.
- Monitor what’s going on with this issue. As recently as this past November, the EU has asked Google to implement its deletion techniques in its worldwide databases and not just on sites with EU-oriented front ends. The right to be forgotten is a global one, and surely other countries will catch on to the phenomenon. Do not be caught flat footed.