More Crap From the E.U.

Guest post by Jane Yakowitz

Now that the European Union’s member states are flailing around attempting to implement their miserable cookie directive, the European Commission has decided it’s a good time to retard the Internet some more.

Today the European Commission will release an already-leaked new version of the Data Protection Directive which firmly establishes a European right to data erasure, or “right to be forgotten.” Article 17 will give EU residents an unprecedented inalienable right to control and delete facts that were once voluntarily communicated by the subject. Moreover, the right to erasure covers all publications of the personal information. As the preamble explains:

To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that any publicly available copies or replications in websites and search engines should also be deleted by the controller who has made the information public.

The European Commission’s Vice President for Justice has clarified that the data deletion rule applies even to information that the data subject communicates herself on a public web forum like Facebook.

The right to be forgotten supposedly has some limits:

However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for exercising the right of freedom of expression, when required by law, or where there is a reason to restrict the processing of the data instead of erasing them.

But this exception is undermined both by the necessity language (when, exactly, is a single factum “necessary” for history or expression?) and by the downright draconian fines that are imposed for noncompliance. Article 79 instructs EU authorities to collect 1% of an enterprise’s annual revenue in fines for failure to comply with the right to be forgotten.

I am disappointed, but not surprised, to see the EU continue a misguided attack on the information economy. The right to be forgotten unequivocally favors the interests of the data subject, no matter how selfishly motivated, over the interests of data controllers and other consumers. Moreover, by making the right of erasure inalienable, the EU prevents its own citizens from participating in a business model that allows consumers to trade their information for stuff they want—convenience, discounts, or content. EU residents have no unencumbered information to sell.

The popular understanding in U.S. privacy discourse is that the EU does a better job protecting consumers from big corporations than the U.S. On the surface this looks right—after all, the regulations speak almost exclusively of “rights” granted to consumers, and almost exclusively of “obligations” imposed on business entities. But on closer inspection, Europe’s approach to information privacy is more emblematic of a desire to hold technology fixed, as if the amount of information people had about one another just before the advent of the Internet was the right amount for some reason. Sooner or later, the policies motivating the EU Data Protection Directive will prove to be counter-productive and regressive. The negative right against automated processing is a good example:

Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing.

Article 20 gives every EU resident has an absolute right to stop a company from using predictive analytics concerning employment, creditworthiness, or health decisions. (These examples come straight from the text of the new regulations.) This sounds like a good deal for data subjects until one thinks for a moment about who the local losers would be. There are two possibilities. The opt-out might create a market for lemons where the person’s decision to opt out serves as a reliable signal of some sort of problem. This quite obviously cuts against the goals of the opt-out right.  Alternatively, opt-outs will simply muddy the predictive models for everybody. Credit, for example, will be extended to applicants who are slightly more likely to default. The lower income applicants who might have looked more were creditworthy in comparison will pay higher interest rates, if credit is extended at all. Hooray.

Allegedly, one of the motivations for amending the directive is to make consumers feel more comfortable with e-commerce.

Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe.

Complete and utter hogwash. And it’s old hogwash, too. Consumer mistrust and timidity has been trotted out as a threat to e-commerce for as long as there have been public opinion surveys about the Internet. The theory refuses to die despite ample evidence to the contrary.  Now I am not suggesting that everything consumers do is per se good for them; law can and should occasionally force producers and service providers to take precautions that consumers would not choose to pay for if they could help it.  Information asymmetries and optimism bias are among the justifications. But the claim that consumers are shying away from Internet commerce and services does not comport with actual consumer behavior.

Google and other major Internet companies might want to start coordinating a protest similar to the effective campaign we saw here in the states in response to SOPA. If Google makes every person with the first name “John” ungoogleable for a day, and if online retailers refuse to access cookie data for a day, and if content providers double the amount of advertising for a day, pressure can build before the Directive comes to a vote.

For European Internet users, the deal is getting worse all the time. Pray the European Commissioners don’t alter it any further.

 

UPDATED: The draft that was released today is modified from the late November draft I used for my original post. The right to be forgotten is now found in Article 17, the right to object to processing is contained in Articles 19 and 20, and the Article 79 fines have been lowered from 3% to 1% of annual global revenues. I have edited this post accordingly. Here is the current draft.

12 Responses to “More Crap From the E.U.”

  1. The link to the update is not a public site.

  2. [...] This is a guest post from Jane Yakowitz, a visiting law professor at Brooklyn Law School. It originally appeared on Harvard’s Info/Law blog. [...]

  3. Personally, I wish we’d get a “right to be forgotten” law in the US. This is particularly important when it comes to the large data aggregators such as, but not exclusively, Google. There is an enormously important issue. Data aggregators present one of the most extreme privacy problems. You can learn far more about someone by correlating the huge amount of individually insignificant data items with each other.

    The right to be forgotten addresses one small part of this much larger issue — who owns the data about me? I assert that, by and large, I do.

  4. [...] online) is too silly to even contemplate, think again! Following up the topic, Nick points us to a post from Jane Yakowitz, a Visiting Assistant Professor at Brooklyn Law School, on Harvard’s [...]

  5. [...] But Yakowitz argues the limits are undermined by restrictive wording and draconian fines. [...]

  6. [...] But Yakowitz argues the limits are undermined by restrictive wording and draconian fines. [...]

  7. [...] But Yakowitz argues the limits are undermined by restrictive wording and draconian fines. [...]

  8. Yakowitz’s post reminds me of the idea of the synecdoche, the rhetoric figure in which a part is used for the whole; in the same way Yakowitz considers only the right to be forgotten and forgets the other ninety articles of the EU proposal of general regulation on data protection. She also forgets the entire EU legal framework on the protection of individuals (Treaty on Functioning of the European Union) and the historical evolution of data protection in the last thirty years.
    There in no motivation to declare that “the European Commission has decided it’s a good time to retard the Internet some more”. This is not the place to compare the US and the EU legislation, but if we intend to do so a certain number of US political and legislative initiatives with a negative impact on internet should also be noted.
    A high level of protection for individuals does not retard the Internet. Legal scholars know that personal rights are the milestones of a democratic system. If the Internet is part of our life, we must also affirm the rights of individuals in the Internet environment, otherwise the Net will develop into the market for large companies without any rules apart from the maximization of profits.
    How can we be sure that an Internet with lower protection for individuals will work well? People know the value of their data and the value of their privacy; are they interested in entering a world that does not assure high protection in these areas?
    Personal data are the modern currency of Internet, but they must be negotiated and not stolen; to negotiate people need to be informed and to be free to choose; for this reason it is necessary to have a system of legal rules that assure adequate protection.
    The data protection will not retard the Internet, but will create a more secure and transparent context for the user, in the same way as the Brandeis’s right to privacy did not retard the history of the press and the business of the media industries, but induced the media to exercise their power in a more democratic way, respecting individuals.
    We can not forget that the proposal goes far beyond the “right to be forgotten”, giving a uniform regulation, adopting the principles of privacy by default and privacy by design, promoting data portability, introducing the data protection impact assessment process and the data protection officer, etc. It is not possible to describe in a few words the whole scope of the EC proposal and the number of years spent in preparing this new framework, but any opinion on this topic should be expressed after having read the EC proposal and the related documents. In the same way it is necessary to read Article 17 before analyzing the limited aspects of the right to be forgotten.
    From this perspective, it is important to consider that this right is not an “an unprecedented inalienable right to control and delete”, since the Article 12(b) of Directive 95/46/EC provides “the right to obtain from the controller… as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive”.
    We should also consider that the proposal does not recognize an unlimited right to erasure of data, but admits the right to be forgotten only where the retention of the data is not in compliance with the law, when the reasons that legitimate processing are not or no longer existent (the data are no longer necessary in relation to the purposes, the data subject withdraws consent, the storage period has expired, the processing is illegal or does not comply with the law, the data subject exercises the right to object provided by article 19).
    Finally the right to be forgotten does not impact on freedom of expression, which represents an explicit exception, as provided by Article 17(3).
    Undoubtedly the right to be forgotten implies some technical problems related to the erasure of any links to, or copy or replication of personal data, but it is not possible to accept any processing of data which does not comply with legal provisions. In the information age, where a lot of data are available on-line, we can not underestimate the flow of information on the Internet and we must involve in an active role those who disseminate personal information on-line.

  9. [...] More Crap From the E.U. [...]

  10. [...] Yakowitz’s post reminds me of the idea of the synecdoche, the rhetoric figure in which a part is used for the whole; in the same way Yakowitz considers only the right to be forgotten and forgets the other ninety articles of the EU proposal of general regulation on data protection. She also forgets the entire EU legal framework on the protection of individuals (Treaty on Functioning of the European Union) and the historical evolution of data protection in the last thirty years. [...]

  11. [...] Visiting Assistant Professor, Jane Yakowitz of Brooklyn Law School has arguably the strongest opposition to the EU data protection regulation, particularly the ‘Right to be Forgotten’, calling it a “miserable cookie directive.” Yakowitz casts serious doubts over the limits it places on data that won’t be erased if it is necessary for research purposes, freedom of expression or when required by law claiming it is “undermined both by the necessity language and by the downright draconian fines.” She calls for a SOPA and PIPA style protest to raise awareness before the draft is passed into law. [...]

  12. s too silly to even contemplate, think again! Following up the topic, Nick points us to a post from Jane Yakowitz, a Visiting Assistant Professor at Brooklyn Law School, on Harvard’