In Judaism, One Must Work for the Right to Be Forgotten
With the Jewish High Holidays around the corner, researcher Dov Greenbaum considers the process of Teshuva (repentance) and earning a digital clean slate courtesy of the GDPR
Europe, in contrast, has created a relatively straightforward path to being forgotten: a chance to literally erase past sins, which in some jurisdictions is even known as a right to erasure. This right is a relatively new European concept in the area of privacy, the most recent restatement of which comes principally under the auspices of new continent-wide privacy and security rules, the General Data Protection Regulation (GDPR).
Broadly, under the GDPR, EU member states must grant any individual the right to demand that links to online memories of their failures and fiascos be deleted, without necessarily requiring the individual to prove that they have bettered themselves.
Under this current iteration of the right, through simply filling in a form, past misdeeds can be simply removed from the shared history of the world, i.e., Google. Data suggests that most of these requests are submitted by regular citizens who simply want to limit access to personal and private information that might put them in a bad light.
Regardless of the background of those wishing to be forgotten, whether they are regular citizens, celebrities, or reformed criminals, data controllers like Google typically review the submitted applications and make a decision, often in a less than transparent fashion. Even if Google denies a request, it could still be appealed via the relevant national data protection agency. Problematically, at least for those requests that are initially authorized, it is Google, a private company, that gets to make the determination as to what information remains part of the easily accessible record, and what is no longer part of that record. The judgment as to how you will be metaphorically inscribed often falls to a low-level employee at a large multinational.
Notably, other jurisdictions outside of Europe offer some versions of the right to be forgotten. For example, California has the Minor Eraser Law, which took effect on January 2015. The law requires that internet services allow all users under the age of 18 who reside in California to erase content and information that they post online. This largesse is apropos to Google CEO Eric Schmidt’s 2010 tongue-in-cheek comment that the current generation should be offered the opportunity to change their identity once they turn 18, given how fastidiously their youthful indiscretions are recorded for posterity online.
Back to Europe. Given the season, the European Court of Justice’s (ECJ)most recent ruling on the right to be forgotten seems almost perfectly timed. The case, decided just days before Rosh Hashanah, on September 24, 2019, required the court to determine whether a successful right to be forgotten decision obligates Google to remove undesired web links, known as de-referencing, exclusively in Europe, or on all of Google’s search engine result pages worldwide. Further, the court considered whether Google must automatically remove some particular sensitive information from their search results, regardless of a supporting demand from a potentially affected individual.
Thus, in an unintended homage to our non-trivial process of repentance, the court ruled in a landmark decision that it would not require the global application of the European law, although EU member states are free to elect to do so. As per the ECJ, there is currently no simple path to a divine-like universal clean slate.
Commentators had been particularly fearful of the alternative, a position championed by France, that once Google agreed to take down an offending link, it must make the link inaccessible everywhere. The French position would have effectively allowed everyone to suppress everything negative about them everywhere, limiting the usefulness and effectiveness of a Google search.
Notably, though, the court cabined its decision by requiring Google to include measures “which effectively prevent or, at the very least, seriously discourage” a European-based internet user from circumventing the right to be forgotten by simply going to a site outside of European Jurisdiction. Google had already placed geoblocking technologies that do not allow requests coming from within Europe to access the non-European versions of the disavowed links, but in the end, that might not be sufficient, given the many simple workarounds.
Even with these new judicial limitations, the application of the right to be forgotten will continue to keep Google and other search engines busy. Google has had to remove millions of links stemming from hundreds of thousands of requests.
One could easily imagine how such requests could be used strategically or as a retaliatory effort against a search engine, without any underlying substance, as has been proposed via another onerous component of the GDPR, the data access request.
Further, even with this confined scope of the law, the right to be forgotten, as well as other aspects of the GDPR, still have to be balanced with free speech and data access rights.
This need for balance predates the GDPR version of the right to be forgotten, harkening back to a 2014 ruling of the ECJ which itself was based on a 1995 European Data Protection Directive. And, even now, under the current legal framework, the right to be forgotten can be viewed as an established human right, that has limits that ostensibly are designed to restrict its ability to trump other rights.
However, in practice, the right to be forgotten’ s balancing seems to be often more honored in the breach than in the observance. Empirical data has shown that people tend to be overzealous in asking databases such as Google to remove content. And, depending on the jurisdiction, it can also be relatively easy to use the blunt force of GDPR enforcement fines to hide past wrongdoings.
It would be interesting to see how far these rights can be pushed. For example, can someone employ the right to be forgotten to delete links to deep fake videos, text, and images? Are the fakes in those videos legally considered to be the relevant data subjects, in GDPR parlance, who are protected under the right to be forgotten? Would applying the right to be forgotten to fake representations of yourself effectively grant you a de facto right of publicity in yourself?
Finally, the recent ruling regarding the right to be forgotten seems to relate only to the search engine references to the underlying data held on another website. Thus, even if you successfully petition Google to remove offending content from their search pages, the source of that content still remains online via direct access, and accessible outside of EU member states even via search engines. In contrast, in Judaism, true repentance grants a total wipe, with all references of the offense universally and completely removed from all the books. Shana Tova.
Dov Greenbaum, JD PhD, is the director of the Zvi Meitar Institute for Legal Implications of Emerging Technologies and Professor at the Harry Radzyner Law School, both at the Interdisciplinary Center (IDC) Herzliya.