Humanizing the Digital Age: A Right to Be Forgotten Online? An EU–U.S. Comparative Study of Tomorrow's Privacy in Light of the General Data Protection Regulation and Google Spain v. AEPD

Abstract: Rapid technological developments and globalisation have profoundly changed the way people entrust their personal data to social media websites and search engines. As a result, the European Commission has proposed a General Data Protection Regulation (GDPR), to enhance online privacy rights for the citizens of the European Union. As the GDPR will most likely enter into force in 2016, one of the major extensions from the existing Directive 95/46/EC is the so called right to be forgotten. This implies a right for data subjects to request data controllers to delete all personal data related to them on the Internet, or to remove search results linking to their personal data. The right to be forgotten raised intense discussions in the media on May 13, 2014, when the Court of Justice of the European Union in Google Spain v. AEPD interpreted Directive 95/46/EC as granting EU citizens such a right against search engines. As many EU citizens engage in the daily use of these services provided by U.S. online companies, this paper scrutinizes, in a fashion comparing the EU and the U.S.A, how the differentiating attitudes towards privacy and freedom of expression will challenge the implementation of a right to be forgotten in the EU. This thesis also investigates whether such a right could exist in the U.S.A., given that the freedom of expression historically has prevailed in privacy cases. The right to be forgotten will most likely lead to an enhanced transatlantic clash with regard to personal data protection, and this thesis questions whether the U.S.–EU Safe Harbor Agreement is still viable in the wake of Google Spain v. AEPD and the upcoming GDPR.
This potentially broad conflict is in fact an existing issue within the EU. It is considered in Article 17(3) of the GDPR, where freedom of expression is stated, in a somewhat unspecific manner, as an exception from erasure. EU Commissioner Viviane Reding stated that “there is no right that is absolute. A right always goes as far as it can until it comes in conflict with another right.” The purpose of this thesis is to find out how far a right to be forgotten can be extended before it interferes with freedom of expression. This thesis concludes that the proposed right to be forgotten needs to be narrowed, and that the only feasible extension of such a right appears to be to solely permit deletion of content posted by the data subjects themselves. An application any broader in nature might violate the right of freedom of expression, and risk putting an equal sign between privacy and online censorship. This thesis therefore scrutinizes the great responsibility requirement for websites and search engines, provided for in Article 17(2) of the GDPR and in Google Spain v. AEPD, to hide or delete lawful and legitimate content. One complicating factor is the enforcement process for the proposed right. The process does not appear to be satisfactorily worked out by the European Commission, since erasure of this magnitude will be technically hard to pursue. To humanize the digital age, where a flawless digital memory is the new default and the proposed right to be forgotten appears to be practically hard to enforce, this thesis proposes non-legislative solutions. These alternative solutions, such as best practice agreements, contextualization, and cognitive adjustment, will work to not only protect our digital persona, but will better balance the competing rights of privacy and freedom of expression.