p ratt’s privacy -...
TRANSCRIPT
Privacy & cybersecurity
LawRepoRt
sePteMber 2020
VOL. 6 • NO. 7
AN A.S. PrAtt PubLicAtiON
P r a t t ’ s
S
EditOr’S NOtE: PriVAcy ANd cOVid-19 Victoria prussen Spears
cONgrESS iNtrOducES twO PriVAcy biLL tO rEguLAtE cOVid-19 rELAtEd dAtA J.C. Boggs, phyllis B. Sumner, Scott Ferber, and Michael Dohmann
E bEyONd bOrdErS: cOVid-19 HigHLigHtS tHE POtENtiAL widESPrEAd imPAct Of tH iLLiNOiS biOmEtric iNfOrmAtiON PriVAcy act p. Russell perdew, taylor Levesque, andBrandan Montminy
cON tAct-trAciNg APPS: A dELicAtEbALANciNg Act Of wOrkPLAcE SAfEty ANd PriVAcy rigHtS Scott Ferber, Michael W. Johnston, phyllis B. Sumner, Benjamin K. Jordan, and Bailey J. Langner
tHE rigHt tO bE fOrgOttEN iN tHE uNitEd states – Part ii C. W. Von Bergen, Martin S. Bressler, andCody Bogard
tHE SEc’S cybErSEcurity ENfOrcEmENt APPrOAcH: wHAt fiNANciAL firmS NEEd tO kNOw elizabeth p. Gray and Nicholas Chanin
PriVAcy triAgE: fiVE tiPS tO idENtify kEy PriVAcy riSkS Of NEw PrOductS ANd services Alexander B. Reynolds
pR
At
t’S
Pr
iva
cy
& c
yb
er
se
cu
rit
y L
aw
Re
po
Rt
se
Pt
eM
be
r2
02
0v
oL
. 6 •
NO
. 7
Pratt’s Privacy & CybersecurityLaw Report
Editor’s Note: Privacy and COVID-19 Victoria Prussen Spears
Congress Introduces Two Privacy Bills to Regulate COVID-19 Related DataJ.C. Boggs, Phyllis B. Sumner, Scott Ferber, and Michael Dohmann
Beyond Borders: COVID-19 Highlights the Potential Widespread Impact of the Illinois Biometric Information Privacy ActP. Russell Perdew, Taylor Levesque, and Brandan Montminy
Contact-Tracing Apps: A Delicate Balancing Act of Workplace Safety and Privacy Rights Scott Ferber, Michael W. Johnston, Phyllis B. Sumner, Benjamin K. Jordan, and Bailey J. Langner
The Right to Be Forgotten in the United States – Part IIC. W. Von Bergen, Martin S. Bressler, and Cody Bogard
The SEC’s Cybersecurity Enforcement Approach: What Financial Firms Need to KnowElizabeth P. Gray and Nicholas Chanin
Privacy Triage: Five Tips to Identify Key Privacy Risks of New Products and ServicesAlexander B. Reynolds
201
NUMBER 7 SEPTEMBER 2020VOLUME 6
227
223
215
211
208
203
QUESTIONS ABOUT THIS PUBLICATION?
For questions about the Editorial Content appearing in these volumes or reprint permission, please contact:Deneil C. Targowski at ....................................................................................................... 908-673-3380Email: .............................................................................................. [email protected] assistance with replacement pages, shipments, billing or other customer service matters, please call:
Customer Services Department at .............................................................................. (800) 833-9844Outside the United States and Canada, please call .................................................. (518) 487-3385Fax Number ....................................................................................................................... (800) 828-8341Customer Service Web site ................................................................... http://www.lexisnexis.com/custserv/For information on other Matthew Bender publications, please call
Your account manager or ............................................................................................... (800) 223-1940Outside the United States and Canada, please call ......................................................... (937) 247-0293
ISBN: 978-1-6328-3362-4 (print) ISBN: 978-1-6328-3363-1 (eBook)
ISSN: 2380-4785 (Print) ISSN: 2380-4823 (Online)
Cite this publication as: [author name], [article title], [vol. no.] PRATT’S PRIVACY &CYBERSECURITY LAW REPORT [page number](LexisNexis A.S. Pratt); Laura Clark Fey and Jeff Johnson, Shielding Personal Information in eDiscovery, [5] PRATT’S PRIVACY & CYBERSECURITY LAW REPORT [245] (LexisNexis A.S. Pratt)
This publication is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought.LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license.A.S. Pratt is a trademark of Reed Elsevier Properties SA, used under license.
Copyright © 2020 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights Reserved.No copyright is claimed by LexisNexis, Matthew Bender & Company, Inc., or Reed Elsevier Properties SA, in the text of statutes, regulations, and excerpts from court opinions quoted within this work. Permission to copy material may be licensed for a fee from the Copyright Clearance Center, 222 Rosewood Drive, Danvers, Mass. 01923, telephone (978) 750-8400.
An A.S. Pratt Publication Editorial
Editorial Offices 630 Central Ave., New Providence, NJ 07974 (908) 464-6800 201 Mission St., San Francisco, CA 94105-1831 (415) 908-3200 www.lexisnexis.com
(2020–Pub. 4939)
Editor-in-Chief, Editor & Board of Editors
EDITOR-IN-CHIEFSteven A. Meyerowitz
President, Meyerowitz Communications Inc.
EDITORvictoriA PruSSen SPeArS
Senior Vice President, Meyerowitz Communications Inc.
BOARD OF EDITORS
eMilio w. cividAneS
Partner, Venable LLPchriStoPher G. cwAlinA
Partner, Holland & Knight LLPrichArd d. hArriS
Partner, Day Pitney LLPJAy d. KeniSberG
Senior Counsel, Rivkin Radler LLPdAvid c. lAShwAy
Partner, Baker & McKenzie LLPcrAiG A. newMAn
Partner, Patterson Belknap Webb & Tyler LLPAlAn chArleS rAul
Partner, Sidley Austin LLPrAndi SinGer
Partner, Weil, Gotshal & Manges LLPJohn P. toMASzewSKi
Senior Counsel, Seyfarth Shaw LLPtodd G. vAre
Partner, Barnes & Thornburg LLPthoMAS F. zych
Partner, Thompson Hine
iii
Pratt’s Privacy & Cybersecurity Law Report is published nine times a year by Matthew Bender & Company, Inc. Periodicals Postage Paid at Washington, D.C., and at additional mailing offices. Copyright 2020 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. No part of this journal may be reproduced in any form—by microfilm, xerography, or otherwise—or incorporated into any information retrieval system without the written permission of the copyright owner. For customer support, please contact LexisNexis Matthew Bender, 1275 Broadway, Albany, NY 12204 or e-mail [email protected]. Direct any editorial inquires and send any material for publication to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., 26910 Grand Central Parkway Suite 18R, Floral Park, New York 11005, [email protected], 646.539.8300. Material for publication is welcomed—articles, decisions, or other items of interest to lawyers and law firms, in-house counsel, government lawyers, senior business executives, and anyone interested in privacy and cybersecurity related issues and legal developments. This publication is designed to be accurate and authoritative, but neither the publisher nor the authors are rendering legal, accounting, or other professional services in this publication. If legal or other expert advice is desired, retain the services of an appropriate professional. The articles and columns reflect only the present considerations and views of the authors and do not necessarily reflect those of the firms or organizations with which they are affiliated, any of the former or present clients of the authors or their firms or organizations, or the editors or publisher.
POSTMASTER: Send address changes to Pratt’s Privacy & Cybersecurity Law Report, LexisNexis Matthew Bender, 630 Central Ave., New Providence, NJ 07974.
iv
215
* C. W. “Von” Von Bergen, Ph.D., is the John Massey Professor of Management at Southeastern Oklahoma State University. Martin S. Bressler, Ed.D., is the John Massey Professor of Entrepreneurship at the university. Cody Bogard, J.D., is an assistant professor of business law at the university. The authors can be reached at [email protected], [email protected], and [email protected], respectively. The Footnotes in this article are continued from Part I.
49 California Consumer Privacy Act of 2018. Assembly Bill No. 375, California Civil Code § 1798.100 (2018).
50 Id.
The General Data Protection Regulation (“GDPR”) is a European Union-wide law on data protection and privacy that applies to European Union citizens and organizations based outside the EU that offer goods or services to European Union residents, monitor their behavior, or process their data. Article 17 of the regulation looks at the right to be forgotten, otherwise known as erasure, delisting, or de-referencing. This and similar legislative initiatives are increasingly inducing some in the United States to implement similar data protection plans; however, such initiatives may conflict with the First Amendment. The first part of this two-part article, which appeared in the July-August 2020 issue of Pratt’s Privacy & Cybersecurity Law Report, discussed the history on the right to be forgotten, the applicability of the GDPR to the issue, and concerns about personal data privacy. This second part of the article discusses privacy initiatives and legislation in the United States, and the right to be forgotten and the First Amendment.
PRIVACY INITIATIVES IN THE UNITED STATES
The California Consumer Privacy Act of 2018
California passed a data privacy law – the California Consumer Privacy Act of 2018 (“CCPA”)49 – that replicates many of the GDPR principles, like rights to access and deletion of personal data. The state law, which now is in effect, is aimed at giving consumers more control over how companies collect and manage their personal information. The CCPA establishes a legal and enforceable right of privacy for every Californian:50
• Requires businesses to make disclosures about the collection of personal information, the categories of personal information collected, the purposes for collecting and selling personal information, and the categories of third parties with which personal information is shared;
• Authorizes consumers to opt-out of having their personal information sold by a business while prohibiting that business from discriminating against the consumer for exercising this right;
By C. W. Von Bergen, Martin S. Bressler, and Cody Bogard
The Right to Be Forgotten in the United States: Part II
Pratt’s Privacy & Cybersecurity Law Report
216
51 Id. 52 Privacy Rights for Minors in the Digital World, CALIFORNIA SENATE BILL 568 (2013).53 New York State Assembly, A05323 Summary. (Nov. 29, 2019), https://nyassembly.gov/leg/?
default.fld=&leg.video=&bn=A05323&term=2017&Summary=Y&Actions=Y&Committee% 2526nbspVotes=Y&Text=Y.
54 Id.
• Authorizes businesses to offer financial incentives for the collection of personal information;
• Prohibits businesses from selling the personal information of consumers under the age of 16 years; and
• Requires data breach notification.
Furthermore, under the CCPA, all companies that serve California residents and have at least $25 million in annual revenue must comply with the law. Also, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data, also fall under the law. Companies do not have to be based in California or have a physical presence there to fall under the law. They do not even have to be based in the United States. These companies are required to let California consumers view the data they have collected on them, request the deletion of data, and opt-out of having the data sold to third parties. Each violation carries a $7,500 fine on big companies that fail to disclose data collection practices or to receive users’ permission to sell their information.51
OTHER PRIVACY LEGISLATION
California Senate Bill 568 Privacy: Internet minors52 requires “the operator of an Internet website, online service, online application, or mobile application to permit a minor, who is a registered user of the operator’s Internet website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s Internet website, service, or application by the minor.” As written, the law is about giving a specific group, prone to unwise decisions, the ability to delete information they do not like. In this, it comes very close to the European Union’s proposed right to be forgotten. The most probable side effect of this is that companies will start to make users of their site, service, or application verify that they are 18 years of age or older before the company allows the use of its product. This will have a two-fold effect. Either the adolescents will lie about their age, thus negating the “actual knowledge” requirement of the bill, or they will not use the product.
Other states are similarly adopting data privacy laws, and the varying state law regulations may prove more difficult for industry compliance than one comprehensive federal law. For example, the New York State Assembly53 has come nearest to an American version of a right to be forgotten. The bill, A05323,54 in large part, mimics the
The Right to be Forgotten in the U.S.: Pt II
217
55 Removemymugshot.com, https://removemymugshot.org/updated-comprehensive-list-mugshot-removal-laws-state-state/.
56 Chad Brooks, Best online Reputation Management Services 2019. BUSINESS DAILY NEWS (Nov. 29, 2019), https://www.businessnewsdaily.com/7901-best-reputation-management-services.html.
57 Matthew Ingram, Twitter just implemented its own “right to be forgotten” for politicians’ tweets. FORTUNE (Dec. 4, 2019), https://www.fortune.com/2015/08/24/twitter-right-to-be-forgotten/.
58 Mariel Alper, Matthew R. Durose, & Joshua Markham, Update on Prisoner Recidivism: A 9-Year Follow-Up Period (2005-2014. U.S. DEPARTMENT OF JUSTICE (Nov. 29, 2019), https://www.bjs.gov/content/pub/pdf/18upr9yfup0514.pdf.
59 C. W. Von Bergen & Martin S. Bressler, Ban the Box: Protecting Employer Rights While Improving Opportunities for Ex-offender Job Seekers. 42(1) EMPLOYEE RELATIONS LAW JOURNAL, 26-50, (2016).
European Union’s right to erasure. The bill requires search engines, indexers, publishers and any other persons or entities which make available, on or through the Internet or other widely used computer-based network, program or service, information about an individual to remove such information, upon the request of the individual, within 30 days of such request. The Assembly’s government operations committee is currently reviewing the legislation for the second time.
Several U.S. states also have enacted legislation to combat mugshot websites.55 Although jail booking mugshots are a staple of news reporting and are generally publicly available, some state legislatures have objected to websites that post mugshots for entertainment or charge the subjects of the mugshots a fee to have them removed. Additionally, a cottage industry of reputation management services has sprung up.56 For a fee, these businesses will assist individuals in improving their online profiles by taking measures to drive negative results lower in search-engine lists related to their names. Moreover, the micro-blogging site Twitter57 instituted its version of the right to be forgotten for politicians’ deleted tweets. Twitter shut down the account of “politiwoops,” a widespread handle that preserved politicians’ deleted tweets. Twitter’s rationale was that politicians’ free speech rights included the right to delete their messages and not have those tweets still appear on Twitter, under another account.
Relatedly, there seems to be increased attention on issues concerned with ex-offenders. Studies58 find that the stigma of an arrest, criminal conviction, or incarceration in prison all act to reduce a person’s earnings in the labor force, which is salient when one considers that unemployment or a low wage amplifies criminal activity generally, and criminal recidivism specifically. Moreover, with the Internet today, people who may have committed a crime a few years ago now find that it is the only thing they are known for and effectively defines their life.
This has resulted in increased calls for criminal justice reform. One such initiative that has gained popularity and becoming somewhat of a national crusade is the so-called ban-the-box (or fair chance) laws that have been adopted by over 100 jurisdictions.59
Pratt’s Privacy & Cybersecurity Law Report
218
60 Chris Baraniuk, Tim Cook Blasts ‘Weaponisation’ of Personal Data and Praises GDPR, BBC NEWS (Nov. 29, 2019), https://www.bbc.com/news/technology-45963935.
61 Justin Jaffe & Laura Hautala, What the GDPR Means for Facebook, the EU, and You. CNET (Nov. 29, 2019), https://www.cnet.com/how-to/what-gdpr-means-for-facebook-google-the-eu-us-and-you/.
62 Martin v. Hearst, 777 F.3d 546 (2d Cir. 2015).
Governmental entities and officials and advocates have promoted these regulations for ex-offenders (e.g., All of Us or None) and involve removing inquiries about criminal history from preliminary job applications and encouraging employers to consider applicants based on their qualifications first and their conviction history second. It is anticipated that there will be increased calls for limiting information found on the world wide web for ex-offenders.
It appears that many technology company executives are similarly beginning to recognize the benefits of having strict data privacy laws. Tim Cook, Apple’s chief executive officer, recently praised the GDPR and suggested that the U.S. implement a stronger privacy law, explicitly noting that “We at Apple are in full support of a comprehensive federal privacy law in the United States.”60 Mark Zuckerberg, Facebook’s CEO, similarly stated: “I think the GDPR, in general, is going to be a very positive step for the Internet.”61 If these large technology players have the power to incentivize Congress to implement legislation, it appears that the U.S. may be moving toward a comprehensive federal data privacy regulation.
These actions suggest that U.S. citizens should also be able to keep their past histories private under certain conditions. In short, they suggest the right to be forgotten – the idea that one should have the right to privacy of one’s past and have some legal remedy should that past be revealed – exists not only in the EU but may in time also apply in America and may eventually become part of U.S. federal law.
NOT SO FAST IMPLEMENTING THE RIGHT TO BE FORGOTTEN IN THE UNITED STATES: THE FIRST AMENDMENT
The right to be forgotten is a legal concept recognized in the European Union and other parts of the world but a concept foreign and contrary to established First Amendment principles in the United States. The push for the right to be forgotten comes from the idea that one’s prior misdeeds or acts of bad judgment should not come up on Google searches or other online search engines forever, and that individuals ought to have the ability to remove negative references. This concept places tension between privacy and free expression.
The decision by the U.S. Court of Appeals for the Second Circuit in Martin v. Hearst Corporation is instructive.62 In that decision, Lorraine Martin was arrested along with her two sons on drug charges. News articles appeared online about Martin’s arrest. The state declined to prosecute Martin and she had the arrest removed from her record pursuant to the state’s Criminal Records Erasure Statute. Because her arrest had been expunged,
219
The Right to be Forgotten in the U.S.: Pt II
63 Id.64 Florida Star v. B.J.F., 491 U.S. 524 (1989).65 Id.66 First National Bank of Boston v. Bellotti, 435 U.S. 765 (1978).67 The First Amendment: Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
68 Florida Star, supra n. 64.
Martin asked the news media to remove the articles, which she considered false and defamatory. The news media corporation refused, and Martin sued for defamation. A federal district court rejected Martin’s claims. On appeal, the Second Circuit affirmed, reasoning that the erasure law “does not render historically accurate news accounts of an arrest tortious merely because the defendant is later deemed as a matter of legal fiction never to have been arrested.”63 The court’s decisions show that there is no recognized claim for a right to be forgotten and forcing service providers to remove material from the Internet generally would constitute an impermissible form of compelled speech under the First Amendment.
In 1989, the U.S. Supreme Court rendered a decision in the case of The Florida Star v. BJF64 where it stated, “We do not hold that truthful publication is automatically constitutionally protected, or that there is no zone of personal privacy within which the State may protect the individual from intrusion by the press, or even that a State may never punish publication of the name of a victim of a sexual offense. We hold only that where a newspaper publishes truthful information which it has lawfully obtained, punishment may lawfully be imposed, if at all, only when narrowly tailored to a state interest of the highest order.”65 This case did indeed concern a newspaper, and that newspaper was publishing police reports, but the holding is still relevant U.S. case law. It is not a stretch to extend its relevance to online publications. This would mean that if the information is truthful, search engines that contained information that revealed past facts about an individual cannot be sued.
The Supreme Court in 1978 rendered an equally compelling holding in the case of First National Bank of Boston v. Bellotti,66 where it interpreted what the First Amendment67 means regarding the right to be forgotten here in the U.S. before the concept had even been considered. The Court stated, “[T]he First Amendment goes beyond protection of the press and the self-expression . . . of individuals to prohibit government from limiting the stock of information from which members of the public may draw.”68 Taken at its most literal interpretation possible, and without qualification, this means that any law that would prohibit people from accessing any information possible would be in direct violation of one of Americas most fundamental rights – free speech.
In the United States, a right to de-reference publicly available information on data protection grounds would be unconstitutional: the First Amendment to the U.S. Constitution guarantees the right of people to publish information on matters of public
Pratt’s Privacy & Cybersecurity Law Report
220
69 Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979).70 Oklahoma Pub. Co. v. Distr. Court, 430 U.S. 308 (1977).71 Landmark Communications, Inc. v. Virginia, 435 U.S. 829 (1978).72 Bartnicki v. Vopper, 532 U.S. 514 (2001). 73 Langdon v. Google, 474 F. Supp. 2d 622 (D. Del. 2007).74 Court of Justice of the European Union, Judgment in Case C-507/17, Google LLC, successor in law
to Google Inc. v. Commission nationale de l'informatique et des libertés (September 24, 2019).
interest that they acquire legally, even in the face of significant interests relating to the private life of those involved.69 This reasoning extends to those situations where there is a significant governmental interest in maintaining the confidentiality of the information in question,70 where the information concerns judicial procedures,71 and even where the publisher of the information knows that her or his source obtained the information illegally.72 The First Amendment also guarantees the right to receive information, including by means of a search engine.73
SUMMARY AND CONCLUSION
Data privacy has increasingly become a hot-button issue for Americans, especially after recent developments in the EU which recently created the right to be forgotten. Now enshrined in EU law, the right enables citizens and residents of the bloc to demand that a search engine or website delete or unlink personal information they deem obsolete or excessively intrusive, even if true, and even in the absence of a finding of prejudice. Google and other search engines must delink offending webpages from a search of an individual’s name, even if the underlying article or webpage is lawful and remains online. It, in effect, provides a right of curation – enabling individuals to manage their own reputation online, and to avoid having an embarrassing news article, or an arrest on a charge that was later dropped, follow them around throughout their life.
However, the right to be forgotten, which is a centerpiece of the European Union’s Internet privacy laws, was recently limited by The European Court of Justice, Europe’s highest court, which ruled that the right to be forgotten cannot be enforced beyond the European Union.74 The ruling to limit the geographical reach of the right to be forgotten is considered a victory for Google against a French effort to force the company and other search engines to take down links globally.
Nevertheless, the right to be forgotten puts data privacy advocates and free speech advocates in direct conflict with each other. Free speech advocates indicate that the right to be forgotten, in the wrong hands, could allow dictators to rewrite history, and prevent the public record from being complete. Privacy advocates, on the other hand, declare that the right to be forgotten is vital for protecting people from things like revenge porn, or having their names attached to stories about, for example, having been charged with crimes that they were ultimately never convicted of.
221
The Right to be Forgotten in the U.S.: Pt II
75 Index on Censorship, Index Blasts EU Court Ruling on “Right to be Forgotten.” INDEX (Nov. 29, 2019), https://www.indexoncensorship.org/2014/05/index-blasts-eu-court-ruling-right-forgotten/.
76 House of Lords EU Committee, 2nd Report of Session 2014-15. (Nov. 29, 2019), http://www.publications.parliament.uk/pa/ld201415/ldselect/ldeucom/40/40.pdf.
77 Sophie Curtis & Alice Philipson, Wikipedia Founder: EU’s Right to Be Forgotten Is “Deeply Immoral.” THE TELEGRAPH (Nov. 20, 2019), https://www.telegraph.co.uk/technology/wikipedia/11015901/EU-ruling-on-link-removal-deeply-immoral-says-Wikipedia-founder.html.
While the supporters of free speech seem today to hold the upper hand in the U.S., the door is not completely closed to the importation into America of the notion that certain truths may not be set forth by certain entities. California and New York have introduced legislation that would create a version of the EU right to be forgotten law. Such initiatives will face an uphill battle due to the overwhelming influence of the First Amendment. Indeed, U.S. courts have consistently held that the First Amendment’s protections for expression, petition, and assembly necessarily also protect the rights of individuals to gather information to fuel those expressions, petitions, and assemblies. Although there seems little doubt that the courts would hold any such legislation to be unconstitutional, the fact that it has even been introduced illustrates the appeal of limitations on the dissemination of older information, however accurate the data may be.
Even though American lawmakers seem to talk more than act about regulating tech-related topics, their European counterparts have been much more active in protecting employee rights. A few years ago, several European countries implemented the right to disconnect – the right of workers to not respond to employers’ calls, texts, or emails after official work hours – to decrease work-related stress and achieve an enhanced work-life balance. More recently, the EU has implemented the GDPR to help safeguard its citizens’ privacy. One element of this regulation and the topic of this paper involves the right to be forgotten – a rule that gives EU nationals the ability to demand electronic data about them to be deleted or removed from search engines.
Despite its passage, the right to be forgotten is not without its detractors. For instance, the Index on Censorship denounced Google Spain as “akin to marching into a library and forcing it to pulp books.”75 The European Union Committee of the British House of Lords responded to Google Spain by concluding (in bold-faced type) that “the ‘right to be forgotten’ . . . must go. It is misguided in principle and unworkable in practice.”76 Jimmy Wales, the co-founder of Wikipedia, condemned the right to be forgotten as “deeply immoral” because “[h]istory is a human right.”77 Critics of EU data privacy laws claim that requests for information removal could quickly lead to over-censorship through search engine de-linking and Byrum questions how transparent communication
Pratt’s Privacy & Cybersecurity Law Report
222
78 Kristie Byrum, The European Right to Be Forgotten: A Challenge to the United States Constitution’s First Amendment and to Professional Public Relations Ethics. 43(1) PUBLIC RELATIONS REVIEW, 102-111 (2017), at 102.
79 Jeffrey Rose, The Right to be Forgotten. THE ATLANTIC (Nov. 20, 2019), https://www.theatlantic.com/magazine/archive/2012/07/the-right-to-be-forgotten/309044/.
“could occur in an ecosystem that allows for arbitrary information removal and the creation of memory holes.”78
American legal scholar Jeffrey Rosen has observed that Google Spain and the GDPR portend a “titanic clash” with American free speech principles.79 The appeal of erasing certain facts is understandable. But the danger of allowing governmental suppression of truth is real. Nevertheless, the concept of the right to be forgotten appears to be making some inroads in America.