EU Court Backs “The Right to Be Forgotten” Online: Each week, Educating Modern Learners will pick one interesting current event – whether it’s news about education, technology, politics, business, science, or culture – and help put it in context for school leaders, explaining why the news matters and how it might affect teaching and learning (in the short or in the long run). We’re not always going to pick the biggest headline of the week to discuss; the application to education might not be immediately apparent. But hopefully we can provide a unique lens through which to look at news stories and to consider how our world is changing (and how schools need to change as well). This week (the week of May 12), Audrey Watters looks at a ruling by the Court of Justice of the European Union that says Google must honor people’s “right to be forgotten.”
The European Union’s highest court, the Court of Justice, ruled on Tuesday that Google must comply with the EU Data Protection Directive and remove links that contain “inadequate, irrelevant or no longer relevant” data from its search results if and when an individual requests it.
The ruling comes in a 2010 case brought again Google by a Spanish man, Mario Costeja González, who demanded Google remove from search results links to an auction notice for his home, repossessed to cover his social security debts at the time. Costeja González contended that, as the home had since been auctioned and his debts paid, the information should no longer come up when his name was searched on Google.
The EU high court agreed.
Privacy Law in the EU
The European Union has long had fairly strict privacy laws (although data privacy is a growing concern elsewhere, even in the United States). The “right to privacy” there is governed in part by the EU Data Protection Directive, adopted in 1995, which regulates the possession of personal data within the European Union. The law covers “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” This can include physical addresses, banking information, political and religious affiliation, and so on. When a company gathers this data in the EU, it must inform an individual it is doing so.
Furthermore, an individual has the right to access all the data that is collected and processed about her or him. “The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn’t being processed in compliance with the data protection rules.”
The EU Court of Justice ruled in this case that the data about Costeja González was out-of-date and needed to be removed — interestingly and importantly, from Google and not from the newspaper where the auction notice was originally posted.
What are the Implications for Google (and the Web)?
While Tuesday’s ruling was meant to preserve the privacy and integrity of individuals in the EU, it’s not clear how the ruling will work technologically. Indeed, the court observed that one of the features of the Web is that it’s difficult to identify a legal jurisdiction for digital materials:
Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.
As the EFF (Electronic Frontier Foundation) writes in its response to the decision, “In other words, the Internet’s ability to route around censorship is a reason why the court doubled down on local censorship, rather than come to a decision that accommodates that fact.”
It remains unclear how the request and deletion process will work in practice (although Google says it plans to launch a link removal tool by the end of the month). It is not always straightforward to determine what data is “accurate” or “out-of-date” or “incomplete,” nor is it clear the precise point when data moves from being “embarrassing” to “damaging.” How much of a website would need to be “inaccurate” before it was taken down? How might this impact other information on that same site? How will fraudulent claims about accuracy be policed? Who will benefit most? And who will this ruling most likely hurt?
The EU court did say that there should be a “balancing public interest defense against deletion, especially if the individual is involved in public life.” But again, the method by which the court will balance the rights of the public and the private individual is just not clear here.
What are the Implications for Schools?
As we have noted several times here at EML, questions about data collection and privacy are being raised more and more frequently with schools, particularly as schools are being asked in turn to become more “data-driven” themselves, to make instructional and administrative decisions based on data collection and analysis.
The EU decision, while lauded by some groups and decried by others, does raise plenty of questions about the ways in which students’ right to privacy could be shaped (and reshaped) by changing technologies and policies. What right do students (and their parents) have to correct incorrect data? What right do students have to have records removed? How long do schools (and third party providers that schools work with) get to retain student data?
How do we balance the public’s rights to access data with private rights surrounding education data?
Image credits: Kate Ter Haar