Robert Post (Yale Law School) has posted Data Privacy and Dignitary Privacy: Google Spain, the Right to Be Forgotten, and the Construction of the Public Sphere (Duke Law Journal, Forthcoming) on SSRN. Here is the abstract:
In 2014, the decision of the European Court of Justice in Google Spain SL v. Agencia Española de Protección de Datos (“Google Spain”) set off a firestorm by holding that the fair information practices set forth in EU Directive 95/46/EC, which is probably the most influential data privacy text in the world, require that Google remove from search results links to websites containing true information on the grounds that persons possess a “right to be forgotten.” As a result of Google Spain, Google has processed 703,910 requests to remove 1,948,737 URLs from its search engine, and some 43.2% of these URLs have been erased from searches made under the name of the person requesting removal. The world-wide influence of Google Spain is likely to become even greater when the EU promulgates it General Data Protection Regulation (“GDPR”) in 2018.
At stake in Google Spain were both privacy values and freedom of expression values. Google Spain inadequately analyzes both. With regard to the latter, Google Spain fails to recognize that the circulation of texts of common interest among strangers makes possible the emergence of a “public” capable of forming “public opinion.” The creation of public opinion is essential for democratic self-governance and is a central purpose for protecting freedom of expression. As the rise of American newspapers in the 19th and 20th Century demonstrates, the press establishes the public sphere by creating a structure of communication that is independent of the content of any particular news story. Google underwrites the virtual public sphere by creating an analogous structure of communication.
With regard to privacy values, EU law, like the law of many nations, recognizes two distinct forms of privacy. The first is data privacy, which is protected by Article 8 of the Charter of Fundamental Rights of the European Union. Data privacy is safeguarded by fair information practices designed to ensure (among other things) that personal data is used only for the specified purposes for which it has been legally gathered. Data privacy operates according to an instrumental logic, and it applies whenever personal information is processed. Its object is ensure that persons retain “control” over their personal data. Google Spain interprets the Directive to give persons a right to have their personal data “forgotten” or erased whenever it is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine.” It is not necessary to show that the processing of such data will cause harm.
In contrast to data privacy, Article 7 of the Charter of Fundamental Rights of the European Union is entitled “Respect for Family and Private Life.” Article 7 should be interpreted analogously to how the European Court of Human Rights interprets Article 8 of the European Convention. Article 7 of the Charter therefore protects the dignity of persons by regulating inappropriate communications that threaten to degrade, humiliate or mortify them. The privacy at issue in Article 7 follows a normative logic that tracks harms to personality caused by violations of civility rules. Article 7 protects the same privacy values as those safeguarded by the American tort of public disclosure of private facts. It protects what we may call “dignitary privacy.” Throughout the world, courts protect dignitary privacy by balancing the harm a communication may cause to the integrity of a person against the importance the communication may have to the public discourse necessary for democratic self-government.
The instrumental logic of data privacy is inapplicable to public discourse, which is why both the Directive and GDPR categorically exempt journalistic activities from the reach of fair information practices. The communicative action characteristic of the public sphere is made up of intersubjective dialogue, which is antithetical both to the instrumental rationality of data privacy and to its aspiration to ensure individual control of personal information. It was therefore a mistake for Google Spain to apply the fair information practices of the Directive to the Google search engine.
But the Google Spain opinion also glancingly mentions Article 7, and in the end the opinion creates doctrinal rules that are inconsistent with the Directive and roughly reminiscent of those used to protect dignitary privacy. The Google Spain opinion is thus deeply confused about the kind of privacy it wishes to protect. The opinion is pushed in the direction of dignitary privacy because courts have for more than a century sought to impose the values of dignitary privacy on both public discourse and the press. Although the normative logic of dignitary privacy is in tension with freedom of expression, because it limits what can be said, it is not ultimately incompatible with a right to freedom of expression insofar as that right seeks to foster democratic self-government. Public discourse cannot become an effective instrument of self-governance without a modicum of civility.
The Google Spain decision recognizes dignitary privacy only in a rudimentary and unsatisfactory way. It inadequately theorizes both the harm a Google link might cause and the contribution a link might make to public discourse. If it had more clearly applied the doctrine of dignitary privacy, moreover, Google Spain would not have held that the right to be forgotten should apply to Google and not necessarily to the underlying websites to which the Google search engine creates links. Google Spain would not have outsourced the enforcement of the right to be forgotten to a private corporation like Google. Only government agencies are authorized to determine the balance between civility and freedom appropriate for these underlying websites.
Highly recommended. Download it while it's hot!