There are two rights issues that stoke the flames in the heart of European Commission Vice President and Justice Commissioner Viviane Reding. One is something she's dubbed the "right to be forgotten:" the ability for an individual to tell an online collector of personal data to destroy its data about her. The other involves the rights of the media to express itself freely, an issue that Europe could not ignore during last week's SOPA protests.
But what about when those two rights collide, when personal data is being collected by a source that qualifies as the media, can that person still ask to be forgotten? In a speech at a conference in Munich last Sunday night, a preview of a draft of new E.U. data protection legislation to be formally introduced tomorrow, Comm. Reding said this quite clearly: "The right to be forgotten is, of course, not an absolute right."
"There are cases where there is a legitimate and legally justified interest to keep data in a database," Reding told attendees of Germany's Digital / Life / Design conference. "The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media. The new E.U. rules will include explicit provisions that ensure the respect of freedom of expression and information."
You'd think these freedoms were the same
That pairing of freedom of expression with freedom of information will be acutely important for anyone wanting to know where the loopholes could lie for data collecting resources. The E.U. perceives any company that does business within its boundaries as subject to its own existing and future data protection laws. As Reding says she will propose tomorrow, the next wave of those laws will prevent any Web site anywhere from collecting data on a citizen of an E.U. member state without express consent given by that person. (Though earlier on, it appeared that consent might have to be given each and every time it happens, it now appears that legislation won't be that harsh, enabling a site to simply announce that data collection is happening and remind the user that she's consented to it already.) The two biggest entities that could be affected by such new laws could be Google, which uses DoubleClick's behavioral ad targeting system; and Facebook.
But a growing plurality of Web users perceive Google and Facebook as the media, or as "new media." They are the two biggest aggregators of news content on the Web; and when individuals are asked where they get their news from online, rather than answering with CNN or Huffington Post or ReadWriteWeb, they say Google and/or Facebook. During last week's SOPA protests, Google and Facebook aligned themselves with the protestors in the name of preserving free media, a move which European legislators evidently perceive as successful.
If the new data protection law is to have a loophole protecting what the Internet perceives as media, then that loophole could be huge enough to drive an entire global network through. If, on the other hand, the law ends up being crafted to protect essentially newspapers which Web users perceive as the "old media," then the very existence of that loophole could spark a new wave of popular opposition, especially in the wake of the ongoing News of the World scandal.
"I will never compromise in the fight for the fundamental rights of freedom of expression and freedom of the media," stated Comm. Reding. "This also holds true in the field of data protection, which is another important fundamental right, but not an absolute one."
Do you know where your DPO is?
In a speech last November, Reding implied that data protection rules might not only suggest, but compel, companies doing business online to hire exclusive "data protection officers," individuals answerable for how a company manages personal data it does collect from customers. A partial draft of the proposed legislation circulating this week indicate that companies with 250 officers or more must appoint someone to that position. The extent to which the EC perceives such a requirement to apply to U.S. or other foreign companies is indicated elsewhere in the same draft, which effectively renders the U.S. Patriot Act null and void inside E.U. boundaries. American law enforcement authorities could not investigate data belonging to citizens of E.U. member states through their ISPs.
Google and Facebook already have officers who serve in this capacity. Other U.S. companies may be asked to comply, in an arm-wrestling match between E.U. data protection law and U.S. anti-terrorism law. However, if those companies also serve as media entities, then E.U. law might have to be structured in such a way that the companies' "media divisions" would be exempt from having to answer to these particular officers or follow data protection policy.
The reasons Facebook and Google collect this data in the first place is to better determine what their users read. Both companies have a keen interest in establishing themselves as identity brokers, not only authenticating their own users, but users of other sites as well. If these entities continue to represent "new media," not just in the public's mind but for legislators as well, they could end up getting by with a free pass.