The right to be forgotten – private law enforcement

Abstract

Private law enforcement of the right to be forgotten should be considered in light of the general characteristics of private law. This highlights advantages and limitations, and underlines the need to explicate the actual interests involved in the right to be forgotten. As case law and real-life examples show, enforcement is mostly feasible but may be costly. The right to be forgotten is most effective against large, bona fide corporations. This analysis provides a more realistic view of the possibilities of private law enforcement of newly proclaimed rights.

Keywords:

• enforcement
• private law
• right to be forgotten

1. Introduction

One of the more contested elements of the 2012 EU proposal for a new regulation on data protection is the so-called right to be forgotten (Proposal for a Regulation on data protection 2012). As I will try to show, there are considerable complications with this ‘right’, when seen from the viewpoint of private law. The right to be forgotten appears to be constructed more as an ideal rather than an effective tool for enforcing a desirable state of affairs. The right may not add much to the current legal instruments for removing undesirable personal data. Nonetheless, the introduction of the right to be forgotten may at least provide a coherent ideal in this area and, in incidental cases, additional relief.

For my argument I will start with theoretical considerations, after which I will discuss the obstacles in the practical application of the right to be forgotten. I will use the two general cases as examples to illustrate my reasoning. The argument will be based on general principles of private law that – it is my contention – hold for all Western jurisdictions behind the various divergent specific rules. Sometimes I will refer to specific examples, mostly from Dutch law.

2. General aspects of private law and private remedies

A common critique of European Union legislation in the area of private law is that it is strongly instrumentalist. (cf. Collins 2008, 108–120; extensively Schmid 2010; and more generally Tamanaha 2006). This tendency is explicit in documents such as the Green Paper – Damages actions for breach of the EC antitrust rules.¹ The disagreement between civil lawyers and governance-oriented legislation in effect has ancient roots, and can be traced back to the duality between natural law and positive law (for example, Samuels 2003, 21–35, 65–71) as well as the authority of law professors from the middle ages onwards (for example, Jansen 2010 and Koschaker 1966). The self-image of private law practitioners and scholars is that, although private law can and is formed by decisions from the legislator (state), the material content of private law should rather be decided by private law experts, striving for coherence or systematic structure, with minimal influence of state policy. Although this dichotomy appears to be more a matter of political theory or public law, it is driven by a fact that is not always fully acknowledged – the fact that private law is ill suited to function as an instrument of state governance (cf. Collins 2008, 108–115). To substantiate this statement, we need to highlight several aspects of private law and relate these to the right to be forgotten.

Private law, as it is traditionally known, is often said to fulfil two primary aims: protection of interests (particularly where this is done by rights such as the right to property) and enforcement of contracts (see the general survey in Tjong Tjin Tai 2010, 396–404; and for example Locke 1988, nr. 85 and 134; Smith 1979, 910 (s. V.iii); MacCormick 2007, 228). Although many private law rules have other goals (such as facilitating transactions, providing certainty), it is true that the aforementioned two goals form the core of private law. In this categorisation, the right to be forgotten is a form of protection of interests.

The protection and enforcement that private law provides is provided in individual cases, at the request of specific individuals. The litigation of such cases does not intrinsically serve public policy aims, except insofar as providing individual remedies simultaneously accords with public policy. The advantage of the private law approach is that enforcement is left in the hands of individuals, and is only invoked where this serves the actual interests of the individual in question. Indeed, it would hardly be desirable if the government would sua sponte have to intrude in every case to check for possible infringement of a right, in particular as apparent infringements of bodily integrity or privacy may actually be voluntarily accepted (such as in the case of medical treatment or romantic engagements). Both to keep individual privacy free from unnecessary government intrusion as well for reasons of efficiency² the essential private law reliance on individual claims is desirable.

A major disadvantage of relying on individual claims is that such claims may fail because the costs of litigation is too high, or for other individual reasons, even where there would be a public benefit if certain actions were to be discouraged. Government supervision may in such cases be beneficial as a supplementary safeguard, in particular in cases of large-scale infringement or when the individual victim is unable to actually defend his rights (for example with children). Government supervision can and often does take place outside private law, or is done by government organisations that use private law instruments, which sometimes are tailored to facilitate such supervision, as in the case of private law proceedings by a Consumer Authority.

The traditional view of private law is nowadays challenged by a different approach, which (in Europe) can be found particularly in European Union legislative initiatives, in which private law is considered primarily as a regulatory instrument (Collins 2008, 108–115). According to this approach, the value of private law lies in its fitness to promote policy aims. Admittedly, such aims may be furthered also by creating and enforcing individual rights. However, in the traditional view new rights are implemented by fine-tuning a system of rights in which rules are shaped by balancing interests with a view to coherence. In contrast, the governance approach operates by demanding that the right is effective.³ It is up to the national legislator and courts to realise this effectiveness within the national legal system. It is therefore not the sole availability of private claims in theory that counts, as well as the actual effectiveness of such claims when they are made. This reasoning may lead to making available additional remedies or setting aside inordinate restrictions on claims.

Before closing this general overview, we have to consider another angle. The ‘right to be forgotten’ is a right, but what kind of right? The very act of calling it a ‘right’ implies a protected core. Various authors have discussed the construction of a right to personal data as analogous to a property right (for example, Purtova 2011 and various articles: Schwartz 2004). Provisionally we may follow this approach, which seems to rest primarily on the notion of property as an erga omnes claim against intrusions and concomitant immunity (no changes in legal relations without consent). We should note, however, that property has a positive aspect for the owner, to wit the enjoyment of a thing (for example Penner 1997; also Alexander and Peñalver 2012, referring to the lawyer's view as property involving ‘resources’, a ‘thing’ (Alexander and Peñalver 2012, 2), versus some theorists who focus on the ‘right to exclude’ (Alexander and Peñalver 2012, 3)). Property rights seek to protect this enjoyment. Personal data do not have a positive value as such; the right to be forgotten is a defensive right without a core notion of what it protects (see further Section 3). This is important, as declaring a right is not sufficient for how it turns out in practice: rights are balanced against competing interests, and the underlying interests in the right are weighed in that balancing.

3. The right to be forgotten as a private law right

At first sight, the right to be forgotten seems to be simply another new right that can be assimilated into the existing body of private law. The logical place is within tort law,⁴ as the right can exist without a contractual agreement. In the absence of specific rules, the individual will have to take recourse to tort law and its concomitant remedies. The rules of tort law may – given the need to make the right effective – be supplemented with additional rules for new remedies or for exceptions to the general rules. As we shall see, the proposed right follows this structure. Hence, we should look at the interest harmed, and the remedies that have to be provided.

Within private law, we have a large array of remedies, in particular claims to (specific) performance, damages, injunctions and other interim measures. However, in order for these to be awarded, there must be sufficient justification. The general basis of a claim in tort law is to be found in harm to a certain interest,⁵ which may include the violation of a right.⁶ Such harm is to be balanced against the other interests involved in the case.⁷ The Proposal, cons. 53, explicitly allows for overriding reasons against the right to be forgotten. In particular, art. 80 Proposal provides an exception for media, which allows processing of personal data ‘solely for journalistic purposes or the purpose of artistic or literary expression’. This, in effect, means that in a significant number of cases the right to be forgotten does not apply (Van Hoboken 2012, 127–128).

According to the general rules of private law, a sufficient interest for removing personal data is to be found in significant harm; the mere possibility of fraud, etc., would, in the absence of specific statutory rights, probably be insufficient for obtaining remedies. If we look at the two example cases in particular, the first case may be successful, provided that the non-defamatory material still leads to non-negligible harm. Dutch case law provides several examples, (cf., in general, Pinckaers 1996; also HR 14 June 2013, NJ 2015/112 (Cruijff)) such as psychological harm following publication of a photograph of a kissing couple,⁸ or the interest of famous persons in commercially exploiting their fame.⁹ With the second case, general private law would probably provide insufficient grounds for an action to have data removed. Such an action is to my knowledge only successfully instigated on the basis of specific statutory provisions, in particular (for the Netherlands) in the Wet bescherming persoonsgegevens,¹⁰ which is the implementation of the Data protection Directive (95/46/EC). These provisions¹¹ contain explicit exceptions¹² that give expression to a balance between opposing interests, as determined by the legislator.

So what are the relevant interests? The problem is that the right to be forgotten is still not theorised very well. The interests harmed appear to be more theoretical and immaterial than actually concrete, material (see also more generally Purtova 2011, 43–5]).¹³ We can identify four interests at the basis of the Proposal:¹⁴

1. the fundamental right of control over personal data,¹⁵

2. material damage because of identity fraud,¹⁶

3. immaterial and material damage because of possible risks regarding abuse of data and incorrect or unlawful conclusions on the basis of such data.¹⁷

4. the general diminishing of autonomy because of the existence of uncontrolled personal data.¹⁸

Given the fact that the materially most important of these interests are actually risks,¹⁹ not actualised harm, the weighing of interests is not so much fundamental and right-based²⁰ as based on a balancing of the interests involved: is there a lawful interest in collecting, storing and processing the data, or not? In the former case, the rather intangible interests supposedly protected by the right to be forgotten could easily be overridden, in particular when sufficient safeguards have been installed or when stronger interests rise at the opposing side. For example, the rather stringent right to privacy of Princess Caroline of Monaco²¹ could be overridden when she again becomes the object of relevant contemporary public interest.²²

The possibility of an unsatisfactory balancing act is greater than with the right to property, as the paradigmatic kind of property (real property) is usually not often the subject of a conflicting legitimate interest.²³ Storage and use of personal data, on the other hand, are useful and even unavoidable in today's information society. For these reasons, the right to be forgotten appears intrinsically weaker than a property right.

4. Enforcing the right to be forgotten

It is with respect to enforcement that the right to be forgotten may really come into its own, as the right should be effective in order not to be illusory. However, it is in this area that significant problems arise, even disregarding technical problems. (On which see, among others, the report ENISA 2012. The report also discusses practical problems.) Two example cases may illuminate these problems.

4.1. The first case

The first case involves an individual who wants to remove (non-defamatory) personal information from the internet. In order to do so, he has to know where the data actually is stored, and then approach all relevant parties in order to have the data removed.²⁴ This is no easy task, as the data may be stored all over the world, and the responsible actors may similarly be located anywhere. Even if these actors respond to polite requests, this takes a significant effort. If requests are not followed, legal proceedings become necessary, the costs of which may well be prohibitive, in particular when litigating in numerous jurisdictions (since one usually needs at least one lawyer for each jurisdiction).

Assuming the plaintiff is awarded an order for removing data (and a corresponding injunction), the question is whether the order is followed. The execution of such orders is costly, and may in fact be difficult to achieve in jurisdictions with ineffective judicial systems in this respect. Also, it may seem easy to check whether the order has been complied with (as the data then would no longer be present at its original location), but that is not necessarily true. It is possible that the data can still be found at another part of the website. Furthermore, the data may still be stored on back-ups (ENISA 2012, par. 4.3) a data carrier or in cloud storage, which is practically impossible to prevent. Finally, there remains the possibility that as yet unknown third parties have kept private copies (ENISA 2012, par. 4.2) and that these copies will in the future be put online.

Despite these difficulties, it is by and large feasible to have undesirable data removed from the internet if one is sufficiently persistent,²⁵ in particular when money is no object.²⁶ It should be noted that this mostly applies to cases in which there is only a national interest. If the case involves an internationally well-known person, chances are that infringements are made internationally as well, which may prove much harder to combat.

4.2. The second case

The second case involves an individual who wants to have a company remove his personal data that was obtained from the internet. This case is even more difficult to enforce.

First of all, the individual has to know (and be able to prove) that the company has his personal data stored. Except where the individual has specific access to that company's data storage, it is difficult and costly to obtain such proof, as that would require proceedings to obtain a court order for obtaining evidence. The corresponding costs far exceed what most individuals would pay for such a slight intrusion. Hence, enforcement could only proceed if the individual would not have to bear these costs,²⁷ either because the company freely admits the fact, or because the costs are spread out by collective action or are born by a representative agency. Otherwise he is dependent on government agencies.

Secondly, if proof is available but the company remains unwilling to act, there are significant costs to obtaining a court order. Again, the costs have to be shared or shifted if private enforcement is to be efficacious.

Finally, after obtaining the court order, we meet the same obstacles as with the first case in ensuring actual compliance with the order. These obstacles are higher than in the first case, as the direct harm of a company possessing such data is even more slight than with undesirable information on the internet, hence the costs are not easily justified by the benefit.

4.3. Further considerations

Enforcement therefore is a hazardous enterprise for private citizens.²⁸ Indeed, even for right-holders in the somewhat similar field of IP-rights, enforcement is often difficult and costly to achieve.²⁹ Only if the company complies with its duty to inform the individuals, and is willing to follow individual requests, may the aims of the regulation be fulfilled. Hence, the proposed regulation is only effective in the case of bona fide companies that are willing to cooperate and comply with the law. We should not belittle this achievement, as such companies can still have a major impact on individual lives (e.g. insurance companies, health care, banks, major internet service providers as Facebook and Google). Nonetheless, this has little effect on the more egregious abusers. This conforms to the experiences with the current regulations on privacy.

In fact, the current rules already provide most of the tools to enforce a right to be forgotten on the basis of existing private law (similarly, see Van der Sloot 2012, 254). The right to be forgotten is therefore more symbolic than a major improvement.

An alternative to individual private enforcement is collective action, which might provide a useful supplement to companies who only reluctantly respond to legal pressure. Such collective action may be instigated by private parties, and provides an additional level of protection and enforcement above public law.

Furthermore, the public law route by supervisory entities exists and may be useful on occasion. However, in general, it appears that privacy supervisory agencies are unable to enforce more than a relatively small proportion of the market. As this chapter concerns the private law viewpoint, I will not discuss this further.

These considerations imply a rather limited scope of the right to be forgotten. It appears that the right is easily limited by competing legitimate interests, in particular as there is no clear or traditionally known positive content of the right, in contrast to property rights. Furthermore, even if the right to be forgotten should prevail, it is difficult to enforce. The strength of private law is that it empowers individual citizens, the flip side of this is that it needs to be invoked by individuals. Hence, it only works if there is sufficient individual interest to make the effort of a procedure worthwhile (besides collective claims). We might say that private law appropriately bars trivial claims, hence it ensures that there is a worthwhile case to consider. However, for the right to be forgotten this barrier may be too high for ordinary individuals, and may prohibit action in precisely the kinds of cases that the proposed right is intended to cover.

Nonetheless, we should not be too pessimistic. The right to be forgotten may also be viewed as an important step towards recognition and ultimately proper enforcement of the interests contained in such a right (therefore I agree with authors such as Purtova 2011 and Schwarz 2004).

5. Conclusion

The right to be forgotten appears to be more a symbolic gesture than an actually effective set of rules regarding private law enforcement. Simply stating a right without considering how it can actually be enforced is a political act, which needs legal sophistication to ensure results. Probably the most significant result will be that legitimate large companies are being called out for infringements, while more shady actors are left alone. This is not useless: the activities of Google and Facebook are indeed worrying from the point of view of privacy, and there is some solace in the idea that a specific regulation provides ground for claims towards such companies. In particular, it makes it easier to prove that there is an actual legitimate interest that is harmed and deserves protection, as up to now this might be doubtful. However, we should not forget that existing law already goes a long way to provide a certain amount of protection, and could be developed further to accommodate this new ‘right to be forgotten’.

Conflict of Interest Disclosure

No potential conflict of interest was reported by the author.

ORCID

T.F.E. Tjong Tjin Tai http://orcid.org/0000-0001-7683-1474

Notes

1 COM(2005) 672, 19 December 2005.

2 Hence the need to discourage negligible claims: de minimis non curat praetor.

3 As embodied in the principle of effectiveness, both operative in EU-law (Tridimas 2006, 418–476) and in the case law of the ECHR (for example EHCR 9 October 1979, case 6289/73 (Airey v. Ireland), par. 24). The contemporary ascendance of human rights is therefore not a return to the classic mode of private law reasoning, even though it also involves primarily individual rights.

4 I use this in the neutral sense as the law of non-contractual liability, or law of delict, not in the specific meaning of a category within English law.

5 Cf. art. 2:101 PETL and compare the approach of the BGB in enumerating specific protected interests. In common law, harm is also a requirement for a claim, just like dommage in French law. Art. VI.I:101 DCFR uses the concept of legally relevant damage, which in this context is sufficiently close to harm to a protected interest.

6 This also encompasses violation of a property right.

7 There may be special rules that lay down a specific balance, or the balancing may be left to the judge on the basis of case law. Proposal, cons. 53 (‘when required by law') allows exceptions on the basis of (statuary or case) law.

8 HR 1 July 1988, NJ 1988/1000 (Vondelpark).

9 HR 14 June 2013, NJ 2015/112 (Cruijff), HR 19 January 1979, NJ 1979/383 ('t Schaep).

10 Or its predecessor, the Wet persoonsregistratie.

11 For example art. 10-12, 14-15, 22-23 Data protection directive 95/46/EC, and the implementation of these articles in national legislation.

12 For example in art. 11(2), 13, 15(2), 23(2) Data protection directive 95/46/EC, and the implementation in national legislation.

13 See also more generally Purtova (2011, 43–50).

14 There is an additional constraint by the demand of effectiveness (cons. 9).

15 Cons. 1-2, 6, 129, 133 Proposal.

16 Cons. 67, 116ff. Proposal.

17 See cons. 16ff, in particular 38, also 121-126 Proposal.

18 This seems to be implied in cons. 55 and 70 Proposal. This interest in fact is already recognised partially in the guise of the interest in a good reputation, protected through actions against defamation. However, these actions can generally only be invoked for serious violations, not for more mundane acts like publicising a person's hobbies (as was inter alia at stake in ECJ 6 November 2003, case C-101/01 (Lindqvist).

19 As seems to be recognised explicitly (cons. 53 Proposal).

20 Which would imply a principled rejection of all intrusions.

21 ECHR 24 June 2004, case 59320/00 (Von Hannover/Germany).

22 ECHR 7 February 2012, case 40660/08 and 60641/08 (Von Hannover/Germany no. 2).

23 And where it is, this may in fact quite well justify the intrusion. Furthermore, even for property in tangible objects the mere risk of future intrusions does not quickly justify a prohibition.

24 Admittedly a short-cut may be through taking action against gatekeepers such as ISPs, however this is only of limited value given the sheer possible number of ISPs. To be true, it may be partly effective only to take on the largest search engines (in particular Google), as that may for most purposes lead to the non-visibility of the data for the larger public, which may be what is desired.

25 A Dutch example is the removal of a video clip of a drunk student, which was originally made available through geenstijl.nl. After an injunction was obtained, the video appeared at other places, publicised by anonymous individuals, for which geenstijl.nl was not responsible. See Rb Amsterdam 14 July 2010, LJN BV4359, 10 August 2011, LJN BT1877, and 10 February 2011, LJN BP3926. In the end the efforts seem to have succeeded: the video is at present not easily found, if it can be found at all.

26 An example is an incorrect allegation regarding an abduction victim, which was removed completely from all public records, due to the lawyer's efforts paid for by her millionaire father (see generally http://www.netkwesties.nl/249/miljonair-steekt-tonnen-schoonwassen.htm, and for case law, for example, Hof Amsterdam 8 May 2008, LJN BD1356).

27 This issue is similar to what was found for private enforcement of competition law, where it was recommended to find ways to lower the costs (White Paper on Damages actions for breach of EC antitrust rules, COM(2008) 165 final, p. 9).

28 The analogy with property is misleading as ‘real’ property infringement is relatively easy to prove, as well as to enforce against. This is not to gainsay the motivational advantages of a property right to personal data, which Purtova (2011) stresses.

29 See the additional remedies in Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, OJ L 195 of 2 June 2004, see Cornish et al. (2003, 447–449). The similarity lies in the fact that IP-infringement is also not directly perceived, in contrast to infringement (trespass) to real property.