The Right to Be Forgotten – California ≠ Europe
July 2, 2018
Types : Alerts
The European Union has endorsed a “right to be forgotten” since May 2014, when the European Court of Justice upheld a Spanish citizen’s complaint that an article about an unpleasant incident in which he was involved, published some time ago, was still easily accessible on the Internet thanks to widespread indexing and easy retrieval using search engines such as Google. As a result of such search engine listings, the citizen continued to be haunted by his past. The article regarding the Spanish citizen itself was true, which was partly his point – he just wanted to put the matter behind him, but due to the persistence of computer memory he could not do so. Many others have been subject to the same predicament. In fact, on February 28, 2018, Google’s Transparency Report stated that the company had received close to 700,000 requests to remove approximately 2.6 million URLs from its search results. The Right to Be Forgotten (RTBF) provided the basis for such requests, and as of May 2018, the EU’s General Data Protection Regulation (GDPR) codified the RTBF as the law of the lands.
Since then other jurisdictions have adopted RTBF. Most recently, California enacted its own version as part of its Consumer Privacy Act of 2018 (CCPA). Scheduled to take effect in 2020, the CCPA diverges from the EU’s system in important ways. Those who have connections in both locales will be compelled to tread carefully to reconcile the different standards and processes.
The EU’s GDPR
Under Article 17, the GDPR establishes that an individual has the right to obtain “erasure without undue delay” and that the entity that has control of the data has an obligation to “erase without undue delay” when asked, so long as one of these grounds applies:
- The data are no longer needed for the purpose for which they were originally obtained;
- The individual has withdrawn the consent they originally gave, and no other legal ground for processing the data exists;
- The individual objects to processing, and “no overriding legitimate grounds” exist for processing the data;
- The data have been unlawfully processed;
- The data must be erased for the controller to comply with a legal obligation;
- The data were obtained from minors.
In addition to requiring that the data be deleted by the entity, Article 17 requires “reasonable steps, including technical measures” to pass the erasure request to whoever else is processing the same data.
The GDPR does provide safe harbors where RTBF requests will not apply:
- where continued processing is necessary for exercising “freedom of expression and information”;
- to comply with legal requirements or to perform a task “in the public interest or in the exercise of official authority vested in the” entity;
- for reasons of public health;
- for archiving “in the public interest, scientific or historical research purposes” if erasure would make such work impossible, or seriously impair it;
- if necessary for bringing or defending legal claims.
California’s Right to Deletion
While aiming at the same general target – giving individuals more control over their own information – California has created a very different system for achieving that objective under the CCPA. For example:
- Initiating a deletion requires a “verifiable request,” and the recipient of the request is required to determine whether it qualifies before complying. CCPA gives the recipient 45 days in which to do so (which can be extended), and requires that the recipient be in communication with the requester during this time frame to provide notice about the process.
- Assuming a valid request has been made, the recipient is required to forward the request to any other entity that is handling the data, with the clear expectation that any/all other such entities will comply immediately (i.e. without determining on their own whether they have received a “verifiable request”).
The differences between the two systems are most apparent when it comes to the carve-outs. In California, the recipient of a request need not comply if they are required to retain the information in order to do any of the following:
- Complete an ongoing transaction, or anticipated transactions (based on a context of an ongoing relationship);
- Serve operational security purposes;
- Repair errors in functionality;
- Exercise free speech, preserve others’ free speech rights, or exercise another legal right;
- Comply with the law;
- Permit solely internal uses that are “reasonably aligned” with the consumer’s expectations.
Free speech advocates will prefer California’s approach. The combination of California’s threshold requirement for a “verifiable request,” coupled with its express recognition of and protection for free speech rights of both the recipient and others, makes the CCPA much less of a blunt instrument than the GDPR and provides much-needed flexibility for resisting malevolent efforts to censor information which the RTBF has already triggered. This flexibility comes at a cost, of course, since the broad brush employed by the EU gives primacy to the requester’s interests and requires fewer human filters before putting truth into a memory hole. By contrast, those who are covered by the California law will have to jump through that law’s sequential hoops, and will be compelled to do it in a sharply constrained amount of time, which will no doubt impose significant costs on recipients. And unless there’s clear evidence of abuses, the California law expressly prohibits charging requesters for the cost of those processes, on the theory that doing so would be discriminatory (1798.125). Moreover, the law anticipates and bars efforts to avoid its terms by artful clickwrap, expressly stating that its provisions cannot be waived (1798.192).