Early next year, the European Union’s highest court is expected to rule on one of the Internet’s most controversial topics: the right to be forgotten. The judges should curb their ambition, lest they open a can of worms that will spill well beyond Europe.
The right, enshrined in privacy law, allows Europeans to demand that information about them be removed from online search results if it’s outdated, irrelevant or “excessive”. The case in question involves a dispute between Google and French regulators, who in 2015 ordered the company to respect this right on all its sites worldwide — not just google.fr, but also google.com and so on.
Google naturally objects. So does much of the tech industry, a wide swath of civil society, and the EU itself. Rightly so. Extending the right to be forgotten globally threatens free speech, burdens private companies, intrudes on sovereignty and is fraught with looming risks. Not incidentally, it would also do next to nothing to advance its stated goals.
The right is ill-conceived to begin with. Censoring lawful and factual information is dubious on principle and flawed as a method of protecting privacy. It’s also a substantial imposition: since 2014, Google has had to adjudicate more than 727 000 delisting requests, spanning some 2.8 million Web addresses. Each request must be evaluated by humans to determine if it’s reasonable or if keeping the information available would be in the public interest — a process that can take days per request.
Google has no obvious aptitude for making such judgment calls. And countries naturally have varying preferences about how to balance free speech and privacy. Just three places — France, Germany and the UK — generate 51% of all delisting requests, for instance, while Greeks barely assert the right all. In the US, enforcing the right could well be unconstitutional. Confronting such a complicated and nuanced challenge is a matter for legislatures, not private companies.
A related worry is that this idea could spread. Plenty of authoritarian governments would like to control information beyond their borders. Will Google respect similar demands from Turkey? Or enforce Thailand’s lèse-majesté law? An apt phrase often applied to this possibility is “race to the bottom”: countries with the most severe restrictions would effectively determine policy worldwide. Although that would benefit no one, it’s a fully logical outcome of this case.
Waste of time
And yet a ruling against Google won’t do much to protect anyone’s privacy. France’s regulator asserts that the right is meaningless if the information still turns up on searches conducted through a VPN or by manually using overseas versions of Google. Yet fewer than 1% of searches in France actually evade Google’s measures in this way — meaning that this global decree, whatever its merits, would accomplish nearly nothing.
This case is useful in one regard: it’s magnifying a worsening global tension. A growing number of jurisdictions are attempting to exploit tech companies to export their own laws and values. Europe’s new privacy regime, for instance, applies to all companies worldwide that touch the data of European citizens. Similarly, courts in Austria and Canada are trying to force social media companies to take down objectionable information globally, foreign legal opinion notwithstanding.
No good can come of this trend. The Internet works so splendidly precisely because it’s borderless; commandeering tech platforms to enforce national priorities will jeopardise that openness for everyone. Companies must respect local laws wherever they operate. But requiring them to adhere to one jurisdiction’s preferences worldwide would be legally dubious, conceptually flawed and loaded with unintended consequences. If Europe goes down this road, there’s no going back. — By The Editors, (c) 2018 Bloomberg LP
