This article courtesy of guest blogger Michael Ferron, a student at Roger Williams University School of Law
The recognition by the European Union of a “Right to be Forgotten” has caused much controversy, but seemingly progress is being made. The Right, which entitles Europeans to petition data controllers to prevent harmful information about them from appearing in web searches, has been criticized for opening the door to bad-faith claimants to silence legitimate journalism. Recently an international effort has produced the Oblivion Framework, capable or sorting hundreds of claims for merit in mere seconds. However these advances ignore a much larger problem regarding the Right to be Forgotten; the EU has yet to announce any meaningful regulations respecting what information is actually protected.
This is problematic for multiple reasons. Unclear guidance from the EU regarding what is entitled to be forgotten places large data controllers like Google in the unenviable position of making educated guesses about how to comply with the law. But is greater cause for concern. Google’s process for vetting claims involves a number of experts and officials from across the data privacy field, but how it works remains unknown. This current system allows data controllers to self-regulate, unless an individual with the time and resources to press major litigation forces the case to the EU Court of Justice.
This is not to say that the Right to be Forgotten is intrinsically flawed. Similar processes are used to routinely seal criminal records in expungement proceedings. But there the requirements and procedures are clearly defined by statute. With clear guidance, individuals in the EU could tell when and how to they are entitled to protect their information and move on from the ghosts of their pasts.
However, until the EU provides such guidance, Europeans only have a Right to be Forgotten to the extent that data controllers are prepared to give them one.