Search Engines under Attack: Examining the European Union’s Right to be Forgotten (Parts II & III)

By Tisunge (Sunga) Mkwezalamba*

Part II: Interpreting the Right to be Forgotten

This section provides a case summary of Google Spain v. González. In its holding, the Court of Justice of the European Union determined that search engines are responsible for the removal of personal data upon request, regardless of how the data was obtained, so long as processing of the personal data would not be in compliance with the principles of Directive 95/46/EC.

(a). Google Spain v. González[1]

In 2010, Mario Costeja González, a Spanish citizen, filed a complaint against a local Spanish newspaper with the Spanish Data Protection Authority (AEPD).[2] González sought to have the newspaper remove a disfavoring news article published in 1998 regarding an auction of his home in connection with the recovery of his debts. González argued that the matter concerning his debts had been fully resolved for a number of years, and therefore, the contents of the article, which were his personal data under the definition of Article 2(a) of Directive 95/46/EC, were now irrelevant and should be erased and blocked pursuant to Article 12(b) of the same directive.[3] González named Google Spain and Google as co-defendants in his complaint. González argued that Google should remove all links to the article pursuant to the same provisions of the directive.[4]

The AEPD rejected the complaint as it related to the newspaper, reasoning that the newspaper was legally justified in publishing information regarding the auction because it took place under the order of a government authority and was intended to achieve maximum publicity in order to secure as many bidders as possible.[5] Astonishingly, the AEPD did not extend the same coverage that it afforded the newspaper to Google Spain and Google, and in fact ruled against them.

Google Spain and Google appealed the decision before Spain’s National High Court (Audiencia Nacional).[6] Google argued that Directive 95/46/EC did not apply to Google Spain because Google Spain’s activities in the EU were advertising, which Google contended was not processing of personal data pursuant to the directive.[7] Further, Google argued that even if the court found Google Spain to have engaged in the processing of personal data, the company was established outside of the directive’s jurisdiction.[8]

Spain’s National High Court decided to stay the proceedings and referred questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling regarding Directive 95/46/EC.[9] The questions submitted to the CJEU were: (1) whether Google Spain was established in Spain within the meaning of Article 4(1)(a), and therefore subject to the directive; (2) whether Google’s activities in Spain fell under the Article 2(b) definition of processing of personal data; and (3) if the aforementioned questions were in the affirmative, whether Article 12(b) obligated Google to erase or block the processing of personal data lawfully published by a third party.[10]

On May 13, 2014, the CJEU reached a decision against Google. The decision opened the floodgates for similar claims against large search engines.

Regarding whether Google Spain was established in Spain within the meaning of Article 4(1)(a), the court found that Google was subject to its jurisdiction because it was established in Spain through the activities of its subsidiary in a member state. The court reasoned that application of the directive did not require that Google Spain, the entity established in the EU, carry out processing. The court held that processing by the established entity was not a requirement so long as the established entity’s activities were closely linked to the processing activities.[11]

Next, concerning whether Google’s activities fell under the Article 2(b) definition of processing of personal data, the court concluded that a search engine’s activity of finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily, and making it available to internet users according to a particular order of preference must be classified as “processing of personal data” within the meaning of Article 2(b), and the operator of the search engine must be regarded as the “controller” with respect to that processing, within the meaning of Article 2(d).[12]

As a result, the court held that a search engine is obligated to remove personal data pursuant to Article 12(b) to comply with the rights in the directive regardless of whether the data was obtained lawfully. In its holding, the court expanded the scope of personal data that is to be erased or blocked outside of personal data that is particularly inaccurate or incomplete in nature. The court, through its decision that the right to be forgotten exists where the personal data is not in compliance with the rights of the directive, provided circumstances that it believed were in accordance with the principles of the directive. The court held that the right to be forgotten should be afforded when the personal data is “irrelevant or no longer relevant, or is excessive in relation to the purposes of the processing at issue carried out by the search engine, even if the information is not erased beforehand or simultaneously from those web pages, and even when its publication in itself on those pages is lawful.”[13] Interestingly, the court found that its list of circumstances included disfavoring personal data such as the auction, which it found fell under relevance.

(b). Aftermath of González

Though the right to be forgotten previously did not explicitly exist in EU law, the CJEU interpreted it in Article 2(b) of Directive 95/46/EC.[14] In its holding, the court expanded the definition of processing to include closely related activities such as advertising, and held that the activities of a search engine in providing links to websites with personal data constituted the processing of the personal data available through those links. Further, the court provided a list of circumstances where the right to be forgotten could be exercised, which included disfavoring information that was no longer relevant.

Most troublesome in the court’s interpretation of when the right could be exercised was its determination that search engines are to remove personal information that is lawfully obtained and privileged to the original publisher. Thus, if an individual wanted to remove his or her personal data online, he or she could simply apply to search engines, which are then to remove the link. Considering the number of individuals who use search engines to locate personal data, it only makes sense that individuals will be inclined to appeal to search engines directly.

As it relates to the GDPR, this is problematic because the language about the right to be forgotten is similar to the broad definition provided in González. Thus, search engines remain the misguided targets of the right to be forgotten.

Part III: Why the Right to be Forgotten is Bad Policy and Bad Law

In this section, I argue that the EU’s creation of a right to be forgotten is bad policy and bad law. First, the EU’s interpretation of the right to be forgotten is bad policy and bad law because its application does not remove access to the personal data that has been requested for removal. Second, it is likely to lead to instability in capital markets where investments and extensions of credit rely on personal data of an individual’s market participation. Third, as currently interpreted, the right compels large search engines to enforce the international right at their burden. This is significant because search engines then have to create a judiciary to judge EU law where only one precedent stands for a broad interpretation of a newly created privacy right. Lastly, the CJEU’s interpretation of the law disregards guaranteed freedoms, mainly the freedom of expression, in favor of the right to be forgotten.

1. The EU’s interpretation of the right to be forgotten does not remove access to the personal data that has been requested for removal.

The EU’s creation of a right to be forgotten is bad policy and bad law because it does nothing to actually restrict access to personal data. In a globalized society, search engines with the capabilities of Google provide regional services. However, access to the search engines’ services across regions remains possible. For instance, following the decision in González, no links to the newspaper article containing the auction of González’s home should have been available by searching González’s name in Google’s Spanish search domain URL (google.es). Despite the article’s removal from Google’s Spanish domain, the newspaper article remained available through Google’s US search domain URL (google.com). Essentially, once a search engine is required to remove the link, it is only the link that is removed, and the content remains. Further, other search engines will still provide links to the personal data that has been requested for removal. Thus, following González, a search through Yahoo! would have provided access to the article detailing the auction. Consequently, by the CJEU providing protections to the publisher and not search engines as it had done in González, the right to be forgotten is left for search engines to deal with.

There are also other concerns with the impracticality of the rule. These days, embarrassing information is shared on many mediums. At any moment, embarrassing content can be rapidly disseminated throughout the internet, reaching far and wide in a small amount of time. When content is disseminated rapidly throughout the internet, it is said to “go viral” or be “trending”. Locating personal data to de-link it becomes a long, painstaking process, particularly when the data can become undetectable or irretrievable due to the rate at which that information is shared. For instance, a trending photo that identifies an individual could be traced easily when those sharing the information share it with identifiers such as the name of the individual who the photo belongs to. However, once it is shared numerous times, that name may be misspelled or omitted, making it more difficult for search engines to locate it. This is the case in an age when embedding content rather than linking or sharing is gaining ground in digital information sharing. Further, it is unclear from the ruling in González and the text of GDPR as to what mediums controllers are supposed to remove content from and to what extent. Assume a video from a news channel discussing González’s auction was spliced into a video that is uploaded onto YouTube.com. Would Google, an owner of YouTube, be required to take down the entire video? These questions are still left unanswered, and are likely to lead to a slippery slope for search engines.

2. Removal of lawfully published personal data linking individuals to market decisions affects markets and democratic decision-making.

We live in a world where markets make decisions based on personal data. Thus, the availability of personal data, whether or not it is disfavoring, has significant value in the market. For example, decisions in the labor market are becoming increasingly influenced by personal data published willfully on social media sites. CareerBuilder, a US-based employment website, reported that more than 40 percent of employers research job candidates’ personal data on social media sites.[15] Employers use the personal information available on social media accounts to evaluate candidates. Some may argue that employers only look for information that reveals a candidate’s moral character. However, CareerBuilder’s report found that employers are more concerned with information that supports a candidate’s qualifications for the job to ensure they are able to recruit the best available candidates.[16] In a competitive job market, this is a good thing. If individuals are able to remove personal data when it is disfavoring or does not attest to their qualifications, such as personal data indicating that an individual did not work in the capacity his or her résumé attests, then employers may risk making costly employment decisions.

The most important reason why we need markets to have access to personal data relates to capital investments and extension of capital. Buyers need confidence in personal data available in the market to make purchasing decisions. Personal information is needed in order to ascertain the fair market value of an item,[17] such as a vehicle’s history. The history of the vehicle is personal data because it identifies the vehicle’s conditions under its prior owners. Thus, buyers should be able to retrieve all information necessary regarding their purchase before making a decision. If the right to be forgotten is exercised to detach a seller’s identity from a market decision because it is disfavoring, such as González’s home auction from bad debts, then the buyer will not be able to make a well-informed decision.

Alexa, a company that provides web traffic and data analytics, publishes a list of the most frequently used websites. Of the top ten, three are search engines.[18] This is significant because it indicates how much individuals trust the information available on search engines. In 2011, more than 75 percent of individuals used search engines to find local business information.[19] Thus, proponents of enforcing or creating the right to be forgotten seem to overlook how reliant individuals are on the information available on search engines. As it relates to making decisions in the market, this is of particular concern where individuals are likely to perform their own market research to save costs. For instance, if a homeowner is interested in purchasing the services of a lawn care business owner, the homeowner may be interested in conducting market research on previous works of the lawn care provider before contracting for her services. Researching all potential lawn care providers in the area will be time-consuming. Thus, the homeowner is likely to visit websites that offer reviews of lawn care providers. If the lawn care owner has received unsavory reviews on her work and exercises her right to be forgotten, arguing that the reviews are disfavoring and excessive, the information will be removed and the buyer will be unable to make an informed decision.

Further, by extending the right to be forgotten to personal data such as debt history, creditors could be less willing to extend credit. Creditors extend credit based on personal data regarding an individual’s ability to repay them with interest. A history of bad debts is a type of personal information that creditors rely on. By allowing individuals to remove personal data relating to bad debts that have already cleared, as was the case in González, creditors may suffer if they extend credit to individuals who are unable to repay them.

In addition to the necessity of personal data in the market, personal data is needed to make decisions in matters where an individual’s moral character is significant. In a democratic society, we rely on a person’s past to make judgments as to whether it is supportive of a high position in society. For instance, individuals who run for public office must provide access to some of their public records. In addition, lawyers have to complete a character and fitness report where they disclose their personal data, whether or not it is disfavoring. If the public no longer has access to or cannot rely on the information made available, we will be unable to make informed decisions and distrust the democratic process.

3. The EU’s interpretation of the right to be forgotten asks search engines to enforce EU privacy law and risk liability for content published by third parties.

A quick overview of the resources Google has added in response to González helps demonstrate the burdensome consequences of the decision. In response to González, Google has had to employ a full-time staff to review applications to de-link content sources.[20] Google has also established an advisory council which includes legal, data protection, and human rights experts. The advisory board assists the staff responsible for effecting the right to be forgotten. Google has essentially been forced to serve as the judge and jury of what are still unclear privacy terms with not much case precedent. This is alarming considering Article 8 of the Charter of Fundamental Rights of the European Union (which affords the right to protection of personal data) states that compliance with the protection of personal data is subject to control by an independent authority.[21] In Directive 95/46/EC, the regulation provides for data protection authorities who are to determine data privacy matters on multiple levels. Nonetheless, the language of GDPR and the González court’s opinion interpreting the right to be forgotten never considered that member states’ privacy authorities should act as the judiciary to determine whether applicants for the right to be forgotten should be afforded that right, which unfairly places the burden on search engines like Google.

The EU’s neglect of the text of the law will undoubtedly lead to an insurmountable case load appearing before Google’s newly appointed judiciary. Since the González ruling, Google has received nearly half a million requests to have personal data removed.[22] Google’s costs go up if it fails to comply adequately with the brazen regulation. If Google does not de-link all content it can reasonably de-link, the GDPR could fine it an amount equivalent to two percent of Google’s annual worldwide turnover for noncompliance with the rule.[23]

4. The right to be forgotten disregards other guaranteed freedoms, mainly freedom of the press.

Article 11 of the Charter of Fundamental Rights of the European Union provides for a right to freedom of expression.[24] Free speech, alongside freedom of assembly, facilitates open discussion, which is seen as a necessity for a functioning democracy such as the US. However, as was the case in González, the right to privacy appears to trump the right to free speech in the EU.

Most search engines are based in the US, where the right to free speech is strong.[25] A fundamental right, free speech is closely protected in the US, with few exceptions such as the famous “clear and present danger” rule. This is problematic to search engines acting as a judiciary because they would be required to exercise censorship that they do not support in the name of privacy rights granted in the EU. There is a danger that search engines, when faced with a country’s demand to comply with privacy regulations they do not agree with, may choose to say “no thanks” instead of continuing operations in that country. This occurred in 2010, when Google decided to abandon its operations in China because it fundamentally disagreed with China’s level of censorship.[26] If in the future search engines decide not to do business in countries enforcing the right to be forgotten, citizens will be the ultimate losers.

 


*Tisunge (Sunga) Mkwezalamba. University of Illinois College of Law, J.D. candidate, Class of 2016. Data privacy focus. Many thanks to Maxwell and Hilda Mkwezalamba.

[1] Directive 95/46 was transposed into Spanish Law by Organic Law No 15/1999 of 13 December 1999 on the protection of personal data (BOE No. 298 of 14 December 1999, p. 43088).

[2] “Agencia Española de Protección de Datos”

[3] Case C-131/12, Google Spain v. González, 2014 EUR-Lex CELEX-LEXIS 317, ¶ 15 (May 13, 2014).

[4] Id. at ¶ 14-15.

[5] Id. at ¶ 16.

[6] Id.

[7] Id. at ¶ 51.

[8] Id.

[9] Id. at ¶ 20.

[10] Id. at ¶ 21.

[11] Id. at ¶ 52.

[12] Id. at ¶ 41.

[13] Id. at ¶ 94, 62; Council Directive 95/46, art. 12(b), 14(a) 1995 (L 281) 31 (EC) [hereinafter “Directive 95/46/EC”], available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en.

[14] Case C-131/12, Google Spain v. González, at ¶ 20.

[15] Press Release, CareerBuilder, 35 Percent of Employers Less Likely to Interview Applicants They Can’t Find Online, According to Annual CareerBuilder Social Media Recruitment Survey (May 14, 2015), available at http://www.careerbuilder.com/share/aboutus/pressreleasesdetail.aspx?sd=5%2F14%2F2015&id=pr893&ed=12%2F31%2F2015.

[16] Id.

[17] John A. Enahoro and Jumoke Jayeoba, Value Measurement and Disclosures in Fair Value Accounting, 3(9) ASIAN ECON. & FIN. REV. 1170 (2013), available at http://www.aessweb.com/pdf-files/3(9)%201170-1179.pdf.

[18] The Top 500 Sites on the Web, ALEXA, http://www.alexa.com/topsites (last visited Mar. 22, 2015).

[19] As Media Habits Evolve, Yellow Pages and Search Engines Firmly Established As Go-To Sources for Consumers Shopping Locally, PR NEWSWIRE (June 13, 2011, 9:10 AM), http://www.prnewswire.com/news-releases/as-media-habits-evolve-yellow-pages-and-search-engines-firmly-established-as-go-to-sources-for-consumers-shopping-locally-123740559.html.

[20] The Advisory Council to Google on the Right to Be Forgotten, GOOGLE, https://www.google.com/advisorycouncil (last visited Mar. 22, 2016).

[21] 2000 O.J. (C 364) 1, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf.

[22] European Privacy Requests for Search Removals, GOOGLE, https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en (last updated Mar. 22, 2016). As of the last visit on March 22, 2016, Google had evaluated 1,420,812 URLs for removal based on 406,329 requests. Google had removed 42.6 percent of those URLs.

[23] Press Release, European Commission, Stronger Data Protection Rules for Europe (June 15, 2015), available at http://europa.eu/rapid/press-release_MEMO-15-5170_en.htm.

[24] Charter of Fundamental Rights of the European Union supra note 21, at art. 11.

[25] See, e.g., The Florida Star v. B.J.F., 491 U.S. 524 (1989) (holding that imposing damages on a newspaper for publishing the name of a rape victim violates the First Amendment).

[26] Henry Blodget, China Surprisingly Rattled by Google’s Clever Pullout, HUFFINGTON POST, http://www.huffingtonpost.com/henry-blodget/china-surprisingly-rattle_b_509428.html (last updated May 25, 2011).

Curing Americans’ Kleptomania: An Empirical Study on the Effects of Music Streaming Services on Piracy in Undergraduate Students

By John G. Moustis Jr.* & Austin Root*

I. Introduction

Music piracy is widely considered to be the greatest problem faced by the music industry worldwide.[1]  According to a 2007 study conducted by the Institute for Policy Innovation, Americans’ music pirating habits have caused:

• An annual reduction in the U.S. economy by $12.5 billion;
• The loss of 71,060 jobs in the sound recording industry and downstream retail;
• The loss of $2.7 billion in annual earnings by workers in the sound recording industry and downstream retail; and
• The loss of at least $422 million in state and federal tax revenue.[2]

Studies suggest new technologies like internet radio and interactive streaming services could significantly reduce piracy.[3]  Although this topic is at the center of many legal comments, little empirical research has been conducted to answer this question.

In response to this gap in the literature, the author conducted a survey on the music consumption habits of 252 college students.  The results demonstrate that while music piracy is still widespread on college campuses, streaming services have already begun to reduce the amount of music pirated per year.  If streaming is in fact responsible for this shift away from piracy, Congress would do well to implement a compulsory licensing system for music streaming webcasters.  Such a structure could help music distributors stabilize their business model and incentivize music consumers to use their services in place of alternative, illicit means.

After briefly discussing the modern tools of music pirates and the current state of digital music distribution technologies, this study presents empirical data showing that music piracy is alleviated by internet streaming services.  The methodology used for data collection follows, along with a statistical analysis.  The paper concludes with a discussion on the effects of internet technologies on music piracy and how enacting a compulsory licensing scheme would help streaming services to succeed, in turn lowering music piracy.

II. America’s Addiction to Music Piracy

A. What is Music Piracy?

While music piracy may be committed in a number of ways under copyright law, this study focuses on digital music piracy.  Digital music piracy is committed specifically through the copying, distributing, transmitting, or making available of copies of digital audio files.[4]  This may be done by uploading or downloading a copyrighted song from an unlicensed or unauthorized webpage, P2P network, or file-exchange server;[5] burning a CD, other than for archival use;[6] or converting a video hosted on a webpage into a digital audio file.[7]

B. The Extent of Music Piracy Today

Illegally downloading music is rampant throughout the United States today.  Forty percent of Americans aged eighteen and older have copied CDs or downloaded music files for free.[8]  Eighty-seven percent of students currently in college conduct some form of illegal copying, with each college student maintaining on average over 800 illegally downloaded songs.[9]

Torrent file trackers estimate that around 70 million people have been found across all formats of file-sharing programs on a daily basis,[10] while 30 million people engage specifically in torrent file-sharing every day.[11]  It is safe to conclude that music piracy is more prevalent in America than ever before.

Media piracy is most common among youth.  Specifically, undergraduate college students are the most active music pirates.[12]  However, while young people are the most active pirates, they are also more likely to adopt new technologies.[13]

III. Today’s Music Technologies

The physical size of consumers’ music libraries and listening devices has continuously shrunk over time.  From records and phonographs to ephemeral radio waves and pocket-sized stereos, it is now easier for people to access as much music as possible, at all times, wherever they are.

MP3s were the original solution to the demand for portable music until MP3 players and phones became integrated.  The age of the iPod was quickly brought to a close as the smart phone era was ushered in.[14]  However, the desire for smaller, slimmer smart phones, in addition to the presence of tens or hundreds of apps on a phone, reduced the amount of hard drive space available for music storage.  This drove the need for a music format that took up even less physical space.

People today are switching by the millions[15] to new music streaming services such as internet radio,[16] interactive streaming services,[17] and on-demand music videos.[18]  Via these distribution mediums, consumers are able to access all of the music they desire without having to store the music files directly on the device they are carrying.  We can see the high demand for music streaming today as the market continues to shift from CD and digital purchases, while streaming and internet radio revenues continue to increase.  In 2014, the number of paying streaming subscription users rose by 46 percent, while digital downloads decreased by eight percent.[19]  In the same year, the streaming service webcasters alone earned $1.6 billion.[20]  Streaming is gaining popularity at a rate that is even faster than the rate at which digital downloads overtook physical mediums.[21]

IV. The Uncertain Future of Interactive Music Streaming Services

Copyright law compartmentalizes streaming services into three distinct groups:[22] (i) interactive;[23] (ii) non-interactive, subscription;[24] and (iii) non-interactive, non-subscription.  In accordance with copyright law, streaming services that fall under categories (ii) and (iii) are subject to compulsory licensing, meaning those types of webcasters may stream a copyrighted sound recording so long as the webcaster pays the licensing fee set forth by the copyright royalty board.[25]  In contrast, category (i) services must negotiate directly with sound recording copyright owners to obtain digital performance licenses.[26]  These interactive services suffer from the increased transaction costs that come with having to deal with each copyright owner individually,[27] such as unpredictable price schemes.[28]  For example, in 2012 the interactive streaming company Spotify came to an agreement with record labels to pay the higher of $200 million or 75 percent of total revenues.[29]  It is expected that Spotify and other interactive streaming webcasters’ costs will continue to rise as their revenues continue to increase.[30]

The current licensing scheme for interactive streaming services has resulted in the concentration of certain artists’ music within some streaming services and not others.[31]  If sound recording copyright holders do not want their songs played via an interactive streaming service, they are not required by law to issue a license to the service.  Under the current scheme, for example, if a person purchases a subscription to Spotify, that person will not be able to listen to almost all works by mega-artists such as Taylor Swift, Jason Aldean, and Garth Brooks, who either pulled their music from Spotify or never made it available on Spotify to begin with.[32]  This current scheme forces consumers to use multiple channels or mediums to listen to their favorite songs. Many individuals turn to piracy as an alternative to this cumbersome process.

V. Previous Literature on Music Streaming Services and their Effects on Music Piracy

As new music consumption technologies began to develop, researchers shifted their focus towards the effects of these new services on music piracy.  So far, the results have been mixed.  One study asked respondents to self-report how much they pirated music before and after starting to use the Spotify streaming service.[33]  Seventy-five percent of subjects reported pirating music less after beginning to use the interactive streaming service.[34]  Other studies have shown that streaming and internet radio users are the demographic most likely to purchase physical or digital albums after hearing music via online mediums.[35]  However, one survey of college undergraduates found that those who use streaming services are more likely to engage in music piracy.[36]

Legal scholars have written a number of articles on this topic.  Some suggest that supporting interactive streaming service growth in the music industry by developing a compulsory licensing scheme for interactive webcasters can help combat diminishing revenues in the music industry.[37]  How exactly these schemes should look is widely debated. Most articles published by legal scholars on this topic are limited in scope to policy analyses and do not make use of empirical data.[38]

VI. The Present Study

This study hopes to build upon and inform previous legal comments through the use of empirical data. In the current study, the author attempts to expand on existing research by asking the following question:

What effects does the rapid popularization of music streaming services have on (a) the number of students who pirate music and (b) the amount of music illegally downloaded?

In exploring the previous question the following hypotheses are proposed:

H1 – A student’s use of music streaming services does not affect whether that student pirates music.

H2 – A student’s use of music streaming services does affect the amount of music that student pirates.

VII. Experimental Design & Methodology

This study is based on a survey conducted in the fall of 2015 at the University of Illinois in Champaign, Illinois.  In total, 252 participants responded.  The participants’ ages range from 18 to 32 years old, with the mean age of the sample being approximately 20 years old.  Of the sample population 140 participants were male, 107 participants were female, and 5 gave no response.

The data were collected through a questionnaire distributed to the students near the end of classes they were currently attending.  The survey consisted of 11 questions.  The first part of the survey gathered general information concerning the music consumption habits of the respondent.  The second part asked the respondents about their use of streaming service account subscriptions and piracy habits.[39]  The third part of the survey measured the respondent’s knowledge of policy and punishment, along with perceptions of their peers’ piracy habits.  The last section gathered demographic information.

To capture the undergraduate students’ levels of participation in music piracy, the survey asked respondents to indicate approximately how many files they had illegally downloaded in the past year.  Potential responses included: not applicable (none); 1–10; 11–100; 101–1000; more than 1000 files.

The next variable measured how respondents consumed music.  Individual respondents were given a list of distributional mediums (e.g. CDs/Vinyl Records, Analog Radio, Satellite Radio, Internet Radio, Interactive Streaming Services, MP3s, and Other) and asked to mark all that apply.

The next variables were based on more specific data regarding the respondent’s use of internet radio and streaming service accounts.  To measure the students’ habits regarding the use of internet radio and streaming service accounts, the survey asked them to indicate whether they had ever purchased a streaming service account subscription.  These data allowed us to categorize individuals as account purchasers or those who just use internet radio and streaming services to consume music.

To analyze the data, the study used descriptive statistics, inferential statistics, and regression analyses.  First, the descriptive statistics of the sample population were analyzed.  Then each dependent variable was analyzed using inferential statistical techniques and regression analysis.

VIII. Results

The most common medium used by participants was Interactive Streaming Services (75.79 percent).  Digital MP3s (65.87 percent) and Internet Radio (63.10 percent) are the next most popular mediums.

Approximately 40.48 percent of the participants reported that they had purchased a streaming service subscription, meaning a majority of the participants (59.52 percent) either choose to use the free version of streaming services or not to use such mediums at all.  Of the participants who purchased streaming service subscriptions, 38.24 percent allowed others to use their account while 59.80 percent said that they do not.  Further, 42.46 percent of the sample population indicated that other people allow them to borrow a streaming service subscription.

A vast majority of the respondents (82.94 percent) reported that they have pirated music.  Only 17.06 percent indicated that they have never engaged in the activity. Of those who have engaged in music piracy, most students (38.76 percent) pirated 11-100 files in the past year, 29.29 percent pirated 101-1000 files, 12.92 percent pirated 1-10 files, and 9.57 percent pirated more than 1000 files in the past year.  7.18 percent of the respondents who said they have pirated music reported they had pirated zero music files in the past year.  This indicates that they likely have stopped engaging in music piracy.

A. Pirates

The first dependent variable analyzed was undergraduate students’ tendency to be a music pirate.[40]  In order to discern which variables, if any, affect the probability that a person is a music pirate, a regression analysis was conducted.[41]  The analysis showed no correlation between using a streaming service and whether a person engages in music piracy.[42]

Table 1

B. Amount of Music Pirated

To determine which variables, if any, affect the probability that a person illegally downloads a certain amount of music, a Pearson’s chi-square test was conducted.  According to that test, consuming MP3s, either legally or illegally,[43] affected the probability that a respondent pirated more music per year.  In contrast, purchasing a streaming service subscription[44] affected the probability that a respondent pirated less music per year.  Further, the analysis revealed that those who do not purchase a streaming service subscription pirated more music per year than subscribers.

Table 2

The statistical significance of these results was again confirmed through a multiple regression analysis (see Table 3 below).[45]  Further, this regression analysis revealed a negative correlation between purchasing a streaming service or internet radio account and the rate of music piracy,[46] meaning that purchasing a streaming subscription was less likely to cause a respondent to pirate music in large quantities per year.

Table 3

IX. Discussion

Students who have purchased a streaming service subscription illegally download fewer songs per year.  The inferential statistical analysis and regression analysis confirm this conclusion because there is a negative relationship between purchasing an account and the amount of music pirated.  Although the data tended to show that purchasing a streaming subscription is related to the amount of music a student pirates, the results do not enable the author to confirm the hypothesis that using a streaming service affects the amount of music a student pirates.[47]

Further, the inferential statistics tend to show that individuals who purchased a streaming account were less likely to continue illegally downloading music altogether.  Of the individuals surveyed, 4.27 percent of students who have pirated music in the past, but have not purchased a streaming subscription, no longer pirate music.  11.50 percent of people who have pirated music and have purchased a streaming subscription no longer pirate music.  Further, only 5.07 percent of students who said they consume MP3s no longer pirate music.  In contrast, 12.12 percent of students who do not consume MP3s no longer pirate music.  These statistics demonstrate that subscribers who pay for their streaming accounts are less likely to pirate music, and that those who are not dependent on MP3s are less likely to pirate music.  Therefore, as more consumers purchase streaming subscriptions, a significant number of individuals will reduce the number of songs they illegally download per year or will eliminate their pirating habits altogether.

However, streaming subscriptions, in their current form, are far from a panacea to music piracy.  88 percent of streaming subscribers still engage in music piracy.  The author hypothesizes that this is largely because the song choices within streaming webcasters’ libraries are limited.

Currently there is no effective solution to bring music listeners all of the songs that they want to listen to on one platform that is accessible by any device, anytime, anywhere.[48]  Because sound recording copyright owners are not compelled by law to license to streaming services, many major streaming services like Spotify lack comprehensive song libraries.  In a market where streaming services lack the most popular songs, consumers will be forced to use multiple streaming platforms or turn to alternative, often illicit, technologies.  Absent affordable licensing agreements, streaming services will never be able to provide the vast amount of content desired by consumers.

These failures of copyright law could be remedied with a new licensing scheme.  Many variations on a compulsory licensing system have been proposed to remedy the issues caused by the current scheme.[49]  One compelling system, crafted by James Richardson, suggests a three-part model which secures a minimum royalty rate to sound recording copyright owners, sets a maximum licensing fee for webcasters, and then taxes the licensing fees collected by content owners based on a webcaster’s net revenue.[50]  This system provides content owners with a guaranteed licensing fee, protects webcasters from excessive licensing rates, and incorporates a tax penalty, thereby incentivizing both parties to negotiate fairly.  Such a system acknowledges the rights of both content owners and distributors equally.

X. Conclusion

In conclusion, the results of survey data collected on undergraduate students’ music consumption habits tend to show that those who purchase music streaming service subscriptions are less likely to download large amounts of music illegally.  This evidence supports the conclusion that music streaming subscriptions can help to reduce music piracy.  For the moment, as streaming services become more popular, digital audio formats will continue to phase out, concurrently decreasing music piracy.  If music streaming services are not provided with adequate legal footing, however, they will continue to slip further into debt and eventually fold.[51]  This will leave consumers with few desirable, legal music platforms and rouse consumers to pirate more music.  If music creators and webcasters can come to a compromise with regard to a fair compulsory licensing scheme for interactive streaming services, webcasters will be able to provide more comprehensive services to music listeners, removing the temptation to pirate music.  Therefore, policymakers should introduce a scheme similar to Richardson’s three-part compulsory licensing model.

 


*John G. Moustis Jr. University of Illinois College of Law, J.D. candidate, class of 2016. Former intern for SESAC, a US performance rights organization. Current member of a touring cover band.

*Austin Root. University of Illinois College of Law, J.D. candidate, class of 2016. Avid music listener and infamous music pirate. Many thanks to Professors Jennifer K. Robbennolt and Robert M. Lawless for their help and guidance on empirical methods.

[1] See, e.g., Jason R. Ingram & Sameer Hinduja, Neutralizing Music Piracy: An Empirical Examination, 29 DEVIANT BEHAV. 334 (2008); Jyh-Shen Chiou et al., The Antecedents of Music Piracy Attitudes and Intentions, 57 J. BUS. ETHICS 161 (2005); Neil S. Tyler, Music Piracy and Diminishing Revenues: How Compulsory Licensing for Interactive Webcasters Can Lead the Recording Industry Back to Prominence, 161 U. PA. L. REV. 2101 (2012); Karla Borja et al., The Effect of Music Streaming Services on Music Piracy Among College Students, 45 COMPUTERS IN HUM. BEHAV. 69 (2015).

[2] Stephen E. Siwek, The True Cost of Sound Recording Piracy to the U.S. Economy, INST. FOR POL’Y INNOVATION (2007), available at http://www.ipi.org/docLib/20120515_SoundRecordingPiracy.pdf (last visited Mar. 14, 2016).

[3] See, e.g., Borja, supra note 1; Tyler, supra note 1.

[4] 17 U.S.C. § 106. See also George E. Higgins et al., Music Piracy and Neutralization: A Preliminary Trajectory Analysis from Short Term Longitudinal Data, 2 INT’L J. OF CYBER CRIMINOLOGY 324 (2008); Ingram, supra note 1.

[5] Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 919 (2005). See also In re: Aimster Copyright Litigation, 334 F.3d 643, 645 (7th Cir. 2003) (“If the music is copyrighted . . . swapping . . . infringes copyright.”); A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1014 (9th Cir. 2001) (“Napster users who download files containing copyrighted music violate plaintiffs’ reproduction rights.”).

[6] Resources and Learning: About Piracy, RIAA, https://www.riaa.com/resources-learning/about-piracy (last visited Mar. 14, 2016).

[7] Id.

[8] JOE KARAGANIS & LENNART RENKEMA, COPY CULTURE IN THE US & GERMANY (2013), available at http://piracy.americanassembly.org/wp-content/uploads/2013/01/Copy-Culture.pdf.

[9] Zhiyong Yang & Jingguo Wang, Differential Effects of Social Influence Sources on Self-Reported Music Piracy, 69 DECISION SUPPORT SYS. 70 (2015).

[10] Ray Delgado, Law Professors Examine Ethical Controversies of Peer-To-Peer File Sharing, STANFORD REPORT (Mar. 17, 2004), http://news.stanford.edu/news/2004/march17/fileshare-317.html.

[11] Ernesto Van der Sar, Top BitTorrent Trackers Serve 30 Million Peers Across 4.5 Million Torrents, TORRENT FREAK (July 6, 2013), https://torrentfreak.com/top-bittorrent-trackers-serve-30-million-peers-across-4-5-million-torrents-130706.

[12] Rajiv K. Sinha & Naomi Mandel, Preventing Digital Music Piracy: The Carrot or the Stick?, 72 J. MKTG. 1 (2008). See also Yang, supra note 9.

[13] Tiana Tucker, What Influences Young Adults’ Decision to Adopt New Technology, 2 ELON J. OF UNDERGRAD. RES. IN COMM. 147 (2011); PETER ZOLLO, GETTING WISER TO TEENS: MORE INSIGHTS INTO MARKETING TO TEENAGERS (2004).

[14] See Sean Hollister, The Age of the iPod is Over, THE VERGE (Jan. 27, 2014, 7:57 PM), http://www.theverge.com/2014/1/27/5351918/apples-ipod-rides-into-the-sunset.

[15] IFPI, IFPI DIGITAL MUSIC REPORT 2015: CHARTING THE PATH TO SUSTAINABLE GROWTH (2015), available at http://www.ifpi.org/downloads/Digital-Music-Report-2015.pdf.

[16] E.g., Pandora, Slacker Radio, and iHeartRadio.

[17] E.g., Spotify, Apple Music, Google Play, Tidal, and Amazon Prime Music.

[18] E.g., Vevo.

[19] IFPI, supra note 15.

[20] Id.

[21] Charles Sykes, Album Sales Are Looking Up, USA TODAY, Jan. 5, 2012, at D3.

[22] Digital Performance Right in Sound Recordings Act of 1995, Pub. L. No. 104-39, 109 Stat. 336; Digital Millennium Copyright Act, Pub. L. No. 105-304, §§101-02, 112 Stat. 2860, 2861-63.

[23] These services are offered by webcasters like Spotify, Tidal, Rhapsody, Apple Music, Amazon Prime Music, and Google Play, among others.

[24] These services are offered by webcasters like Pandora, Slacker Radio, and iHeartRadio, among others.

[25] 17 U.S.C. § (c)(3)(A) (2012).

[26] 17 U.S.C. § 114(d)(3)(A) (2012).

[27] Tyler, supra note 1.

[28] James Richardson, Create a Compulsory Licensing Scheme for On-Demand Digital Media Platforms, 31 ENT. & SPORTS LAWYER 9 (2014), available at http://www.americanbar.org/content/dam/aba/publications/entertainment_sports_lawyer/esl31-2.authcheckdam.pdf.

[29] Eric Eldon, Spotify Is Having a Good 2012: Revenues Could Reach $500M As It Expands the Digital Music Market, TECH CRUNCH (Nov. 10, 2012), http://techcrunch.com/2012/11/10/spotify-is-having-a-good-2012-revenues-could-reach-500m-as-it-expands-the-digital-music-market.

[30] Richardson, supra note 28.

[31] See Steve Knopper, Taylor Swift Pulled Music from Spotify for ‘Superfan Who Wants to Invest,’ Says Rep, ROLLING STONE (Nov. 8, 2014), http://www.rollingstone.com/music/news/taylor-swift-scott-borchetta-spotify-20141108.

[32] This fact can be observed by visiting http://www.spotify.com and http://www.tidal.com and searching for “Taylor Swift” within the websites. Observe how limited the song selection of Spotify is compared to that of Tidal.

[33] Mehmet Delikan, Changing Consumption Behavior of Net Generation and the Adoption of Streaming Music Services: Extending the Technology Acceptance Model to Account for Streaming Music Services (June 1, 2010) (unpublished master’s thesis, Jonkoping International Business School), available at http://www.diva-portal.org/smash/get/diva2:324142/FULLTEXT01.pdf.

[34] Id.

[35] Kaitlin M. Pals, Facing the Music: Webcasting, Interactivity, and a Sensible Statutory Royalty Scheme for Sound Recording Transmissions, 36 J. CORP. L. 677, 692 (2011).

[36] Borja, supra note 1.

[37] Borja, supra note 1. See also John Eric Seay, Legislative Strategies for Enabling the Success of Online Music Purveyors, 17 UCLA ENT. L. R. 163 (2010).

[38] Tyler, supra note 1.

[39] In another paper the author discusses how undergraduates’ knowledge of school and federal policies affects their propensity to pirate music. Those topics are not discussed in this paper. See John Moustis & Austin Root, Who Knows the Rules?: How Internet Technology and Perceptions of Policy Affect Music Piracy in Undergraduate Students (December 2015) (unpublished manuscript, University of Illinois College of Law).

[40] I.e., someone who currently pirates music.

[41] The independent variables accounted for were gender, streaming users, MP3 users, those who use others’ purchased streaming accounts and do not purchase their own, and overall knowledge level of government and university policies. The formula can be described as follows: Pirate = α + b1(Gender) + b2(Modern) + b3(Digital) + b4(UseNoPurch) + b5(OverPolicy) + ε.

[42] The analysis did reveal a correlation between being a music pirate and being male (p = 0.029) and also consuming MP3s (p = 0.035).

[43] p = 0.004

[44] p = 0.0018

[45] The variables accounted for were gender, MP3 users, those who purchased accounts, streaming users, and overall knowledge level of university and federal policies. The formula can be described as follows: PirateAmount = α + b1(Gender) + b2(Digital) + b3(PurchaseAccount) + b4(Modern) + b5(OverPolicy) + ε. There was a statistically significant relationship between gender and the level of participation in music piracy (p = 0.015). Also, we found that there is a positive relationship between consuming MP3s and the level of participation in music piracy (p = 0.010).

[46] p = 0.024

[47] H1: A student’s use of music streaming services does not affect whether that student pirates music (ACCEPT). H2: A student’s use of music streaming services does affect the amount of music pirated by that student (REJECT).

[48] Steve Knopper, Islands in the Stream: The 10 Biggest Holdouts in Digital Music, ROLLING STONE (Jan. 2, 2015), http://www.rollingstone.com/music/news/artists-refuse-stream-music-20150102.

[49] See, e.g., Richardson, supra note 28; Seay, supra note 37; Tyler, supra note 1.

[50] Richardson, supra note 28.

[51] See, e.g., Richardson, supra note 28; Seay, supra note 37; Tyler, supra note 1.

Search Engines under Attack: Examining the European Union’s Right to Be Forgotten (Part I)

By Tisunge (Sunga) Mkwezalamba*

Introduction

Personal data provides a legitimate business interest to an online global market.  For instance, personal data is needed for basic functions of a website operation, such as registering, retrieving individualized preferences, or making payments.  The use of personal data also improves user experience.  By collecting and storing personal data, a website can recognize visitors and respond to their preferences.  Moreover, personal data generates revenue by offering opportunities to third parties using the personal data to increase their customer base.  Generally, this is done through direct marketing.  Data privacy rights (sometimes referred to as data protection regulation) are in place to protect personal data because individuals have no control of their data after it is collected.

The European Union (EU) affords its citizens some of the strongest data privacy rights in the world.  EU citizens enjoy privacy rights so strong that they have the option to have their data disappear from the Internet.  This disappearing power is known as the “right to be forgotten”.

This paper will argue that the EU’s interpretation of the right to be forgotten is bad policy and results in bad law that burdens search engines.  Part I introduces the pieces and functions of European Union (EU) data privacy law and some underlying policies.  This section also introduces pending data privacy legislation.  The pending data privacy legislation introduces a very broad and vague right to be forgotten, which can be interpreted through Google Spain v. González, the only case precedent interpreting the right.

Part II analyzes Google Spain v. González.[1]  In González, Mario Costeja González, a Spanish citizen, sued Google to have unfavorable personal data removed from search results pursuant to EU data privacy law.  The case began in Spanish high court, but the court referred questions to the Court of Justice of the European Union (CJEU) because it was unsure whether EU data privacy law applied to search engines that provide links to lawfully published personal data.  The CJEU held that it did, and ordered Google to remove all links to González’s unfavorable information from its search results.  In its analysis, the court defined the right to be forgotten so broadly that it now covers any personal information that an individual simply considers embarrassing.  The court also reasoned that search engines, such as Google, are responsible for personal data wherever it was located on the server, regardless of how it was obtained.  As a result, this decision enlarged unforeseeable costs for search engines associated with enforcing the right to be forgotten.

Part III argues that the EU’s right to be forgotten is bad policy and bad law for four primary reasons.  First, the EU’s interpretation of the right to be forgotten does not remove access to the personal data that has been requested for removal.  Second, broadening the type of data that may be removed such as a history of bad debts is likely to lead to instability in capital markets where investments and extensions of credit are based on personal data, whether or not it is unfavorable.  In addition, removal of unfavorable personal data hurts the democratic process, which relies on such information when appointing individuals to high positions of society.  Third, as currently interpreted, the right compels large search engines to enforce the international right at their burden.  This is significant because search engines then have to create a judiciary to judge EU law where only one precedent stands and many variables exist when determining whether to remove personal data.  And lastly, the CJEU’s interpretation of the law disregards guaranteed freedoms, mainly the freedom of expression, for the right to be forgotten.

Part IV offers alternative policy and legal solutions for the EU’s interpretation of the right to be forgotten.  The first recommendation encourages online anonymity on the Internet, such as anonymous posting.  Anonymity would move information provided voluntarily outside of the EU’s definition of personal data since the definition requires that the information relate back to an individual in such a way that it identifies them.

The second recommendation discusses a draft of a right to be forgotten that would limit the right to individuals whom society and the law have a strong interest to forgive.  An example of such an individual is a minor.  This is important because a majority of requests to remove personal data is embarrassing in nature, and most individuals would prefer their past mistakes be forgiven.  However, forgiveness of past mistakes should not be afforded to every individual who is embarrassed by their past.

The concluding recommendation suggests that the EU should place the burden of determining when to afford the right to be forgotten on EU data authorities because the determination of most requests requires a subjective test, which would lead to inconsistent application by search engines.

Part I: The European Union on Data Privacy Law

The EU provides its citizens some of the strongest data privacy and protection rights, particularly when compared with the United States.  In the EU, protection of personal data is a fundamental right to privacy provided by Article Eight of the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2]  On the other hand, in the US, the specific right to privacy protection is not a fundamental right guaranteed to citizens by the Constitution.  In addition, the strength of EU data privacy law is highlighted in the policy underlying its promotion of the movement of personal data in the online global market where the collection and use of personal data generates revenue opportunities through online activities such as target advertising.  In the EU, the movement of personal data in the online global market is promoted by ensuring that processors are secure and individuals are given access to their personal data to verify, change, or erase their information.  The rationale for promoting security and access rights is based on a belief that individuals will be more willing to offer their personal data to online operators if they are confident that their privacy is secure and they are afforded access to their personal data.  In the US, in contrast, the movement of personal data in the online global market is promoted by limiting the amount of government regulation on the online market.  Thus, American laws are less voluminous than EU data privacy laws and individuals rarely have access to their personal data.  The rationale for the American style of governance is based on the belief that overregulation of markets stifles economic growth.

EU Directives on Data Privacy

In the EU, data privacy rights and the protection of personal data are governed by Directive 95/46/EC[3] and e-Privacy Directive 2002/58/EC.[4]  Collectively, they outline how an individual or entity can legally collect personal data from EU residents, the obligations that exist when using and storing the personal data, and the rights individuals have to access their personal data after it has been collected.

a. Directive 95/46/EC

In 1995, the EU enacted Directive 95/46/EC, its first directive on the protection of individuals with regard to the privacy and protection of their personal data.[5]  Directive 95/46/EC set out to follow the Organization for Economic Co-operation and Development’s (OECD) seven principles on the protection of Transborder Flows of Personal Data.  These principles ensure individuals are given notice that their personal data is being collected and for what purpose it is collected; individuals consent before their personal data is collected; data is kept secure; and subjects are given access to their personal data under certain circumstances.[6]  The underlying principle for access rights is that data subjects are in the best position to determine whether their personal data is being misused.  Thus, they should be given access to make such an evaluation.

EU data privacy law applies to an individual or legal body that determines the processing of personal data, also known as the data controller.[7]  Directive 95/46/EC defines personal data as any information that relates to a natural person, known as a “data subject.”[8]  Information relates to a data subject when it can be used to identify an individual, such as an identification number, or his or her economic, cultural, or social identity.[9]

Directive 95/46/EC applies to the automated processing of personal data and other processing of personal data that form a part of a filing system.[10]  Processing of personal data is a broad term, and is essentially “any operation performed . . . upon personal data” such as collecting, storing, altering, or erasing the personal data.[11]  A filing system is the function that controls how the personal data is stored and retrieved.[12]  A controller is the operator of the filing system.  Therefore, controllers determine the purposes for processing and must uphold certain OECD principles adopted by Directive 95/46/EC such as data security and access rights.

Article 12(b) of Directive 95/46/EC states that controllers are to provide data subjects access to “erasure” or “block” access to their personal data when “it does not comply with the provisions of the Directive, particularly because of the inaccurate or incomplete nature of the data.”  The González case discussed below narrates how the CJEU recently interpreted Directive 95/46/EC access rights to have personal data blocked or deleted into a right to be forgotten.  However, the court found that the Directive compelled search engines to delete any disfavoring personal data that has been lawfully collected, regardless of whether it is incorrect or incomplete in nature.

b. E-Privacy Directive 2002/58/EC

In 2002, the EU enacted E-Privacy Directive 2002/58/EC (“E-Privacy Directive”). E-Privacy Directive was later amended by Directive 2009/136/EC.[13]  The E-Privacy Directive was enacted to address developments in technology since the enactment of Directive 95/46/EC.  The directive provides similar coverage as Directive 95/46/EC by extending the OECD principles to the field of telecommunications.  Further, the rule acknowledges developments in the means by which controllers are able to collect and process personal data through outlining the rights and obligations with regard to the use of cookies, location data, spam, and spyware.[14]

c. The future of European Union Data Privacy Law: General Data Protection Regulation

Directive 95/46/EC and the E-Privacy Directive are expected to merge under a new EU data privacy regulation in December 2017.[15]  The proposed regulation is called the General Data Protection Regulation (GDPR).[16]

In accordance with the underlying policy for the promotion of the movement of personal data in the online global market, the new set of rules gives citizens more control over their personal data and aims to simplify the regulatory environment for businesses through unification of the current data privacy regime.[17]

Though the GDPR intends to simplify the regulatory environment for businesses while providing more control to its citizens, some provisions in the draft are already drawing a lot of attention from those who argue that the data privacy and protection laws of the EU are already constraining the online global market.[18]  Those who take a position against strengthening EU data privacy laws believe in a free market system, free from government oversight.  This position is similar to the policy underlying the U.S. data privacy regulation discussed above.

For instance, GDPR will mandate that processors hire a data protection officer.[19]  Currently, the average salary for a data protection officer is $75,899.[20]  This rule will greatly impact small businesses that cannot afford the additional costs during their developmental stages.  In addition, the rule disregards the communication costs for controllers who will be subject to new compulsory notification and access rights for which each data subject must have access to information that they can read.[21]  The EU recognizes 24 different languages, and EU citizens are to have access to documents in any of them.[22]  Ensuring that communications regarding personal data are given in any of the 24 forms creates several additional costs to controllers.

However, the most unique addition to the GDPR, and perhaps also one of the most troublesome, is Article 17’s right to be forgotten.  This provision was included to clarify the right of erasure in Article 12(b) of Directive 95/46/EC.[23]  As was previously mentioned, Article 12(b) of Directive 95/46/EC affords EU citizens a right to erasure, interpreted in González as a right to be forgotten, regardless of whether the personal data is inaccurate or incomplete in nature.

In its clarification, Article 17 of GDPR provides a definition of the right to be forgotten that is similar to the CJEU’s interpretation in González.  In González, the court held that the right to be forgotten should be afforded to data subjects when such removal is pursuant to the principles of Directive 95/46/EC.  Similarly, Article 17 states that the right to be forgotten may be exercised in several situations, including when the personal data is no longer necessary, when the data subject withdraws consent or objects, or when processing does not comply with the principles of GDPR.

Further, GDPR’s right to be forgotten includes an obligation to the controller to inform third parties who have obtained the personal data as a result of the controller’s publication or processing, or third parties whose personal data the controller has obtained as a result of the controller’s processing mechanisms.  This language is similar to the effect of the decision in González, which held that search engines were obligated to de-link access to personal data it obtained through its processing mechanics (the storing and filing of websites containing personal data) from third parties.

An analysis of the landmark case of Google v. Mario Costeja González illustrates how the EU’s interpretation of a right to be forgotten is improper and requires large search engine operators, such as Google, to decide when to enforce EU citizens’ privacy rights.

 


*Tisunge (Sunga) Mkwezalamba. University of Illinois College of Law, J.D. candidate, Class of 2016. Data privacy focus. Many thanks to Maxwell and Hilda Mkwezalamba.

[1] Case C-131/12, Google Spain v. González, 2014 EUR-Lex CELEX-LEXIS 317 (May 13, 2014).

[2] 2000 O.J. (C 364) 1, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf.

[3] Council Directive 95/46, art. 25, 1995 O.J. (L 281) 31 (EC) [hereinafter “Directive 95/46/EC”], available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en.

[4] Directive 2002/58, 2002 O.J. (L 201) 37, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:en:PDF.

[5] Id.

[6] Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013), OECD, http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf (last visited Feb. 5, 2016). The seven principles are (1) Notice, (2) Purpose, (3) Consent, (4) Security, (5) Disclosure, (6) Access, and (7) Accountability. Data subjects should be given notice when their data is being collected; data should only be used for the purpose stated and not for any other purposes; data should not be disclosed without the data subject’s consent; collected data should be kept secure from any potential abuses; data subjects should be informed as to who is collecting their data; data subjects should be allowed to access their data and make corrections to any inaccurate data; data subjects should have a method available to them to hold data collectors accountable for not following the above principles. Id.

[7] Id. at art. 2(d).

[8] Id. at art. 2(a).

[9] Id.

[10] Directive 95/46/EC, supra note 3, at art. 2(c).

[11] Id. at art. 2(b).

[12] Id. at art. 2(b)(c).

[13] Directive 2002/58/EC, supra note 4.

[14] Id. See paragraph 53 discussing traffic data; paragraphs 65, 66, and 70 addressing spyware; paragraph 68 discussing spam; and paragraph 66 for cookies. See Article 2(a)(c) of Directive 95/46/EC for more information on location data.

[15] Hunton & Williams, Hunton Releases Guide to the Proposed EU General Data Protection Regulation, HUNTON PRIVACY BLOG (May 5, 2015), https://www.huntonprivacyblog.com/2015/05/05/hunton-releases-guide-proposed-eu-general-data-protection-regulation.

[16] Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012) [hereinafter GDPR], available at http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:52012PC0011 (last visited Feb. 6, 2016).

[17] Id.

[18] Ardi Kolah, British Government Delays Progress on GDPR as EU Pressure Mounts, BRANDREPUBLIC (Jan. 10, 2015), http://guruinabottle.brandrepublic.com/2015/01/10/british-government-delays-progress-on-gdpr-as-eu-pressure-mounts; Jeremy Whitaker, The Cost of the EU Data Law, DIGITAL MARKETING MAG. (Aug. 10, 2015), http://digitalmarketingmagazine.co.uk/digital-marketing-features/the-cost-of-the-eu-data-law/2334.

[19] GDPR, supra note 16, at art. 30.

[20] Data Security Analyst Salary, SALARY.COM, http://www1.salary.com/Data-Security-Analyst-Salary.html (last visited Feb. 5, 2016).

[21] GDPR, supra note 16, at art. 12.

[22] Official Languages of the EU, EUROPEAN COMM’N, http://ec.europa.eu/languages/policy/linguistic-diversity/official-languages-eu_en.htm (last visited Feb. 5, 2016).

[23] GDPR, supra note 16, at art. 17.