Conducted and Transcribed by Nashi Gunasekara (SC ’19)
Helene Jackobsen and Ulrik Graff are professors at the Danish Institute of Study teaching Online Surveillance, Privacy, and Cybersecurity. Jackobsen earned her Masters in Law at the University of Copenhagen in 2014 and is the Head of Section, Danish Defense Command. In different capacities, Graff has served as a legal advisor to the Danish Defense since 2006 focusing on international and human rights law.
CJLPP: Do you think the right to be forgotten should be a universal right?
Jakobsen: I believe the right to be forgotten already exists within the right to privacy and the right to personal data, which is found in the European Convention of Human Rights.
Graff: The right to be forgotten should be seen as an aspect of the right to privacy, which is already a universal human right. So, I think it depends on what your definition of the right to be forgotten is. I think aspects of the right to be forgotten are already protected under the right to privacy. However, I think it is important to take into consideration the context and the content in question. For example, if there’s a politician who has a lot of content about him—newspaper articles, etc.—I think if he were to request to be forgotten online with respect to articles with his name and etc., I don’t think there is such a right because that is newsworthy material. I do not think you have a right to be forgotten in that sense. Even in a wrongful article, even if it has an aspect of newsworthiness—I do not think you have a right to be forgotten.
CJLPP: What is the typical process of exercising this right?
Graff: The GDPR [Global Data Protection Rights] outlines the different mechanisms an individual can go through to ask private companies to delete any data and content that they may have on him/her. If they don’t have a legitimate reason to have that data on him/her, then that individual can request for the private company to remove that data. In this case, individuals have a higher degree of protection, but it is more administratively difficult for to go through that process. For example, I can go to Google and ask them to block access to different kinds of content on me or I can go specifically to public administration and private companies to actually get that content deleted, which is a much more involved process.
CJLPP: What are the current policies in place that either infringe on or support the right to be forgotten?
Graff: In Europe, we have the Global Data Protection Rights (GDPR) and you have the case from 2014 concerning the right to be forgotten, which are the two forces driving this field of data protection and privacy.
There are policies in place that urge private companies and public organizations to sanitize the data they already have on file. An example of this would be requiring private companies to delete data that they no longer need. If I am working at a private firm and they have acquired this data on me from performance reports, general administrative data, or what have you, as soon as I quit that job, that company is obligated to delete my data from its archives.
However, it is difficult to know how long companies actually need that data for. For example, if you are a headhunting company and have ten candidates for a single position, at the end of the recruiting process, the company will have nine datasets of those who did not get the position. However, some companies will want to keep this information on file for future openings and so on. You see companies more and more trying to negotiate this regulation on how long they are able to retain this information before destroying it.
The same holds true for public organizations. If the police had investigated me for a crime and it had either been acquitted in a court of law or the investigation was put down because they found that I was not suspect anyways, law enforcement agencies would have an obligation to delete the data they had collected on me during that process.
CJLPP: For what reasons do you think individuals would want to be forgotten on the internet? And who makes up the profiles of these individuals?
Graff: Individuals like you and me have social media profiles that produce a lot of data. If I wrote something on a friend’s wall years ago and I no longer believe in that sentiment, I would have the right to have that removed. Even if we don’t have a social media profile ourselves, one of our friends might. Say that my friend posts a picture of me partying that I would rather not have online. I could request to have that piece of data on me removed. This right to be forgotten is especially relevant in the private sphere, but can also be exercised in the public space as well.
Jakobsen: They are primarily private individuals. Criminals are often wary of being detected and, therefore, take the necessary precautions to protect their identity and data online. However, they could also be politicians, business people, or celebrities—basically any individual who has content about them that they want gone.
CJLPP: So if these new regulations are made to protect individuals, why do you think some individuals are against the right to be forgotten?
Jakobsen: I think that private companies would be the primary actors against the right to be forgotten. Many companies will earn money on personal data that is published online and customizing commercials from that retrieved data. So, I think private actors like companies are against the right to be forgotten because they would lose money. Of course, the right to be forgotten could also affect private individuals. The right to be forgotten also conflicts with freedom of speech and that includes the right to receive information. So, if I were to make a request to remove all my personal data online, that means other individuals would no longer be able to access that information on me. And there are individuals who would see this as a problem.
CJLPP: Do you think that there is a difference between the right to be forgotten and the right to be anonymous? And if so, what is it?
Jakobsen: The right to be forgotten is pertinent in terms of data you have uploaded yourself, whereas the right to be anonymous is publishing data of yourself while being protected under anonymity.
Graff: I do not think there is a right to be anonymous online. You do not have a right to be anonymous out in the physical world, so I do not think it applies online either.
With the right to be forgotten, if you do or say something you regret out in the physical world, you say it and do it with the people around you in mind. Whereas the internet is different in that if a video is taken of you out in the physical world and then posted, the reproduction of that video is persistent in a way that is not seen in the physical world. So, I think that is why you can contrast the right to be forgotten with the right to be anonymous in regards to its physicality.
The right to be anonymous conflicts with many more human rights than the right to be forgotten because you would be able to conduct criminal activities and such online without ever being held accountable. Being anonymous online also exempts individuals from consequences, which I do not think individuals have in the physical world. In the physical world, you might not be caught for conducting criminal activities, but there is always the risk of being detected.
CJLPP: What do you think the economic implications, if any, that the right to be forgotten will have?
Jakobsen: There is a reason why private companies sell personal data. For example, when you use Snapchat and send a picture, Snapchat claims that it has the right to this picture and can actually sell that picture to a third-party. I would assume that this is because Snapchat and other companies are profiting in some way—most likely through advertisements. I mean Mark Zuckerberg is the fifth richest person in the world and it does not cost a thing to be on Facebook, but I suppose you pay with your personal data.
CJLPP: What do you think are the political implications, if any, that the right to be forgotten will have?
Jakobsen: It is a balance between the protection of the individual and the protection of the state. And with these expanding counter-terrorism laws, I think discussion over individual protection and state protection with regards to being forgotten online will be one that the politicians will have to prepared for in the upcoming years.
CJLPP: How do you think stakeholders should navigate this conversation?
Jakobsen: I think they should start with discussing this as an international issue. Cyberspace moves across borders and most of the webpages we use have servers in other countries, so it is important to have regulations that apply to a broader range of countries.
CJLPP: Why do you think stakeholders are hesitant to have a conversation about the right to be forgotten?
Graff: It takes a lot of resources to enforce rules that permit individuals to request being forgotten online. If you open the doors and make it more accessible for people to write to companies and say, “hey what data do you have on me? I want it gone,” it would take a lot of resources to protect these rights. But then again, it is a really bad look to allow companies to essentially hoard people’s data and keep it forever without any room for transparency or agency. So, I think this is why you will often see private and public stakeholders skirting around the topic.
CJLPP: Do you think the right to be forgotten conflicts with any other human rights? If so, what are they?
Graff: The right to be forgotten could be seen as under the umbrella of the right to privacy. And the right to privacy sometimes conflicts with freedom of expression—especially when it comes to the press. When it comes to the press—at least in a democratic society—freedom of press has a higher degree of protection than individual expression because of the important role the press often plays in society as a fourth state power.
CJLPP: How does the right to be forgotten pose a threat to everyday individuals? National security?
Graff: Obviously if you take the right to be forgotten to its greatest extent, where you can have virtually every piece of data about you removed from the internet and destroyed, this can pose a threat to individuals and national security. For example, if someone is committing or planning to commit terrorist activities, then wants to write to the CIA and say “I have a right to be forgotten please delete all the data you have of me”—that would obviously pose a threat to national security. And for this reason, there are regimes that exempt certain government agencies and law enforcement agencies from deleting data for national security purposes.
