In 2019, Jane Slater found out that her (now-ex) boyfriend was cheating, after noticing repeated spikes in his Fitbit heart rate data at 4 a.m. whenever he was not home. In 2020, a civilian employee at Fort Bragg used the Army Installation’s official Twitter account to publicly reach out to an OnlyFans model. Later that year, a high school student seeking medical advice accidentally posted a picture of her morning constitution for the entire school to see. These are but a small sampling of the cavalcade of embarrassing bits of data collected by the Internet. While these sometimes disturbing disclosures seem trivial in the moment, they highlight a critical problem in our increasingly digital society. Giving people the ability to erase embarrassing escapades from digital existence comes at a cost — free speech.
To address the relentless deluge of technological advances, there are two prominent legal approaches. The first, exemplified by the European Union, prioritizes consumer protections. Under this strategy, EU citizens can delete practically any and all digital data about themselves. Under the second approach, the United States prioritizes free speech over national laws regulating online activities to protect consumers’ digital data.
The primary problem for legal systems is that these two approaches are mutually exclusive. For example, the EU’s strategy would allow Susan Boyle to protect her privacy by requiring people to take down posts promoting her album with an unintentionally risqué hashtag, but doing so restricts the free speech of those who find the hashtag’s accidental meaning amusing. On the contrary, favoring free speech means Boyle cannot prevent people from seeing search results that question what type of party she actually promoted.
To understand whether American citizens will ever be able to permanently purge from the Internet that embarrassing picture they took “dabbing” at a party while wearing a pukka shell necklace and crocs, it is important to know why this data creates an issue in the first place. We can then analyze how the EU addressed it through their consumer protection approach. Next, we can investigate why an identical approach may be impossible in the United States. Finally, despite this challenge, we can consider how America could still recognize the “right to be forgotten.”
Google is not just a search engine. The tech powerhouse is a well oiled machine that leverages the data it collects through its various products to run a highly lucrative ad service that is personalized to each user. This process is how a one-off search to buy a cookbook entitled Microwave Cooking for One leads to a month-long torrent of ads for dating websites, HelloFresh subscriptions, and an assortment of therapists. That one search shared information about someone’s life that online companies use to better target that individual through advertisements and services. In fact, each and every interaction with the internet shares something about ourselves. Posting pictures can share your location, friends, and schedule. Using fitness devices reveals information about your health. Clicking on this article highlights your great taste in writing.
Alone, these pieces of information are harmless. Together, they paint a complete picture of a person, right down to the most private aspects of who they are. In her United States v. Jones Concurrence, Justice Sotomayor described the threat of using data collected through people’s interactions with the Internet to piece together clear pictures of individuals. Despite being more than a decade old, Justice Sotomayor’s analysis aptly describes the primary privacy problem posed today. By compiling genetic information from various databases, law enforcement successfully identifies criminals without obtaining a warrant for their DNA. Social media companies use data to make their products individually addictive for each user. Bars pool data on patrons to deny service to any customers who might act disorderly based on their previous behavior at other bars. Employers skim social media accounts and other pieces of digital information to determine whether they want to hire an applicant before they ever meet.
Essentially, once someone interacts with the Internet, they lose control over any data collected from that interaction. They lose any right to privacy for that data. Even when people do not interact with the Internet, they can still lose this right if someone else shares the same information. For some topics — such as the cookbook — this is no big deal. But others — like smart watches sharing your health data, apps sharing information about your sexual orientation, and smart phones sharing the location of the top secret military base you work at that you are not even allowed to tell your mother about — represent people losing their right to privacy for things they may not even share with those closest to them. But once this right is gone, is it possible to regain it?
The Ballad of Mario Gonzalez
There once was a man in Spain named Mario Gonzalez. Mario was dismayed to find the first results that appeared when anyone Googled his name were about his recently foreclosed and auctioned home. Unlike the aforementioned Fort Bragg employee, Mario was concerned that his digital data might hurt his reputation. So he sued Google to remove the search results. In Google Spain v. Agencia Española de Protección de Datos, Mario presented the Court of Justice of the European Union with the issue of whether companies have the right to publicly display citizens’ data against their will. The court ruled for Mario, holding that there is a “right to be forgotten.” This meant that EU citizens could require companies to delete any digital data about themselves. In other words people could require Instagram to remove the horrifying pictures that their high school prom date posted to celebrate the ten year anniversary of the one dance they spent together.
To more permanently enshrine this right, the EU ratified the General Data Protection Regulation (GDPR) in 2016 and began enforcing the provisions in 2018. The law requires companies to alert consumers about how their data is collected and used in a way that is easy for people to understand. It also gives consumers the right to delete their data and opt out of collection. However, the “right to be forgotten” is not without drawbacks. Protecting this right means allowing people to control what others can say or post online; it means giving people the power to restrict others’ right to free speech. For example, the aforementioned subject of the ten-year-promaversary photos could restrict the poster’s – likely named Alex Forrest – free speech right to digitally publicize pictures of the pair together.
Free Speech, Restricted Privacy
The United States adopts the opposite approach. Free speech is so important to the foundation of America that it is protected by the First Amendment. For this reason, any law that recognizes a “right to be forgotten” would be dead on arrival. Only on rare occasions has the Supreme Court upheld restrictions to the First Amendment. In Schenck v. United States, the Court held that the First Amendment does not protect speech posing an impending threat. In Morse v. Frederick, the Court upheld a school policy prohibiting students from displaying a banner that read “BONG HiTS 4 JESUS” because the policy protected people from illegal drug use. Therefore, the government could only require people take down pictures without violating the First Amendment if the pictures posed an imminent threat to safety.
However, Americans’ right to privacy still has protections. In Katz v. United States, the Supreme Court held law enforcement officers need a warrant when a search or seizure infringes on someone’s reasonable expectation of privacy. In Riley v. California, the Court recognized that individuals have a reasonable expectation of privacy over their digital data under certain circumstances. But these rulings only protect Americans from the government; unlike the GDPR, they do not prevent invasions of privacy by the private sector.
Many states passed laws to fill this legal gap. As of 2022, six states have digital privacy protections against the private sector. These laws give consumers more control over their data but stop short of recognizing the “right to be forgotten,” partially because it infringes on free speech. Consequently, it seems that any attempt to protect consumers from data collection must uphold free speech.
Since a new law or precedent would likely violate the First Amendment, the best way to create EU adjacent protections of American consumers against the private sector must ironically start with the private sector. Whereas case law provides that the government can only restrict free speech in limited circumstances, private businesses are under no such obligation. They are free to adopt practices identical to the ones required by the GDPR. Pursuing this avenue would give consumers control over their data without violating a key constitutional protection.
A concerned reader might ask how this change will occur without a law to ensure companies comply. The short answer is through economics. So long as privacy is an important priority for consumers, companies are incentivized to offer products with privacy protections in order to keep attracting buyers and making money. This trend is already visible. In 2021, the Wall Street Journal predicted that Apple’s sales would jump compared to its rivals because of an upcoming plan for the company’s products to emphasize consumer privacy. By 2022, Apple’s strategy fully came into effect through ad campaigns that promoted the data privacy of iPhones and other new pieces of technology, such as giving users the ability to delete text messages they sent that were already on someone else’s phone. Just as the Wall Street Journal predicted, Apple’s sales jumped above its competitors because the iPhone 14 was the highest selling smartphone of 2022 in the US despite only being released in September.
Although this solution may not bring change as quickly to America as the EU’s approach, it still protects consumers while upholding the important constitutional right of free speech. Recognizing the “right to be forgotten” through private companies will ultimately achieve the same goal as the GDPR by allowing people to delete harmful digital data. More importantly, this strategy will finally allow the stars of The Grand Tour to delete from the Internet their ill-conceived promotional campaign.
Author Biography: Ben Gould is a moderator of the International Law Society’s International Law and Policy Brief (ILPB) and is a J.D. candidate at The George Washington University Law School. He has a B.A. in Political Science and Communication from the University of Southern California.
Editor: Samantha Hoover