Computers, Privacy & the Constitution


-- By AmaneKawamoto - 04 Mar 2013


As one of the solutions to privacy issues rising in the internet, the “right to be forgotten” is suggested and gaining support in EU and other countries.

Not really. This "right to be forgotten" is really just a clumsy metaphor for regulatory data accountability. Commissioner Redding said a stupid thing one day while mangling her briefing paper.

Here, I will consider the meaning and the position of the right to be forgotten in the context of risks arising from the cumulated personal information in the cloud.[1]

It would perhaps be more informative for the reader to drop the metaphor and discuss the underlying subject. One property of data managed accountably is that it expires, and its expiration has verifiable operational meaning. But describing that as "the right to be forgotten" conceals more than it explains.


Several risks arise from cumulated information regarding your past in both of your public and private relationships. You might get excluded from your school (or lose your job) if your school (or employer) comes to know your private behavior which was against the rule or policy of such organizations.[2] You might be refused to enter into transactions due to your activity in the past.

Also, it is obvious that the relationship between your friends and family members might get worse if your past activity is known to them. Your past will damage your self-esteem if you are feeling shame on it, too. Moreover, even if such information is not known to others yet, you have to live in fear of being found out, which must give you psychological burden.

This is a strange way to categorize risks. It isn't analytical, or comprehensive: it's just a couple of peculiarly limited observations.



The “right to be forgotten” is suggested as a legislative response which enables to delete your personal information recorded on the internet that you want to forget.

No, not at all. Here's the metaphor doing harm. You can't delete contracts you've signed, or marriages you've had, or convictions you've suffered. That's why talking about the "right" as personal makes so little sense. What is meant instead is that some data expires. That those maintaining data must accountably deal with data expiration. That there is regulatory jurisdiction to make rules and to receive audit data on compliance with the rules.

While there seems to be no universal definition of the “right to be forgotten”, according to Viviane Reding, the Vice President of the European Commissioner for Justice, Fundamental Rights, and Citizenship, the core provision of the “right to be forgotten” is explained as follows:

“If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”[3]

Which, as I said, is an idiotic statement reflecting a policy figurehead not understanding a statement written by staff. It means, as delivered, that intermediaries shouldn't keep data unless they want to.

There is, of course, a limitation of this right. Not all information you want to delete will fall within the range of this right. We also have to consider the conflict between this right and other values, including our constitutional right of free speech. Further, there are many practical issues within the right; for instance, it is not clear how the right actually could be enforced.

But all those difficulties are less difficult once you've gotten rid of the metaphor, and inquired into how data existing data governance regimes actually work.


Instead of deleting your information physically from the internet, it would be one solution to restrict certain disadvantageous actions (a dismissal, an expulsion from a school, suspension of business transaction, etc.) based on your behavior in the past.

Legally, we can arrange such restriction, for example, as a rule of evidence; no one shall give disadvantageous treatment based on information (including any derivative information collected based on such information) which falls within the scope of the right to be forgotten.

Thus making every adjudication of every factual issue in each litigation depend not only on the evidence adduced, but also on a determination as to each item of evidence whether its existence has been vetoed by the adversary? Are you sure you've thought through the consequences of this suggestion?


Considering that removing your personal information completely would be quite hard once it has been disseminated, avoiding such situation in advance would be a reasonable answer.

Ethically speaking, I believe that we should be more cautious about posing information in the internet among others when such information contains someone else’s data. We might also be more reluctant to allow our friends to record any information about us (e.g. taking photos).

In the legal context, a cyber-law scholar in Japan proposes that we should establish a right to refuse digitization of our personal information.[4] We can by no means know what kind of risk will arise in future from our personal information in the internet. We cannot predict precisely how serious the risk would be and cannot determine whether we would be able to accept such risk. Each individual’s decision to refuse digitization of his/her personal information with or without any cause should be respected as a fundamental human right in this century.

But that's nonsense, right? How could a decision that can only be made or unmade _en bloc_, with respect to everything, make any operational difference? Everyone will find it necessary, sooner or later, for one or another reason, to permit digitization of data. Probably after approximately one nanosecond, since no financial system on earth can continue to do business with ink on paper. Then the regulation has terminated, and no data accountability at all has resulted.


If your personal information remains in the cloud and cannot be deleted, it is reasonable to seek a way to separate that information from your identity. This may sound extreme; however, a similar system of changing one’s identity already exists; two guys in England who killed two-year-old boy when they were at the age of ten were given new identities when they were released.

Legally speaking, we can consider a right to change one’s identity if your personal information remaining in the cloud will damage your character seriously. It may become common to change your identity a few decades later.

What sort of solution is that? Families will dissolve and children will change parents? How is this a more sensible suggestion than simple data accountability regulation?


To cope with the issues regarding your private relationships, becoming tough enough to pay no attention to your past and ignore any reaction of others to your past seems to be an answer. Just laugh at your behavior in the past! Ignore what your frineds will think about it! Do not care about what your fiancée did before! This is not a “solution” but an acceptance of situation; however, I cannot help but believing that such cognitive adjustment will be inevitable.


The right to be forgotten is understandable as a legal measure to deal with risks arising from your personal information in the internet. While we should further develop the theory of this right, it is necessary to deal with this risk from a broad set of perspectives together with other measures, not only legal ones but also ethical approaches and cognitive adjustments.

If you lose the metaphor and reconsider this in light of architectures for information accountabiility, I think the next draft will be more informative and closer to reality.

1 For the purpose of this paper, I will focus on issues other than surveillance.





Webs Webs

r3 - 14 Jan 2015 - 22:44:39 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM