Where Next for the Right to Delete: Stepping Out of the Shadow of the Right to be Forgotten.

• Author: Harrison, Alan

TABLE OF CONTENTS I. Introduction 321 II. Background 322 A. The Right to Be Forgotten 323 1. The European Origins of the Right to Be Forgotten 323 2. A Rough Landing: The Right to be Forgotten in the United States 326 B. The Right to Delete 329 1. The Right to Delete as Discussed Before the California Consumer Privacy Act 329 2. The Right to Delete as Shaped by the California Consumer Privacy Act 330 C. Contrasting the Right to be Forgotten and the Right to Delete 332 III. Analysis 334 A. The Harm of No Standard Technical or Legal Definition of "Delete" 334 1. There is No Standard Legal Rule Governing Deletion and Data Disposal 335 2. The Right to Delete is Opposed to the Core Design of Legal and Technical Data Disposal Rules 337 3. Technical Definitions and Methods of Deletion Vary 339 4. Recommendations 340 B. The Risk of De-identification Exemptions to The Right to Delete 341 C. An Alternative Path: Market Incentives To Collect & Retain Less Consumer Data 343 IV. Conclusion 344 I. INTRODUCTION

In 2018, California enacted the California Consumer Privacy Act ("CCPA"), granting California consumers a number of rights against data-holders to give them "more control over [their] personal data." (1) One of these rights is the right to request that a business or organization delete one's personal information. (2) Concerns linger regarding how to implement the statute's right to delete ("RTD"); of particular concern are the numerous exceptions to the right. (3) Other states have enacted their own state privacy statutes with Virginia, Colorado, and Utah all including the RTD with similar exemptions within their state privacy bills. (4)

While the RTD has been gaining traction in current and pending privacy bills in the United States, there has been little focus on its scope, effect, and technical implementation. This Note delves into the RTD with the intent of analyzing its immediate limitations that prevent the right from realizing its full effectiveness within a consumer privacy regime of rights.

The first step in analyzing the RTD in its current form is to clearly define the right. Imbedded with that step, however, is an antecedent step of distinguishing the RTD from the right to be forgotten ("RTBF"). The RTD (which is the European functional equivalent to the right of "erasure") is often either conflated with the RTBF or analyzed in relation to the RTBF. (5) While they share similar characteristics, in part because of the technical nature of implementing each right, they are clearly distinct rights with different purposes.

The second step for this Note--once the RTD has been clearly distinguished from the RTBF--is to address the most critical issues that will help ensure the effectiveness and full scope of the RTD. The most significant issue is the lack of standardization in the definition and the technical process of "deletion" once a consumer submits a request to an entity to delete their personal data. This lack of consistency stems from the variety of state data disposal laws (which will control in each state that passes a state privacy law) and the absence of a standard definition of deletion within privacy bills that aligns with technical definitions of deletion. Almost as critical is the issue of exemptions to consumer requests to delete personal data when an entity deidentifies (or pseudonymizes) personal data in lieu of deletion. This Note suggests that this exemption grants a false sense of security to the consumer and potentially defeats the purpose of the RTD due to recent leaps forward in reidentification science. Thus, consumer deletion requests that are exempted in this way defeat the purpose of the right, which is to shift the balance of control over privacy towards consumers and away from data holders.

2. BACKGROUND

   This part of the Note will discuss the scope and contours of (1) the RTBF's European origin and its unsuccessful story in the United States; and (2) the RTD as established within the CCPA and subsequent U.S. state privacy bills. A contextual approach is necessary to distinguish the RTD from the RTBF and to map the similarities and differences between them. By distinguishing the two rights, it becomes clear that the act of deletion serves a different purpose within each right. Whereas the RTBF views the act of deletion as a mechanism to achieve the substantive goal of digitally forgetting data (akin to human memory's natural retention limitation), the RTD views the act of deletion as the goal itself in order to empower greater consumer control over one's personal data.

   1. The Right to Be Forgotten

      1. The European Origins of the Right to Be Forgotten

         The ambiguity of distinguishing between the RTBF and the RTD is in part due to terminology used to describe the evolution of the RTBF prior to (and during) the digital age. As recently as 2010, a European Commission Communication described the RTBF as "the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes." (6) The RTBF addresses the indefinite retention of digital information to theoretically grant a "dimension of oblivion, granting individuals a 'fresh start.'" (7) A natural tool to redress this harm is data deletion, whether cyclical and automatic or on an ad hoc and individual basis. The animating policy argument is that in the digital age, society must actively delete (and thus forget) information in order to mitigate the societal consequences created by external memory, which makes it cheaper to remember than to forget. (8) This need, advocates argue, has been amplified with trends such as "smart" devices extending from TVs, to doorbells, to lightbulbs that can integrate into Google Home-, Siri-, or Alexa-enabled networks. (9) To address this data permanence and restore digital memory to levels comparable to pre-digital society levels, digital storage devices (e.g., cameras, cellular devices, or computers) "should automatically delete information that has reached [a designated] expiration date." (10)

         The RTBF itself can be traced to French law, which recognizes le droit a l'oubli (the "right of oblivion," which allows a convicted criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration), (11) as well as the Italian diritto all'oblio (which has been described as "the right to silence on past events in life that are no longer occurring"). (12) Similar rights developed in the jurisprudence of other European countries over the 20th century. In the United Kingdom, for example, the Rehabilitation of Offenders Act of 1974 reflects a principle of this right in the rehabilitation of past offenders. (13)

         The RTBF, while not explicitly stated, can also be found by implication in various German legislation and jurisprudence. In 2013, German courts found that the RTBF, as an extension of the modern right to data protection under the Data Protection Directive of 1995, could be sourced not only from the idea of privacy, but also the German constitutional right to self-determination. (14) Specifically, the German Constitution guarantees that "every person shall have the right to free development of his personality." (15) Prior to the Data Protection Directive, in 1984, the Federal Labor Court linked the constitutional right of self-determination to the conventional European RTBF. (16) The court addressed whether a person had a "right to erasure of data that the data subject had disclosed himself" and held that a "job applicant's right to informational self-determination would be violated if a company who denied the applicant kept his or her data indeterminately." (17) The Federal Labour Court's ruling built on the decision in "Lebach I," where the German Federal Constitutional Court in 1973 reviewed a challenge by a murder convict against a television station for a documentary production that allegedly impinged the plaintiff's rights of personality and self-determination. (18) The court was asked to balance two competing constitutional rights: (1) the "freedom of the media under Article 5 of the Basic Law," and (2) the "personality rights of the convicted criminal under Article 2." (19) In Lebach I, the court held the encroachment of freedom of information "should not go any further than required to satisfy what was necessary to serve the public interest," opining that reports of events long since passed have less public interest if they pose new disproportional risks and "endanger[] the social rehabilitation of the criminal who has" a conviction. (20)

         In 1995, the European Council passed Directive 95/46/EC (the "Directive") regarding the "protection of individuals[']... processing of personal data." (21) The Directive did not expressly include the right to be forgotten. Nonetheless, in 2014, the Spanish High Court asked the Court of Justice of the European Union ("CJEU") to determine "the scope of the right of erasure and/or the right to object, in relation to the 'derecho al olvido' ("RTBF")" under the Directive. (22) In Google Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (hereafter "Google Spain"), the CJEU considered whether the Directive created a right of erasure of true (but prejudicial) information that the subject "wishes... to be 'forgotten' after a certain time." (23) In the original complaint, Mr. Gonzalez argued that under the Directive, "fundamental rights to the protection of those data and to privacy--which encompass the 'RTBF'--override the legitimate interests of the operator of the search engine and the general interest in freedom of information." (24) The CJEU found that the Directive's fundamental privacy rights included the right of a private citizen to request that his or her private name be removed from lists of "links to web pages published lawfully by third parties and containing true information...