I. INTRODUCTION
Despite the increasing prominence of data protection law, its status within or outside of privacy law remains contested. Most problematically, data protection law protects ‘personal’ rather than ‘private’ information, and so is, from the outset, directed at public personal information, or personal information which has become public to some extent. The argument made in this article is that data protection law is not an awkward off-shoot of privacy law properly so called, but rather a manifestation of the Continental European culture of privacy and reflects its robust openness to privacy-in-public. The discussion takes as its starting point James Whitman's comparative privacy studyFootnote 1 which situates the heart of American privacy culture in the literal ‘inner space’ of the home (building on its English common law roots) and the heart of Continental European privacy culture in a metaphorical ‘inner space’ in public.Footnote 2 The latter culture recognises privacy-in-public but the former does not. Although these two cultures share much common ground and have long been intermingled in different jurisdictions, this article shows their enduring difference in three contemporary privacy regimes. Using the right to be forgotten as an example of data protection law and its orientation towards privacy-in-public, it assesses the comparative openness to such claims, first, of the Court of Justice of the European Union (CJEU) as the authoritative voice on data protection law normativity; secondly, of the US judiciary and its commitment to the First and Fourth Amendment, and, thirdly, of the European Court of Human Rights (ECtHR) under Article 8 of the European Convention on Human Rights (ECHR) and its fusion of Anglo-American and Continental European privacy jurisprudence. The Strasbourg jurisprudence in particular highlights the tensions arising from trying to marry these two privacy traditions, or of merging data protection and ‘privacy’ law. At the same time, these tensions also offer—as encounters with ‘foreign’ normativity—insights and opportunities.
The wider context for the discussion lies in twenty-first-century socio-technological developments which have enormous potential for intrusion into privacy and which may be categorised into forms of overt and covert information practices. Overt information or data practices refer to digital disseminations and disclosures, such as revelations on social media or search results, that can have significant consequences for individuals.Footnote 3 As early as 1998 Lasica reflected on the repercussions of personal information being accessible online across time and space: ‘Our past now follows us as never before. For centuries, refugees sailed the Atlantic to start new lives; Easterners pulled up stakes and moved west. Today, reinvention and second chances come less easily: You may leave town, but your electronic shadow stays behind.’Footnote 4 For Rosen, the web's memory is ‘threatening, at an existential level, our ability to control our identities’ and is profoundly at odds with the individualism that emerged in the Renaissance and with it the ‘new conception of malleable and fluid identity’ as expressed ‘in the American ideal of the self-made man’.Footnote 5
Since then the argument in favour of a right of information bankruptcy,Footnote 6 or giving individuals a second chance, has been answered in the European Union (EU) by the right to be forgotten, first, in the judgment of the CJEU in Google Spain Footnote 7 and then, explicitly in the right to erasure, or the right to be forgotten, in the General Data Protection Regulation (GDPR).Footnote 8 This right allows individuals to ‘edit’ their online profiles when the internet has not forgotten that which ought to have been forgotten. Like a spent conviction, data is to be considered ‘spent’ if it is ‘inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed’.Footnote 9 In the US, however, this right has not been legally recognised, as from a US perspective it is not for the State to facilitate such reinvention (as discussed below).
These approaches are reversed when it comes to covert information practices, or the ubiquitous and surreptitious collection, aggregation and analysis of personal data, including governmental surveillance. Here it is the EU that is moving towards creating governmental backdoors into encrypted data,Footnote 10 as shown by its relatively permissive stance towards bulk surveillance. In Big Brother Watch v UK Footnote 11 which concerned the legality of the US National Security Agency (NSA) and UK Government Communications Headquarters’ (GCHQ) surveillance programmes as revealed by Edward Snowden, the ECtHR held that bulk interception is not per se illegal—thus dispensing with the requirement of ‘reasonable suspicion’ for targeted interception—as long as it is justified by the need to protect against security threats and is accompanied by end-to-end safeguards against abuses of power.Footnote 12 It took a dissenting judge to make the point that the shift ‘from targeting a suspect who can be identified to treating everyone as a potential suspect, whose data must be stored, analysed and profiled … is more akin to a police state than to a democratic society’.Footnote 13
Similarly, in La Quadrature du Net and Other Footnote 14 and Privacy International Footnote 15 the CJEU held that although ‘general and indiscriminate’—or bulk—retention or transmission of personal data is unlawful under the EU Charter of Fundamental Rights,Footnote 16 bulk data retention may be justified to prevent ‘activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities’.Footnote 17 These cases appear to close the door to indiscriminate State surveillance, yet in fact they leave it slightly ajar.
Meanwhile, the US responded to the Snowden revelations with the rather more pro-active and decisive step of the US Freedom Act 2015Footnote 18 that ended the governmental bulk surveillance programme of domestic telecommunications metadata and implicitly attests to quite how profoundly State surveillance jars with the American ideal of individual liberty.Footnote 19
The distinction between overt and covert information practices and resultant privacy threats, and the differences in the EU and US responses to them, roughly map onto the two Western cultures of privacy as set out in Whitman's comparative study. Yet, in so far as the EU and US responses affirm the continued presence of these cultures, they also contain the seeds for questioning their standing as insular responses to privacy threats that are transnational in nature and the validity of their underlying assumptions. As demonstrated in the discussion in the second half of the article on the right to be forgotten, the traditional legal cultures of privacy have, for quite some time, been challenged, reconfigured and even been displaced in response to changing informational demands, as well as economic or political changes.
II. TWO PRIVACY CULTURES AND THE ‘INNER SPACE’
There is a rich and complex jurisprudence on the concept of privacy, grappling both with the great variety of privacy interests and claims (for example, reproductive decisions, sexual orientation, surveillance, pollution, gun ownership, data protection, corporal punishment, search and seizure, to mention just a fewFootnote 20) and stark differences in cultural sensitivities about what is or is not ‘private’ and thus what ought to be protected.Footnote 21 This article builds on Whitman's framing of privacy around two dominant cultures which have emerged from divergent preoccupations in Western legal thought and which are located within ‘much larger and much older differences in social and political traditions’: one centres around liberty and the other around dignity. Footnote 22 The value of liberty is key to understanding the American privacy culture, whilst dignity underlies the Continental European one. These two values help explain the comparative differences as well as congruencies and overlaps between the two privacy traditions.Footnote 23 Even in their differences, both traditions seek to establish a literal or metaphorical inner space for self-authorship or self-sovereignty.
A. The Anglo-American Literal ‘Inner Space’
Whilst Whitman speaks of an American culture of privacy as being preoccupied with the home as the site of protection, the inviolability of the home as a place of security and liberty has a far longer common law history in England—a sentiment which would have chimed with early American settlers. So, the discussion here refers to the Anglo-American culture of privacy which goes as far back as Semayne's Case (1604)Footnote 24 which dealt with the power of the Sheriff to enter a house at the suit of a common person,Footnote 25 and in which Edward Coke captured the idea of the inviolate home:
That the house of every one is to him (a) as his castle and fortress as well for his defence against injury and violence, as for his repose … [E]very one may assemble his friends and neighbours (d) to defend his house against violence: but he cannot assemble them to go with him to the market, (e) or elsewhere for his safeguard against violence: and the reason of all this is, because domus sua cuique est tutissimum refugium [everyone's house is his safest refuge].Footnote 26
‘My home is my castle’ encapsulates the traditional common law understanding of privacy, even if not under that label.Footnote 27 In the home one has a right to be free from outside interferences, clearly articulated in terms of privacy in the US case of Katz v US: ‘a man's home is, for most purposes, a place where he expects privacy, but objects, activities, or statements that he exposes to the “plain view” of outsiders are not “protected” because no intention to keep them to himself has been exhibited’.Footnote 28
The home may be understood as an extension of the body, its armour or protective shell, which has constituted another core sphere of inviolability.Footnote 29 These intermeshed spheres of inviolability or non-interference have long been recognised and protected through civil causes of actions, such as trespass to land and trespass to the person, which are actionable per se, as the interference is itself the injury. In addition, traditional common law has also long protected secrets through breach of confidence actions, and these can be personal or trade secrets. Where such claims concern personal information, they again generally concern a person's home or body.Footnote 30
The idea of a person's seclusion from society within their home also lies at the heart of various theories seeking to explain privacy, such as those centred on the ‘intimate sphere’Footnote 31 or the right to be left alone.Footnote 32 By extension, claims to privacy in public places, such as having one's photograph taken by a stranger in a public street, are not easily accommodated within this common law view of privacy.Footnote 33 Feinberg observed: ‘My personal space, however, diminishes to the vanishing point when I enter the public world. I cannot complain that my rights are violated by the hurly burly, noise, and confusion of the busy public streets; I can always retrace my steps if the tumultuous crowds are too much for me.’Footnote 34 Such a retreat is, of course, to the home.
Whilst pursuant to Semayne's Case ‘the liberty or privilege of a house doth not hold against the King’,Footnote 35 William Pitt, the Earl of Chatham, famously reasserted the maxim in 1763, albeit in rather different terms:
The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail—its roof may shake—the wind may blow through it—the storm may enter—the rain may enter—but the King of England cannot enter—all his force dares not cross the threshold of the ruined tenement.Footnote 36
It is this idea that the main threat to privacy comes from the State whose powers are presumptively restricted to the public realm, that is the realm outside the home, that has resonated most strongly in America. Although privacy as such is not explicitly recognised in the American Bill of Rights, it has emerged from an array of constitutional guarantees, all of which are directed against State exercises of power. The most important of these is the freedom from unlawful search and seizure, found in the Fourth Amendment: ‘The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated …’.
Whitman argued that ‘in forbidding the government to seize the documents of a merchant in a customs case, the Supreme Court [in Boyd v US Footnote 37] … issued an aggressive declaration of the “sanctity” of an American home’Footnote 38 and thus that ‘the standard history of modern American privacy rights should really begin, not with Warren and Brandeis's distant and dim echo of Continental ideas, but with Boyd v United States, four years earlier’.Footnote 39 The anti-State focus of American privacy is deeply inscribed with the settler mentality of self-reliance, self-rule and distrust of government. In this citizens-versus-government conception of privacy, governments cannot be trusted to not interfere unduly with individuals and thus their power must be curtailed. Privacy as liberty thus consists of liberty from government to emphasise the liberty to govern oneself, or self-sovereignty, with the home as the archetypal place where a person is their own master.
B. The Continental European Metaphorical ‘Inner Space’
In the Continental European culture of privacy, privacy does not attach to the home as the sacred space but is—as part and parcel of wider personality protection—preoccupied with one's public image as the foundation for self-authorship.Footnote 40 This view of privacy is at least as concerned with one's treatment within society as it is with one's entitlement to withdraw from society. It is not about seclusion per se but rather about controlling one's image in the public realm. Recognising the social context of individual flourishing, this conception of privacy sets boundaries to an individual's treatment in the public domain where such treatment fulfils ‘no reasonable social purpose and serves only to provoke a scandal and personal humiliation …’.Footnote 41 Here privacy is functionally delimited through the personal nature of the information.Footnote 42
Continental privacy is thus understood in terms of informational self-determination,Footnote 43 and protects a metaphorical ‘inner space’ against unwanted exposure. This conception of privacy guards against the threat of public in-dignities. In other words, dignity in public is the core value that underlies the Continental European culture of privacy. Its historical background lies in the strict hierarchical nature of European societies, where public humiliation was used as a tool of disempowerment. In The Politics of Humiliation: A Modern History,Footnote 44 the historian Ute Frevert shows how a gradual shift from humiliation to dignity occurred in Europe from the early nineteenth century:
[A]s lower-class people increasingly objected to disrespectful treatment … [they] used the language of honour and concepts of personal and social self-worth—previously monopolised by the nobility and upper-middle classes—to demand that they not be verbally and physically insulted by employers and overseers. This social change was enabled and supported by a new type of honour that followed the invention of ‘citizens’ (rather than subjects) in democratising societies. Citizens who carried political rights and duties were also seen as possessing civic honour. Traditionally, social honour had been stratified according to status and rank, but now civic honour pertained to each and every citizen, and this helped to raise their self-esteem and self-consciousness.Footnote 45
Against this social background, hate speech and anti-discrimination law can also be understood as legal regimes that intervene in practices of public humiliation.Footnote 46 Equally, the right to privacy—based on the Roman delict of injuria, concerned with a person's ‘fame, reputation and honour’Footnote 47 and directed against insult—is inscribed with the idea of levelling up, or democratisation of dignity, by giving everyone some control over their public image. In Whitman's words:
Germany and France have been the theater of a levelling up, of an extension of historically high-status norms throughout the population. As the French sociologist Philippe d'Iribame has elegantly put it, the promise of modern Continental society is the promise that, where there were once masters and slaves, now ‘you shall all be masters!’Footnote 48
While privacy as liberty supports the home as the space for one's own mastery, in Continental Europe being master of one's life demanded, first and foremost, equal respect and dignity in the public realm—or in Lord Hoffman's words: ‘Meddling with such matters [personal information] is metaphorically an invasion of my territory, a violation of the castle of my personhood.’Footnote 49 This contextualises why, for example, human dignity is the overarching value of the German Constitution (Art 1(1)) followed by ‘the right to free development of one's personality’ (Art 2(1)) from which privacy rights are derived. Given the preoccupation with one's dignified standing in public, the media is often the target against whom privacy is asserted.Footnote 50 However, the underlying threat which this conception addresses lies in social hierarchies and their formal and informal maintenance through public humiliation.Footnote 51 In its design, privacy as dignity challenges the elite's prerogative to honour and dignity.
Reflecting on the essential differences between the two approaches, Robert Post argued that:
[the] concept of privacy as freedom is an almost exact inversion of the concept of privacy as dignity. Privacy as freedom presupposes difference, rather than mutuality. It contemplates a space in which social norms are suspended, rather than enforced. It imagines persons as autonomous and self-defining, rather than as socially embedded and tied together through common socialization into shared norms.Footnote 52
Post's analysis is persuasive in so far as privacy as dignity is focused on mutuality or sameness through an entitlement to equal respect in the social realm, but it is misleading in suggesting that this view does not imagine persons as autonomous and self-defining and ‘seeks to eliminate differences by bringing all persons within the bounds of a single normalized community’.Footnote 53 The theoretical starting point for privacy as dignity is the Kantian idea of human personhood whose inalienable hallmark is free will,Footnote 54 that is the ‘unpredictably individual, creatures whom no science of mechanics or biology could ever capture in their full richness’.Footnote 55 So privacy as dignity flows from personal autonomy as a higher-order concept.Footnote 56
Privacy as dignity also recognises that personal autonomy as a lower-order concept may, as a matter of one's lived experience, be infringed, circumscribed or taken away in its entirety within social hierarchies that deny equal respect to all participants. Slaves or others in lesser forms of servitude have very limited autonomy. This aspect was undoubtedly less pressing to American settlers whose common immigration background acted as a powerful equaliser, even if the myth of equality could only stand with the significant blind spots of Native Americans and African slaves.Footnote 57
As a matter of substance, the Continental European idea of privacy set out to recognise everyone's basic entitlement to dignity in order to equalise life opportunities and public participation.Footnote 58 As a matter of process, privacy as dignity gives individuals the autonomy to decide what is and what is not an affront to their dignity in a dynamic, evolving way. Individuals can control the flow of their personal information and are free to withdraw their consent to the dissemination of such information, even where they initially consented, including through contract.Footnote 59 Personal autonomy cannot be abandoned or relinquished. Thus, Continental European privacy is also deeply concerned with self-authorship or, in Post's words, with the expression of the ‘spontaneous, independent, and uniquely individual aspect of the self’,Footnote 60 but asserts that this is only possible where there is equality of dignity in the public realm.
One can contrast and align the two conceptions of privacy on multiple levels. Both are broadly concerned with self-authorship but localise its flourishing in different realms, against the peculiar social and political traditions and background conditions in which they emerged and to which they responded. The Anglo-American version carves out the body, the home, and implicitly the family, as the space for self-sovereignty; meanwhile Continental European privacy fixes its attention on the public realm as the arena for personal self-determination under conditions of respect and dignity.Footnote 61
The conceptions make a natural fit with the jurisprudential tradition of each jurisdiction: privacy as liberty focused on a physical space is rooted in the empiricism, materialism and pragmatism of Anglo-American jurisprudence, whilst privacy as dignity and its preoccupation with a person's public image based on inalienable personhood reflects the idealism and rationalism of European thought. Furthermore, privacy as dignity understands the ‘public’ against which protection is sought as the social realm, in contrast to privacy as liberty where ‘public’ refers above all to governmental activities.
Still, even in their divergences, these two conceptions are united in their overall objective of protecting self-authorship and self-sovereignty,Footnote 62 which shines strongly through the Continental European privacy culture. Meanwhile in the Anglo-American privacy tradition, being the master in one's home is synonymous with self-determination,Footnote 63 and implicitly with self-authorship, although never put in such ‘vague and grandiose’ ways as in Continental European jurisprudence.Footnote 64 The ‘inner space’ of the person protected by German-style privacy law is the literal ‘inner space’ of the American and English home.
III. CONTEMPORARY PRIVACY REGIMES AND THE RIGHT TO BE FORGOTTEN
Whilst Anglo-American privacy limits protection to the private sphere and personal confidential information, in Continental European culture privacy is neither confined to intimate or personal confidential information nor necessarily limited to an a priori private sphere.Footnote 65 This is quintessentially the approach adopted in data protection law, which is ‘a privacy law all but in name’,Footnote 66 and which does not deny protection merely because the information is public. Indeed, data protection law is based on the assumption that there has been a disclosure of personal information and gives individuals a degree of control to oversee and manage that disclosure: ‘there would be no need for data protection if there was a general prohibition of information disclosure’.Footnote 67
Consistently, Fuster and Gutwirth have argued that the shift from privacy to data protection is one from ‘secrecy’ to ‘control’.Footnote 68 Data protection law delivers informational self-determinationFootnote 69 against an understanding that much personal information is necessarily in the public domain, or has been disclosed to public and private institutions, but protection should not be foregone simply because of that disclosure. Notably, the Council of Europe developed data protection law in the early 1980s in response to the increasing collection of personal data by a wide array of private bodies, against the perceived narrowness of Article 8 of the ECHRFootnote 70—which, as discussed below, draws heavily on the Anglo-American culture of privacy. Thus, although data protection law is framed in seemingly technical concepts and language (eg ‘data’ instead of ‘information’; ‘data subject’ or ‘data controller’; purpose limitation, or data minimisation) and presents as a form of data management, it is clearly an expanded version of privacy.
With its focus on ‘personal’ rather than ‘private’ information, data protection law largely bypasses controversies based on the private–public binary,Footnote 71 and showcases its capacity to recognise layers or degrees of publicness of personal information. Rights attach to information because it is personal, ie related to a person, not because it is ‘private’ in the sense of being both personal and confidential.Footnote 72 Even personal data that is necessarily in the public domain, such as one's name or image, is prima facie protected.Footnote 73 Whilst heightened protection is given to ‘sensitive personal data’,Footnote 74 again such information is often not intimate or confidential at all:
… personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.Footnote 75
Personal information concerning ethnic origin, political opinions or religious beliefs is generally public, and classifying it as ‘sensitive’ resonates with the Continental European focus on the levelling up of dignity. That some of the sensitive data grounds are also prominent categories in anti-discrimination law does not so much show that data protection law protects privacy and equality, but rather the strong egalitarian overtones of privacy in public as reflected in data protection law.Footnote 76 Privacy gives individuals the power to shield themselves from public indignities which generally affect minorities more significantly. The exposure of one's name, image or words in public creates the potential for humiliation and so is to be controlled by its ‘owner’; and just because personal information has legitimately entered the public realm for one purpose does not mean that it can be freely used by others, and forever.Footnote 77
A. The CJEU on the Right to be Forgotten within the GDPR
An archetypal data protection right that perfectly captures its privacy-in-public orientation is the right to be forgotten. Reflective of the Continental European culture of privacy, it allows individuals, in certain circumstances, to withdraw personal data which is already in the public domain, and thereby to manage their public image in the broad sense. The right to be forgotten also expresses the Zeitgeist of that tradition by responding to a socio-technical environment that amplifies the public visibility of personal information, and thus its harm potential. The CJEU first ‘found’ the right in Google Spain Footnote 78 based on the right to object to the processing of personal data in conjunction with the right to rectification, erasure or blocking of such data under the Data Protection Directive.Footnote 79 Now it is a fully fledged right in Article 17 of the GDPR.
In Google Spain the information about Mr González's bankruptcy and repossession proceedings a decade earlier, which could be found through a Google search, had already been in the public domain through the Spanish newspaper's publicly accessible archive. Yet, the visibility of that archive was significantly heightened and prolonged through the search engine: ‘it is undisputed that that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject's name …’.Footnote 80 The Court thus recognised degrees of publicness of personal information. The legitimacy of the publication in the newspaper and its online archive did not prevent a claim in respect of the enlarged subsequent audience generated by the search engine.Footnote 81
Since the judgment Google has received more than 1.1 million delisting requests.Footnote 82 Most relate to private individuals seeking to shield themselves from continued unwanted public exposure based on ‘innocent’ information concerning, for example, family or work matters,Footnote 83 that entered the public domain and remained there. In these ‘ordinary’ claims the right to be forgotten does its core work. A small number of requests, however, involve public figures or perpetrators of ‘historic’ crimes who want to have their public record cleansed, and it is here that unwanted public exposure encounters the potentially strong competing public interest in having access to the information, as protected by the right to freedom of expression. These rare cases crystalise the tensions underlying the right to be forgotten, and how these tensions are resolved differently by the two conceptions of privacy.
They highlight that self-authorship generally is a social affair, in which the public self is an important counterpart to the private self. Individuals define themselves against others, and reflexively respond to other's perceptions of themselves.Footnote 84 Yet one's ability or entitlement to insist on how one is viewed by others is necessarily limited given that others also have, individually and collectively, a legitimate interest in information about members of their community, particularly public figures or those who have become publicly known due to their wrongdoing. There is room for reasonable disagreement on when the demands of self-authorship should trump the public interest in knowing about the behaviour of critical members of the community, and whether this should go beyond the protection from damaging false information, as provided for by defamation law.
These rare cases also make clear that personal responsibility entails taking responsibility for one's past actions and decisions: ‘It would be evading responsibility for what one is doing to permit one to say that the later self is not the same self as the earlier self …’.Footnote 85 So whilst personal autonomy, which underlies, and is protected by, privacy, assumes fluid personhood capable of change and reinvention, personal autonomy equally entails personal responsibility, which includes taking responsibility for one's past. As a result, wiping the slate clean cannot but be exceptional.
Again, there is room for reasonable disagreement on when the State should intervene to give an individual a second chance. Common law jurisdictions recognise ‘forgetting’ concepts, such as bankruptcy or the idea of spent criminal convictions,Footnote 86 according to which certain past actions are treated as having been sufficiently paid for and the community now has an interest in reintegrating the ‘wrongdoer’. Yet the GDPR's right to be forgotten takes ‘rehabilitation’ a step further by prima facie extending it to unwanted public exposure.Footnote 87
An authoritative interpretation of the right to be forgotten through the CJEU—well versed in the idea of privacy-in-public even in testing contexts—can be found in GC and Others v CNIL and Google Footnote 88 (GC and Ors). Here the CJEU was asked whether and how search engines could handle ‘sensitive personal data’ given the heightened compliance requirements under data protection law.Footnote 89 The case concerned four separate de-referencing requests:
• a satirical photomontage on YouTube of a former local political figure which revealed the existence of an intimate personal relationship with another political figure;
• historic news articles concerning the suicide of a member of the Church of Scientology and the data subject's previous role as a public relations’ officer in that church;
• dated news stories concerning a judicial investigation into the funding of a political party, with no follow-up news article to indicate that the proceedings against the data subject had since been closed; and
• a data subject's criminal conviction for sexually assaulting children under the age of 15 years.Footnote 90
For the comparative purposes of this article, the CJEU's interpretation of the right to be forgotten illustrates the nature and strength of the Continental European privacy tradition in challenging circumstances in a number of respects. First, the Court reiterated its previous holding in Google Spain that an individual's right to be forgotten overrides ‘as a general rule’ the public's interest in accessing information as an aspect of freedom of expression,Footnote 91 even if in the specific case:
[the balance may] depend on the nature of the information in question and its sensitivity for the data subject's private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.Footnote 92
As the right to be forgotten is designed to operate in the public realm and act as a restraint on public communications, it routinely clashes with the demands of freedom of expression. Thus, if it would not ‘as a general rule’ override freedom of expression, it would not, as a rule, discharge its function. The CJEU was, however, not insensitive to the public's interest in being able to access the relevant information, as underscored by the right's focused remedy of shielding individuals only from the results of searches of their names, and by otherwise leaving the personal information in the public domain, and also as explicitly secured by the right's public interest exception.Footnote 93
Secondly, in the controversies in GC and Ors, the personal matters in question had, with one exception, already and legitimately been in the public domain. By the same token, Google's privacy duties arose because as a search provider it was directly responsible for bringing the information to a new public. Its liability was thus not secondary, or depending on the wrongdoing by the original publisher, but wholly based on its role as an additional disseminator:
the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites … [and] plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to … internet users who otherwise would not have found the web page …Footnote 94
Consistently, the Court never inquired whether the sensitive information was in ‘private’, that is, personal and confidential.
Thirdly, and related, the public role played by the data subject in the past or present was relevant to the issue of whether the public may have a continued interest in the information,Footnote 95 but having engaged in activities that brought public attention did not by itself negate the data subject's entitlement to exercise the right to be forgotten. Activities that attract public attention (and are thus ‘manifestly made public by the data subject’Footnote 96) may often legitimise the initial use and disclosure of the personal information, but subsequently the right to be forgotten returns to the data subject a degree of oversight over that information.Footnote 97 The CJEU recognised the sensitivity of privacy to time and context, including vis-à-vis criminal investigations and convictions, but framed that sensitivity in terms of the public's changing interest in the information.Footnote 98 It did not, however, try to argue that personal information which is in the public domain may re-acquire, after some time, a private or confidential quality, and may therefore be, once more, worthy of protection.Footnote 99 As will be seen in the discussion of Article 8 of the ECHR, the above points assume significance when information privacy is predicated on the ‘private’ status of the information in question.
B. US Courts on the Right to be Forgotten
From a US perspective, the right to be forgotten is an anomaly because it protects non-private information against intrusions by private actors. Neither fits within the US conception of privacy. At the constitutional level, the ‘negative’ right to be left alone is first and foremost enshrined in the Fourth Amendment that guards against search and seizure without a warrant, and as such is exclusively focused on governmental intrusions of the home with some limited extensions beyond the home (as shown below). Horizontal protection, which would construct ‘the right to be left alone’ not as ‘a claim for noninterference by the state … [but] for state interference in the form of legal protection against other individuals’Footnote 100 is virtually unknown in US constitutional law.
Meanwhile, intrusions by private actors, such as media companies, are covered by a selection of privacy tort actions, but these do not recognise invasions through disclosures of personal information which is already in the public domain. With a strong bias in favour of freedom of speech, US privacy protection necessarily assumes a sharp distinction between private and public information; it is not willing to recognise the possibility of degrees of publicness of personal information which could trigger legitimate privacy demands and thus restrictions on wider damaging publications.Footnote 101 In William Prosser's typology of US tort privacy actions the public–private dichotomy is the touchstone of liability for three out of his four categories: ‘1. Intrusion … into his private affairs. 2. Public disclosure of embarrassing private facts … 3. Publicity which places the plaintiff in a false light in the public eye …’;Footnote 102 the fourth category of ‘appropriation … of the plaintiff's name or likeness’ creates a type of intellectual property rather than a privacy claim.
When addressing the second category of ‘public disclosures of private facts’— a concern which prompted Warren and Brandeis 70 years earlier to declare a general right to privacy to protect one's personalityFootnote 103—Prosser concluded that its ambit was tightly circumscribed.Footnote 104 It certainly required a public disclosure of private or confidential facts:
The decisions indicate that anything visible in a public place may be recorded and given circulation by means of a photograph, to the same extent as by a written description since this amounts to nothing more than giving publicity to what is already public and what any one present would be free to see.Footnote 105
The same idea underlies the classic understanding of a breach of confidence claim. Personal information in the public domain—including public records of personal information—has irretrievably lost its entitling ‘private’ quality, and even a significant lapse of time cannot alter that fact:
The difficult question is as to the effect of lapse of time, and the extent to which forgotten records, as for example of a criminal conviction, may be dredged up in after years and given more general publicity. As in the case of news, with which the problem may be inextricably interwoven, it has been held that the memory of the events covered by the record, such as a criminal trial, can be revived as still a matter of legitimate public interest.Footnote 106
Once information is public, privacy entitlements are foregone. It makes no difference that personal information online is available for much longer and to a much wider and more diverse audience across social and physical spheres than information in the analogue world. Once public, always public. To be successful, the claimant also has to show—as part and parcel of their ‘reasonable expectations of privacy’Footnote 107—that ‘the matter made public must be one which would be offensive and objectionable to a reasonable man of ordinary sensibilities’.Footnote 108 So what matters is not what the claimant considers to be an undue exposure but what the community view is or would be.
By implication, historic convictions can be unearthed indefinitely by the press, no matter how damaging the revelation may be for the rehabilitated offender. In Briscoe v Reader's Digest Association,Footnote 109 the Californian Supreme Court allowed a privacy claim against a newspaper for its revelation of the claimant's long-forgotten criminal past as a hijacker which had the effect of alienating his daughter and friends from him. Yet, three decades later the same court held in Gates v Discovery Communications, Inc. Footnote 110 that Briscoe was no longer good law, given the US Supreme Court jurisprudence in the intervening years. The press could not be liable for publishing information that was neither false nor misleading and such information included information that was either part of a ‘public record’ or otherwise ‘lawfully obtained’Footnote 111 and, at times, even unlawfully obtained.Footnote 112 In Cox Broadcasting Corp. v Cohn Footnote 113 the US Supreme Court already had decided that ‘the interests in privacy fade when the information involved already appears on the public record [such as an official court record]’Footnote 114 and then restated this more firmly in subsequent decisions: ‘once the truthful information was “publicly revealed” or “in the public domain,” the court could not constitutionally restrain its dissemination’.Footnote 115 For the Court in Gates this was an ‘unqualified’ ruling of an ‘absolute right’ of the press which was unaffected by the age of the public record.Footnote 116
Prosser explained the US hostility to privacy in public on the basis that anyone ‘who is not a hermit must expect the more or less casual observation of his neighbours and the passing public as to what he is and does, and some reporting of his daily activities … The law of privacy is not intended for the protection of any shrinking soul …’.Footnote 117 In the internet age, however, public exposure is often far more extensive and damaging than the ‘casual observation of one's neighbours and the passing public’. Still, Americans whose reputation may potentially be damaged indefinitely due to online exposure are left to their own devices and to market-based solutions, with all their attendant inequities, to restore their public standing as honourable members of society.Footnote 118 Private initiatives must provide the answer to social rehabilitation, not the State. These private initiatives may come from platforms themselves, without any danger of offending US constitutionality. Despite its protest at the EU right to be forgotten, Google has now extended a limited version of the right of be forgotten to its users in the US.Footnote 119 Yet, there is, of course, a significant difference between a legal right and remedies, and a voluntarily granted corporate concession.
US jurisprudence on the right to be forgotten shows that the right could, in principle, exist within a standard privacy regime, assuming that regime recognised a legitimate privacy interest in public personal information. In other words, the right to be forgotten is not wedded to data protection law. Indeed, the technicality of data protection law merely obscures the fact that it is, like other privacy frameworks, concerned with striking an appropriate balance between competing private and public interests in accessing personal information (transparency) and in controlling such access (non-disclosure). Data protection law seeks to provide a tightly structured, comprehensive framework for that balancing act.
C. The ECtHR on the Right to be Forgotten within Article 8
In contrast to the clarity of the CJEU endorsement of the right to be forgotten and of the US rejection of the same right, a more muddled picture emerges from the jurisprudence on the right to privacy in Article 8 of the ECHR. A ‘merger’ of Article 8 privacy and data protection law (and its right to be forgotten) occurred in ML & WW v Germany Footnote 120 where the ECtHR deliberated on Article 8 privacy claims comparable to the GDPR's right to be forgotten. Such a merger has also occurred in cases decided by English courts on the right to be forgotten in data protection law, which they interpreted in light of Article 8 jurisprudence, as for example in NT1 & NT2 v Google LLC.Footnote 121 In other words, traditional Article 8 jurisprudence has responded to data protection law either by incorporating data protection normativity within Article 8 jurisprudence, or by developing the jurisprudence on data protection law in light of Article 8.Footnote 122
Much like GC and Ors, these two cases concerned sensitive personal data, and, in particular, prior criminal convictions that were kept fresh in the public's mind through their online availability. As ML & WW dealt with the claimants’ possible right to be anonymised in news articles which reported their prosecutions and convictions in a murder case in the online archives of the media organisations, these were claims against the primary publishers. As such, they were more problematic than ‘normal’ right to be forgotten cases against search engines, as the redaction of names in primary sources signals the full exit of the personal information from the public domain rather than its partial inaccessibility.Footnote 123
For present purposes, however, the points of interest lie in how these judgments have sought to bridge the divide between the GDPR and Article 8 jurisprudence—and implicitly between Anglo-American and Continental European cultures of privacy. Whilst the actual outcomes may well be defensible, the reasoning shows that Anglo-American ideas of privacy are not easily grafted onto Continental European privacy roots, or vice versa.
The starting point here is that, despite its location in the ECHR, Article 8 finds its roots in the American culture of privacy rather than in the Continental European tradition. Whilst Article 8 echoes Article 12 of the Universal Declaration of Human Rights (UDHR, 1948), Article 12 in turn speaks to the American influence in its drafting.Footnote 124 Not only was the first draft prepared by John P Humphrey, Director of the United Nations Division of Human Rights, and framed ‘in a language obviously borrowed from the US Constitution’,Footnote 125 albeit subsequently revised, the final draft followed recommendations by the US and was particularly guided by the ‘Statement of Essential Human Rights’ drafted under the auspices of the American Law Institute.Footnote 126
Article 12 of the UDHR is not a carbon copy of the Fourth Amendment, but there is, undoubtedly, a family resemblance between the two. Article 12 provides that ‘[n]o one shall be subject to arbitrary interference with his privacy, family, home or correspondence …’; whilst the Fourth Amendment provides that ‘the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches, shall not be violated …’ (emphases added). Thus both conceive of privacy as a bundle of related rights grounded in the overlapping concepts of person/privacy, house/home (family) and papers/correspondence. That family resemblance becomes more pronounced in comparison with Continental European constitutional grants of quasi-privacy rights at the time. Notably, equality—or equal dignity in Whitman's terminology—figured as the primary constitutional right and foundation of privacy, and the inviolability of the home and the secrecy of correspondence appeared much later in the documents as separate and distinct rights.Footnote 127
Furthermore, consistent with the American conception of privacy, the focus of Article 8 was firmly on State intrusions, with the specific intent of pre-empting the threat of totalitarian governments.Footnote 128 It took the ECtHR half a century to recognise privacy-in-public entitlements against private actors. In Von Hannover v Germany Footnote 129 that shift finally occurred, and Judge Zupančič expressly framed that recognition in terms of rolling back the American influence on Article 8:
[I]t is impossible to separate by an iron curtain private life from public performance. The absolute incognito existence is the privilege of Robinson; the rest of us all attract to a greater or smaller degree the interest of other people. Privacy … is the right to be left alone. One has the right to be left alone precisely to the degree to which one's private life does not intersect with other people's private lives. In their own way, legal concepts such as libel, defamation, slander, etc. testify to this right and to the limits on other people's meddling with it. The German … doctrine of Persönlichkeitsrecht testifies to a broader concentric circle of protected privacy. Moreover, I believe that the courts have to some extent and under American influence made a fetish of the freedom of the press. The Persönlichkeitsrecht doctrine imparts a higher level of civilised interpersonal deportment. It is time that the pendulum swung back to a different kind of balance … Footnote 130
The shift in the interpretation of Article 8 towards the recognition of privacy-in-public and, by implication, towards the express recognition of privacy threats emanating from the media, necessarily also prompted a more emphatic endorsement of the State's ‘positive obligations … [that] may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves’.Footnote 131 Unexpectedly, the case arose from the (partial) refusal of the German Constitutional Court to recognise the privacy-in-public entitlements of Princess Caroline of Monaco on the ground that she had—as a ‘figure of contemporary society par excellence’—only limited privacy rights in public.Footnote 132 The ECtHR, however, intervened to affirm her privacy-in-public entitlement and thereby also expanded the sphere of protection of Article 8 more generally (even if some commentators argue that the ECtHR's decision went too far in the specific caseFootnote 133).
This expansion led to the creation of a similar cause of action in England and WalesFootnote 134 in Campbell v MGN.Footnote 135 Prior to this, there was a historic reluctance to extend privacy remedies beyond traditional common law quasi-privacy protections, which mainly covered the literal inner space of the home and body. However, there had been a gradual expansion of the concept of ‘confidential’ in recognition of the need to protect private–public scenarios, such as a kiss in a restaurant.Footnote 136
1. ‘Private’ information and ‘private’ harms
Despite the expanded reading of Article 8 and the fact that the ECtHR has for some time included data protection within its ambit,Footnote 137 Article 8 has remained firmly wedded to the idea that information must be ‘private’ in order to attract protection. Juliane Kokott, Advocate General at the CJEU, observed that ‘on closer inspection, it appears that Strasbourg requires an additional element of privacy in order for personal information to be included in the scope of private life’.Footnote 138 This additional ‘private’ element requires a contortionist trick in the case of public personal information, such as a criminal conviction or police caution. The ECtHR has pulled off this trick by holding that when such public information ‘recedes into the past, … [it] becomes a part of the person's private life which must be respected’.Footnote 139
It is questionable whether in such cases the ‘private’ categorisation is anything other than the conclusion that the information must be protected rather than a precondition for such protection. It is, however, a legal fiction that such personal information can acquire a confidential status considering that it remains in official police records and news archives. Against this contorted interpretation of Article 8, Warby J in NT1 & NT2 went a step further by liberally adding assumptions from the Anglo-American culture of privacy to his data protection analysis of whether the claimant's criminal record was ‘sensitive personal data’ as a counterweight to the public's interest in it. Not surprisingly, it had none of the ‘private’ hallmarks:
The rest of the information (‘the crime and punishment information’) is ‘sensitive’, but it is not intrinsically private in nature. The criminal behaviour has a private aspect in that it was undertaken in secret, and not intended for public view. But it was not intimate or even personal. It was business conduct, and it was criminal. Having been identified and then made the subject of a public prosecution, trial and sentence, it all became essentially public. The authorities do show that information that begins as public may become private, and that Article 8 may be engaged by dealings with information, of whatever kind, that have a grave impact on the conduct of a person's private life—for instance by undermining their ‘personal integrity’—or by interfering with their family life … But the essential nature of the crime and punishment information in this case was public, not private.Footnote 140
His reasoning, steeped in the Anglo-American culture of privacy as reflected in Article 8, misconstrues data protection law. For the latter, information must only be ‘personal’ which, once more, means ‘relating to an identified or identifiable natural person’,Footnote 141 and not secret, confidential, intimate, family- rather than business-related, or ‘innocent’. Thus, when the right to be forgotten applies, the information need not have become ‘private’ before it can be ‘forgotten’ which would make the right all but redundant. The right to be forgotten envisages that the relevant personal information is, and will, remain in the public domain, but should not be so easily traceable to the data subject. The problem with this Anglo-American inflection on data protection law is that it misdirects the engagement of the right to the private sphere and thereby undermines its functionality.
This misdirection also manifests itself in the different types of harms that both rights target. Article 8 defines privacy with the Anglo-American gravitational pull of home and family life. Thus, even though professional harms are not in principle excluded,Footnote 142 in ML & WW the ECtHR stated that ‘[i]n order for Article 8 to come into play … an attack on a person's reputation must attain a certain level of seriousness and in a manner causing prejudice to personal enjoyment of the right to respect for private life’.Footnote 143 Transposed onto data protection law, Warby J in NT1 & NT2 looked for harms derivatively suffered by the claimant's innocent and thus deserving family members, and in the absence of such derivative interests, the entitlement would be more difficult to establish.Footnote 144
Yet, data protection law guards against harms which lie—in the first instance—in the interference with one's personal, meaning autonomous, zone, and—in the second instance—in harms widely defined, including professional harms, or harms in public, that an individual may suffer at the hand of employers or in business.Footnote 145 In Google Spain Mr González's professional activities as a lawyer suffered,Footnote 146 and in GC and Ors, the court listed as a relevant factor in the balancing exercise ‘the consequences of publication for the data subject’Footnote 147 with no mention of home or family life. Re-integration in society, as opposed to social exclusion based on continuing stigmatisation, requires more than anything else a footing in the social and employment sphere.
2. ‘Reasonable or legitimate expectation of privacy’
The mismatch between the two traditions is also pronounced in so far as Article 8 jurisprudence imports the concept of ‘reasonable or legitimate expectation of privacy’ to data protection law. The concept of ‘reasonable expectation of privacy’ has variously been described as a touchstone for Article 8 entitlement (which it is in the English action of misuse of private information) or as one available route to such entitlement.Footnote 148 It has its origins in the US case of Katz v US,Footnote 149 and has subsequently been adopted with variations in other common law jurisdictions.Footnote 150 In Katz the US Supreme Court extended the ambit of the Fourth Amendment prohibition of warrantless ‘searches and seizures’ to eavesdropping beyond the strict enclosures of the home to other spaces where one may have ‘reasonable expectations of privacy’, here an enclosed public telephone booth. The case thus concerned a covert intrusion, rather than a disclosure.Footnote 151 Pursuant to Katz, the test requires ‘first that a person … [has] exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as reasonable’Footnote 152 and, as argued above, the latter is tied to an offensiveness standard.
Whilst Katz expanded traditional American privacy beyond the four walls of the home, it is wholly at odds with data protection law and its right to be forgotten, and implicitly the Continental European culture of privacy. To start with, considering that the right to be forgotten is invariably directed at public personal information, it would often be difficult to satisfy that there was an actual or legitimate expectation of privacy, particularly if—as has been the case—the test is also conditional upon proof of the confidential nature of the information.Footnote 153
In ML & WW the ECtHR found that the initiatives taken by the claimants to prove their innocence through reopening the proceedings and to enlist the support of the press for that purpose meant that they ‘had only a limited legitimate expectation … of obtaining anonymity in the reports or even a right to be forgotten online’.Footnote 154 Similarly, for Warby J NT1's engagement of a reputation management business two months after his conviction became spentFootnote 155 in order to ‘put forward such clear and gross misrepresentations of his business history and his actual or reputed integrity’Footnote 156 was one of the reasons why he could not possibly entertain a legitimate expectation of privacy. American privacy encourages self-help as a means for rehabilitation; Continental European privacy gives legal remedies for that purpose. Yet, Article 8 falls between the two chairs as claimants risk foregoing a legal remedy should they take their online reputation into their own hands but are, at the same time, exposed to a jurisprudence that remains suspicious of the idea of privacy-in-public.Footnote 157 The public nature of the information remained for Warby J the main stumbling block:
It was information about business crime, its prosecution, and its punishment. It was and is essentially public in its character. NT1 did not enjoy any reasonable expectation of privacy in respect of the information at the time of his prosecution, conviction and sentence. My conclusion is that he is not entitled to have it delisted now. It has not been shown to be inaccurate in any material way. It relates to his business life, not his personal life …Footnote 158
Data protection law does not require a ‘reasonable expectation to privacy’ as a precondition for entitlement, but creates that expectation by tying privacy entitlements to the context or purpose for which personal information is taken or given in the first place, as for example crime reporting.Footnote 159 If access to personal information was given in a particular context or for a particular purpose, such as a purchase, medical treatment, or an employment contract, the reasonable expectation created by data protection law is that the information is not to be used otherwise. An approach to privacy which is tied to purpose or contextFootnote 160 helps to explain various disclosure cases decided under Article 8 privacy,Footnote 161 and supports a context-based understanding of privacy.Footnote 162
More significantly, in the Continental European culture of privacy, the individual is prima facie in control, and certainly the key arbiter for delimitating the acceptable boundaries of his or her metaphorical inner space, and thus of granting or denying access to relevant information. Privacy sensitivities vary from person to person, and thus the particularised content of privacy is within the eye of the beholder. Thus, consent is the touchstone of informational privacy under data protection law, and even for uses of personal information that are permitted without consent, individuals retain or regain some control through the right to object or the right to be forgotten as tools for their informational self-determination.Footnote 163 This means that an objective test based on ‘reasonable expectation of privacy’ which imports actual or desired community normsFootnote 164 misconstrues GDPR normativity. By the same token, any test that seeks to define ‘private’ and thereby imports notions of what ‘most individuals in a given time do not want widely known about themselves’Footnote 165 seems also irreconcilable with an understanding of privacy as informational autonomy.
3. ‘Foreseeable consequences of one's actions’
Article 8 privacy does not shield individuals from ‘the foreseeable consequence of … [their] own actions such as … the commission of a criminal offence’.Footnote 166 This privacy conception does not protect an individual from themself, which echoes the American laissez-faire attitude to social consequences of one's behaviour. It is not for the State to intervene in social relations on dignity grounds and protect individuals from communal judgment. This idea has found expression in the distinction drawn between voluntary and involuntary events as in the US case of Daily Times Democrat v Graham Footnote 167 concerning a wind gust blowing up the dress of an ordinary woman exposing her body waist down, and also in the concept of implied consent or waiver of privacy entitlements.Footnote 168
Article 8's prima facie indifference to self-inflicted reputational damage provided the background to the assessment of the anonymity claims in ML & WW,Footnote 169 and was injected into the data protection claims in NT1 & NT2. Warby J held that individuals who commit crimes may be assumed to have taken deliberate steps to be in the limelightFootnote 170 and so cannot complain about the availability of the information that had been ‘manifestly made public’ by them. Citing Stephen J in Townsend v Google Inc.,Footnote 171 he reasoned that ‘legally as a consequences of the open justice principle by committing an offence he [the offender] is deliberately taking steps to make the information public’.Footnote 172 Considering that most offenders hope not to get caught and many do not, this interpretation of ‘deliberately’ stretches not only its natural meaning but also the legal understanding of intentionality.Footnote 173 It is, however, explicable against the Anglo-American expectation that individuals ought to bear the reputational consequences of their actions.
In contrast, data protection law generally and the right to be forgotten specifically seek to protect individuals from undeserved and deserved humiliation and stigmatisation, and acts as a restraint on prolonged communal disapprobation, bar countervailing public interests. Such countervailing public interests may lie in open justice or crime reporting, but once those interests are expended, there is a public interest in granting individuals reprieve even from the foreseeable consequences of their actions.
By the same token, where the public interest legitimises the continued presence of personal information in the public domain over and beyond what was necessary for the purposes of its initial lawful processing, the current ‘role played by the data subject in public life’ is invariably but only derivatively significant to determine the public interest.Footnote 174 Otherwise the fame or infamy of the individual does not, of itself, signal their ‘implied consent’ to public exposure for all times. In short, the right to be forgotten intervenes in what would otherwise be the foreseeable consequences of one's actions.
4. Privacy versus freedom of expression
The different interpretations of ‘harm’, ‘legitimate expectations of privacy’ or ‘foreseeable consequences of one's actions’ discussed above instantiate different perspectives on where to strike the balance between privacy and free speech. Both privacy and free speech are important values in each privacy culture, yet, when in conflict, are resolved differently. Those resolutions are—regardless of any formal constitutional hierarchyFootnote 175—already implicit in the very nature of each conception of privacy and their respective places of engagement.
Locating privacy entitlements in the sphere of the home minimises the potential for clashes between privacy and freedom of expression, as they each occupy separate and distinct social spheres. It creates a framework within which privacy claims beyond the home—such as Prosser's category of ‘public disclosure of private facts’—require very special circumstances indeed to justify curtailing free speech. In contrast, where privacy has its principal field of engagement in the social or public domain and is concerned with the levelling up of dignity in public, it acts routinely and deliberately as a restraint on freedom of expression.Footnote 176
This explains why for the CJEU in GC & Ors and in Google Spain the privacy interests of the data subject would ‘as a general rule’ override the collective interest of the public in accessing the information. Warby J's insistence in NT1 & NT2 that ‘the “general rule” to which the court [the CJEU in Google Spain] was referring was a descriptive, not a prescriptive one’Footnote 177 misunderstands the essential speech-editing function of the right, and the informational self-determination which it facilitates in the public realm.Footnote 178
Having said that, Warby J's approach is not inconsistent with Article 8, where privacy and freedom of expression have formally been placed on an equal footing: ‘as a matter of principle these rights deserve equal respect’.Footnote 179 It thereby follows other jurisdictions that also accord equal standing to privacy and free speech, such as Germany, France or Israel, in contrast to the ‘brutal simplicity of the First Amendment’.Footnote 180 On closer inspection, however, this equality of rights may be understood as no more than the requirement to balance the respective rights against each other, rather than the idea that there are no presumptive preferences in particular cases.Footnote 181
In German privacy jurisprudence, for example, in cases of speech targeted at private individuals, privacy rights have generally won out, whilst in cases of harm to more diffuse dignitary interests, freedom of expression has carried the day.Footnote 182 It has also meant that ‘pictures can only be disseminated or exposed to the public eye with the express approval of the person represented’,Footnote 183 unless the photograph is generally depicting contemporary societyFootnote 184 or shows a public figure, and even then their legitimate interest in privacy may still trump the public interest in the information.Footnote 185 By extension, in data protection claims where the conflict between privacy and freedom of expression necessarily involves an identified or identifiable individual (as part and parcel of the definition of personal data), it makes sense that ‘as a general rule’ freedom of expression should yield to a ‘grounded’ claim of a right to be forgotten.
Consistently, whilst under the Data Protection Directive a de-referencing request depended on an individual making out ‘compelling legitimate grounds relating to his particular situation’,Footnote 186 under the GDPR the data subject only needs ‘grounds relating to his or her particular situation’ to assert their right to be forgotten, and it is the controller who has to demonstrate ‘compelling legitimate grounds for [the continued] processing’.Footnote 187 So the GDPR now shows a presumptive preference for accepting an individual's justified take-down request, putting the onus on controllers to justify the continued accessibility of the data for compelling legitimate reasons.
IV. CONCLUSION
It is uncanny how the technical regulatory regime of data protection law should so comfortably embody the values of the Continental European culture of privacy with its focus on protecting one's public image—a tradition which Whitman described as ‘vague and grandiose’, and which has its philosophical roots in Kantian idealism and inalienable personal autonomy. Yet, the evidence is incontrovertible. Using the relatively new right to be forgotten in the context of spent criminal convictions as a case study for privacy-in-public, this discussion has revealed the right's comfortable standing in data protection law and CJEU jurisprudence since its inception in Google Spain; its outright rejection by the US judiciary in the face of free speech constitutional demands; and its contorted transformation by the ECtHR in its Article 8 jurisprudence that has been exposed to both Western cultures of privacy.
What is instructive about the case study is not just how protection based on ‘personal’ rather than ‘personal and confidential’ information necessarily opens the protective regime up to the public realm, but the significant consequences that flow from it for the types of harm that may be recognised, for the behaviours that may or may not be disentitling, or for how the competing values may be considered. Data protection law, within which the Continental European culture of privacy manifests itself, constructs the fundamentally vulnerable individual not just in the private setting of their home, but in the public domain of employment, community and polity and extends an entitlement to basic human dignity to those public realms. This explains why superimposing Article 8 jurisprudence based on its Anglo-American privacy roots on data protection law short-changes the right to be forgotten and severely restricts its operation to private information and the private sphere, which is not where it is meant to do its work.
James Whitman's comparative study of privacy cultures does heavy explicatory lifting of the fundamental difference in the privacy regimes in Continental Europe and the US (and other common law jurisdictions). Data protection law manifests as an odd privacy creature until it is positioned within Whitman's comparison from which it emerges as a fine sample of the Continental European culture of privacy. Yet, much as Whitman's approach presents as a detached non-critical assessment of culturally grounded privacy sensibilities, it also invites criticisms of the continued validity of the resultant regimes against their cultural myths.
So one might argue that contemporary social and economic relations in the US are so beset by inequalities that a privacy regime which is—in its essence—based on the cultural myths of the equal settler with equal dignity and of the State as the main enemy of liberty profoundly fails in its corrective mission today.Footnote 188 Meanwhile there may also be critical reflections on Continental European privacy regimes premised on the myth of the trustworthiness of the State, especially in the era of mass surveillance and its possibilities for governmental abuse, albeit not discussed in this article. By the same token, Whitman's approach focusing on the historic cultural contingencies of the privacy differences also (deliberately) understates the continuing dynamic nature of privacy regimes in their conversations with each other, that is other economic, legal and cultural orders.
It seems rather remarkable how Article 8 of the ECHR as traceable to Article 12 of the UDHR and the Fourth Amendment of the US Constitution (which in turn reflects the English common law on the inviolability of the home) belatedly got a Continental European privacy make-over in response to the refusal of the German Constitutional Court (of all courts) to recognise privacy-in-public in the particular case, and how this expanded definition then, once more, made its way back to England, the cradle of its common law understanding. In short, the evolution of privacy regimes is neither linear nor pure—nor is it over.
Open access
