Privacy has just taken on new meaning in Europe. The European Union’s highest court has ruled that any of the region’s 500 million citizens can compel Google and other search engines to remove information about them from the companies’ search results, even if that information is neither inaccurate nor unlawful. The surprising decision, which Google can’t directly appeal, is either a bold reclamation of privacy rights in the digital era or a mandate to let anyone rewrite history as they please, depending on your perspective. It’s also the clearest sign yet that U.S. and European data protection laws are heading down divergent paths.
The European Union has always placed an emphasis on protecting its citizens’ data. The latest ruling, for a case in which a Spanish lawyer demanded that Google remove links to an old news article about his debts, is based on a 1995 European Parliament directive that provided extensive protections for personal data. The Parliament is in the midst of passing an even more sweeping update to the law that will make “data protection first, not an afterthought,” according to the body. A key tenet of this new policy is the “right to be forgotten,” the idea that individuals have the right to delete information about themselves that is not legally required to remain online. “This is the fundamental right of an individual as opposed to the business right of a company,” says Marc Rotenberg, president of the Electronic Privacy Information Center. “When courts are asked to consider those claims, I think they rightly look more seriously at the individual’s claims first.”
The U.S. has no privacy protections that even approach the broad aims of Europe’s laws. It’s not because Europe is the innovator on this front—former Supreme Court Justice Louis Brandeis first introduced the “right to privacy” in the U.S. in an 1890 article in the Harvard Law Review that was globally influential. It’s also not because Americans don’t value their digital privacy. A recent study by the Pew Research Center found that 68 percent of American Internet users believe U.S. laws don’t go far enough to protect individual online privacy. But a variety of factors mean American privacy legislation will likely never reach the scope of Europe’s laws.
First, Europe’s new ruling is difficult to reconcile with the First Amendment, which grants citizens the right to free speech. A U.S. law that compelled a company like Google to limit the type of content it shows in search results likely wouldn’t pass muster in American courts, experts say, because it could be construed as a form of censorship. “The First Amendment really does prevent this kind of widespread unpublishing of data,” says Danny O’Brien, international director at the Electronic Frontier Foundation. “In the U.S., free speech sort of trumps privacy.”
Americans do have privacy protections, but they’re spread across a variety of state and federal laws that typically apply to specific groups of people. For instance, California has a law somewhat similar to the E.U. ruling that allows people to demand that tech companies delete their data, but it’s only for minors. On other online issues, like hijacking someone’s digital identity, punishments vary from state to state. With Congress's ability to pass new legislation near an all-time low, it's doubtful sweeping federal change will suddenly come on this front anytime soon. “The way in which the U.S. protects privacy is through a patchwork series of laws,” says Andy Sellars, a staff attorney for the Digital Media Law Project housed at Harvard University. “The EU has always tended to think of a privacy as more of an overarching thing that touches on all other domains.”
Money, of course, also plays a role in the way laws are formed. Though energy company lobbyists are the ones pulling the strings on shows like House of Cards, Google spent $15.8 million on D.C. lobbying in 2013, more than Exxon Mobil. “That has played a big role in what Washington has or has not done,” Rotenberg says. By comparison, the tech giant spent around $2 million to influence the European Union last year.
Even though the U.S. is unlikely to adopt similar policies, the E.U. ruling will still have global implications. Sellars says it’s likely that Google will only delete content in the countries where it is required to do so. Twitter has this policy, and Google does it on a small scale for issues such as German laws banning content related to Nazism. Such measures could lead to a decidedly different Internet experience on American shores compared to European ones, a concept known as balkanization that Silicon Valley views as anathema to the open Internet.
Many questions remain. It’s not clear whether Google will readily delete data when requested or try to protect its search results by taking individual cases to local judges, a strategy that could rack up huge legal fees. The boundaries of what can be deleted are also extremely vague, with the court only saying that information that is no longer relevant or timely is game to be scrubbed. Prominent figures won’t have a right to delete information in the public interest, but that exception is open to wide interpretation.
Ultimately, the ruling, which could eventually impact other tech companies like Facebook and Twitter, will establish a different set of online standards and expectations based on where users happen to reside. And those varying standards aren’t likely to be reconciled anytime soon. The question judges, legislators and citizens will have to grapple with, Sellars says, is “whether or not the Internet is truly a global platform where all of us have access to the same information or whether it is really just something that is going to be recaptured by nations over time.”