Sometimes it’s tempting for an IT lawyer – or rather an academic IT lawyer – to feel that things are moving essentially in the right direction, that the subject is getting more mainstream, more understandable – and more importantly, more understood. In some ways, of course, that’s true – but in others, we need to remember that things are far from positive, and that in many ways the ‘establishment’ – the legal system, the politicians, even the public – still don’t really ‘get it’ at all. Perhaps the most important of these is the legal system. To a significant extent it seems as though the legal system – and the law – is just completely out of kilter with the reality of the IT world, and in particular the internet.
A couple of things in recent weeks have driven that home to me. Neither was surprising, but both were disappointing, particularly to those of us interested in privacy and autonomy. First of all, there was the announcement that there won’t be any prosecutions arising from the Phorm secret trials, something which has been greeted with dismay by privacy advocates. Secondly, and most recently, was the failure of the judicial review to overturn the Digital Economy Act.
In both cases, it’s easy to see how the results came about – and indeed to argue that from a precise legal standpoint the results might have been technically correct. In both – and in the case of the Digital Economy Act in particular – it shows that the legal system really doesn’t understand what’s going on in the internet, and how our online world functions. The Digital Economy Act – in its provisions concerning the policing of illegal downloading – is so clearly inappropriate that it’s hard to find an academic lawyer in the field who believes it’s appropriate or proportionate, or even who believes that it stands any real chance of being effective. Precisely the opposite. It won’t work. It misses the point. It will victimise the innocent. It shows a fundamental misunderstanding of both the nature of the internet and the habits of most of those who use it. It’s such a bad law it just makes many of us shake our heads in disbelief.
The Phorm story is a little less dramatic, but demonstrates some similar features. The CPS have decided not to prosecute – and they may be right that there might not be much chance of a result. That, however, just reveals that our legal system doesn’t have the teeth or the capability to deal with the reality of the internet – for what Phorm and BT did was something that the law should have been able to deal with. It was a serious invasion of privacy on a very serious scale – secretly tracking the entire internet activities of 30,000 people without their knowledge or consent – and yet the law seems to be incapable of dealing with it, incapable of providing people with the kind of protection that people need. The kind of protection that people have a right to expect. The law should do this – and in its current form it doesn’t.
In the grand scheme of things, neither of these two incidents are likely to matter in the end. Despite the failures of the law, Phorm still failed, brought down by a combination of the privacy advocacy of such excellent groups as the Open Rights Group and the Foundation for Information Policy Research, interventions by the European Commission, and the belated intelligence of businesses like BT who withdrew their support as they began to understand how things really work. Similarly, the Digital Economy Act is likely to end up an irrelevance, as the people who it is intended to catch find ways to sidestep it, as further legal challenges arise, and as embarrassing prosecutions fail – and something that gets closer to understanding the reality of the situation is brought in to replace it.
It feels, though, as if the legal system needs to be dragged kicking and screaming into the modern world. That’s the challenge for IT lawyers. People are thinking and writing interesting, informative and insightful things about the nature of the internet – but right now, it isn’t being sufficiently read or understood, and certainly isn’t finding its way into the mindsets of those creating or enforcing the law. It needs to be – for though other forces will (and have, in the case of Phorm) stop many of the worst things from happening, without the law being ‘fit for purpose’ everything is a struggle, and many people suffer along the way.
….and talk about the important part of that right in less emotive, less distracting, and more accurate terms. I’m not interested in rewriting or erasing history, I’m not interested in hiding my past – selectively or completely. I am, however, interested in cutting down the amount of data held about me for spurious purposes, and interested in having more control over what commercial enterprises do with the data they have on me. I don’t want a right to be forgotten – I want a right to delete personal data!
I asked a question about this at the Westminster Media Forum a few weeks ago, and gave a presentation on the subject at BILETA in Manchester yesterday – but I think the subject needs more attention. At the Westminster Media Forum, there was a particularly acerbic attack on the right to forgotten by journalist Tessa Mayes, who seemed to think that the right was all about restricting journalists’ rights to report on past events. At BILETA, even though I made the point very directly that the right to delete data isn’t the same as a right to be forgotten, one of the biggest questions I got was actually exactly about how such a right would effectively mess up the historical archive that the internet provides. For me, the right to delete data isn’t like that at all – but calling it a right to be forgotten can easily mislead people into thinking it is.
The right to delete, as I set it out in my presentation (slides of which are available by email), is something that allows individuals control over what data is held about them – but it has a number of specific exceptions, situations where data should be allowed to be kept, regardless of the desire of the individual concerned. They include examples such as medical records, criminal records, electoral rolls and so forth – and appropriate historical archives. All that should be clear – and should prevent the problems that would be associated with a real ‘right to be forgotten’.
The point is, though, that those holding data should need to justify that holding – rather than the individual justify why they would like data to be removed. If there ARE good reasons to hold data, then say so. If not, then the individual should have the right to delete it. The key thing to understand, though, is that BUSINESS reasons – and in particular the fact that you can make money out of holding someone’s data – are not sufficiently strong to override someones right to delete data. Privacy is more important than that.
Forgetting is important too – as Viktor Mayer-Schönberger has described so eloquently and compellingly in his excellent book Delete – but, as Mayer-Schönberger himself suggests, rights may not be the best way to bring it about. Talking about a bald ‘right to be forgotten’ doesn’t really help either the understanding of what is a complex and important issue, or about dealing with the important both practical and ethical issues surrounding rights over personal data.
So let’s forget about the right to be forgotten – but fight strongly for the right to delete personal data.