Over the past two years, there has been a significant amount of discourse concerning the European Union’s (EU) newly created “right to be forgotten” based on article 7 of the Charter of Fundamental Rights of the European Union and article 8 of the European Convention on Human Rights. The right to be forgotten essentially allows individuals to object to information about themselves associated with a search of the individual’s name conducted through a search engine. Ironically, however, the decision that created this right, Google Spain SL v. Agencia Española de Protección de Datos, never affirmatively mandates that anyone “forget” anything. See, Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (AEPD), 2014 E.C.R. 317; Luciano Floridi et al., The Advisory Council to Google on the Right to be Forgotten 3 (2015) available at https://drive.google.com/file/d/0B1UgZshetMd4cEI3SjlvV0hNbDA/view?pli=1. Rather, the landmark decision, along with subsequent enforcement actions, relates primarily to the actions of operators of vast global search engines that facilitate the “linking” or displaying – arguably the “reporting” – of personal information that, inter alia, relates to the character, general reputation, or personal characteristics of an individual. The reporting of this personal information has been interpreted to create a possible present harm that may negatively affect the individual in several ways such as employment, housing, or educational opportunities. Doctrinally speaking, the right to be forgotten is grounded in an individual’s fundamental right to privacy; however, the harm intended to be remedied is rooted in consumer credit reporting. Consequently, this article will explore the benefit of viewing this important subject matter with both the lens of privacy and the lens of consumer protection to better avoid unnecessary jurisprudential myopia. In doing so, both the EU approach to the fundamental right to privacy and the American approach to consumer reporting will be analyzed.
What Exactly Is the “Right to Be Forgotten”?
The “right to be forgotten” is largely a misnomer derived from the Google Spain decision in which the Court of Justice of the European Union (CJEU) determined that Google Spain SL must remove links, or “delist,” certain search results based on an individual’s name when those results are “inadequate, irrelevant or no longer relevant, or excessive” unless there is an overriding public interest in the search results (e.g., based on the role of the data subject in public life). Floridi et al., supra para. 1 at 3. This new right came to being when an individual sued Google Spain SL to prevent it from linking a then 16-year-old news article that included information regarding an attachment of the individual’s property to the results of a search for the individual’s name through Google Spain SL’s search engine. Google Spain, C-131/12 at 317. The court ordered that Google Spain SL provide a consumer-friendly form for EU residents to request that certain personal information be delisted regardless of whether there is harm or prejudice to the individual. Google Spain, C-131/12 at 317; Floridi et al., supra para. 1.
Upon receipt of such a request, Google Spain SL is obligated to perform a balancing test of the individual’s rights and interests in a quasi-judicial capacity. See, Floridi et al., supra para. 1 at 7-14. These rights and interests include the relevance or obsolescence of the data, whether there is a public interest in access to the data, and the published information’s “sensitivity for the data subject’s private life.” Google Spain, C-131/12 at paras. 81, 98; Floridi et al., supra para. 1 at 7-14. If a search engine fails to remove qualifying data, then the individual may seek redress through domestic authorities. In addition, an amended proposed draft of the General Data Protection Regulation (GDPR) expands the right to be forgotten particularly by: granting a right to minors to demand erasure from search engine results, by granting a right to prevent direct marketing to the individual, and by broadening the rights of individuals to demand erasure unless the controller demonstrates “compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.” Reform of EU data protection rules, European Comm’n, Justice (updated Feb. 16, 2016) available at http://ec.europa.eu/justice/data-protection/reform/index_en.htm. These proposals will likely be adopted in spring 2016 and will consequently take effect in 2018 due to a two-year waiting requirement. In the meantime, France has recently adopted the “Digital Republic” bill that implements several of the proposals of the GDPR including the enforcement provisions. Nadège Martin and Geoffroy Coulouvrat, French National Assembly adopts “Digital Republic” bill, Data Protection rep. (Mar. 10, 2016). Enforcement provisions for any serious violation of the right to be forgotten and other data protection laws may include a fine of up to 4 percent of a company’s global annual revenue. Press Release, European Commission Press Release Database, Questions and Answers – Data protection reform (Dec. 21, 2015). In the case of Google’s parent company, Alphabet, this fine may be $2.5 billion.
Ultimately, search engines now contain access to historically unforeseeably large quantities of personally identifiable information. As more of this information becomes available immediately upon conducting a search for an individual, search engines may have unintentionally become consumer reporting agencies (CRAs). If this is the case, then the EU approach to privacy may be an incomplete analysis as access to personally identifiable information that may negatively impact an individual regarding employment, housing, and educational opportunities should also be guarded via consumer protection statutes such as credit reporting laws. American jurisprudence provides an ample approach to limiting the type and scope of such information that may be reported about individuals pursuant to the Fair Credit Reporting Act (FCRA). 15 U.S.C. § 1681, et seq.
Should Search Engines be Classified as Consumer Reporting Agencies for the Purpose of Protecting Both an Individual’s Right to Privacy as Well as the Individual’s Rights under Consumer Protection Jurisprudence?
What Is a Consumer Reporting Agency?
In short, a CRA is an entity that provides qualifying third parties access to information regarding an individual’s creditworthiness or character. The statutory definition for a CRA states that, “[i] any person [ii] which, for monetary fees . . . regularly engages in whole or in part in the practice of assembling or evaluating . . . information on consumers [iii] for the purpose of furnishing consumer reports to third parties, and [iv] [utilizes any means of interstate commerce to do so].” § 1681(a)(f)(emphasis added). Aside from the three major credit bureaus, Experian, TransUnion, and Equifax, other entities may qualify as a CRA. For example, an entity that performed a background check on a job applicant was determined to qualify as a CRA. See, e.g., Dalton v. Capital Associated Indus., Inc., 257 F.3d 409, 412-13 (4th Cir. 2001). Furnishers of information to CRAs (e.g., banks, creditors, debt collectors), however, are not CRAs. See, e.g., DiGianni v. Stern’s, 26 F.3d 346 (2d Cir. 1994). Regarding search engines, the first element is easily satisfied as a “person” is broadly defined to include any “entity” including corporations. § 1681(a)(b). The remaining elements require a more thorough analysis.
Do Search Engines Regularly Engage in the Practice of Assembling Information on Consumers for Monetary Fees?
It is widely understood that a search engine’s primary function is to assemble information by linking search terms to existing data. It is also widely understood that much of the existing data includes information on “consumers,” which term is expressly defined as “an individual.” § 1681(a)(c). This definition is in harmony with the EU’s focus on the fundamental rights of the individual. See, Google Spain, C-131/12 at 317; UN Convention art. 8; UN Charter art. 7. Consequently, there is little room for doubt that search engines assemble information on individuals. Thus, the thrust of this element is whether or not the search engines regularly assemble information on individuals for monetary fees.
Search Engine Advertising. It is sufficient for purposes of this analysis to show that search engines profit – at least in part, although possibly “in whole” – from activity associated with the assembling information on individuals. In 2015, Google, the global leader in search engine advertising, reported more than $67 billion in advertising revenues. Press Release, Alphabet Investor Relations, Alphabet Announces Fourth Quarter and Fiscal Year 2015 Results (Feb. 1, 2016), available at https://abc.xyz/investor/news/earnings/2015/Q4_google_earnings/index.html (select “Revenues by source (Quarterly)” hyperlink at the bottom of the page). This represents approximately 90 percent of Google’s total reported annual revenue. In addition to Google, Baidu, Microsoft, Yahoo, Sohu, and other search engines compete in a market valued at approximately $130 Billion globally in 2015. See, e.g., Media Buying, Google Will Take 55% of Search Ad Dollars Globally in 2015, EMarketer (Mar. 31, 2015) available at http://www.emarketer.com/Article/Google-Will-Take-55-of-Search-Ad-Dollars-Globally-2015/1012294. Needless to say, Google and other search engines are making substantial profits from their advertising approaches; advertising directed primarily at individuals. Some courts may require a stronger nexus to show that a search engine’s advertising is specifically related to its purpose for assembling information on individuals. If so, such a nexus may be found in a widely used practice by presumably all search engines: behavioral advertising.
Behavioral Advertising. Behavioral advertising is defined as, “the act of tracking users’ online activities and then delivering ads or recommendations based upon the tracked activities.” Int’l Ass’n of Privacy Prof’l, Glossary of Privacy Terms (2013). For example, a search engine may store all search terms and sites visited by an individual over time and sell this information to interested buyers. Behavioral advertising encompasses “behavioral targeting” and “targeted advertising.” Google has disclosed that it utilizes at least four primary methods of targeted marketing: (i) contextual targeting (i.e., an approach to analyze the keywords that an individual enters into the search engine to provide targeted ads to the individual); (ii) placement targeting (i.e., an approach that allows the advertiser to choose the location of specific ad placements regardless of the apparent relevance of the placement); (iii) interest-based advertising (i.e., an approach based on users interests and demographics based on user’s prior interactions with the advertiser such as visits to certain webpages); and (iv) language targeting (i.e., an approach to determine the primary language of an ad based on user history, search terms, and prior history). See e.g., Emma Bazilian, Google Completes Rollout of Interest-Based Advertising: AdWords will be able to target customers based on Web Behavior, Adweek (June 24, 2011) available at http://www.adweek.com/news/advertising-branding/google-completes-rollout-interest-based-advertising-132908.
While all targeted advertising is relevant to determine whether a search engine regularly assembles information on individuals for monetary fees, interest-based advertising is among the most likely to ensure that a sound nexus between profit and the collection of information on individuals is met. Although it is not readily apparent what percentage of advertising revenue is attributable to interest-based advertising, Google has disclosed that it primarily initiated interest-based advertising in 2009 after it acquired a company named DoubleClick for $3.1 Billion. See, e.g., Kurt Opsahl, Google Begins Behavioral Targeting Ad Program, Elec. Frontier Found. (Mar. 11, 2009), available at https://www.eff.org/deeplinks/2009/03/google-begins-behavioral-targeting-ad-program. This fact is significant to show that search engines have made substantial investments in not only advertising to individuals, but in expanding their capacity and ability to track the web browsing habits of individuals for a profit. Consequently, search engines profit from of the actions of individual consumers that have no affiliation with the corporation and this profit is directly related to a search engine’s act of assembling information on consumers. Thus, a reasonable fact finder, similar to the CJEU, could easily determine that any search engine engaged in the practice of behavioral advertising, in particular, is assembling information on consumers for monetary fees and that such activity is conducted on a regular basis. See e.g., Google Spain, C-131/12, at para. 100.
Do Search Engines Assemble Information on Consumers for the Purpose of Furnishing Consumer Reports to Third Parties?
Of the factors required to determine whether or not a search engine could be reasonably found to be a CRA, this factor may be the most problematic. Traditionally, consumer reports have been associated with credit reports designed to support the banking system with a fair mechanism to investigate and evaluate the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers. § 1681 Congressional Findings and Statement of Purpose; Safeco Ins. Co. of America v. Burr, 551 U.S. 47, 62 (2007) (citing the objective of the FCRA as being the prevention of adverse effects of unfair and inaccurate credit reporting by virtue of assigning grave responsibilities to CRAs including a respect for the consumer’s right to privacy). There may be room, however, for expansion of this general understanding pursuant to the fundamental changes in technology that have occurred since the FCRA was enacted in 1970. After all, a search engine like Google has a greater capacity to access and report more personal information on an individual regarding that individual’s character or creditworthiness than any CRA could pursuant to a traditional credit report. See, e.g., Snyder v. Millersville Univ., No. 07-1660, 2008 U.S. Dist. LEXIS 97943 (E.D. Pa. Dec. 3, 2008)(discussing how an individual was prevented from obtaining employment based on personal information derived from the results of an employer’s use of a search engine). A 2010 survey conducted by Microsoft revealed that approximately 75 percent of recruiters utilize search engines to scrutinize job applicants of which 70 percent admit having rejected candidates based on those search results. Jeffrey Rosen, The Web Means the End of Forgetting, N.Y. Times, Jul. 21, 2010. In addition, in Safeco Insurance Company of America v. Burr, the U.S. Supreme Court expressly stated that part of the “ambitious objective” set out in the FCRA is to “insure” that CRAs “‘exercise their grave responsibilities’ fairly, impartially, and with respect for [the consumer’s right to] privacy.” Safeco Ins. Co. of America, 551 U.S. at 62. Consequently, there exists a reasonable basis within the FCRA for expanding the traditional notion of a CRA based on an individual right to privacy.
What Is a Consumer Report?
In simple terms, a consumer report is a communication made by a CRA about the character or creditworthiness of an individual to a qualifying third party. Specifically, a consumer report means “[i] any . . . communication of any information [ii] by a CRA [iii] bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living [iv] which is . . . collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility [for credit or insurance; employment purposes; or any other permissible purpose.]” § 1681(b)(a)(3)(emphasis added). Permissible purposes are enumerated and may include eligibility for a license, government benefit, or business transaction. § 1681(b)(a)(3). One paradoxical aspect of this definition involves the circular reasoning on which it is based. A “consumer report” by definition must be issued by a CRA yet a CRA is expressly defined as an entity that provides a “consumer report” to third parties.
Do Search Engines Expect, At Least in Part, That the Information It Collects Will Serve as a Factor in Establishing a Consumer’s Eligibility for Credit, Insurance, Employment Opportunities, or Other Permissible Purposes?
In analyzing this factor, some facts from existing actions pursuant to the EU’s right to be forgotten may be helpful. The first suit brought under the right to be forgotten was based on information regarding a 16-year-old attachment to a residential property. See, Google Spain, C-131/12 at 317. The first enforcement action was brought in the United Kingdom pursuant to a nine-year-old minor criminal record. See, Margaret Briffa, UK Regular the ICO Serves First ‘Right to be Forgotten’ Enforcement Notice on Google,’ Privacy Europe (Sept. 17, 2015); Samuel Gibbs, Google Ordered to Remove Links to ‘Right to be Forgotten’ Removal Stories, The Guardian (Aug. 20, 2015). Associating an individual’s name with an attachment was potentially harmful because it could affect the individual’s credit worthiness, credit standing, and credit capacity by damaging the perception of the consumer’s character or general reputation with regards to employment, housing, or educational opportunities. The criminal record likewise is directed at affecting the character or general reputation of the individual. Consequently, both instances would be regulated by consumer credit reporting statutes under American law.
As discussed above, search engines communicate information that bears on a consumer’s credit worthiness, credit standing, credit capacity, character, or general reputation. The key to determining whether or not the link created by the search engine is “expected to be used” in part for the purpose of serving as a factor in establishing the consumer’s eligibility for employment, license, insurance, government benefit, or other permissible purpose remains to be determined. If the cases involving the right to be forgotten and the Microsoft survey provide any indication, then a reasonable fact finder may determine that a search engine not only has knowledge of the purposes for which the information it provides is being used, but expects that certain types of personal information will likely be used by employers, landlords, mortgage lenders, insurance providers, and other similar entities for the purpose of engaging in a business transaction. These factors seem to indicate that it may be reasonable to determine that search engines do in fact produce “consumer reports.”
In addition, the FCRA prohibits the reporting of negative information on a consumer report beyond seven years in most cases. A similar provision would strengthen the right to be forgotten by requiring search engines to delink negative personal information with an individual’s name beyond a certain time frame.
Do Search Engines Utilize Any Means of Interstate Commerce for the Purpose of Preparing Consumer Reports?
The international scope of most search engines easily satisfies the requirement that the search engine use a means of interstate commerce. The key to satisfying this element lies in proving that search engines compile information for the purpose of preparing or furnishing reports. Linking may equate to preparing individual information to be viewed by other third parties for purposes that bear on a consumer’s credit worthiness, credit standing, credit capacity, character, or general reputation which function is similar to that of a CRA. Consequently, search engines may be found to utilize interstate commerce for the purpose of preparing consumer reports. Thus, it may be reasonable to conclude that search engines both produce consumer reports and may be regarded as CRAs.
The EU’s right to be forgotten provides a basis for strengthening rights of privacy in the United States. In addition, it may provide a basis for treating search engines as CRAs. Reasonable fact finders in the United States have a strong basis to expand the traditional concept of CRAs to include search engines due to the breadth of personally identifiable information that may exist and be linked to individuals by global search engines. Both the EU and the United States should begin to reanalyze some of the basic concepts of credit reporting to allow for a more complete framework that utilizes both strong privacy laws as well as consumer protection laws. For the United States, this means strengthening individual’s right to privacy inherent within the purpose of the FCRA. In the EU, this means developing strong consumer protection laws akin to the FCRA. By doing so, both jurisdictions may learn from each other and avoid the negative effects that arise from jurisprudential myopia.