November 20, 2016

Constitutional Issues in Granting Americans a “Right to Dispute” Personal Information With Search Engines Akin to the Existing Remedy Afforded to Europeans Via Europe’s Right to Be Forgotten

Mark T. Andrus

This article is the second in a three-part series exploring whether search engines may be lawfully classified as consumer reporting agencies for the purpose of allowing American consumers the right to dispute confidential personal information directly with a search engine comparable to the existing rights of European residents stemming from the EU’s “right to be forgotten.” The first article in this series analyzed whether search engines could be classified as consumer reporting agencies (CRAs) pursuant to the Fair Credit Reporting Act (FCRA). The analysis concluded that search engines could be classified as CRAs because they regularly assemble or evaluate information on consumers for monetary fees (i.e., particularly through behavioral advertising) for the purpose of furnishing comprehensive search results (i.e., consumer reports) to third parties.

*     *     *

This article will address the role of the EU’s right to be forgotten in creating a right to dispute personal information in the United States directly with search engines, and the constitutional limitations that could arise with classifying American search engines as CRAs.

Pursuant to Europe’s Right to Be Forgotten, American Search Engines Have Processed Hundreds of Thousands of Consumer Disputes, but Not for Americans

Europe’s right to be forgotten has recently been enshrined into law by the European Commission’s General Data Protection Regulation (GDPR), which protects personally identifiable information based on a fundamental right to privacy. Reg. (EU) 2016/679 citing EU Charter art. 8(1). This right extends the EU fundamental right to privacy to the “processing of personal data.” Reg. (EU) 2016/679(1). Simply stated, the right to be forgotten allows individuals to “demand the erasure” of certain personal data with a data controller, like a search engine, in situations where the individual has withdrawn his or her consent, or no other legal ground for processing the data applies. Reg. (EU) 2016/679 art. 17. In theory, this right empowers individuals to control their data regardless of who possesses the information. As applied, however, the right to be forgotten has allowed the EU to treat global search engines as the United States treats CRAs pursuant to the FCRA, 15 U.S.C. § 1681(i).

Although there are various protections afforded by the right to be forgotten, some immediate effects have been to create a right to dispute personal information directly with search engines. Interestingly, the primary enforcement actions invoking the right to be forgotten have been applied to the type of consumer information that would constitute a “consumer report” in America (e.g., old liens and minor criminal offenses). See Google Spain SL v. Agencia Española de Protección de Datos (AEPD), 2014 E.C.R. 317; see also Margaret Briffa, UK Regular the ICO serves first ‘right to be forgotten’ enforcement notice on Google, Privacy Europe, Sept. 17, 2015.

A Fundamental Right to Dispute?

The language of the GDPR does not expressly create a fundamental right to dispute; however, the right to be forgotten primarily has been applied to allow residents of the EU to directly dispute personal information with search engines by demanding the removal (i.e., delisting) of certain personal information. See, e.g., Peter Fleischer, Adapting Our Approach to the European Right to Be Forgotten, Google Europe Blog, Mar. 4, 2016. In fact, Google has interpreted the right to be forgotten as “the right to delist.” This means that, according to Google, the right to be forgotten allows Europeans to dispute information linked by search engines to the set of search results generated by a search query for their name. This process is very similar to the dispute and reinvestigation process mandated by the FCRA, which grants a consumer the right to dispute personal information with CRAs.

The FCRA Provides a Valid Framework to Utilize the Right to Be Forgotten’s “Right to Dispute” With Search Engines, as Long as Search Engines May Be Classified as CRAs

Pursuant to the FCRA, American consumers have a right to dispute information reported by a CRA. Individuals are able to request under section 1681(i)(a) that CRAs correct or remove negative information appearing on a credit report associated with the consumer’s personal information. Existing policy allows a consumer to submit a dispute via the CRA’s website or in writing. Any consumer may directly dispute the completeness, accuracy, or fairness of any item of information that is on file with the CRA under section 1681(i)(a)(1).

In essence, the application of the right to be forgotten is sufficiently similar to the FCRA’s right to dispute such that the net effects of the right to be forgotten may be afforded to American consumers upon a finding that search engines may be classified as CRAs. Search engines may reasonably be classified as CRAs given that they regularly assemble or evaluate information on consumers for monetary fees for the purpose of furnishing comprehensive search results (i.e., consumer reports) to third parties. See Andrus, supra. Consequently, the scope of the FCRA’s right to dispute should be interpreted to address the modern data collection efforts of search engines.

The FCRA’s “Right to Dispute” Should Be Interpreted to Address the Modern Data Collection Efforts of Search Engines

The FCRA was passed in 1970 to protect an individual’s right to control and protect his or her personal data, particularly data collected by banks and insurance companies and compiled into profiles that directly affected the individual’s ability to obtain employment, a loan, or an education without the individual’s knowledge or consent. Today, search engines monitor, collect, record, store, and report consumers’ behavior particularly through the use of behavioral or targeted advertising and make billions of dollars in the process. See, e.g., IAB Internet Advertising Revenue Report, PWC (Apr. 2016); AdSense Help, Ad Targeting: How Ads Are Targeted to Your Site, Google (last visited Sept. 15, 2016).

These practices have led to a boom in consumer “spy” technologies that monitor and monetize the mundane by organizing consumer information in a manner that is tantamount to a profile that may be based on a user’s IP address, tracking cookies, and other “digital fingerprints.” See, e.g., Mary Brandel, What Search Engines Store About You, TechWorld, July 20, 2010. Significant portions of this profile are accessible by anyone with an Internet connection interested in searching for a specific individual’s name, often free of charge, and may be relied upon by potential employers, professionals, peers, law enforcement officials, romantic interests, neighbors, or other interested parties for any purpose, let alone a permissible one. This is the very type of information that Congress intended to protect by enacting the FCRA. In fact, search engines have the capacity to report more information about consumers than CRAs; yet, American consumers cannot dispute information reported by search engines about themselves. Meanwhile, search engines have existing processes in place to handle consumer disputes, but expressly limit the right to dispute to European residents pursuant to their right to be forgotten.

American Search Engines Have Already Processed Hundreds of Thousands of Consumer Disputes

Since the right to be forgotten was first enforced approximately two years ago, search engines have processed hundreds of thousands of direct disputes regarding the linking of personal information to search results. See Jeff John Roberts, Google Shows Sites That Get Most 'Right to be Forgotten' Requests, More Than 500K Pages Removed, Fortune, Nov. 24, 2015; Sophie Curtis, EU 'Right to be Forgotten': One Year On, The Telegraph, May 13, 2015. Ironically, the right to directly dispute personal information with American search engines is not available to Americans. Search engines clearly have existing processes in place and the ability to perform these types of disputes for Americans; they simply choose not to. Certain information privacy laws such as the FCRA, however, would provide a legal framework to afford Americans the opportunity to directly dispute personal information with search engines, provided that search engines are classified as CRAs. As part of the analysis of classifying search engines as CRAs, certain constitutional limitations must be addressed.

Potential U.S. Constitutional Limitations in Treating Search Engines as CRAs

Part of the analysis in determining whether search engines may be treated as CRAs includes addressing certain constitutional matters, such as: (1) whether the United States recognizes a fundamental right to privacy that allows the government to regulate search engines as CRAs for purposes of the FCRA; (2) whether the government’s authority over search engines is limited due to their status as private corporate entities; and (3) whether search engines have a First Amendment right to publish truthful and legally obtained, albeit confidential, consumer information.

The U.S. Supreme Court Has Enforced the FCRA against CRAs in Light of a “Fundamental” Right to Privacy; Consequently Search Engines May Also Be Regulated as CRAs

Although the U.S. Constitution does not expressly grant any enumerated right to privacy, both the U.S. Supreme Court and Congress have found that Americans are entitled to a fundamental right to privacy. Griswold v. Connecticut, 381 U.S. 479 (1965); see also 41 C.F.R. § 1-1.327-1 (1976). Initially, this fundamental right was bifurcated between an individual’s interest in avoiding disclosure of personal matters (i.e., a right to be let alone) and an individual’s independence in making certain kinds of important decisions (e.g., abortion, use of contraceptives, parent’s right to educate child, etc.). See Whalen v. Roe, 429 U.S. 589, 598 (1977). The first interest apparently was subject to only rational basis scrutiny, meaning that any federal law affecting a “right to be let alone” interest would be upheld so long as it was conceivably related to a legitimate governmental interest. See, e.g., Romer v. Evans, 517 U.S. 620 (1996). Meanwhile, the second interest was subject to strict scrutiny, requiring that the government prove that the challenged government action is necessary to achieve a compelling government interest. See, e.g., Sherbert v. Verner, 374 U.S. 398 (1963); Roe v. Wade, 410 U.S. 113 (1973). The level of scrutiny associated with a fundamental right is important to determine the degree of protection the government will afford a particular interest, like an individual’s right to privacy.

The FCRA, which regulates CRAs, was enacted by Congress over 45 years ago in significant part to protect a consumer’s right to privacy. This act has been upheld and enforced by the U.S. Supreme Court on various occasions. See, e.g., United States v. Bormes, 133 S. Ct. 12 (2012); Sorrell v. IMS Health Inc., 564 U.S. 552 (2011); Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47 (2007). Recent constitutional challenges to the FCRA have been rejected. See, e.g., King v. Gen. Info. Svcs., Inc., No. 10-6850 (E.D. Pa. 2012); see also, Memorandum of the United States of America in Support of the Constitutionality of § 1681c of the Fair Credit Reporting Act (May 03, 2012). Consequently, search engines may also be regulated pursuant to the FCRA if found to be CRAs. It is also important to remember that the various levels of scrutiny apply only to government action and not to private actors, like CRAs or search engines. Nonetheless, Congress may enact legislation affecting private actors subject to an enumerated power.

Search Engines Engaged in Interstate Commerce May Be Regulated Pursuant to Industry-Specific Laws and Regulations, Including the FCRA, Even Though They Are Private Entities

The U.S. Constitution does not generally apply to private action, such as the actions of data controllers or search engines; however, the U.S. Supreme Court has held that Congress has broad authority to regulate interstate commerce even when applied to private action. See, e.g., Heart of Atlanta Motel, Inc. v. United States, 379 U.S. 241 (1964). Although most Supreme Court jurisprudence involving the right to privacy focuses on an individual’s independence to make certain important decisions (i.e., as opposed to “right to be let alone” matters), the court has upheld Congress’ authority to pass laws regulating an individual’s interest in the nondisclosure of private information against private actors. See, e.g., Reno v. Condon, 528 U.S. 141 (2000); Maracich v. Spears, 133 S. Ct. 2191 (2013). Consequently, information privacy laws such as the FCRA, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) have been upheld as legitimate government interests. See, e.g., Bormes, 133 S. Ct. at 12; Nat’l Fed’n of Indep. Bus. v. Sebelius, 132 S. Ct. 2566, 2628 (2012); Watters v. Wachovia Bank, 550 U.S. 1 (2007). These laws all apply the constitutional protections associated with the fundamental right to privacy to private action (e.g., actions by credit bureaus, healthcare providers, and financial institutions). Thus, the FCRA may be constitutionally applied to search engines.

Any First Amendment Rights of Search Engines to Facilitate the Publication of Confidential Personal Information Are Not Outweighed By an Individual’s Right to Privacy

At issue is whether search engines have a First Amendment right to publish confidential consumer information (i.e., information that would be protected if part of a consumer report). In recent years, the U.S. Supreme Court has determined that “the creation and dissemination of information are speech” (as opposed to conduct); that commercial speech is subject to heightened scrutiny; and that corporations are entitled to broader constitutional rights. See, e.g., Sorrell v. IMS Health Inc., 131 S. Ct. 2653, 2667 (2011); Citizens United v. FEC, 558 U.S. 310 (2010). Consequently, search engines may raise the argument that they are entitled to First Amendment protections to facilitate the publication of truthful information that is lawfully acquired regardless of whether the individual consents or finds the information embarrassing. See, e.g., Florida Star v. B.J.F., 491 U.S. 524 (1989).

Search engines may rely on this assertion to argue that they should not be treated as CRAs because they view themselves more as “neutral” sources of information—more akin to the press—as opposed to credit bureaus. Even assuming search engines are more akin to the press, the First Amendment requires the court to weigh an individual’s interest in privacy against the media’s “interest in publishing matters of public importance.” Bartnicki v. Vopper, 532 U.S. 514, 536–37 (2001). Matters of public importance are “newsworthy” matters that relate to current events. See, e.g., Bartnicki, 532 U.S. at 525; New York Times Co. v. United States, 403 U.S. 713, 714 (1971). The key to the analysis will be whether search engines have a prevailing right in facilitating the publication of confidential personal information rarely involving “current” (i.e., newsworthy) events. Bartnicki, 532 at 525.

Confidential Consumer Records Are Not Newsworthy and Require Express Consent or a Permissible Purpose Prior to Disclosure

Confidential consumer records, such as information intended for a consumer report, generally are not “current events” such as old liens and minor criminal records. For example, the Supreme Court has allowed Congress to restrict the “speech” of CRAs, healthcare providers, and financial institutions based in large part on the rationale that consumer reports, medical records, and private financial records are confidential and not newsworthy. See Bartnicki, 532 U.S. at 514; see generally Bormes, 133 S. Ct. at 12; Sorrell, 131 S. Ct. at 2667 (stating that HIPAA’s privacy standards are well-justified); Watters, 550 U.S. at 1. Such confidential records may be disseminated only to authorized parties based on permissible purposes absent express consent (e.g., employment purposes, credit transactions, or insurance underwriting). See, e.g., § 1681(b). Permissible purposes provide a safeguard to prevent unauthorized third parties from revealing confidential personal information. Furthermore, if such information is not acquired through a proper means (i.e., via a permissible purpose or express consent), it is acquired unlawfully. Thus, the publication of such information is not protected by the First Amendment.

Conclusion

Although technology has changed drastically since 1970, the need to protect each individual’s fundamental right to privacy remains constant. Although the FCRA does not provide a perfect solution to protecting personal information, the act provides a viable mechanism that would allow Americans to directly dispute such information with search engines, provided that search engines may be classified as CRAs. In addition, the FCRA provides a framework to require search engines to obtain express consent or identify a permissible purpose prior to publishing or sharing any confidential personal information legally obtained about an American consumer. American search engines are already processing hundreds of thousands of direct disputes from residents of the EU, and now is the time for search engines to afford American consumers those same rights. Such a reality is possible sooner than later so long as search engines are found to be CRAs. Although not a panacea, such a finding would be a significant step to protect and defend American’s fundamental right to privacy in the 21st century.

Mark T. Andrus

Mark T. Andrus, CIPP/US, is the supervising attorney for data protection and privacy at Lexington Law Firm.