Violent Extremism and the Right to Be Forgotten

Christian Neumeister
Vol. 40 Associate Editor

The “Right to be Forgotten” has its origins in Google Spain, in which the Court of Justice of the European Union ruled that individuals have the right to petition internet search providers to remove personal data from that search engine’s index under certain conditions.[1] The EU’s General Data Protection Regulation (GDPR) reinvented the doctrine, setting out rights to erasure, objection, and rectification of inaccurate or misrepresentative personal data.[2] For many commentators, both the Google Spain case and the GDPR recognize the right to a “dynamic identity” in which individuals enjoy “a right to have one’s own identity, made public through the media, permanently and regularly consistent with reality and hence not only up to date but possibly also protected through the removal of information that is no longer accurate or of public interest.”[3] Subject to certain exceptions, the GDPR also prohibits the processing of special classes of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.[4] When the data processing subject withdraws their consent, they may exercise their “right to be forgotten” and request that the data controller erase their personal data.[5] However, the data processor is not required to erase that data when such processing implicates the “[exercise] of the right of freedom of expression and information” or “for archiving purposes in the public interest, scientific or historical purposes or statistical purposes…”[6] The GDPR directs member nations to promulgate laws reconciling data protection to freedom of expression and information[7] and archiving purposes in the public interest,[8] though member state law offers little more guidance than the EU regulation.[9] Europe’s move towards data privacy comes at a particularly interesting time, given other socio-political trends throughout the continent.
Populist movements have embraced a range of far-right ideologies across the continent;[10] some countries must cope with former Islamic State fighters returning home;[11] and concerted online propaganda efforts and cyberattacks threaten the integrity of elections.[12] Keeping track of this type of activity requires data processing by law enforcement, journalists and other non-governmental actors, implicating many of the GDPR restrictions. Under Article 2(d) of the GDPR, law enforcement agencies have broad authority to collect data on individuals for the purposes of criminal investigation or preventing threats to public security, regardless of the content of that data.[13] If that data reveals political opinions or religious beliefs, like data showing support for ISIS or neo-fascist parties, processing by private parties, like non-governmental or journalistic organizations, must fall under one of the exceptions outlined in Article 9. Open-source data would likely fall under the 9(e) exception as having been manifestly made public.[14] However, this depends on certain facts about the underlying data itself; analyzing public tweets would be acceptable, but Google’s Redirect Method, which uses browsing history to send targeted ads to those the algorithm deems at risk of radicalization by ISIS, might not be.[15] Other kinds of data could fall within the public interest exception, either under Article 9(g) or for archiving purposes in the public interest under 9(j).[16] Records identifying individuals who participate in neo-fascist rallies or donate to those causes, for instance, might seem to fall within either of these public interest exceptions.
If we consider ISIS or neo-Nazis enough of a threat to exclude them from GDPR protection, however, the public interest exception becomes an exercise in line-drawing, in which we refuse to grant some individuals the “right to a dynamic identity,” which underlies Court of Justice of the European Union (CJEU) jurisprudence and the GDPR itself.[17] In the absence of more specific law on the subject or, as is more likely, CJEU rulings delineating the boundaries of these rights, the actual scope of GDPR data protection will remain murky. The construction of the GDPR’s “public interest” exceptions for political and religious beliefs raises questions about how far those exceptions will go. Until more detailed regulations are promulgated or cases are decided, organizations whose missions include this type of data gathering will remain in the dark.

[1] Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos, 2014
[2] Regulation (EU) 2016/679, art. 16-19, 21, 2016 O.J. L 199/1 (hereinafter GDPR).
[3] See Francisco Di Ciommo, Privacy in Europe after Regulation (EU) No 2016/679: What Will Remain of the Right to Be Forgotten, 3 Italian L. J. 623, 627 (2017).
[4] GDPR art. 9. There are 10 exceptions, including when: (a) the data subject has given explicit consent to the processing . . . (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; (e) processing relates to personal data which are manifestly made public by the data subject; . . . (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; . . . (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. . .
[5] Id. art. 17
[6] Id.
[7] Id. art. 85.
[8] Id. art. 89.
[9] See, e.g., Bundesdatenschutzgesetz [BDSG] [Federal Data Protection Act], June 30, 2017, Bundesgesetzblatt I at 2097. § 28
[10] See, e.g., Carol Shaffer, How Hungary Became a Haven for the Alt-Right, The Atlantic (May 28, 2017),
[11] See, e.g., Souad Mekhennet & Joby Warrick, ISIS Behind Bars, Wash. Post (July 26, 2018),
[12] See, e.g., Eric Brattberg & Tim Maurer, How Sweden is Preparing for Russia to Hack its Election, BBC (May 31, 2018),
[13] GDPR art. 2(d).
[14] Id. art. 9(e).
[15] See (last visited Oct. 21, 2018). “The Redirect Method uses Adwords targeting tools and curated YouTube videos uploaded by people all around the world to confront online radicalization. It focuses on the slice of ISIS’ audience that is most susceptible to its messaging, and redirects them towards curated YouTube videos debunking ISIS recruiting themes.”
[16] GDPR art. 9.
[17] See Di Ciommo, supra.