
Global Internet Law and My View on Privacy



Introduction

I am someone who likes to be aware of my online presence and control the data that is available about me, if at all possible. Because of this, I primarily use the Internet for research purposes, plus occasional perusing of YouTube; I use an encrypted email provider, use no Google or Microsoft products, and do not use any social media sites. Due to my ire for data collection, the three key rulings, laws, and regulations from "Global Internet Law in a Nutshell" that relate to my internet use are all privacy-focused: the Google Spain v. AEPD "right to be forgotten" case, the Electronic Communications Privacy Act (ECPA), and the EU's General Data Protection Regulation (GDPR). Each of these provides some level of privacy protection, but of course, they have their limitations.


Google Spain v. AEPD

In the court case Google Spain v. AEPD, the Court of Justice of the European Union (EU) ruled that under the EU Data Protection Directive, individuals have a "right to be forgotten", allowing European users some control over their online reputation and privacy by having outdated or irrelevant personal data delinked from search results (Harvard Law Review, 2014). While not an American law, cases involving major institutions—such as Google and the EU—that reestablish principles are sure to have a ripple effect on other countries, including America.


The case did not establish the right to be forgotten as absolute. Site links are only required to be removed if the information is "inadequate, irrelevant or no longer relevant," and exceptions exist for freedom of expression and public interest (Rustad, 2016). The ruling also only applies within the EU, not globally. While this case provides a somewhat important privacy tool, its scope is very limited. For someone like myself who is privacy-conscious, the ability to request removal of personal information from search engines in the EU is beneficial, but does not provide comprehensive protection. In fact, the ruling could be seen as detrimental to privacy, as only being able to request the removal of *irrelevant* information by definition means that companies are only allowed to store *relevant* information. This essentially means people act as garbage collectors for these companies, ensuring increased sales of more accurate data.


The Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA), passed by the U.S. Congress nearly 40 years ago in 1986, is an update to the Federal Wiretap Act of 1968. It extends the act to cover electronic communications in addition to telephone conversations. It places some limits on what the government and private parties can access by restricting their interception of electronic communications like emails. However, the ECPA was written before our modern era of ubiquitous Internet and cloud usage. It allows law enforcement to obtain emails and other communications records without a warrant in many cases, and because many companies rely heavily on cloud-computing and data collection, there are vast troves of data able to be perused. The ECPA also has weaker protections for communications records held by third-party providers (Rustad, 2016).

This galvanizes my current stance that end-to-end encryption should be used as much as possible for communication. Luckily, nearly everything I use is encrypted, but one major flaw is SMS. I use an Android phone, and because most of the people in my life use iOS (Apple has yet to adopt RCS), all of my text messages are unencrypted SMS messages; this means that due to the outdated ECPA, my privacy, and millions of others', is not protected. We should not have to rely on private companies to roll out rights-protecting features; this is the government's role. The ECPA provides some baseline protections against interception, but has major gaps in protecting plain-text data like SMS and cloud-stored data from government access without robust judicial oversight. Reforms to strengthen the ECPA for the internet age are definitely needed.


General Data Protection Regulation (GDPR)

Finally, the EU's General Data Protection Regulation (GDPR), which went into effect in 2018, updates and harmonizes data protection laws across the EU. The GDPR expands the jurisdiction of EU privacy law to all companies processing the data of EU residents, no matter where the company is based. It codifies a right to be forgotten, notifications within 72 hours of a data breach, privacy by design, and strict consent requirements for processing personal data. Penalties for non-compliance can be up to 4% of global revenue.

The GDPR is a major advancement for privacy rights in Europe and will impact companies globally, as we have seen with multiple lawsuits in the EU against Apple, Google, and Microsoft (all US companies). By imposing mandatory privacy protections and significant penalties, the GDPR incentivizes companies to bake in privacy from the start, allowing individuals more control over their personal data. Unfortunately, the GDPR still has broad language that allows data processing without consent in various cases, such as when necessary for a "legitimate interest". The strength of the GDPR's protections will depend on how this broad language is interpreted, and the more wiggle room that is allowed, the weaker they will be. Also, the GDPR governs all data processing in the EU, but importantly does not restrict government surveillance.


Again, living in America, this law technically has no effect on me. However, as with the aforementioned Google Spain v. AEPD case, there will be a ripple effect. As an example, in my home state of California, the California Consumer Privacy Act (CCPA) of 2018 and its subsequent amendment, the California Privacy Rights Act (CPRA) of 2020, share many similarities with the GDPR. Both regulate the collection and use of personal data, grant individuals rights like access, deletion, and opting out of data sales, and impose obligations on businesses (Kucera, 2021). A key difference is how the GDPR sets a basis in law for processing data, whereas with the CPRA California residents must opt out of collection. I believe the GDPR to be an excellent law and foresee the US implementing a law that is similar, but perhaps closer to the CPRA.


Conclusion

The right to be forgotten as established in Google Spain v. AEPD, the Electronic Communications Privacy Act (ECPA), and the General Data Protection Regulation (GDPR) each offer mechanisms for protecting personal data online—with notable limitations. The "right to be forgotten" allows EU citizens to request the delinking of outdated or irrelevant personal information from search engine results—with limited geographical scope and application. The ECPA is outdated and inadequately addresses the privacy of electronic communications in the era of cloud computing and ubiquitous internet access, particularly failing to protect unencrypted SMS messages. The GDPR is a significant advancement in privacy rights (within the EU), but contains broad language that permits data processing without explicit consent under certain conditions, potentially undermining its effectiveness.

To enhance online privacy protections in the future, it's imperative for governments to expand the scope of the right to be forgotten beyond the EU, update the ECPA to reflect modern technological realities, and amend the GDPR's exceptions to apply more narrowly. These steps, along with limiting government data collection practices, are essential for safeguarding citizens' privacy. At the same time, while legal frameworks provide a foundation for privacy protection, the modern digital age is an ever-evolving landscape: it's paramount for individuals to proactively manage their digital footprints.

References

Harvard Law Review. (2014). Recent Cases: Google Spain SL v. Agencia Española de Protección de Datos. *Harvard Law Review*, 128(2), 735-741. https://harvardlawreview.org/print/vol-128/google-spain-sl-v-agencia-espanola-de-proteccion-de-datos/

Kucera, D. (2021, April 13). CCPA vs. GDPR: Similarities and differences explained. *Okta*. https://www.okta.com/blog/2021/04/ccpa-vs-gdpr/

Rustad, M. L. (2016). Global Internet law in a nutshell (3rd ed.). West Academic Publishing.