A pact with Facebook - Timeline, the story of your life

Time to forget the right to be forgotten?

In September 2011, Facebook launched what appears to be a restyling of the application so it can compete with services such as Google+: Facebook Timeline. With Timeline, “the story of your life”, Facebook allows us to display in a clear and organized way the major events of our life in the form of a diary. Facebook will therefore follow us throughout our whole life.

The idea is, at first sight, attractive, especially in a context where more of our social and professional live happens online. Facebook offers users a service that will help them organize their “digital memories” so they become easier to retrieve, to share or simply to remember. The idea is not new. Gordon Bell and Jim Gemmel, the developers of Microsoft’s concept  “MyLifeBits”, envisioned a world where everything, every moment of the life of an individual could be recorded, stored and traced. The authors presented their vision as a logical consequence of a situation where “individuals are already capturing so much of their life, be it on the date- and location-stamped photos we take with our smart phones or in the continuous records we have of our emails, instant messages, and tweets — not to mention the GPS tracking of our movements many cars and smart phones already do automatically”.  Facebook made this vision a reality.

While Timeline offers great advantages for Facebook’s users in terms of social networking, it also raises serious privacy concerns. Facebook’s Timeline is public by default. Users can obviously change their privacy settings, but these are usually configured in such a way that only knowledgeable users will actually be able to protect themselves from the public's gaze. This means that it is likely that users will, by default, make their whole life (knowing for example that you can now add health information to your status) publicly accessible. This information will be added to the flow of personal information already published online by Internet users through blogs, personal pages and other forums. The culture of “digital memories” thus brings along the one of “unforgetfulness”. “Digital data never dies” has now become a commonplace warning about the risks involved in the growing amount of private information disclosed online. These digital profiles contain a wealth of information that could be used for diverse unforeseen purposes such as advertisement or evidence gathering in civil and criminal investigations.

This raises the problem of e-reputation. As shown by last year’s heated debates about the use of social network information by employers, the first consequence is on users' employability. Some people are denied a job because of photos of somewhat too animated parties, carelessly posted on social networks and accessible to all, while others are being dismissed on the basis of statements made on these pages. The problem of e-reputation, however, not only affects individuals. Businesses are also becoming increasingly vulnerable to information published on the quality of their services by their customers. The Internet, because of its essentially written nature, plunges individuals and businesses into an "eternal present", in the words of P. Bellanger. The issue of online reputation becomes a problem in itself and does seem to have an easy solution. It involves giving individuals and private companies effective means to manage the information publicly available on the Internet that relates to them but also to control the viral spread of this information. Online content often falls beyond the control of its author, who, even when he makes the decision to delete it, can hardly prevent this content from appearing on other web pages, spread spontaneously by other (unknown) users.

Under current EU data protection laws, individuals who want to have their information deleted should request their deletion, or should oppose to a particular processing of personal data by revoking the consent they have previously given. However, they must direct their request to every webmaster that published this information and invoke a legitimate reason (such as invasion of privacy or an attack to their reputation). Faced with the enormity of the task in practice, the Spanish Data Protection Authority acknowledges the existence of a general users' right to ask Google to delete data that appear in search results. This decision was, however, referred to the courts, who will decide upon the case in the coming months. The Spanish case shows the difficulties faced by individuals in practice to make effective the rights granted by European data protection rules, notably the Data Protection Directive 95/46/EC, which remain largely theoretical. For private companies, the problem is even more complex as they often do not have any right to delete data.

The right to oblivion is gradually seen as the conceptual solution to turn things around, that is to say, as highlighted by V. Mayer-Schoenberger in "Delete: The Virtue of Forgetting in the digital age", for oblivion to become once again the rule and remembering the exception. In this context, the heated debates revolving around the introduction of a right to oblivion into the new Data Protection Directive gain their full meaning. The EDPS, through its Opinion of January 14, 2011, notably suggested assigning an expiry date to the data published online. This would ensure individuals that the information concerning them would automatically disappear after a while even if the individuals did not request it or if they did not even know that information about them was being processed by a third party. In addition, as this right would define a fixed storage period that would be subject to only limited derogations, there would be a reversal of the burden of proof: the data controller would then have to demonstrate that the processing of data after the expiration date would still be legitimate. The EDPS suggestion looks for turning the right to delete data into an automatic deletion obligation for data controllers.

Although this proposition is appealing, its applicability in practical terms remains to be explored, especially when considering the multiple and complex statute of limitation periods that will influence the time certain information should be store for evidence purposes. Who should then define the expiry date of the information? V. Mayer-Schoenberg suggests that this power should be given to the user, allowing him to become aware of the durability of the information he publishes and to regain control. However, the deletion cannot be automatic, since data controllers may have legitimate reasons for a retention period longer than that established in the first place. In such cases, should the controller be given the possibility to assign a new expiry date? This raises the questions of technical feasibility, reasonable cost, and effective control.

While the new contours of the right to oblivion are still to be defined at European level, the launch of applications such as Facebook’s Timeline shows the urgency to introduce this right as a tool to enable users to manage their e-reputation. Private companies should however not be ignored in this debate and similar mechanisms should be put forward to also allow them to manage their e-reputation in an efficient way.