From signing up for an Amazon Prime account to setting up online banking to having a PayPal account, you're constantly exposing private information to misuse, fraud, or data breaches. Google yourself and you will find that much of your PI is visible to the world via online directories such as People Finder, Truthfinder, White Pages, and other background check sites. Googling your name can also bring up results from third parties who have written or posted information about you. Even pseudo-accounts may exist, where unknown people have set up false accounts in your name (complete with stolen pictures) on Facebook or other sites.
One-third of internet users admit to having no idea what personal information is available online, who has it, or even where it is! The propagation of cyber information and its misuse has opened a completely new set of legal challenges for law firms and corporate legal areas.
You leave digital footprints all over cyberspace
The granularity of information that can be harvested from so many sources by data brokers and other analytics companies is mind-boggling. Everything from your buying patterns, the webpages you've visited, the events you've attended, where you live, what your income is, who you connect with on social media, which people you have had relationships with, and much more is splayed across cyberspace.
Hackers, stalkers, ex-boyfriends/husbands, and identity thieves can have a field day if they get hold of your information. The possibilities for malicious use of your personal data are quite scary: filing false worker's compensation claims in your name, stealing your Social Security benefits, getting fake passports, stalking your residence, putting their medical bills in your name, giving your information for their speeding tickets or crimes, or stealing money from your bank accounts. Moreover, future careers and personal relationships can be jeopardized.
Data controllers: who has and can display your information
The obvious candidates holding most people's PI are the big online players such as Amazon, Facebook, Twitter and the banks with whom so many individuals set up accounts. In addition, many informational websites (not just ecommerce sites) want your personal information as well, and demand an account just to access their content. Then there are public records sites from which any party or outside person can learn a great deal about someone.
Your personal information is also flowing, without your knowledge, from large data brokers such as Acxiom, ChoicePoint and others -- who collect your PI from all over, analyze it, and sell it -- to advertisers and other entities. Data brokers can obtain police records, phone numbers, addresses, interests, reverse lookups (which determine where an image came from), names of family members, and more.
Law firms can also assume the role of data controller when they obtain PI and PHI for use in litigation, and they are then responsible for keeping the data subject's information secure.
Your right to be forgotten - a balancing act
Internet invisibility is the ultimate end of data privacy. If complete anonymity is not possible, at least having control over how much of an individual's PI is available to the public or used by online entities is feasible. It's often a balancing act of whether the general public or commercial interest is more legitimate than a person's right to have the information expunged. Moreover, the "right to privacy" is concerned with information not intended for public consumption, while the "right to be forgotten" revolves around information that has already been made public. In both European and American systems, there is also the factor of whether the person is a public or private figure.
A survey by Adweek found that 9 out of 10 Americans want some form of the right to be forgotten ruling to be applied in the U.S. There are pros and cons on both sides of having the right to personal data effaced from cyberspace:
Arguments for:
- Self-regulation of online presence
- Ability to remove slanderous or embarrassing unwanted information from public view
- Opportunity to give individuals a new beginning in life
- Removal of information that may jeopardize a data subject's finances, career, or personal safety
Arguments against:
- Inherent value of the information to the public (especially for public figures)
- Useful information for business or commerce may be hindered
- Blocks to journalistic, media, or public knowledge of truthful facts commensurate with First Amendment free speech
Your right to be forgotten on the internet: Europe versus the U.S.
In Europe, protecting an individual’s PI is considered a civil right and legally mandated.
The EU's GDPR Act of 2016 legally provides for the erasure of PI from search engines, revocation of its use by data controllers, objection to wrong information, and deletion of old data by entities. This does not provide carte blanche for anyone to have any information about himself or herself expunged. The GDPR outlines exceptions for what can be deleted.
Europe's GDPR ruling only provides protection for personal information that is incorrect, misleading, excessive, or irrelevant in the context of the business using it. If a person's interest in removing publicly accessible data does not outweigh the preponderant interest of the public in that information, then it can't be removed. Under the GDPR Act, legal firms cannot keep copies of clients' data, whereas in the U.S. legal service providers can keep copies.
In the U.S., ideas of First Amendment free speech and free exchange of truthful information govern the flow of PI.
Data subjects can request to have private information removed by an entity or by Google, but there is no legal mandate binding the data controller. The process is more ad hoc and based on individual company policies and privacy laws rather than legal mandate. Private data purge companies or legal firms can be hired to assess and purge an individual's online data. Law firms and lawyers can get involved in purging PI if there is litigation involving personal safety or criminal dangers resulting from public views of personal data. As in Europe, though, public interest comes into play.
There has been some legal movement in the United States. California's Minor Eraser Law allows California residents below the age of 18 to request the removal of personal information posted on websites, mobile apps, social media sites, and other online services.
How the right to be forgotten impacts law firm attorneys and other legal services providers
Law firms working with European data subjects residing in the U.S. or in Europe should follow these guidelines regarding the GDPR mandate:
- Under GDPR guidelines, the firm must make the client aware of why they need their personal data and how they are going to use it in relation to the handling of the case.
- Appoint a GDPR specialist who thoroughly understands the rights and responsibilities of all parties under the 2016 mandate.
- Build awareness inside your law firm or corporate legal area of GDPR stipulations. Make sure every member of staff is aware of GDPR, what it is, when it comes into force and why it is necessary.
- If a law firm is a designated data controller, data subjects will have the right to access their personal information held by the firm at any time, and the organization will have a very short response deadline.
- Return all data and files to clients completely without keeping copies.
Law firms and other legal providers that are not subject to the GDPR and are handling litigation involving U.S. citizens' PI should:
- Provide information inside your law firm or corporate legal area about current U.S. laws regarding data privacy, including HIPAA, the Fair Credit Reporting Act, the California Minor Eraser law (CA only) and other legislation.
- Establish compliance subject matter experts on the various regulations.
- If a law firm is a designated data controller, data subjects will have the right to access their personal data but you can maintain a copy indefinitely.
- Law firms become data controllers when handling a litigation case on behalf of a client and need to process and use a client’s personal data. They then become subject to the GDPR mandate and individual U.S. data privacy laws.
- Provide data subjects with information on what data is needed, why it is needed, how it will be used, how they can verify it, and how it will be safeguarded. Request and use only the data that is necessary, and use it responsibly.
- React swiftly and efficiently to remove defamatory content and hold a malicious poster liable if the firm or area is hired as a purge provider.