Robert Kirk Walker
Volume 64, Issue 1, 257-286
Information posted to the Internet is never truly forgotten. While permanently available data offers significant social benefits, it also carries substantial risks to a data subject if personal information is used out of context or in ways that are harmful to the subject’s reputation. The potential for harm is especially dire when personal information is disclosed without a subject’s consent. In response to these risks, European policymakers have proposed legislation recognizing a “right to be forgotten.” This right would provide persons in European Union countries with a legal mechanism to compel the removal of their personal data from online databases.
However, only a limited form of the right to be forgotten—a right to delete data that a user has personally submitted—would be compatible with U.S. constitutional law. By itself, this limited right is insufficient to address the myriad privacy issues raised by networked technologies, but it is nevertheless an essential component of a properly balanced regulatory portfolio, because existing privacy tort law is inadequate in this context. Accordingly, this Note argues that Congress should recognize this limited right by adopting a default contract rule under which an implied covenant to delete user-submitted data upon request is read into website terms of service contracts.