Deepfakes (false digital depictions) can harm a person’s privacy and reputation, and also pose a risk to broader society. While some may be harmless (DeepTomCruise, ReFace App), others may involve substitution of identities in pornographic video, foreign social influence campaigns, or identity theft in corporate fraud, according to a Private Industry Notification by the FBI in March 2021.
One remedy may be the use of Notice and Takedown procedures in copyright law, but expanding the law here might inhibit the dissemination of truthful information.
Another remedy may be something similar to the European Union’s privacy regulations called the GDPR.
General Data Protection Regulation
The European Union began enacting digital data privacy regulations in the 1990s and finalized a systematic legal approach in March 2014 with the GDPR.
The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.
It establishes lawful ways to collect information, data protection and security guidelines, and an individual right of informed consent, access and correction.
Similar state regulations in California and Virginia
California’s Privacy Rights Act (CPRA) provides a private right to bring lawsuits (right of action) against creators of nonconsensual deepfake pornography and outlaws manipulated video of politicians within 60 days of an election.
The CPRA also expands on the protections provided by an earlier version of the CCPA and was approved by California voters under Proposition 24 in the November 2020 election.
The Virginia Consumer Data Privacy Act (VCDPA), passed in 2021, has provisions like Europe’s GDPR and the CPRA.
Under the new laws, California and Virginia residents are protected from inaccurate data storage and collection:
- “Sensitive personal information” such as social security number, driver license number, and financial account number, as well as racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s email and text messages (unless the business is an intended recipient), genetic data, and sexual orientation.
- New rights for consumers: Consumers will have the right to request limitations on the use and disclosure of that information and to ask businesses to correct inaccurate personal information maintained by a business.
- Enhanced protections for children’s data. The CPRA triples fines for collecting and selling information of minors under 16 years of age.
- Adds data retention requirement. Prohibits businesses’ retention of personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
- Adds a specific data security requirement. Prior to the CPRA, the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, although it added a private right of action for data breaches caused by a failure to maintain reasonable safeguards. The CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
- Data Protection Assessments. The VCDPA imposes a new requirement for controllers: data protection assessment obligations (as mentioned above regarding sensitive data). Controllers must conduct data protection assessments for specific processing activities involving personal data. These activities include targeted advertising, sale of personal data, profiling, sensitive data, and data that presents a heightened risk of harm to consumers.
Right to be forgotten
The right to be forgotten is one of the most controversial aspects of the GDPR, and it has not been copied at the US federal or state level.
The right to be forgotten is the right to have private information about a person removed from Internet searches. In Europe, data protection laws protect (to a limited extent) a “right to [data] erasure” in some cases.
As noted in this March 2021 essay, the right to be forgotten dovetails with ethical concepts about criminal justice, victims and rehabilitation.
Under the US First Amendment, transparency, the right of free speech and the “right to know” are typically favored over removing truthfully published information about individuals and corporations or making it harder to access.
One exception is the way some states have made it illegal to extort individuals for removal of public information, such as police photos of criminal offenders. Prior to 2015 in Virginia, for example, “mug shot” publications on the web would charge up to $3,000 to remove photos and true criminal incident information. Afterward, a state law prohibited that kind of activity. Nationally, a legal push on behalf of people who made minor mistakes and then face major harm to their reputation is underway, called the Clean Slate Campaign.
One newspaper’s approach to the issue is the Boston Globe’s “fresh start” campaign, which attempts to “unpublish” articles that are unfair or reflect racial injustice.
European RTBF
One part of the GDPR involves the rehabilitation of minor criminal offenders, and it was upheld in the European Court of Justice case Google v Costeja González, in 2014.
That case began in 1998 when a Spanish newspaper published an announcement about a property that Costeja González had to sell to satisfy a debt. By 2009, the old article about the 1998 forced sale was still affecting his business, so he sued Google Spain to have the information de-linked. The courts agreed and the case set a precedent.
Note that the newspaper article is still there, and the court decision about the 1998 forced sale is still on record. Only the Google link has been changed. In these “Right to be Forgotten” cases, individuals request de-linking of outdated minor information. Since 2014, Google has de-linked about four million sites.