How will the EU’s ‘right to be forgotten’ work in practice?

In the 1990s, the web was a place of anonymity. “On the Internet, nobody knows you’re a dog,” a famous New Yorker magazine cartoon joked in 1993.

But things have changed since then. Today, everyone knows you’re a dog.

The growth of social networking sites, the use of data gathering and mining by businesses and the increasing sophistication of search engines mean that anyone who wants to conceal their online identity now needs both determination and a considerable amount of technical knowledge.

Businesses routinely gather, store and analyse online information about consumers, often without their knowledge. Last year, MP Tom Watson wrote to health secretary Andrew Lansley asking why four web analytics companies were able to track users as they visited pages on the NHS Choices website.

This is not for want of opposition. Social networking giant Facebook has often come under criticism for the way it handles user privacy, while Google has been censured in several European countries for collecting payload data from unencrypted Wi-Fi networks as its Street View cars drove past.

And there are growing concerns about the way that third-party profiling websites, as well as tools used by businesses to ‘mine’ opinions, views and sentiment about their brands online and on social media, are creating vast, and largely unregulated, stores of personal information.

Remaining anonymous is an “ever increasing challenge” for consumers, the UK’s information commissioner, Christopher Graham, has remarked.

Now, the European Commission is getting ready to take action. In a set of proposed amendments to its directive on data protection, which forms the basis of data protection laws in member states, including the UK’s Data Protection Act, the EC has included measures to protect an individual’s ‘right to be forgotten’.

In a consultation document explaining the proposed amendments, the EC articulated this as “the right of individuals to have their data no longer processed and deleted when [it is] no longer needed for legitimate purposes.”

According to Viviane Reding, European commissioner for justice, citizens should be able to refuse consent for data about them to be processed, withdraw their consent at any time in the future, and ask websites and other services to remove any information about them from online and offline data stores. According to a spokesperson for the commissioner, “It is your data, and it is gone for good.”

The proposal of a right to be forgotten appears to have been inspired by social networking sites, which pose numerous risks to privacy by exposing personal data online and which, in some cases, make it difficult for users to remove their data entirely.

“The evolution of social networks is an opportunity for organisations to collect massive amounts of data on individuals, including real-time data,” explains George Thompson, a director of security services at KPMG. “The public is mainly unaware of the risks of fraud, for example. The complexities of these vulnerabilities are beyond the grasp of most people.”

There are criminal risks associated with social networking data, such as identity theft or social engineering attacks, where an individual’s personal data is used to convince them to hand over passwords or bank account details. The right to be forgotten would mean that individuals could at least ensure they are not exposed unwillingly.

There are other concerns, too: it is not unheard of for job candidates to be turned down because employers found risqué pictures of them on Facebook. Some EU states, such as Germany, have already banned the use of information gleaned from social media in this way. The new regulations would not rule this out altogether, but they would give individuals an avenue to restrict the circulation of potentially embarrassing information.

Social networks also expose individuals to analysis and monitoring by business, whether or not they are aware of that fact.

“Monitoring social media has rocketed up the business agenda in the past three years,” says Drew Benvie, managing director of marketing agency 33 Digital. “Around nine out of 10 corporates now monitor social media at some level.”

But according to Eric Domage, manager for Western European security research and consulting at IDC, consumers are becoming increasingly frustrated by websites and social media services that market or advertise to them based on data they have gleaned from their preferences or online behaviour.

The right to be forgotten would give citizens the power to withdraw information they no longer wish to be publicly visible from the automated eyes of social media monitoring tools. For businesses that wish to employ those tools, it may reduce the amount of personal data available, but it would also reduce the risk of frustrating customers by basing offers and discounts on data they wish to keep private.

The principle of a right to be forgotten, then, is hard to fault. The difficulty will be in formulating workable regulations – local legislation would have to be updated before it came into effect – and enforcing them.

“Technically speaking, the right to be forgotten is an empty right,” says Rolf von Roessing, international vice president of ISACA, the security professionals’ body. “Any law will be, at best, moderately successful inside the EU and affiliated countries.” He says that the international nature of the Internet means that any regulations drafted by the EU will have little or no impact on data held elsewhere.

Authorities across the EU already face significant challenges enforcing sanctions against those committing cyber crime and other security breaches, especially if the perpetrators base themselves outside the European Economic Area.

Although the European Commission undoubtedly has consumers’ interests at heart, concerns are growing that the proposed regulations might be ineffective, pose an unreasonable burden on businesses and even give protection to those who have committed crimes in the past.

Media companies, for example, have raised concerns that people convicted of crimes, or those in public office, might use the revised directive to remove references to them from archives. Unless national legislation is drafted with care, the right to be forgotten could turn into a form of privacy law by the back door.

“In the US, for example, some states have laws that require publication of the names and photographs of sex offenders, because that is [considered] in the public interest,” says von Roessing. This could cause issues if the ex-offender moved to Europe and claimed the right to be forgotten. “On the one hand, there is the good of the general public, and the rights of the individual on the other hand,” he says.

“What is of legitimate public interest needs to be debated,” agrees Peter Gooch, a privacy expert at Deloitte. “The role of media organisations will need to be addressed; that is an exemption that will need to be discussed.”

Another concern is for businesses that engage with their customers by encouraging them to contribute user-generated content. Brands with a strong following among consumers, or a loyal user base – in areas as diverse as hobbies, health and parenting – use online forums to allow consumers to share advice and ideas, and to build up a body of knowledge.

Then there are sites that take some, or even all, rights of ownership of information or data contributed by the public. YouTube, the world’s largest video-sharing site, claims the right to resell material posted by users.

All could face some serious, practical issues, if the right to be forgotten – in its proposed form – becomes part of data protection law.

Then there are technical issues. If to ‘forget’ an individual’s personal data is to delete it, then something as mundane as restoring backup data to a failed server could fall foul of the new rules, if the backup tape contains details of a ‘forgotten’ individual.

As Charlotte Walker-Osborn, TMT sector leader at law firm Eversheds, has warned: “If the right extends to data held on any medium, there will be widespread havoc.”

Perhaps the most challenging issue is the degree to which the right to be forgotten will extend into an organisation’s internal database systems. In their current form, the proposed amendments appear not to distinguish between public-facing systems, such as social networks, and internal systems, such as CRM databases.

This is a potential minefield, as businesses routinely rely on customer data to perform even the most basic of functions. Could a company’s own customers, for whatever reason, withdraw their consent for it to use their data internally? Could companies be certain that all traces of customer data were removed if requested?
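The two practical problems raised above, a restored backup tape silently resurrecting a ‘forgotten’ individual and a company being unable to say with confidence that an erased customer stays erased in its internal systems, have a common engineering answer: keep an erasure register separate from the data it governs and replay it after any restore. The following is an added illustration, not code from the article or from any regulator; the in-memory ‘CRM’, the sample customers and the register pepper are all constructed for the example.

```python
"""Erasure register replayed after a backup restore (illustrative, not the article's code)."""
import copy
import hashlib
import hmac

# Assumed secret used to key the register. In a real deployment it lives in a
# secret store, not in source, and it must NOT be on the same backup tape as
# the customer data, or a restore could overwrite the register as well.
REGISTER_PEPPER = b"example-pepper-not-for-production"


def register_key(subject_id: str) -> str:
    """HMAC the identifier so the register itself holds no raw personal data."""
    return hmac.new(REGISTER_PEPPER, subject_id.encode(), hashlib.sha256).hexdigest()


class CustomerStore:
    """Toy CRM: a record per subject plus a register of subjects who must stay erased."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}
        self.erasure_register: set[str] = set()

    def upsert(self, subject_id: str, record: dict) -> None:
        # Refuse to quietly re-create a record for someone who exercised erasure,
        # e.g. when a marketing agency sends a stale list back (see also the point
        # about data processed by third parties later on the page).
        if register_key(subject_id) in self.erasure_register:
            raise ValueError(f"{subject_id!r} is erased; refusing to re-create record")
        self.records[subject_id] = dict(record)

    def erase(self, subject_id: str) -> None:
        """Delete the live record and remember, by keyed hash only, that it is gone."""
        self.records.pop(subject_id, None)
        self.erasure_register.add(register_key(subject_id))

    def snapshot(self) -> dict[str, dict]:
        """The 'backup tape': a copy of the records only, not the register."""
        return copy.deepcopy(self.records)

    def restore(self, snapshot: dict[str, dict]) -> list[str]:
        """Restore the tape, then replay the register so erased subjects do not come back.

        Returns the identifiers that the tape would otherwise have resurrected.
        """
        self.records = copy.deepcopy(snapshot)
        resurrected = [
            sid for sid in list(self.records)
            if register_key(sid) in self.erasure_register
        ]
        for sid in resurrected:
            del self.records[sid]
        return resurrected

    def holds(self, subject_id: str) -> bool:
        return subject_id in self.records


def demo() -> tuple[list[str], bool, bool]:
    """Walk through the failure mode: backup, erasure, server failure, restore."""
    store = CustomerStore()
    # Constructed sample customers.
    store.upsert("alice@example.com", {"name": "Alice", "plan": "gold"})
    store.upsert("bob@example.com", {"name": "Bob", "plan": "basic"})
    tape = store.snapshot()            # nightly backup taken while Alice is a customer
    store.erase("alice@example.com")   # Alice exercises her right to be forgotten
    resurrected = store.restore(tape)  # server fails; tape restored; register replayed
    return resurrected, store.holds("alice@example.com"), store.holds("bob@example.com")


if __name__ == "__main__":
    print(demo())
```

The register, not the deletion itself, is the control that survives a restore, which is why it has to be stored and backed up independently of the customer data. Keying it with an HMAC means the list of people who asked to be forgotten is not itself a new store of identifiers, while still letting a restored record be matched and dropped.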

Furthermore, government departments and healthcare providers will clearly need some exemptions from the right to be forgotten, as well as organisations such as banks, which will need to retain some information for compliance and tax purposes. The complexities of ‘the right to be forgotten’ in the context of social networks are just the tip of the iceberg.

Assuming that the EU proposals are not watered down – and that might still happen – making sense of these complexities will fall to three groups: local legislators, who will have to turn the EU directive into law; national information commissioners, who will have to police the new legislation; and companies’ own data guardians and legal advisers, who will have to interpret it.

But until the detail of the regulations is known, the best advice for businesses, as Deloitte’s Peter Gooch suggests, is to ensure their own houses are in order. “The first step is to understand what the implications might be for your business. Understanding what data you have is vital if you are to know if you are compliant.”

Unlike in other European countries, such as France, there is no general right to privacy under UK law. Instead, individuals’ privacy is protected by the European Convention on Human Rights and the Data Protection Act.

The Data Protection Act already gives individuals some important protections: the Information Commissioner’s Office can impose fines of up to £500,000 on organisations for serious breaches of the Act, such as the unauthorised release of personal data.

Individuals also have the right to see the data that is held on them – a subject access request – although businesses and organisations are allowed to charge £10 for a request, or up to £50 for health or education records.

Organisations have 40 days to respond to a valid request, and must do so even if the data is held or processed by a third party, such as a marketing agency.

Companies can decline to supply a copy of the data where doing so would involve disproportionate effort, but guidance from the Information Commissioner’s Office says that this is likely to be legitimate “only in the most exceptional of cases”. The ICO would usually expect the organisation to provide access to the data in another form.

Although specific details on how the right to be forgotten will be implemented have yet to be issued, it is likely that UK regulations governing any right of individuals to have their information deleted from databases or websites will follow similar procedures to rights under the existing Act.
