The Right to be ForgottenSeeking Technology to Erase Private Information Online
The cover illustration of a new paper from the European Network and Information Security Agency shows a pencil eraser rubbing out the word IMPOSSIBLE. Just below the image are the words "the right to be forgotten."
The European Parliament is considering adopting a regulation on data and privacy protection to give individuals the right to have personal information about them expunged from computer networks.
Here's what the proposed regulation states:
"Any person should have the right to have personal data concerning them rectified and a right to be forgotten. ...The proposed regulation is admirable, but one that could prove difficult to enforce. Just ask a forensics expert, who can recover information users positively and absolutely knew they had erased from computers. Plus, data once distributed to servers throughout the world, whether on the cloud or not, can live forever, veiled from those seeking to obliterate them.
Data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing."
Still, ENISA is giving it a try. The paper, issued Nov. 20, focuses on the technical means to enforce or support the right in information systems. The paper's recommendations cover multiple topics:
- Technical means of assisting the enforcement of the right to be forgotten require a definition of the scope of personal data, a clarification of who has the right to ask for the deletion of personal data under what circumstances, and what are acceptable ways to affect the removal of data. Data protection authorities should collaborate to clarify these issues. When providing the definitions, the technical challenges in enforcing the right to be forgotten, and the associated costs, for a given choice of definition should be considered carefully.
- For any reasonable interpretation of the right to be forgotten, a purely technical and comprehensive solution to enforce the right in the open Internet is generally impossible. An interdisciplinary approach is needed and policy makers should be aware of this fact.
- A possible pragmatic approach to assist with the enforcement of the right to be forgotten is to require search engine operators and sharing services within the European Union to filter references to forgotten information stored inside and outside the EU region.
- Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices.
- Data controllers should be required to provide users with easy access to the personal data they store and ways to update, rectify and delete data without undue delay and without cost to the user to the extent that this does not conflict with other applicable laws.
- Research communities, industry and others should develop techniques and coordinate initiatives that aim at preventing the unwanted collection and dissemination of information, such as robots exclusion protocol, do not track and access control, to name a few.
Whether a perfect solution can be found to assure the privacy of individual information that should be secreted, let's give the EU and Europe credit for trying. A half a loaf, as the old saw goes, is better than none.