IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Who are you? The Right to be Forgotten moves closer

Organisations that gather information on individuals may now have to delete it too, following an EU Court of Justice ruling

European flag

Inside the enterprise: Changes to the Europe's data protection regime are currently working their way through the European Union's legislative system.

A new Data Protection Regulation is set to replace the less binding Data Protection Directive, the basis for current European privacy laws. The new legislation will include a range of new measures, including much higher fines for organisations that lose data, compulsory breach disclosure, and the "right to be forgotten".

The new law, though, is still some way off: 2015 is now looking like a realistic target, as negotiations over the law between the European Parliament, Commission and Council of Ministers continue. But one aspect, the right to be forgotten, is already being put into force by the courts. This could have some serious ramifications for companies that hold or process date on individuals.

A landmark ruling from the European Court of Justice (ECJ) found that search engines are "controllers" of personal data, and will have to delete information, including links to information published legally elsewhere, if the subject of the data asks them to.

A right to be forgotten, though, addresses the wider issue of who owns information on individuals, and whether individuals can ask for that information to be removed.

Increasingly, companies rely on information about individuals to operate a range of services, from e-commerce sites to context-aware advertising.

Then there are the social media sites that, in effect, encourage users to create the content that others view. That content, potentially, could live online for ever.

Under the proposed Data Protection Regulation, anyone will be able to ask a data controller to remove information on or about them or indeed created by them, unless there are "legitimate grounds" for retaining it.

Exactly how that will work in practice, remains to be seen. The European Commission has said that a right to be forgotten will not give individuals to rewrite the past; the new law should not, for example, be used to limit the freedom of the press. But companies will certainly have to be aware of the new right, and put in place mechanisms to allow individuals to remove their records.

But, as the ECJ ruling has shown, this can be complicated. Google has been told to remove links to information about an individual whose house was sold at auction some 16 years ago, even though the information Google is pointing to is legitimately in the public domain.

Court rulings, though, are apt to throw up this sort of paradox, and the hope is that the Data Protection Regulation will clarify what information businesses will have to delete, and what they can keep. But, as ENISA, the European Network and Information Security Agency, pointed out in a recent paper, more consistency across the EU is essential to protect citizens' rights. It will be important for the smooth running of data-driven businesses too.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Legal challenge for Sadiq Khan over ANPR expansion, Met access to data
data processing

Legal challenge for Sadiq Khan over ANPR expansion, Met access to data

3 Aug 2022
DataGrail hires former Shopify VP Cathy Polinsky as CTO
Business strategy

DataGrail hires former Shopify VP Cathy Polinsky as CTO

27 Jul 2022
Storage's role in addressing the challenges of ensuring cyber resilience
Whitepaper

Storage's role in addressing the challenges of ensuring cyber resilience

4 Jul 2022
Modernise your legacy databases in the cloud
Whitepaper

Modernise your legacy databases in the cloud

10 Jun 2022

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022