Who are you? The Right to be Forgotten moves closer
Organisations that gather information on individuals may now have to delete it too, following an EU Court of Justice ruling
Inside the enterprise: Changes to the Europe's data protection regime are currently working their way through the European Union's legislative system.
A new Data Protection Regulation is set to replace the less binding Data Protection Directive, the basis for current European privacy laws. The new legislation will include a range of new measures, including much higher fines for organisations that lose data, compulsory breach disclosure, and the "right to be forgotten".
Companies rely on information about individuals to operate a range of services, from e-commerce sites to context-aware advertising.
The new law, though, is still some way off: 2015 is now looking like a realistic target, as negotiations over the law between the European Parliament, Commission and Council of Ministers continue. But one aspect, the right to be forgotten, is already being put into force by the courts. This could have some serious ramifications for companies that hold or process date on individuals.
A landmark ruling from the European Court of Justice (ECJ) found that search engines are "controllers" of personal data, and will have to delete information, including links to information published legally elsewhere, if the subject of the data asks them to.
A right to be forgotten, though, addresses the wider issue of who owns information on individuals, and whether individuals can ask for that information to be removed.
Increasingly, companies rely on information about individuals to operate a range of services, from e-commerce sites to context-aware advertising.
Then there are the social media sites that, in effect, encourage users to create the content that others view. That content, potentially, could live online for ever.
Under the proposed Data Protection Regulation, anyone will be able to ask a data controller to remove information on or about them or indeed created by them, unless there are "legitimate grounds" for retaining it.
Exactly how that will work in practice, remains to be seen. The European Commission has said that a right to be forgotten will not give individuals to rewrite the past; the new law should not, for example, be used to limit the freedom of the press. But companies will certainly have to be aware of the new right, and put in place mechanisms to allow individuals to remove their records.
But, as the ECJ ruling has shown, this can be complicated. Google has been told to remove links to information about an individual whose house was sold at auction some 16 years ago, even though the information Google is pointing to is legitimately in the public domain.
Court rulings, though, are apt to throw up this sort of paradox, and the hope is that the Data Protection Regulation will clarify what information businesses will have to delete, and what they can keep. But, as ENISA, the European Network and Information Security Agency, pointed out in a recent paper, more consistency across the EU is essential to protect citizens' rights. It will be important for the smooth running of data-driven businesses too.
Stephen Pritchard is a contributing editor at IT Pro.