Who are you? The Right to be Forgotten moves closer

Organisations that gather information on individuals may now have to delete it too, following an EU Court of Justice ruling

Inside the enterprise: Changes to the Europe's data protection regime are currently working their way through the European Union's legislative system.

A new Data Protection Regulation is set to replace the less binding Data Protection Directive, the basis for current European privacy laws. The new legislation will include a range of new measures, including much higher fines for organisations that lose data, compulsory breach disclosure, and the "right to be forgotten".

Advertisement - Article continues below

Companies rely on information about individuals to operate a range of services, from e-commerce sites to context-aware advertising.

The new law, though, is still some way off: 2015 is now looking like a realistic target, as negotiations over the law between the European Parliament, Commission and Council of Ministers continue. But one aspect, the right to be forgotten, is already being put into force by the courts. This could have some serious ramifications for companies that hold or process date on individuals.

A landmark ruling from the European Court of Justice (ECJ) found that search engines are "controllers" of personal data, and will have to delete information, including links to information published legally elsewhere, if the subject of the data asks them to.

A right to be forgotten, though, addresses the wider issue of who owns information on individuals, and whether individuals can ask for that information to be removed.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Increasingly, companies rely on information about individuals to operate a range of services, from e-commerce sites to context-aware advertising.

Then there are the social media sites that, in effect, encourage users to create the content that others view. That content, potentially, could live online for ever.

Under the proposed Data Protection Regulation, anyone will be able to ask a data controller to remove information on or about them or indeed created by them, unless there are "legitimate grounds" for retaining it.

Exactly how that will work in practice, remains to be seen. The European Commission has said that a right to be forgotten will not give individuals to rewrite the past; the new law should not, for example, be used to limit the freedom of the press. But companies will certainly have to be aware of the new right, and put in place mechanisms to allow individuals to remove their records.

Advertisement - Article continues below

But, as the ECJ ruling has shown, this can be complicated. Google has been told to remove links to information about an individual whose house was sold at auction some 16 years ago, even though the information Google is pointing to is legitimately in the public domain.

Court rulings, though, are apt to throw up this sort of paradox, and the hope is that the Data Protection Regulation will clarify what information businesses will have to delete, and what they can keep. But, as ENISA, the European Network and Information Security Agency, pointed out in a recent paper, more consistency across the EU is essential to protect citizens' rights. It will be important for the smooth running of data-driven businesses too.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement

Recommended

Hundreds of thousands of Instacart customers impacted by data breach
phishing

Hundreds of thousands of Instacart customers impacted by data breach

23 Jul 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020