This week saw the announcement of the draft Data Protection Directive, and among the significant changes was the change in wording from “right to be forgotten” to “right of erasure”.
1980s pop jokes aside, perhaps the EU Parliament made this change to get a little respect from the EC Council, who will now review it ahead of potentially passing it in April 2014. While the wording differences between forgotten and erasure are pretty significant, I asked the industry how much difference there was generally.
Sarah Pearce, partner at law firm Edwards Wildman Palmer, said that this has been discussed over time and what exists now is “the right to be forgotten and erasure”. Asked what she thought the differences between the wordings were, she said: “This is generally the same as data subjects can request deletion of their personal data and prevent further dissemination, and they are obliged to go a step further and control what third parties put out there. So the data controller is obliged to delete too.
“The difference between deletion and erasure was a case of having watered down obligations and the obligation on the controller, and taking steps to do so when there was no fixed obligation. Now this has been adopted and while it is not set in stone, the powers will come through but how they can be enforced is another matter.”
Pearce also said that reading between the lines from the French translation of the draft, what it comes down to is the obligation to take “reasonable steps”, which will make it harder to enforce, but until this is reviewed by the EU Parliament it is entirely speculative.
From conversations I have had in the past, it seems that the “right to be forgotten” is rather impractical, and will probably have as much impact as the cookies law, which I suspect is being clicked through and ignored by many members of the public.
Sarb Sembhi, principal security consultant of Incoming Thought, told IT Security Guru that he had followed this law until it got into many thousand amendments, and they were grouped into two separate areas and they have now deleted one of the words. “There is some criticism of it that it is too tough, and that there are loopholes that will be exploited and that will make a mockery of all of it. But what it is trying to do is work on the legal side,” he said.
Matt Palmer, a member of the ISACA UK Security Advisory Group, said that many of the ideas in these plans “are going to look fortuitous 10 or 20 years from now” and that the EU’s focus on individual privacy “is the world’s most convincing legislative attempt to answer the question of our generation”.
Palmer called the right to be forgotten/erasure a nice idea and a good sound bite, but impossible for many companies to deliver. “Most large global companies have a multitude of information stores, many developed in an era before privacy legislation. Things that sound simple, such as deleting references to an individual, are actually incredibly hard, and incredibly costly to implement,” he said.
This is one of the issues surrounding the right to erasure: companies hold data on customers past and present, and retrospectively seeking permission to hold that data is likely to cause issues for many businesses.
TK Keanini, CTO of Lancope, asked how practical this is when seeking approval from the board. “Lawmakers have come to the proper conclusion that ‘the internet never forgets’. What has been seen cannot be unseen, so laws and policies must recognise this inherent characteristic of information as opposed to physical properties,” he said.
With the backing of the European Parliament, it is fairly likely that this will be changed before we see a final draft of the directive. Yet it does strike me that the term erasure is more draconian than forgotten, as the latter just requires session data to be ended, while erasure is in the league of the persistent cookie.
As the wording states, this is the “right” of the individual to do this, so it is up to the individual to control the level of data that is held on them. How many do you think will actually make the effort after all of this pondering?