The main news this week has been the “right to be forgotten” ruling under the EU Data Protection Directive. It was decreed that an internet search engine operator is responsible for the processing that it carries out of personal data which appears on web pages published by third parties.
The decision by the Court of Justice of the European Union said that if a search is made on the basis of a person’s name, and if the list of results displays a link to a web page which contains information on the person in question, that data subject may approach the operator directly. If the operator does not grant their request, the individual may bring the matter before the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results.
Also, the operator of the search engine is the ‘controller’ in respect of that processing, and they determine the purposes and means of the processing. The operator of the search engine must ensure, within the framework of its responsibilities, powers and capabilities that its activity complies with the directive’s requirements.
The judgement effectively stresses the importance of the rights of the individual when it comes to control over his/her personal data, and search engines are responsible for their output.
Search giant Google, which faced an issue in Spain when a man requested that pages relating to him be taken down, called the ruling “disappointing”. However, Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, said that the judgement was “a clear victory for the protection of personal data of Europeans”.
She called it a strong tailwind for the proposed data protection reform, and said that no matter where the physical server of a company processing data is located, non-European companies, when offering services to European consumers, must apply European rules. “The data belongs to the individual, not to the company. And unless there is a good reason to retain this data, an individual should be empowered – by law – to request erasure of this data,” she said.
Professor Udo Helmbrecht, executive director of ENISA, said: “The right to be forgotten has for the first time been recognised by the EU-Court of Justice. As such, this is a landmark decision for the privacy of the EU citizens. It is a fundamental ruling, deciding on a current, ‘hot’ topic in the societal debate, namely how we deal with our personal data and the digital tracks we leave behind.
“So, the ECJ has independently supported our view; our assessment was correct, which we are pleased to take note of. Now, it will be interesting to follow how search engines will implement this in practice, as to protect the privacy of individuals and the right to protection of personal data of the EU citizen’s digital fundamental rights.”
So the European powers that be like it; well they would as it kick starts a directive which has been described as dead, and has sat stagnant for over two years waiting for ratification.
Rik Ferguson, Global vice president of security research at Trend Micro, said that the ruling was the right one, as the court recognises that information that was “legally published” remains so and that the individual has no right to censor it.
“However, they also recognise that search engines collect, retrieve, record, organise, store and disclose information on an ongoing basis and that this constitutes ‘processing’ of data under the EU directive,” he said.
“Further, given that the search engine determines the means and purpose of their own data processing, they are also a ‘Data Controller’ under that directive and again must fulfil the legal requirements of such an entity, any other court decision would weaken that whole directive beyond repair. The entirety of information turned up in response to a search on a person’s name, represents a whole new level of publishing and the discrete items of information would have been very difficult, if not impossible, to put together in the absence of a search engine.”
TK Keanini said that the “right to be forgotten” is tricky when you are talking about information and the internet as even in the physical world no-one has a “men in black” device that erases memories at the push of a button.
He said: “Once anything is put on the internet, anyone from anywhere on the internet can create an archive of it. I’m not passing any judgment over this, I’m just pointing out that a person’s information is everywhere and the function of expunging this is complicated.”
Now as someone who has spent the majority of the last ten years writing news for publications both on and offline (mostly online in the past 6 years), a Google search does warrant a huge number for my name. Should I want to remove myself, I assume that the process would be pretty straightforward now, but syndication of the work I have done does mean that my name spreads further than results for IT Security Guru and other websites I have written for.
As someone on the major social network, this likely puts them on notice. Andy Green, senior digital content producer at Varonis, agreed, saying that the decision will affect not just search engine companies, but all of the social media services. He said: “While we’re waiting for the new Data Protection Regulation to be finalised, it’s looking like the existing rules—which include data retention and minimisation principles, along with the data correction and erasure rules—are still quite relevant and enforceable.”
Mark Brown, director of information security at EY, also called the ruling a “significant one” that will give many businesses a severe headache to respond to. “We are now finally seeing regulators playing catch up on privacy laws which have historically fallen behind the significant advances in technology – leading to wide-spread consumer data collection by businesses,” he said.
“The announcement fundamentally changes how companies collect, aggregate, store, retain and ultimately dispose of consumer data and has significant implications. At present, most businesses cannot confidently say what data they hold on a consumer and what they have done with this data. There are a number of reasons for this complacency including the rise in companies that outsource data collection which complicates the supply chain.”
Brown also suspected that businesses would be “quaking in their boots” at the thought of responding to a consumer ‘right to be forgotten’ request. He said: “Ultimately, many have very little understanding of their own IT architecture which means compliance with this announcement would be very difficult until processes are changed. This announcement shows the EU believes end users should have control of their data.”
The EU Data Protection Directive, initially announced in January 2012, has had a slow start since then and it may be the case that this pulls it kicking and screaming back to life. I hope that this is the case as too much has been done to get this long-awaited piece of legislation passed.