The right to be forgotten: Between expectations and practice
The right to be forgotten is one of the elements of the European Commission's proposed new regulation on data protection. The right allows people to ask for digitally held personal information to be deleted. The regulation is still to be adopted by the European Parliament.
ENISA is launching its new report covering the technical aspects of “being forgotten”, as technology and information systems play a critical role in enforcing this right.
The report identifies technical limitations and a further need for clear definitions and legal clarifications before appropriate technical means to enforce this right can be properly implemented.
Key recommendations:
- Policymakers and data protection bodies should work together to clarify definitions to assist the enforcement of the right (clarification of who can ask for the deletion of shared personal data, under what circumstances, etc.). Furthermore, with such definitions, the associated costs need to be considered.
- A purely technical solution to enforcing this right in the open Internet is impossible. An interdisciplinary approach is needed and policymakers should be aware of this fact.
- A possible, pragmatic approach to assist in implementing this right is to require search engine operators and sharing services within the EU to filter references to “forgotten” information stored inside and outside the EU region.
- Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices.
The report complements two other recent ENISA publications: the study on data storage and collection in Europe and the paper on the privacy implications of online behavioural tracking. In this broader context, policymakers should ensure the use of technologies supporting the principle of minimal disclosure in order to minimise the amount of personal data collected and stored online.
ENISA also recommends the use of encryption for the storage and transfer of personal data. Particular attention should be given to tracking and profiling online, and enforcement solutions should be deployed to block inappropriate behaviour and to force compliance with regulations regarding personal data protection.
The Executive Director of ENISA Professor Udo Helmbrecht commented: “A uniform approach is needed in Europe to secure the fundamental right of personal data protection. The reform of the data protection laws in Europe is a decisive step in this direction. ENISA’s reports provide a technical information security perspective supporting this reform.”