The European Network and Information Security Agency (ENISA) has released a report on the possible implementation of the right to be forgotten. “The right to be forgotten” is one of the elements of the European Commission’s new proposed regulation on data protection (January 2012). The right allows people to ask for digitally held personal information to be deleted. The regulation is still to be adopted by the European Parliament. Because technology and information systems play a critical role in enforcing this right, the EU’s ‘cyber security’ Agency ENISA is launching its new report covering the technical aspects of “being forgotten”. The report identifies technical limitations and a further need for clear definitions and legal clarifications before appropriate technical means to enforce this right can be properly implemented.
Some key recommendations of the paper are:
- Policymakers and data protection bodies should work together to clarify definitions to assist the enforcement of the right (clarification of who can ask for the deletion of shared personal data, under what circumstances, etc.). Furthermore, with such definitions, the associated costs need to be considered.
- A purely technical solution to enforcing this right in the open Internet is impossible. An interdisciplinary approach is needed and policymakers should be aware of this fact.
- A possible, pragmatic approach to assist in implementing this right is to require search engine operators and sharing services within the EU to filter references to “forgotten” information stored inside and outside the EU region.
- Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices.
The report complements two other recent ENISA publications: the study on data storage and collection in Europe and the paper on the privacy implications of online behavioural tracking. In this broader context, policymakers should ensure the use of technologies supporting the principle of minimal disclosure in order to minimise the amount of personal data collected and stored online. The Agency also recommends the use of encryption for the storage and transfer of personal data. Particular attention should be given to tracking and profiling online, and enforcement solutions should be deployed to block inappropriate behaviour and to force compliance with regulations regarding personal data protection.
As many commentators have pointed out, implementing a “right to be forgotten” is very difficult, but not impossible.