Speaking at a Westminster E-Forum event in London yesterday, the Information Commissioner Christopher Graham hinted that the so-called "right to be forgotten" in the draft EU General Data Protection Regulation could change from its present form, and also discussed wider issues.
Why is the right to be forgotten in the spotlight?
The Information Commissioner's Office (ICO) itself pointed out in its initial analysis that:
- Applied incorrectly, the right could infringe on freedom of expression and the keeping of historical records (e.g. if someone wanted something embarrassing about them to be erased). The EU has provided carve-outs around these points, but absent any real guidance it is not clear how these competing interests are to be balanced.
- Erasing anything from electronic computer records is technically difficult. Put simply, hitting "delete" merely marks the data on a disk drive as available to be overwritten, rather than actually deleting it, and even once overwritten it can often be recovered by advanced techniques. In practice this means the right to be forgotten is more of a "right to do everything possible to forget" than a right to be absolutely forgotten. This position is not acknowledged by the Regulation.
- Where data has been put into the public domain (e.g. by social media sites), the organisation doing so has to "take all reasonable steps, including technical measures" to inform third parties using the relevant data that the right to be forgotten has been exercised. This obligation is likely to be difficult to fulfil in many cases. A classic example is social media monitoring, a process which harvests publicly available data, usually without the direct knowledge of the organisation from which it is gleaned.
- The above could lead to individuals becoming disillusioned and believing they have an absolute right to erasure when this is not in fact the case. In the ICO's words "it might be preferable if this right was presented in less ambitious terms".
More generally, the right also clashes with the rise and rise of "big data". Existing data retention obligations under the Data Protection Act 1998 require data to be deleted or anonymised once no longer needed for the purpose for which it was obtained. Organisations are frequently poor at implementing this requirement, though, in part due to the scale of the task, but also because they typically want to hang on to data "just in case" or, increasingly, for ongoing analysis using the new wave of "big data" technologies. The right to be forgotten runs counter to this commercial trend. It is likely to force organisations to look far more closely at anonymisation as a way forward.
Ultimately, we will all have to wait and see whether the Information Commissioner's hint proves to be accurate or not.
On a linked note, the Information Commissioner confirmed that the ICO's forthcoming new guidance on anonymisation would be available on the 20th November.
It will be interesting to see what this guidance says. At consultation it was welcomed in principle, but criticised at a detailed level, in particular because it seemed to be very focused on the UK government's "Open Data" initiative, and less so on general private sector issues in this area. Its complex and scientific approach also seemed to be unworkable for many SMEs without access to external consultants.
Look out for our later post digesting this guidance.
The Information Commissioner also stressed the importance of cookies to the overall privacy compliance picture.
Faced with the (fairly usual) comments criticising this year's new cookie laws, he remained resolute. In the Commissioner's view, they are disliked because of the extent to which cookies are used as a business tool, not out of any genuine desire to respect individuals' privacy. Consumers may not have kicked up a stink about cookies, but that was largely due to their ignorance and also to the fact that they are frequently presented with a stark choice - accept the cookies or suffer a severe drop in browsing experience.
This view may be unpalatable, but it is one with which we agree. Cookies are very relevant to privacy and so deserve to be regulated; the plethora of comments saying they do not collect personal data is simply wrong in many cases, being borne out of US practices and their different legal regime.
Furthermore, by dragging cookies into the spotlight, the new cookies laws help educate people about how their data is being used, even if cookies policies are not actually being read in many cases.
Finally, by requiring opt-out mechanisms to be developed, in due course the new cookie laws may lead to the rise of sites which are less cookie-dependent, giving consumers more choice as compared to the present cookie-dominated landscape.
Interestingly, the Information Commissioner said that the ICO would be publishing their initial report on the enforcement action they have taken very shortly.
The Information Commissioner gave further support to the view that consumer trust is the key benefit for businesses in privacy compliance.
In particular, being transparent demonstrates that an organisation respects its customers' right to make an informed decision, is confident that it has nothing to hide, and believes that customers would be right to choose it.
In the Information Commissioner's own words, it boils down to a very simple proposition: "Do you treat customers as savvy or suckers?"
It may not be a statement everyone agrees with, but it is interesting food for thought.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.