One of the newest and most talked about developments outlined by the European Commission (as part of its plans to update the EU’s data privacy regime), is the introduction of a ‘right to be forgotten’ for individuals. The Commission intends for individuals to be given much more control over their personal data, including rights to tell those using and storing their personal data to permanently delete it from their records when no longer required. This follows the theme of the Commission’s plans in general, which also include expansions of the opt-in consent requirements for the processing of personal data by online businesses and advertisers in particular.
Given that the current principles require organisations to delete personal data once it is no longer necessary for the purpose for which it is collected, and give individuals a right to require an organisation to correct or delete inaccurate data held about them, what additional protections does the ‘right to be forgotten’ entail? These new rights seem to be aimed primarily at social networking sites (SNS) and other sites with user generated content (to require them to permanently remove user profiles and photos, for example), and highlights a shift in focus to individual data subject control.
In an SNS environment, the SNS does not have the knowledge to make decisions about the appropriateness of some of the user generated content, so the only way to protect individuals is to give them enhanced rights to remove content posted by themselves and others. The need for such enhanced rights is all the greater in light of today’s technology, which enables information that would likely be forgotten or accessible only by a close group of real friends to be retrieved for years after it was originally posted (for example that photo of you in fancy dress in your late teens, which is now accessible by prospective employees by typing your name into a search engine).
It is not clear how the Commissions’ suggestions will manifest themselves in the Directive update (due to be issued in 2011) and in Member States’ national legislation, but there are two key questions in my mind. The first is whether there are technological solutions available to enable an individual to remove information pertaining to him/ her (no matter who posted or tagged it etc.) or whether the rules could force SNS, profiling sites and search engines to change their functionality and service offerings. The second is at what point does the right to privacy starts to suppress freedom of speech, and how will the ‘right to be forgotten’ delineate between information that is “public” and information that is truly “private”.