Technical Aspects of ‘Right to be Forgotten’: ENISA Report

November 20, 2012

Notwithstanding the on-going changes to the data protection reform package, and the probable downgrade from regulation to directive, the so-called ‘right to be forgotten’ remains an important element of the EU Commission’s proposal. Essentially, the right allows people to ask for digitally held personal information to be deleted.

The EU’s ‘cyber security’ Agency ENISA has published a report covering the technical aspects of ‘being forgotten’, as technology and information systems play a critical role in enforcing this right. The report identifies technical limitations and a further need for clear definitions and legal clarifications before appropriate technical means to enforce this right can be properly implemented.

The report’s authors are Peter Druschel (Max Planck Institute for Software Systems), Michael Backes (Saarland University) and Rodica Tirtea (ENISA).

Some key recommendations of the paper are:

· policymakers and data protection bodies should work together to clarify definitions to assist the enforcement of the right, and the associated costs need to be considered

· a purely technical solution to enforcing this right in the open Internet is impossible – an interdisciplinary approach is needed and policymakers should be aware of this fact

· a possible, pragmatic approach to assist in implementing this right is to require search engine operators and sharing services within the EU to filter references to ‘forgotten’ information stored inside and outside the EU region

· particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices

· data controllers should be required to provide users with easy access to the personal data they store and ways to update, rectify, and delete data without undue delay and without cost to the user (to the extent that this does not conflict with other applicable laws)

· research communities, industry, etc. should develop techniques and coordinate initiatives that aim at preventing the unwanted collection and dissemination of information (e.g., robots.txt, Do Not Track, access control).

The report complements two other recent ENISA publications: the study on data storage and collection in Europe and the paper on the privacy implications of online behavioural tracking. In this broader context, policymakers should ensure the use of technologies supporting the principle of minimal disclosure in order to minimise the amount of personal data collected and stored online. ENISA also recommends the use of encryption for the storage and transfer of personal data. Particular attention should be given to tracking and profiling online, and enforcement solutions should be deployed to block inappropriate behaviour and to force compliance with regulations regarding personal data protection.

Full report and recommendations.