The “right to be forgotten” as contained in the EU Commission’s Proposed Data Protection Regulation (Proposed Regulation), enhances the existing right to data erasure obligation by including an obligation on data controllers that have personal data public, to inform third parties on the data subject’s request to erase any links to, or copy or replicate personal data the individual no longer wishes to be public, from online services. How this new right may be implemented is far from straightforward, and the European Network and Information Security Agency (ENISA) has exposed many of the technical difficulties of its implementation in a report, “The right to be forgotten – between expectations and practice.”
A fundamental concern raised by ENISA is the broad scope of the definition of personal data. In addition, ENISA warns that the draft regulation is not specific enough with regard to who has the right to request the deletion of data. This can become complex in certain circumstances, especially in the context of multiple data subjects with divergent viewpoints on deletion. Although difficult to administer, according to ENISA, there is an obvious need to establish who gets to decide in these situations.
ENISA also finds the definition of “forgotten” data problematic, asking whether it is enough to simply make the data inaccessible to the public or whether it requires absolute deletion. Concerns are raised about the complexities involved in the deletion of personal data from data in large data sets or “Big Data,” especially where it may be possible to re-identify individuals from information from data held in large data sets. ENISA also points out that research, which depends on aggregated and derived forms of information (e.g., statistics), if elements of the raw data from which the data set is derived are forgotten.
Because of the Internet’s openly accessible nature, once information is published it becomes impossible to prevent unauthorised copying of the information, making it difficult, if not impossible, to locate all copies of it. Enforcement of the right to be forgotten solely through technical means or through requests to “take down” information, is therefore unlikely to be feasible. ENISA suggests that technical enforcement would need to be supplemented by international legal provisions aimed at making it difficult to find personal data, for instance, by requiring search engines to filter references to forgotten data from their search results.
Although ENISA stays clear of opining of the merit of a right to be forgotten, the report demonstrates that reliance on technical means to comply with the right, should it be implemented, requires a clearer definition of the scope of personal data, a clarification of who has the right to ask for the deletion, and under which circumstances and what methods data can be considered “forgotten.” The ENISA report shows that a technical solution by itself is impossible, and what is required is a further refinement by policymakers and data protection authorities if the right to be forgotten is to operate effectively should it be implemented.