Time for the EU to forget ‘the right to be forgotten?’

What worries the US most, of all the elements in the proposed data protection regulation from Brussels?

There must be plenty of concern: recent media stories have claimed the proposals have resulted in the heaviest lobbying in memory between the US and the EU.

That seems extraordinary, given all the issues the two have argued over in recent years. But, reportedly, the proposed regulation worries EU member states, too. According to some reports, nine countries want the proposal watered down, particularly in areas that they claim would burden businesses. A leaked Irish memo, quoted in the Financial Times, noted: "Several member states have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft regulation."

The proposed regulations would create consistent data protection laws across all 27 EU states, potentially impose significant fines for breaches, allow citizens to port their data between sites and services, and allow them a “right to be forgotten”, or to have their data removed from sites such as social media services.

The proposals were first put forward by EU justice commissioner and vice president Viviane Reding in January 2012.

When I was at the RSA Data Security Conference in San Francisco at the start of this month, the European approach to privacy came up many times. It divided people, especially given that so many at the event made their money from providing the software and services to protect data.

On one hand, many admired the greater protections afforded EU citizens and the signalled intention in the new regulations to punish slipshod breaches. As presenters said in session after session, most sites are not accessed through ingenious attacks, but are hacked through basic weaknesses such as not keeping software up to date, failing to have adequate passwords, and poor security design of IT systems.

That level of ignorance or wilful stupidity clearly makes many feel that an incentive such as serious fines is to be welcomed.

On the other hand, many worried what might happen to the internet generally if people could go about asking for information to be wiped clean. And of course, there’s concern at the impact such reforms might have on businesses.

I attended a session given by Trevor Hughes, head of the US-based International Association of Privacy Professionals, on the top 20 privacy issues to watch in 2013. The EU data regulations featured on the list, and I was surprised by his argument against – or perhaps it is better to say, his unease with – the right to be forgotten.

First off, he clearly felt this element of the draft regulation might be impossible for businesses to manage, at least as proposed: how could many, especially small businesses, begin to dig out data referring to one person and remove it?

Secondly, he felt that in our new digital era, the internet is our place of record, and that removing chunks of personal data strips out part of the general human historical record, which should remain available.

The right to be forgotten also worried businesses in the question-and-answer session afterwards and, from reports about the EU lobbying, is a key issue for US firms.

Speaking to Hughes after the talk, I noted that from direct briefings from Reding, I’d never had any impression that the “right to be forgotten” was intended to mean all references to a person could be stripped from search engines. Rather, she has said it is intended, for example, to allow people who wish to leave a social media service to have their data permanently removed – something that doesn’t currently happen with many of these sites.

Personally, I do not feel online information about someone, as created from online records or social media postings, is a reliable or accurate summary of that person, worthy of protection as social history. Often, information and images are posted without one’s permission or knowledge, and web data is compiled by “bots” stripping information from random websites, with no context or human input, and is highly inaccurate.

Whatever the case, Reding has indicated that while discussion is ongoing on the proposals, she is not being pushed around by business lobbyists.

So where are we now? Justice ministers met last week and indicated they generally support the proposals. In a press conference with Reding in Brussels afterwards, Minister for Justice Alan Shatter noted that the regulation "was one of our top priorities" for the Irish presidency.