In mid December 2015, the Commission announced the final plans for new data laws, this including an expansion on the right to be forgotten, but will it give the people of the EU the power to become invisible?
Over the past two decades technology has evolved at an aggressive rate. EU officials have taken the rate of 3 generations of Iphone to finally agree on how they can protect everyone’s data, and it will take at least another two generations to be put in place.
Implemented in 1995, directive 94/45/EC is used as a reference text that sets up a national regulatory framework. It intended to balance a high level of protection for the privacy of individuals while at the same time allowing the free movement of personal data. It demands there is a limit on the collection of personal data and each member state must have an independent regulatory body that supervises any activity where personal data is processed. The directives are not legally binding and transposed into internal law which all member states put their own data protection legislation into place.
The current directive does not consider present pinnacle aspects of sites that harvest data such as social networks and data storage sites such as the cloud. Since 2012, the commission has planned to eradicate these directives and to unify data protection throughout the EU with a single law called the General Data Protection Regulation. (GDPR) Originally aimed for implication in early 2016, it is now estimated to take effect in 2018.
“17 (now 21) years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President back in 2012, “A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”
Aspects of the reform include: companies and organisations informing the commission of breaches within 24 hours without fail, there must be easier access to personal data, national data protection authorities will be strengthened, single sets of data protection law that are valid throughout the EU.
One of the most spoken about aspect of this form comes on the shape of the ‘right to be forgotten.’ (RTBF) The Commission states that it will help people better manage data-protection risks online. When individuals no longer want their data processed they can requests its deletion; it must happen every time without fail. However, not everyone is convinced that this will work. Ever the sceptics Euroscope is wondering just how plausible the RTBF is.
Despite the positivity from the EU figure heads, many are worried that its negative implications outweigh its positives. Aspects of the right to be forgotten have been ratified since 2014.
This is related to the pyrrhic case of Mario Costeja Gonzalez. in 2014 Gonzalez took Google to the European Court of Justice. This was after their refusal to take down articles from 1998, that reported his home was being repossessed to pay off debts. Now out of financial difficulty and a successful businessman; the position of these articles when his name was searched were detrimental.
The ECJ saw that this was an infringement of his privacy and Gonzalez won the case. It brought about new rules for search engines that must get rid of data which is “inadequate, irrelevant or excessive”. This translates to the information only being removed if the impact on an individual’s right to privacy is greater than the public’s right to know. The problem being, however, as the case had such huge implications, Gonzalez in the pinnacle of modern day irony, has made somewhat of a name for himself.
Sites such as UK paper The Telegraph online released an extensive list of content removed from google searches such as: A 2002 article detailing how Britain’s Jewish community staged a 30,000 person-strong protest march in Trafalgar Square to show support for Israel. A 2003 article about people under 30 suffering strokes. Providing a concerning stance as to how far this request law really needs to go.
The Information Commissioner’s Office (ICO), the UK’s governing body of data protection, argues that the ‘right to be forgotten’ is a misleading term, because at current, the debate is actually about removing information that is ‘inadequate, irrelevant or no longer relevant.’ from search results, but not erasing the information all together.
A more recent update shows that professionals analysing the new law, such as the Parisian technology consultancy firm Reputation Squad has found that although it has made big companies aware of the importance of data protection; most companies only apply the laws minimally, only dealing with about a third of the requests they receive. It has also been proven that Google’s international version, google.com is essentially a bypass to this law.
So with the essential framework of some aspects of the right to be forgotten , questions have already been raised at the legitimacy of the new proposed laws.
A synopsis of the updated specifics of RTBF were provided by The Center for Internet and Society at Stanford Law School. Data controllers, including at some internet intermediaries, must erase content based on the right to be forgotten. Although this does not indicated whether social media sites like Twitter or Facebook are included under the RTBF guidelines. There will be fines imposed to sites that do not adhere to regulations, and no fines for over compensating, which could but up to 4% of a company’s annual turnover
Research shows that there is an overlap with similar regulation. Other laws in similar areas, such as e-commerce, go to explain how companies handle removal quests for other legal claims like defamation. There is seems to be a loophole, cutting through the jargon, that seems to suggest that in most cases sites will not have to take information down until there is a valid point rather than just due to request.
“The new rules will give users back the right to decide on their own private data”, said Parliament’s lead MEP on the regulation, Jan Philipp Albrecht from the German Greens Party, “At the same time, the new rules will give businesses legal certainty and chances for competition. It will create one single common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market.”
Research by Blancco Technology Group found that there is a governance and technology shortage, which could affect the way in which companies deal with the RTBF laws when they are applied. This echoes back to the laws that are already in place for search engines. Results showed that although 46% of global organisations received requests to remove data, 41% lacked the provisions, such as documentation to deal with them.
“Because the EU GDPR negotiations stretched on for the last four years, many organisations held out hope that an agreement would be postponed, or if things went the way they hoped, the negotiating parties would never come to agreement,” said Pat Clawson, CEO of Blancco Technology Group.
“But now that the EU GDPR is a reality and the new privacy rules will be ratified by the European Council in early 2016, many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands.”
The right to be forgotten, in theory, seems to be a conscious effort to return power to the people. The genesis of the law itself was immediately sidestepped by Google through loopholes. If the internet giants don’t play fair, how can any other type of internet service be expected to either. It seems that the loopholes have followed through onto the General Data Protection Act, and the most concerning aspect being that sites themselves simply do not have the means to deal with the requests. Although the law change itself is decidedly a more modern and straightforward approach than the previous directives included, it is still chock-full of problems that mean, sadly, the only way of being forgotten is infact not using the internet at all.