The EU's 'Right To Be Forgotten': What Data Protections Are We Missing in the US?

This article is more than 10 years old.

Consumer data protection is hot news again, along with the privacy issues raised by browser tracking and tracking software. Since the Obama administration's proposed privacy policy on consumer data last year, consumers are wondering how Congress will legislate Obama's guidelines into working consumer protections. Meanwhile, the European Commission is working on a consumer data protection plan whose "right of erasure" provision for consumers is almost poetic. "The right to be forgotten" in its Article 17 proposes to protect (or rather guarantee erasure of) consumer data in a manner that seems to put the power of privacy back in the hands of the consumer. I can't help but wonder what protections we are missing in U.S. data privacy laws, and how we could make the protections afforded by Europe's "right to be forgotten" work in the U.S., as our online "lifescape" becomes ever larger with ubiquitous browsing and social networking behavior. I shared thoughts via email with two key members of ENISA, the European Network and Information Security Agency: the Head of Technical Department, Steve Purser, and Mina Andreeva, Spokeswoman of Vice-President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship, to mine their own thoughts on the European Community's "right to be forgotten" and how it could possibly inform how digital data protection is implemented in the U.S.

The European Community regards the protection of consumer data as a basic human right, one whose legal provisions (the Right to Be Forgotten) are implemented in practice within the social and online context of European consumer behavior. This means that securing optimal consumer data protection is possible only insofar as search engines and database operators are able (or willing) to implement such protections. What legal provisions for digital data are we lacking in the U.S., and what policies for online privacy could we adapt from European policy making? Recently, there has been some cause for consumers to be concerned about where their data is migrating. Elise Ackerman reports that Google and Facebook routinely ignore "Do Not Track" requests, claiming they confuse consumers. Kashmir Hill posted that Facebook is creating partnerships with Acxiom, Epsilon, Datalogix and BlueKai and making use of these companies' first party website data to better profile customers for ads, sales opportunities or cold shouldering.

As if this weren't enough to cause alarm, there was the Guardian's story about Raytheon's Rapid Information Overlay Technology, an "extreme-scale analytics" system with the functionality to mine large amounts of information from Facebook, Twitter, Foursquare, etc. and to create a comprehensive social media landscape of the online user and consumer. A June 2010 company press release describes the project as an "interoperable service platform for developers and analytics suppliers" that will "ensure both scalability and interoperability when deriving actionable intelligence from the increasingly staggering volumes of intelligence data coming in to the various branches of government." Call me data-paranoid, but this seems like systems-engineering speak for the unrestricted implementation of a data mining network -- interfacing seamlessly across global information systems and allowing ungoverned, total access to global consumers' digital data.

And the tracking of consumer data is a timely issue being actively dissected by companies with a vested interest in tracking online data. According to Keith Enright, a Google senior policy counsel, there is a “consumer confusion question,” caused by the lack of a standard industry “do not track” policy. To note a consumer’s “do not track” preference in an “ad hoc way” would perhaps not meet individual user expectations, Enright commented.

Speaking to the "do not track" issue regarding the data of social network profiles, Erin Egan, Facebook's chief privacy officer, said she wasn't sure that a “do not track” browser setting accurately reflected a user’s wish not to be tracked online, particularly in cases where companies such as Facebook tracked users to enable the very feature that customizes the user experience on the popular social network. Egan added, “For Facebook, we have social plugins. We don’t use that data for an advertising purpose -- we use it to personalize the data on those pages.” Egan maintains that until the World Wide Web Consortium (W3C) sets an official standard, “it’s really hard for companies like us.” More browser platforms may push ahead with a standard of their own, implementing settings that will enable expanded user control to block cookies, such as Internet Explorer's default do not track setting.

The European Network and Information Security Agency (ENISA) has been working on a framework that sees data protection as a basic human right, a protection that is offered to consumers within a social context. Since consumers drive economic development, their "online trust" must be preserved. And preserving that consumer trust is where consumer data protection becomes essential to the online economy. I communicated via email with ENISA's Head of Technical Department, Steve Purser, and Mina Andreeva, Spokeswoman for Vice-President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship, about the E.C.'s "right to be forgotten" proposal, and what we might learn about protecting the digital data of U.S. consumers.

Venables: Building consumer trust is linked to economic development -- consumers whose data is protected will be willing to use new online services, use new technologies and drive economic development. This approach to consumer trust protects the rights of the online consumer, both in terms of human rights and as a form of economic right. Are consumer protections a form of economic incentive, as well as a protection of personal data information for the EU?

Purser: The starting point for the EU is that data protection is a fundamental human right, and the ENISA report ‘The Right to be Forgotten – Between Expectations and Practice’ is looking into the technical aspects of the right to be forgotten. To that picture, you have to add the entire context of cyber security, or Network and Information Security in the Digital Agenda for Europe. The ICT sector constitutes around 5% of GDP, but contributes to an amazing figure of 25% of business research and development spending. The Internet sector in Europe is growing by 12% and represents the size of the Belgian economy. The digital economy is growing seven times faster than the rest of the economy. It is clear therefore that we should make full use of our digital opportunities to contribute to a strong EU economy and this is why the Digital Agenda is advocating ICT as a driver for the economy. In this sense, consumer protection is indeed a form of economic incentive. By providing citizens with a safe and secure environment for carrying out their daily activities the EU is encouraging the adoption of new technologies that will be instrumental in bringing about improvements in efficiency and effectiveness.

Venables: Article 8 of the EU Charter already provides for the "Protection of personal data" of EU citizens. The new proposed regulation states, "As underlined by the Court of Justice of the EU, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society." How does implementing the "right to be forgotten" for EU citizens make data erasure and by default, data protection, an "absolute right" for all citizens in terms of common data usage on the Internet and mobile phones?

Purser: As you correctly point out, the regulation states that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society. The ENISA report shows that the implementation of the right to be forgotten will not make data protection and data erasure an absolute right for all citizens on the Internet and mobile phones due to limitations in our ability to implement the concept in an absolute way. The ENISA report therefore makes no comment on whether or not the right to the protection of personal data should be absolute; this was not the purpose of the study. It does point out that in actually applying this right, there are a great many practical challenges which need to be overcome and in our opinion it is not possible to guarantee these rights. We are therefore sending a message to all stakeholders to take a second look at this, and work together on the practical limitations in order to achieve an optimal, but not perfect, implementation of the concept.

Venables: The United States has no federal law that guarantees the comprehensive protection of consumer data and the "right of erasure" for its citizens. How might the U.S. gain insight on practical implementations of such a policy to protect the online data of U.S. consumers?

Purser: ENISA cannot sensibly comment on this as our work is focused on improving Network and Information Security throughout the EU and we have not studied the situation in the US. We can only echo EU-Commissioner Reding on the US-EU cooperation on this topic, in a global world, "more needs to be done. We need our technicians and our legal experts, from both sides of the Atlantic, to continue their dialogue to improve the Safe Harbour agreement as well as other missing elements. And support the work of those relevant actors working on this.

I asked for further comment on implementation of "the right to be forgotten" from Vice-President Viviane Reding, the EU Commissioner for Justice, Fundamental Rights and Citizenship, who is responsible for drafting and steering the EU's data protection reforms.

Venables: How would "the right to be forgotten" work in practice for the EU consumer?

Andreeva: "New technologies provide unlimited possibilities for the storage, exchange and dissemination of information. We need to make sure individuals remain in control of their personal data. Rights of access, rectification and erasure all exist under our current rules, the 1995 EU Data Protection Directive. These principles are now being further clarified as well as updated to put them in line with 21st century data processing activities.

Let's take an example of how this would work: Somebody's personal data is published online and is then copied to another website. Additionally, a search engine links to the original story/website. Here the right to be forgotten can be exercised if the person withdraws his/her consent for the data processing. The original website would need to take down the personal data (if no legitimate reasons exist to keep it) and inform the other website that the individual wants to have his/her data deleted. You would thus, for example, no longer find the information listed on the search engine, as the site on which the original information had been posted has taken down this information.

And here an example of how it would not work: A press report reveals information about an individual of public importance. In this instance, it is likely that the exception relating to the right to freedom of expression and freedom of the media (set out in Articles 17 and 80 of our proposed Regulation) would apply. The press' ability to report information would be protected in such circumstances from somebody trying to "silence" them via the right to be forgotten."

Venables: How would European Union rules for data protection be legally applied in E.U. member states?

Andreeva: "If companies want to operate on Europe's single market with its 500 consumers, they have to play by the European rules. If a non-EU company (based outside the EU) is operating on the single market and targeting consumers in the EU then the EU rules apply to them, as will the sanctions for not abiding by them."

As consumers' lives become increasingly transcribed in complex digital data trails across blocks of health, financial, vital statistics and social networking data, they will become more informed about protecting their digital "lifescape", as it were. Online aficionados in the U.S. will have to wait to see how vigorously the U.S. legislature will protect their life's data, and how the purveyors of search such as Google, Microsoft and Yahoo will battle against any U.S. legislative or other international measures that seek to ensure higher levels of digital data protection for consumers in the coming months.
