W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2012

ENISA and the right to be forgotten

From: Christine Runnegar <runnegar@isoc.org>
Date: Thu, 6 Dec 2012 12:03:40 +0100
Message-Id: <B4E5CAC5-3B0D-4D86-8AA3-AA88CCD58A5A@isoc.org>
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
ENISA recently published a paper "The right to be forgotten - between expectations and practice".

Link: http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten/at_download/fullReport

Conclusions and recommendations extracted below.


5 Conclusions and recommendations

Once personal information is published, it is ultimately impossible to prevent, or even observe, by technical means, the creation of unauthorized copies of this information. In an open system like the Internet, the right to be forgotten cannot be enforced by technical means alone. Enforcement must rest on a combination of technical and international legal provisions.


- Technical means of assisting the enforcement of the right to be forgotten require a definition of the scope of personal data, a clarification of who has the right to ask for the deletion of personal data under which circumstances, and what are acceptable ways to affect the removal of data. Data Protection Authorities, the Article 29 Data Protection Working Party, the European Data Protection Supervisor, etc. should work together to clarify these issues.

- When providing the abovementioned definitions, the technical challenges in enforcing the right to be forgotten (and the associated costs) for a given choice of definition should be considered carefully.

- For any reasonable interpretation of the right to be forgotten, a purely technical and comprehensive solution to enforce the right in the open Internet is generally impossible.

- A possible pragmatic approach to assist with the enforcement of the right to be forgotten is to require search engine operators and sharing services within the EU to filter references to forgotten information stored inside and outside the EU region.

- Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices.

- Data controllers should be required to provide users with easy access to the personal data they store and ways to update, rectify, and delete data without undue delay and without cost to the user (to the extent that this does not conflict with other applicable laws).

- Develop techniques that aim at preventing the unwanted collection and dissemination of information (e.g., robot.txt, do not track, access control).

As mentioned already, this paper is complementing two other recent publications of ENISA in this area. In this broader context, ENISA recommends:

- To policy makers should ensure the use of technologies supporting the principle of minimal disclosure in order to minimize the amount of personal data collected and stored online.

- We also recommend for all parties the use of encryption for the storage and transfer of personal data.

- Particular attention should be focusing on tracking and profiling online, and policy makers should provide clear sanctions and means for enforcement in order to block misbehaving players and to force compliance with rules and regulations regarding personal data protection.

- The Data Protection Authorities and relevant stakeholders in the field should aim to improve user awareness relating to their rights stemming from the data protection legislation and on the possibilities offered to them by the legal system to exercise these rights, including by complaining in cases of excessive collection and storage of personal data.

- At the same time, Data Protection Authorities, the Article 29 Data Protection Working Party, the European Data Protection Supervisor, etc. should work together to clarify pending definition issues taking into account the practical implementation aspects while Member States should eliminate conflicting regulations (the collection and storage of personal data is not always only governed by the data protection legislation).
Received on Thursday, 6 December 2012 11:04:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:23:55 UTC