Naked Security

Sorry, who did you say you were? We’ve forgotten about you

Britain's data proposals will enshrine GDPR's right to be forgotten in domestic law - but what's the situation elsewhere?

The proposed UK Data Protection Bill, if passed, will bring UK law into harmony with the EU General Data Protection Regulation (GDPR). Matt Hancock, the digital minister, told the Mirror that the bill should “give consumers the confidence that their data is protected and those who misuse it will be held to account”.

The bill specifically calls out how UK citizens will have the right to be forgotten:

  • Individuals will be able to ask for their personal data to be erased (some exemptions may exist)
  • Require social media platforms to delete information posted during their childhood
  • Request social media companies to delete any or all posts (with very narrow exemptions)
  • Digital footprints – IP addresses, cookies and biometric information are categorized as personal data.
  • Opt-in will be unambiguous and easily withdrawn.
  • Personal information being held by an organization shall be revealed, at no charge, to the individual upon request.

The bill adjusts how the right to be forgotten will be administered, noting that the

… principal difference is a strengthening of the law from being applicable when substantial damage or distress is likely to be caused, to whenever a data subject withdraws their original consent for the data to be available, as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.

The UK data regulator, the Information Commissioner’s Office (ICO), has created a data protection self-assessment toolkit to assist organizations in their efforts to be compliant with the GDPR, which comes into force in May 2018. The modules include data protection assurance, getting ready for the GDPR, information security, direct marketing, records management, data sharing and subject access, and CCTV.

The ICO, in a follow-up to its publication of the draft data protection bill, took a stab at slaying some of the myths finding their way into the headlines, which characterized the GDPR as a vehicle to greater fines for those with infractions. In her piece, the Information Commissioner, Elizabeth Denham, makes clear that “this law is not about fines. It’s about putting the consumer and citizen first.” Denham also states that she will be providing myth-busting guidance in the weeks ahead via the ICO’s blog.

What’s missing from the ICO’s proposed bill?

Search engines!

The bill speaks to social networks and organizations, but not to search engines.

Google, for example, has been supporting the EU GDPR right to be forgotten for just over three years. In 2016, it extended the “right to be forgotten” to all domains. During the past three years, Google processed more than 720,000 requests, removing approximately 43% of the 2m links submitted for removal – which means that fewer than half of all requests to have URLs removed are successful.

If you are an EU resident, you can ask Google to remove a URL from its search results by filling out the EU Privacy Removal form. That removes it from search results, but if you want the offending content taken down, you’ll have to ask the site it’s hosted on to remove it.

What about the other side of the pond?

The United States has limited “right to be forgotten” statutes available to its residents. The Electronic Privacy Information Center tells us of laws across the states that “allow individuals to remove records containing disparaging information, including personal bankruptcy and juvenile criminal history”.

California has a law in place, the “California Eraser Law”, which gives minors the right to request that information be removed from websites or online applications.

The New York State Assembly is considering a “right to be forgotten act”, Bill A05323, sponsored by Rep. David Weprin (D-23), which calls for search engines, publishers and indexers who make information about an individual available to “remove such information, upon the request of the individual, within 30 days of such a request”. It is rather broad-brushed, without consideration for the First Amendment, scholarly research and the like.

In Canada, meanwhile, Google has been ordered by the Canadian courts to remove entire domains and websites, in effect, as the Electronic Frontier Foundation tells us, “making them invisible to everyone using Google’s search engine”.

What’s the back story?

We’ve been discussing the right to be forgotten for a good number of years. In her book, Ctrl-Z: The Right to be Forgotten, Meg Leta Jones identifies two cases as having instigated the discussion.

The first concerned Mario Costeja Gonzalez and his request to have a newspaper remove information about his property and insolvency proceedings. When the paper refused, Gonzalez asked Google to remove the information from search results. Google declined, and Gonzalez took Google to court and won. Contemporaneously, in the United States, two American Idol contestants sued a number of defendants about online content which served to have them disqualified from the program. Their cases were thrown out, because the information was “true.”

Then there is the Google Bomb phenomenon, in which people try to artificially boost a website in the search rankings by linking to it from other websites. This can be done for many reasons, including malicious ones, as when the author of Google Bomb, Sue Scheff, found herself the subject of ill-intentioned individuals spreading falsehoods.

Google has evolved, and those in the US can make requests of Google and other search engines in instances similar to that described in the Google Bomb.

For now, if you are in the EU or the UK, you’ve a path to removing information from organizations’ databases, as well as search engines. Elsewhere, the discussion continues both in and out of the legal systems.