Privacy & Information Security Law Blog

On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.

As currently drafted, the proposed Regulation would allow individuals to order the deletion of their personal data unless there are legitimate grounds for retention. ENISA’s report reviews the technology currently available to “forget” data in open and closed systems, and identifies certain hurdles that complicate enforcement on a practical level. The report also indicates that the current legal definitions of relevant terms are insufficient, and offers the following suggestions for improvement:

• Clarify what the term “personal data” actually encompasses, who can exercise the right to be forgotten and what “forgetting” particular data entails.
• Consider how to deal with offline storage equipment once the right to be forgotten has been exercised.
• Use data accessibility as the starting point: for example, require search engines to filter out references to data which has been designated as “forgotten.”
• Increase collaboration among interested parties (e.g., the national data protection authorities, the Article 29 Working Party, the European Commission European Data Protection Supervisor) to develop coherent ways to exercise and enforce the right to be forgotten.

ENISA is a center of network and information security expertise for the EU, its member states, the private sector and European citizens. The agency works with these groups to develop information security best practices and assists EU member states with the implementation of relevant EU legislation.