Simply Security - News, Views, and Opinions from Trend Micro

Posted on March 5th, 2012 in Current News, Government Policy by Simply Security | Be the first to comment | Tags: Policy

EU’s 'right to be forgotten' policy to affect search engines, social networks

The European Commission, the executive body of the European Union (EU), raised eyebrows last month when it proposed sweeping changes to decades-old data protection rules – a move that sparked some praise and a lot of criticism from government bodies and companies around the world.

One of the more contentious elements of the commission's proposed revision is the introduction of the "right to be forgotten" provision, which would essentially allow individuals to demand organizations delete their data if there are no legitimate grounds for keeping it.

The idea behind such a provision is clear. Given the growing threat of data breaches and the sophistication of tools employed by cybercriminals, it makes sense that consumers would be able to request their information be removed from certain databases as they see fit.

However, not everyone sees it this way. Several businesses, particularly those in which data collection is a significant part of their revenue generation – like social networks and search engines – have contested the right to be forgotten, asserting that the policy puts unreasonable demands on hosting platforms and inhibits them from providing services.

Google has been one especially vocal opponent of the right to be forgotten. In a recent blog post, Google global privacy counsel Peter Fleischer asserted that the individual, not the company, should have "full control" over any data he or she publishes intentionally. This includes the responsibility to delete data.

"That means that a user should be able to delete an individual post, photo or video that he or she stored with the hosting platform," Fleischer wrote. "The user should also be able to delete his or her entire account with a given hosting platform, thereby deleting all the materials he or she had published and which was stored in that account."

It turns out that "hosting platform" is the optimal phrase in Fleischer's blog and one that EU Justice Commissioner Viviane Reding, who introduced the policy change, didn't dispute.

In a message sent to technology news provider ZDNet, Reding acknowledged that "pure hosting services" have no responsibility for the content provided by their users. However, Reding also noted a distinction between pure hosting services and the platforms that Fleischer referred to.

"In principle, pure hosting services have no ownership and no responsibility for the content their users let them host. … This is independent of privacy laws, just in the definition of hosting services," Reding stated, according to ZDNet.

"However, other information services, including social networking and search engines, may exercise control on the content, conditions and means of processing, thereby acting as data controllers," she continued. "If and when this is the case, clearly they have to respect related data protection obligations."

Under Reding's definition, websites like Google, Facebook and YouTube are not considered pure hosting platforms, as they have an obligation to the content that users submit. This includes wall posts, photos, videos and the like. The key difference, according to ZDNet, appears to be the fact that pure hosting platforms do not organize and process such information, while social networks and search engines generally do.

The EU commissioner, however, did concede a few of Google's points. For example, Reding acknowledged that it would be difficult for sites like Google to demand that third-party systems delete material that has been republished on the Internet. To this point, Reding said that sites must take "reasonable steps" to inform third parties that a user wants personal information removed, ZDNet reported.

"Where the controller has authorized a third-party publication of personal data, the controller shall be considered responsible for that publication," Reding said, according to ZDNet.

Of course, Google isn't the only critic of the EU's proposed revisions. As they are currently worded, the new rules would apply to any organization that does business within the union, not just those located in Europe. This is a point that did not sit well with Philip Verveer, U.S. coordinator for international communications and information, who told reporters that the proposal could make it difficult for American businesses to compete in the EU.

The U.K.'s Information Commissioner's Office (ICO) also raised concern about the changes, calling them "unnecessarily and unhelpfully over-prescriptive." In a statement, the ICO criticized the inflexibility of the proposal and said the rules do not go far enough to consider special cases pertaining to sensitive data.

The debate over the EU's data security proposal seems poised to continue for some time, and it is unlikely that the rules will be enacted exactly as they are currently written. However, the EU must be commended for taking initiative to address the current data privacy climate, even if its stance is perceived by many as too overreaching.

Data Security News from SimplySecurity.com by Trend Micro