November 26, 2012
In January 2012, the European Commission published proposed data protection rules that included a right for citizens of Europeto have their digital histories deleted from public access. This is commonly known as, the “right to be forgotten.” A recent technical analysis conducted by the European Network and Information Security Agency (ENISA) questions the feasibility of that right. The ENISA study is available at www.enisa.europe.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten/at_download/fullReport.
A direct consequence of the expansion of computer networks and the increase in data storage capacity is the creation of substantial electronic records profiling the histories and activities of individual people. With each web site visit, social media post, and online transaction, we add to the already extensive digital records that reveal significant information about our actions and our interests.
These digital footprints are often accessible to a wide range of parties for diverse purposes that sometimes benefit us and other times harm us. There is increasing concern that the digital footprints we create through our online and other electronic activities may never entirely disappear.
This concern about the long lives of digital records was at the heart of the European effort to establish a legal “right to be forgotten.” The proposed European data rules would enable European citizens to require that their electronic records be erased.
The ENISA analysis suggests, however, that it may not be technically realistic to expect that a “right to be forgotten’ could be effectively implemented. The scope of data records and the range of parties who have access to those records are now so great that comprehensive deletion of digital histories of individuals may not be feasible.
At a theoretical level, the “right to be forgotten” may be entirely appropriate and reasonable. From a technical perspective, however, it is not at all clear that such a right could be enforced.
If the scope of data collection and analysis have already made it unrealistic to enforce a “right to be forgotten,” perhaps it is best to concentrate our efforts on development of a comprehensive legal framework which more effectively protects the security and privacy of the electronic records of individuals.
Although it may be too late to ensure that we all have the “right to be forgotten,” it may not yet be too late to create a legal and regulatory system which provides all of us significantly greater knowledge and control with respect to the electronic records that document our past.