Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Right to be Forgotten Can’t be Enforced on the Internet, says European Security Agency

Europe’s Network and Information Security Agency, ENISA, released on November 20, 2012 its report on the technical aspects of the right to be forgotten. ENISA first points out that any technical solutions for the right to be forgotten would require an unambiguous definition of the personal data that is covered by the right to be forgotten, a clear notion of who can enforce the right, and a mechanism for balancing the right to be forgotten against other rights such as freedom of expression. The text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the right to be forgotten.

More important, ENISA notes that the right to be forgotten is virtually impossible to enforce in an open network such as the Internet. Nothing prevents users from freely copying and redistributing digital content, including photos. Subsequently trying to find and erase the distributed copies would be impossible. ENISA states that the only way to prevent such redistribution would be to use digital rights management (DRM) technology similar to that used by certain publishers of digital content such as motion pictures and music. However, most of the DRM technologies can be easily circumvented. ENISA points out that partial enforcement of the right to be forgotten could be achieved by requiring search engines subject to European jurisdiction to filter search results so that the information that is supposed to be forgotten does not show up:

A natural way to “mostly forget” data is thus to prevent its appearance in the results of search engines, and to filter it from sharing services like Twitter. EU member states could require search engine operators and sharing services to filter references to forgotten data. As a result, forgotten data would be very difficult to find, even though copies may survive, for instance, outside the EU jurisdiction.