Although “the right to be forgotten” sounds like something that has more to do with philosophy than information security, it’s actually one of the elements of the recently proposed European Commission regulation on data protection.
The “right to be forgotten” allows Internet users to ask organizations that store their personal information to delete it.
A new report launched by the European Network and Information Security Agency (ENISA) details the technical and legal aspects of this right.
First, the report stresses that this right cannot be enforced by technology alone, because the Internet is open. Instead, an interdisciplinary approach is needed, and policymakers should take note of this.
Furthermore, policymakers and data protection entities should work together to clarify who can ask for the removal of shared personal data and under what circumstances. Also, the associated costs need to be taken into consideration.
The “right to be forgotten” should also focus on the information stored on offline and discarded devices.
A plausible approach to implementing this right could lie in a collaboration with search engines and sharing service providers within the European Union to filter references to “forgotten” information.
Other recommendations made by ENISA include minimizing the amount of personal data collected and stored online, the use of encryption for storage and transfer of personal data, and the deployment of enforcement solutions to ensure that inappropriate behavior is blocked and the involved actors comply with regulations.
“A uniform approach is needed in Europe to secure the fundamental right of personal data protection. The reform of the data protection laws in Europe is a decisive step in this direction. ENISA’s reports provide a technical information security perspective supporting this reform,” Executive Director of ENISA, Professor Udo Helmbrecht, explained.