
> right to be forgotten is too onerous to implement and not present in other domains

Not always, but it definitely is. Take the legal system. The UK has something called the Rehabilitation of Offenders Act. After some varying time - dependent on seriousness of offence - I can legally answer "no" to a potential employer asking "have you ever been convicted?".

Google makes a mockery of that. If the law says a 7 year old minor offence is spent, why not search and media too?

> They do make it harder for smaller businesses to compete

As someone working mainly for smaller UK businesses over my career, I don't see this at all. Complying with GDPR, and its very similar Data Protection Act predecessor, has been fairly trivial.

> a credit bureau or an insurance company and say that all my past history should be forgotten

For both credit rating and insurance history, they age out after 5 or 6 years.

Seems like it's online that is wanting the exception of "everything, forever".



I don't believe that is true. Credit bureaus and insurance companies have information about every place you have lived and worked, what school you attended.

The actual ratings may be weighted on information in the last X years.

Also, it is much easier to implement a policy where no data can be retained after X years than on-demand wipeout.


Neither has which school I attended, or has ever asked. An insurer has employers, but only those whilst insuring with that company. I suppose my bank could have told the credit rating agency, but they'd have to infer it from the monthly wages deposit. Is that required in the US?

If they are only weighting on the last 5 years they no longer have a business case under GDPR to retain it[1]. Essentially it crystallises in law what should already have been the case.

> it is much easier to implement a policy where no data can be retained after X years than on-demand wipeout

Not sure how when all that changes is the clock.

[1] If my account was fraudulent in some way, or there's a law requiring some retention, there is a business case for retaining longer, and it is permitted.


> Not sure how when all that changes is the clock.

This is most surely not the case. Many data stores are simply dated collections of files.

With fixed expiration for all data you can simply implement GDPR with things like TTLs and making sure that any downstream systems do not consume data older than a certain date.

With individual wipeouts that can happen at any time this becomes much more challenging.

Now all data, in all systems that use that data, have to have the ability to wipe data at the individual record level on demand.

This has broad implications, especially depending on how you interpret whether things like derived models, aggregate stats, etc. need to be recalculated in light of GDPR requests.
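
Added example, not part of any comment in this thread: a Python sketch of the two deletion models the last comment contrasts, run on a constructed store of one JSON-lines file per day. The file layout, field names and function names are assumptions made for illustration.

```python
import json, tempfile
from datetime import date, timedelta
from pathlib import Path

def write_partition(root, day, records):
    """One JSON-lines file per day: the 'dated collection of files' layout."""
    path = Path(root) / f"{day.isoformat()}.jsonl"
    path.write_text("".join(json.dumps(r) + "\n" for r in records))

def ttl_purge(root, today, max_age_days):
    """Fixed retention: drop whole partitions by file name; no record is read."""
    cutoff = today - timedelta(days=max_age_days)
    removed = []
    for path in sorted(Path(root).glob("*.jsonl")):
        if date.fromisoformat(path.stem) < cutoff:
            path.unlink()
            removed.append(path.name)
    return removed

def erase_subject(root, subject_id):
    """On-demand erasure: read every partition, rewrite those naming the subject."""
    scanned, rewritten = 0, []
    for path in sorted(Path(root).glob("*.jsonl")):
        scanned += 1
        rows = [json.loads(line) for line in path.read_text().splitlines()]
        kept = [r for r in rows if r["user"] != subject_id]
        if len(kept) != len(rows):
            tmp = path.with_suffix(".tmp")
            tmp.write_text("".join(json.dumps(r) + "\n" for r in kept))
            tmp.replace(path)  # swap in place so readers never see a partial file
            rewritten.append(path.name)
    return scanned, rewritten

def demo():
    """Constructed sample data: four daily partitions, two users."""
    today = date(2024, 1, 10)
    sample = {9: ["alice", "bob"], 5: ["bob"], 2: ["alice"], 0: ["alice", "bob"]}
    with tempfile.TemporaryDirectory() as root:
        for age, users in sample.items():
            write_partition(root, today - timedelta(days=age),
                            [{"user": u, "event": "login"} for u in users])
        removed = ttl_purge(root, today, max_age_days=7)
        scanned, rewritten = erase_subject(root, "alice")
        left = sorted(json.loads(line)["user"] for p in Path(root).glob("*.jsonl")
                      for line in p.read_text().splitlines())
    return removed, scanned, rewritten, left

if __name__ == "__main__":
    print(demo())
```

The sketch covers a single store only; backups, downstream copies and anything derived from the records are outside what `erase_subject` touches.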



