US diplomat: If EU allows 'right to be forgotten' …it might spark TRADE WAR (theregister.co.uk)
48 points by iProject on Feb 5, 2013 | 62 comments



Many companies will go bankrupt if X happens. X=(tape recording, internet, ATMs, privacy laws, any kind of regulation).

I can't really hear this argument any more. Sure, any regulation will have bad side effects, but who are we? A planet full of people or a planet of companies that want to maximize profit on our back? The world will not end if we are allowed some more privacy for us.


Think about what the "Right to be forgotten" means at a technical level. It means you need to permanently delete records from your databases -- not just mark them with a deleted flag -- as well as delete records from your backups and reports generated that may contain personal information. In addition, your organization may also be held responsible for removal of data given to third parties.

This is a big deal and it has many concerned over how it can be implemented as well as enforced.


No, this is not a "big deal", unless your company is already non-compliant with existing data protection laws.

Article 12 of directive 95/46/EC [1] specifies:

Member States shall guarantee every data subject the right to obtain from the controller:

...

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Article 17 of the proposed regulation [2], a.k.a. "the right to be forgotten/erasure", strengthens existing erasure/data minimization laws. You are already required to erase data upon request under certain circumstances, and under the circumstances described in article 17 (1) and existing law, you should no longer be storing the data to begin with.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...

[2] http://ec.europa.eu/justice/data-protection/document/review2...


This means that the companies will not collect and maintain too much data about me to start with. There can be a reasonable amount of data - like name, DOB, address - that can stay public in any case. Other data will have to be deleted.


Any kind of personal data must stay private unless I decide that it can be revealed/public. Name, DOB, and address are personal data. I must have the right to prevent companies giving my address away (public or other companies).


That'd be the ideal scenario I suppose.


Encrypt row fields with a per user salt.

Backup this salt separately from the rest of the data in an easier to access media.

When deletion of a full row is needed, you just need to delete the salt from the comparatively smaller and quicker salt backups, as well as the live row+salt.
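The scheme in the comment above is usually called crypto-shredding. As an added example (not part of the thread, and not code from any project mentioned in it), here it is in Go, taking the comment's per-user "salt" to be a per-user AES-256-GCM key, which is an assumption; `KeyStore`, `Row`, `Seal`, `Open` and `Forget` are hypothetical names and the sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrForgotten = errors.New("key erased: record is unrecoverable")

// KeyStore (hypothetical name) is the small per-user key ("salt") store.
type KeyStore map[string][]byte

// Row is what the main database and its bulk backups hold.
type Row struct {
	UserID string
	Sealed []byte // nonce || AES-256-GCM ciphertext, user ID as AAD
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field, creating the user's key on first use.
func (ks KeyStore) Seal(userID string, field []byte) (Row, error) {
	if _, ok := ks[userID]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return Row{}, err
		}
		ks[userID] = key
	}
	g, err := gcm(ks[userID])
	if err != nil {
		return Row{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Row{}, err
	}
	return Row{userID, g.Seal(nonce, nonce, field, []byte(userID))}, nil
}

// Open decrypts a row taken from the live table or from any old backup.
func (ks KeyStore) Open(r Row) ([]byte, error) {
	key, ok := ks[r.UserID]
	if !ok {
		return nil, ErrForgotten
	}
	g, err := gcm(key)
	if err != nil || len(r.Sealed) < g.NonceSize() {
		return nil, errors.New("bad key or truncated row")
	}
	n := g.NonceSize()
	return g.Open(nil, r.Sealed[:n], r.Sealed[n:], []byte(r.UserID))
}

// Forget erases the user's key; it must run on every copy of the key store.
func (ks KeyStore) Forget(userID string) { delete(ks, userID) }

func main() {
	live, keyBackup := KeyStore{}, KeyStore{}
	a, _ := live.Seal("alice", []byte("alice@example.org")) // constructed data
	b, _ := live.Seal("bob", []byte("bob@example.org"))
	for u, k := range live { // separate, small backup of keys only
		keyBackup[u] = append([]byte(nil), k...)
	}
	live.Forget("alice")
	keyBackup.Forget("alice")
	_, errA := keyBackup.Open(a) // a, b: rows restored from an old bulk backup
	bob, _ := keyBackup.Open(b)
	fmt.Println("alice:", errA, "| bob:", string(bob))
}
```

The erasure only holds if every copy of the key store is purged: an unpurged key backup or replica keeps the old rows recoverable.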


I believe that this is the current situation in Germany and I assume other E.U. countries.


It's debatable whether Germany's data protection laws include a right to be forgotten, but, in any case, it is not on the scale that is being proposed by the revised Data Directive. Other EU countries do not have the "right."

What they do have, that exceeds protection in the US, is the right for many EU citizens to request a copy of all of the information a company has on an individual, as well as, in many cases, the requirement that a company gain explicit permission before collecting or sharing personal information.


Poland also has it (right to update and delete your data) since 1997. In practice it wasn't a problem (or at least no big complaints). We had our share of social networks.

About this law: http://www.privireal.org/content/dp/poland.php


There's already an easy way to keep any non-monopoly company from maximizing profit on your back: Don't do business with them.


What about the companies that secretly collect information from you, but are not visible because they are included as JS/cookies/whatever on other sites?


What about my friends who upload and tag my photo on Facebook?


If you weren't doing business with Facebook how would they be able to tag you?


Unless they've changed it recently, it's possible to use any name as a tag regardless of whether that individual is on Facebook.

I know this because pictures of long-dead relatives posted by family members are tagged.


Perhaps not so much about tagging the photo, but a) uploading a photo of me or b) giving Facebook my email address (yes, that's common practice).


That is your friends passing your info along without your consent, not Facebook breaking the law.


In case of the email address: I think Facebook is violating German law by storing my personal information which I'd consider private. (I am not sure if they still do that.)


I think "Sure, any regulation will have bad side effects" was the rallying cry of the SOPA backers


The point isn't "all regulation is good." The point is that "some companies will go out of business" isn't necessarily a good argument.

To continue your SOPA connection, "Google will go out of business if SOPA is enacted," isn't a good argument in and of itself. You're assuming that Google staying in business is a good thing.

Arguing against regulation of X because companies that have built a business around X being a certain way will go out of business necessitates that an explanation of why X continuing on in the same manner is in the interests of the general public.


I agree, though I don't think I should be assumed to rely just on that fallacy. The problem here is that just because a law purports to serve an ideal doesn't mean that its side effects should just be waved off as a necessary evil.

As an example, stopping terrorism is generally seen as a good thing, yet opinions differ on whether the laws that purport to prevent terrorism are good, and the government has also used such laws (such as the wire tapping allowances) to justify non-counter terrorism ops.


Good point :)

I think my point is: "if we don't implement SOPA, we (the companies) are all gonna die!"

Don't know how to express it in general, but I hope I can make my view clear.


Europe is the largest economy in the world. If there is any merit to this article, then I wish the US luck, but I think they'll get a very short shrift. The EU has too many internal problems to bother pussy footing around with the US. It's a sleeping giant and I get the feeling it's about ready to start putting its foot down, purely to save itself.


Seems like you forget that EU fined Microsoft whereas US didn't. It might be US which is pussy footing most.

And they forced Facebook to give us a copy of the information they have registered about us. How's that going in the US?


That is a very interesting point - Europe is hurting and will plain old react at some points - it's going to be fun :-)

Weirdly it is likely that the best way that the EU will draw together and get behind one set of federal organisations is by seeing itself as attacked by outsiders - hopefully not literally as in US.


Europe is a bunch of countries. I'm sure we can arbitrarily choose any other group of countries that will make it a bigger economy than Europe. So saying that Europe is the largest economy in the world is kind of silly. Largest to what? To other continents?


By "Europe", the parent means the E.U. The fact that it has a parliament, a supreme court, a set of laws and a unified trade policy means that it can (in some situations, such as this one) be compared with other federations of states. Such as... the USA!


It always bothers me if US officials threaten to take countermeasures when countries strengthen civil rights.

His point is, private data is big business and the US gov needs data to grind. We, the US, won't let your liberal boundaries interfere with that.

Well, in Germany one has the "Grundrecht", the fundamental right to stay in charge of one's own data.

There are of course many problems in daily life and our data privacy laws sometimes hit those practical limitations.

Nevertheless, enclosure movement was key in the rise of the US and it remains that way. Strong arming weaker forces out of their turfs and making profits. That is the American way, not ours.

This enclosure movement of private data means "web 2.0 the capitalistic way". We take your data, profiting and you are not. Here, have some booze and blankets.


> Nevertheless, enclosure movement was key in the rise of the US and it remains that way.

I always thought enclosure was a British thing..


Enclosure movement in the sense I and e.g. Volker Grassmuck (http://waste.informatik.hu-berlin.de/grassmuck/Texts/spinner...) used, means taking/claiming common land by putting a fence around it.

That's how the wild west worked basically. The natives haven't had the concept of property.

And we don't see our own private data as "our property" as well - which pages we use, which products we buy, which X we like, where we work, addresses and so on.

It isn't property, it is us and we should be able to decide what others do with those expressions. If companies earn money with it, we should profit from it as well. Don't you think?

Google profits from that and in exchange we can use their services. Often we do know that we are the product.

Having certain information at certain online service deleted might just spawn new startups offering to do just that for your customers and your convenience.

Gaining the trust of customers is a good thing imho.


Well yes, enclosure/fencing was very very British thing. I was just surprised that someone referred to it as the American way.

http://en.wikipedia.org/wiki/Enclosure

What happened in America was very ugly colonization, but arguably not the same thing.


It's sad that a law like this is needed at all. It seems like a matter of common decency to remove data about someone upon request.

People that are willing to fight a trade war (whatever that is supposed to mean) over this are so far removed in their worldview from my own that it's actually quite shocking.

While we're at it I'd really appreciate if my bank data wouldn't be shipped off to the US. Privacy terrorists at work over there.


Sure, it's common decency to be reasonable and delete data if requested. But this law seems to go a bit too far and make things a bit too difficult.

According to the linked article, the person you're requesting to remove the data is also liable for any third parties that have it - and should take reasonable steps to ensure they remove it. Can you imagine the logistics of Twitter removing every reference to all tweets by xyz in a timely fashion? How about Google removing data from their search engine and making sure any number of aggregators etc also remove it? How can a company even know what's being done with public data? The law says personal data - there's certainly people sharing personal data publicly, making this effectively impossible to enforce.

The EU are right to be thinking about how to apply their privacy directive to the internet age - the current situation isn't working. However, they need to be a bit sensible here and realise that when data has been made public with a person's permission (eg Tweeted), it's that person's responsibility, not eg Twitter's.

EDIT: That's not even considering backups etc - we expect these services to work, so it's reasonable to expect and permit them to make backups. If I want to be forgotten with a reasonable degree of confidence, I'd need them to delete information about me from all their backups too. Maybe your average Wordpress blog doesn't have a nightly backup, but if it's picked up by a tech site/Reddit/HN, you can be sure they do - so I'd want it deleted from all of their backups too.

An unenforceable law that claims that people have more protection than is technically reasonably possible is not an improvement in my opinion - people should know what's happening with their data, and shifting who's lying/misleading from companies to Government is not an improvement.


So, what happens when the scammer that's been abusing your service asks for his information to be deleted? Now you have no information on him, and he can just continue to abuse your services over and over again.


This sounds like some comment by a junior official being blown way out of proportion.

The EU and the US squabble all the time about trade - it would be pretty surprising if they didn't!

e.g. Consider the long running argument over Boeing and Airbus.


Still, his remark about us having a right to privacy but not a fundamental right to data protection just plain irks me.

It's typical weasel words from government officials who seem to find no method unreasonable if it lets them circumvent the intent of the Constitution. They love to forget it was a document which limited the government, not us.


It wouldn't surprise me if they set up some relatively junior diplomat to make statements like this to test the water and to allow deniability if it all goes too wrong.


Good call. He is not even listed in the "Key Officers List" of State's telephone directory:

http://www.state.gov/documents/organization/111812.pdf


It wasn't a junior official. Quite the opposite in fact.

http://www.acus.org/users/john-rodgers


Anyways, a "right to be forgotten" sounds like a nice idea, doesn't it?


Already exists in some countries (for example in Poland). Each company that wants to keep your data here has to get your permission (either by off-by-default checkbox on a website form, or on paper), and to allow you to delete or change your data in their database on your request.

There is an inspector that is responsible for receiving complaints about companies that don't comply with this law, and he can issue warnings and fines to companies. It's working OK, I don't understand why USA would start trade war over sth like this.


As a web developer for a smallish company with detailed customer records I'm happy to add this as a feature.

I'm not sure what to do about my backups but hopefully common sense will prevail on that front.

I'm also curious about industries that need to retain all financial transaction records for a certain amount of time. They are going to have to be exempt from this as well.


Not just industries.

"Dear European country X, would you kindly remove all my personal data from your databases" is probably not something they want.

Guess an opt out app for the tax database would be an all time bestseller though :P


From the OP: Under the draft Regulation individuals would enjoy a qualified 'right to be forgotten'. That right would enable them to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public would be liable for the data published by third parties and would be required to "take all reasonable steps, including technical measures" to inform those groups to delete the information.

Talk about a blow to the First Amendment. Let's give it the benefit of the doubt and say that this law doesn't force news sites to remove old stories from the web that identify people.

According to the OP's interpretation, if someone uses Twitter to tweet something racist/sexist/utterly despicable and then deletes it after getting called out on it, that person could sue Twitter ten years later if I happened to reply and quote that Tweet? Or if I referenced it in a blog post? And Twitter would be expected to take any technical means necessary to silence me?

How is this law not the SOPA of information?


EDIT: Sorry, kneejerk.

I think you've misunderstood.

This is a data protection act concerned with the right to delete information you have given an entity. It's for going to facebook and saying 'delete all the information I gave you, I no longer want you to have it and make sure you tell all the people you sold it to to delete it too'. It's nothing to do with freedom of the press, etc.


Whoa no need for the ad hominem there, it's too early in the morning. I'll repost what the OP says...if the OP is wrong, then obviously my argument is wrong

From the OP: Under the draft Regulation individuals would enjoy a qualified 'right to be forgotten'. That right would enable them to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public would be liable for the data published by third parties and would be required to "take all reasonable steps, including technical measures" to inform those groups to delete the information.

Your Facebook example is a good one, as it has defined data as including the content submitted by the user. You are correct that FB, the organization in this case, would be required to delete the data. But then the proposed law goes further, mandating that third parties need to delete the data. That is what my comment was referring to. Who do you think "third parties" mean? From usual interpretation, it means every and anyone besides the user and organization, hence, anyone who retweets or reposts or refers to the data made public by the organization


Sorry, edited.

It says in the quote personal data. Nothing to do with public information or information in the public interest.


That's the rub, though, right?

Clearly, most users consider the content they've posted themselves as being personal data...when you delete your FB account, you expect that posted content to be deleted.

So if an ex-lover decides to screenshot some material that I only shared with my close friends and republishes it to Tumblr to embarrass me...does this law cover that? Sure, that seems like a clear cut case to most of us...and there are libel and harassment laws that cover this.

Now what if I make my affiliation with the KKK known on FB (such as Liking them and listing it under my job history). I renounce the organization and delete my FB account a month later, but before then, someone has decided to post a screenshot of that ugly tidbit on their blog because while I was working as a cashier at Acme burger, they feel that I discriminated against them and so this KKK datapoint is proof.

Ten years later, does the public have a right to know that info, even if I spent the rest of the decade doing what I can to fight the KKK's efforts. Don't I have a right to be forgotten by search engines of my brief dalliance with the KKK?

Again, there are defamation laws that I can try to leverage (in the US, I would be considered a non public figure with stronger libel protections)...with this EU law, I now have the ability to bring a lawsuit against Facebook for not doing enough, in my opinion, to stop the dissemination of information after I deleted my account.

Now if your rebuttal is "well, it is a technical impossibility for FB to stop others from disseminating that information" Well, is it really? Or did FB just shirk their duties to save an extra buck? That's for the courts to decide...and as you well know, technical implementation is not always a deciding factor in the ruling.

I've used two extreme cases (most people hate the KKK so much that I assume they don't care if the person in the second scenario has their data shared)...but you can imagine all the other cases to fill the spectrum. You seem to take it for a given that the courts all agree what is in the public interest and what free speech is...but the reality is that such debates and lawsuits still go on today

Now I know no one sympathizes with the companies here...but given the litigious possibilities this law opens up, how do you think that might stifle initiatives that theoretically could fall afoul of this law? This is why I think it is akin to SOPA, which ostensibly protected the rights of content producers, but would've opened up new ways for certain companies to restrict and sue Google.


Doesn't _Organisations would be able to oppose the deletion of information if they could show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence._ take care of it?

It wouldn't be hard to argue that that tweet serves the public interest by allowing the sunlight to shine on it in public.

Obviously this is a Register article so it's light on details, but it seems to me that this is targeted at organizations and you send them a message that says, "delete everything about me" ie a collection of data, not "delete this one thing about me" ie a member of data. How that is codified into law is unclear.


So this is where you and I disagree. You are seeing this as "well, ideally, the law would be seen this way" and I'm thinking, "well, this is how lawyers will try to interpret the law to bring litigation forward"

We aren't ideologically opposed, we have different pragmatic expectations.


Read article 17 (3) of the draft regulation [1]:

The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

(a) for exercising the right of freedom of expression in accordance with Article 80;

[1] http://ec.europa.eu/justice/data-protection/document/review2...


Thanks for posting the direct link to the legislation. Two things I noted:

This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

So these are the competing interests that I was alluding to. This: when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet -- covers everyone who has ever posted something on the Internet and regretted it.

And this: for reasons of public interest in the area of public health, for exercising the right of freedom of expression -- is not at all a settled definition...freedom of expression lawsuits happen quite frequently. And speaking from the U.S. perspective, the EU's laws on free speech are quite different than the ones in the U.S.


Why would such a privacy provision spark a trade war? Is the US going to increase import tariffs because the EU legislates stronger privacy protections? This makes zero sense to me.


They are talking the talk. They (the US) are unlikely to actually walk the walk.


I don't like this trend of US sparking trade wars everywhere. In the end it's a lose-lose outcome, for both parties. Do they really not want companies to do business in Europe over this?

I think it's just an empty threat. And I really hope EU doesn't cave in to their demands. They've done it plenty of times already, and I don't remember hearing much about "US caving to EU demands".


Side rant: first 5 paragraphs of the article are nearly the same each (yeah, I know, it's a title, a lead, and 3 paras to be precise). This, plus "TRADE WAR" in capitals in the title, made me feel like on some cheap tabloid site.


El Reg is a cheap tabloid site.


Indeed, and they're distinctly aware of it, in their tongue-in-cheek way. Check out their price list! http://www.theregister.co.uk/2001/01/22/register_tariff/

It would be nice if they had a full-time web designer or two on staff, though. Site's a bit horrible.


It's fine, we will stop doing business with the USA. It won't hurt us as much as it will hurt them.


I firmly believe we need regulation to

a) allow us to know who has obtained / stored individually identifiable information about us (presumably the storing party is obliged to publicly record who they have identified and when where how - a cottage industry of letting us know will grow up)

b) allow us to block such recording - that is if we blacklist ourselves (right to be forgotten) then you cannot publish our details but must notify us at a contact point (ie email) and adhere to some wipe-orders.

c) this does not apply to warranted-supervised surveillance. But applies to governments et al.

This is not quite what the EU is proposing (there seems to be no "workability" to the proposals) but it is close.

In the end, technology has transformed a basic assumption about life - that we can only be identified by people within eyeshot. Now that has gone completely, and we need to rethink what we mean and expect from privacy.

As it has been said, secrecy is what other people don't know, privacy is what they politely ignore. We need to make sure companies are polite.


We should not go to war between EU and US, no matter what kind of war it is, even if it’s just a trade war. This mess is caused by the banks. It's history repeating itself all over again, in the 1920s there was a huge stock market boom funded by cheap credit from the banks, then the stock market crashed we got the great depression and Europe and US went to war against Hitler. Now 1990-2013 we have had cheap credit from the banks causing a housing boom, when it imploded the central planning central banks intervened creating new money saving the bankers. First the imploding house market will cause joblessness because there is less profit from housing speculation to consume for secondly the new money that the central banks give to the private banks will later cause high inflation as more money is chasing the same amount of goods. This high inflation will cause tensions high food and fuel prices, there will be joblessness but the fault is the banks. What we have had now is bank socialism, bailing out of the rich.

Same thing happening again as in the 1920s, but now it’s the Middle East. Same cause, different players. Let's not repeat old mistakes.


How is a disagreement about data protection principles anything to do with the banks?



