Businessplainer about the EU “Right to be Forgotten” and the GDPR
Hey! I’ve got a question.
I hear that Wikipedia has a bunch of answers!
No, no. I want it explained to me.
You’re very demanding. Didn’t you learn your lesson after that incident with the…
Cut the complaining and start the ‘splaining. Here’s what is happening — my boss saw an article about some new right in the GDPR and now is freaking out about 20 million Euro fines and how we’re going to become compliant. At my company, we keep a lot of data on our customers, and of course a bunch of them are in Europe. What’s the GDPR?
Fine, fine. The GDPR is the General Data Protection Regulation, a regulation passed in the European Union in April of 2016. The EU passed it because they wanted to modernize and unify data protection laws for everyone in the EU, and wanted to give people there more control over their personal data. It’s enforceable beginning in May of 2018.
In May? Eesh. That’s not far away. But what’s this “right to be forgotten” that my boss is ranting about? That sounds dubious.
That is an idea that has been kicking around in different forms in Europe for a while. It started with an old French thought, le droit d’oubli, that translates as ‘the right to oblivion’. It means that after a convicted criminal has served their time, they should be able to object to, and stop, publication of information about their conviction and imprisonment.
This view spread to other countries in Europe, and then was greatly expanded in the last several years.
But this d’oubli thing you’re talking about is completely different. None of my company’s data is about conviction or imprisonment. Tell me how this affects me. And my company!
I’m getting to that.
Beginning in 2010 and finally wrapping up in 2014 there was a series of cases moving through successively higher courts, collectively known as Costeja, where Google was sued by a Spanish plaintiff. A Spanish newspaper had published information about the forced sale of some properties to pay social security debts, at the order of a Spanish government ministry. One of the people whose property was sold, a guy by the name of Mario Costeja González, objected that when anyone searched for his name online they would get information about this sale, which he claimed was no longer relevant. The Spanish Agency of Data Protection ruled that the newspaper in question couldn’t be forced to remove the content because publication had been ordered by the government and was lawfully published. But Google was ordered to remove their links to the information.
Google was unhappy with this decision, and fought it hard in Spanish courts and then in the Court of Justice of the European Union. When it was eventually decided, Google was ordered to remove the links, and the court had established a “right to be forgotten”, which it based on the EU data protection law from 1995 that was a precursor to the GDPR.
This new right to be forgotten was said to apply to anything, not just criminal history. So, for example, young adults posting pictures of themselves making foolish decisions that might have a negative impact on their employability later in life could ask that a search engine remove the links to those pictures, even though they were posted by the person themselves.
So, the EU court said that anybody could force Google to delete links to anything about themselves that made them uncomfortable?
Not completely. The ruling said that the right to be forgotten needs to be balanced against the public’s legitimate right to access information, and it said that there is a difference between public figures and private people.
That’s vague!
Yes.
In practice, the search engines evaluate requests to delete links, and sometimes don’t comply. If a requester wants to fight the search engine decision, they can appeal to their local data protection agency, which sometimes overturns the search engine decision. For example, the British Data Protection Agency has overturned Google’s decision in about a quarter of the appeals that they have heard.
OK, well I don’t work at Google, so at least I don’t have to worry about this.
Although the language of the Costeja decision claimed that everyone had the right to be forgotten, it only seemed to require compliance by search engines. Along with Google, Microsoft’s Bing is also allowing people in the EU to request that links to content be removed.
But now, under the GDPR, the right to be forgotten has changed again. And just to muddy the waters, the GDPR also calls it the right to erasure. It’s not exactly the same as the right that the EU Court of Justice created with Costeja, and its scope — the organizations that have to comply with it — has expanded considerably. Anyone that collects or processes data on EU residents is subject to the GDPR right to be forgotten, not just search engines.
Of course they expanded this new right. And now you’re going to tell me that companies other than Google and Bing are going to need to worry about this? What companies exactly?
The law is written to apply to cases where any of the “data controller,” the “processor,” or the “data subject” is based in the EU.
The data controller is anyone that collects any personal data from EU residents.
Uh huh.
The processor is different — that is someone that processes data on behalf of the data controllers. You know, like NetSuite, Salesforce, and Oracle, or even companies like Dropbox and Google — those companies help you process your data in some way even though that data is not created by them.
And the data subject is pretty self-explanatory — the person about whom the data is collected. It can be customers, visitors, vendors, contributors, commenters, or employees who are based in the EU.
So, between those three categories, GDPR applies to pretty much every online company? What is the definition of “personal data”? That could mean almost anything! Maybe they are just talking about medical stuff?
It definitely includes medical data, but it’s a lot more than that, including things that a lot of people aren’t even aware of about themselves, like their computer’s IP address. To explain, the European Commission defined it as:
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”
That’s still kind of vague, but we definitely collect some of that information.
Everybody does.
How do I get out of this? My company is not based in Europe! This can’t apply to me!
That’s actually a complex legal question. If you think that this doesn’t apply to you even though you maintain data on EU residents, then I’d recommend that you talk with an attorney who is skilled in international law for guidance. What does seem quite clear from the way the European Union wrote the law, from the EU’s actions, and from the ruling in the Costeja case against Google, is that the EU and their courts will consider the law as applying to anyone like your company that keeps or processes any personal data on residents of the European Union, regardless of the location of their headquarters.
So what exactly does the GDPR’s version of the right to be forgotten require us to do?
The GDPR has a lot of different elements. I’m just going to talk about what it says about the right to erasure. Similar to the Costeja ruling, under the GDPR an individual can ask for their personal data to be removed from wherever it’s being held — server databases, desktop computers, the cloud, systems used by your vendors and contractors, backups, etc. The GDPR also requires organizations to erase data by themselves, without anybody making requests, in some circumstances.
Under Costeja, the data had to cause the individual damage or distress. Under the GDPR, that requirement is gone; the individual just needs to withdraw consent to you holding or processing their data.
Someone asks and then we just have to do it? Erase bits of our data?
You have to comply, “without undue delay”, and remove the data when it’s no longer needed for the reason it was originally collected or processed. Or you have to remove the data if the subject of the data removes his or her consent to you having it and none of the exceptions that I talk about below are relevant. Or you have to remove the data if the data was unlawfully processed. Or you have to remove data if you’re required to by a legal obligation. Or you have to remove the data if the subject was a child when the data was collected.
If your company made the data public and you later remove it, you are required to take reasonable steps to ask other processors to remove the data as well.
For example, let’s say that your website has a blog post about Joe Smith, a resident of the EU. After some time, Joe objects to the post and invokes the GDPR’s right to erasure. If you comply with Joe’s objection, then when you erase the article, you also have to contact other websites that you know that copied the post from you and ask them to remove it, too.
But, there are a bunch of exceptions! You might be able to leave the data intact if removing it conflicts with the right of freedom and expression, if you need to keep the data to adhere to legal requirements, if the data is in the public interest in the area of public health, if the data is needed to support legal claims, or if the data has a scientific, historical, or public interest archiving purpose.
In other words, the requirements are open to interpretation, and there are exceptions to the rules that can contradict the requirements. And was that penalty that my boss was freaking out about — 20 million Euro fines — even true?
That’s the fine for smaller organizations. The penalty for violations of the Right to Erasure is €20 million or 4% of worldwide annual revenue of the previous financial year, whichever is higher. So bigger companies pay more.
Does it apply to all of our data on someone?
Yes. If you use third-party services to handle billing, customer support, sales, analytics of how your website or product is used, data backups, etc., you will have to remove the information of the requesting user from all of those places. Even if some of that data isn’t under your direct control or is offline, like with backups.
How can I do this? How can anyone do this?
Well, start by figuring out all the places — all the systems — where your company keeps any personal information on individuals. Don’t limit it just to vendor and customer or potential customer information — if you or your processors or any employees are in the EU, then your HR data can fall under the right to be forgotten as well.
When you’ve got a list of where personal information is kept by your company, then figure out how you can delete it everywhere it lives, when you need to. Don’t wait until the enforcement starts — since you’ve got to be able to erase records ‘without undue delay’, you’d better be ready for this before those penalties start.
And while you’re at it, set up the procedures for deciding what needs to be removed, and for removing information from your records when you no longer need it, even if you aren’t specifically asked.
But you still haven’t told me HOW. I mean, what do I do about data, and removing data, that’s all over the world in different systems, some of which I don’t even control? And freaking backups, too? Sheesh!
Well, it can be done manually, but mistakes — and not removing the data everywhere — can be expensive.
One really great way to control data spread out on a lot of different computers, including backups, is to do it using encryption keys and public key cryptography. The GDPR strongly encourages encryption of the data for security purposes anyway, and separate private keys for each record give you some almost magical fine-grained control.
With the right system, you can revoke access to a specific user’s data no matter where that record is kept and on however many different systems. Once access is revoked, the data is unreadable and inert.
Unfortunately, systems like these are incredibly difficult to build.
What about that backup tape that’s sitting in a storage basement?
This approach works even on backups in cold storage. The user data on those tapes is encrypted and the keys aren’t on the tape. Without the keys, the data is unreadable no matter where it is!
That sounds kind of amazing! Who has a system where you can do that?
IronCore Labs has sophisticated crypto-backed access controls that can be revoked at any time regardless of where data is stored. Sign up for the beta and learn more at https://ironcorelabs.com.
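The key-based erasure described in the last few exchanges (one key per record, revoke the key and every copy of that record becomes inert, backup tapes included) is shown below as an added example. It is not part of the original post and is not IronCore Labs' code. It uses Go's standard-library AES-GCM with one random data key per record held in a separate key store; the KeyStore and Record types, the record IDs and the sample customer data are all constructed for the example. The post talks about public key cryptography; this example uses symmetric per-record keys, which demonstrates the same "erase the key, not the copies" property with less machinery.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one customer record as it sits on a primary system, at a vendor,
// or on a backup tape. It carries only ciphertext: the data key is never
// stored alongside it. (Type constructed for this example.)
type Record struct {
	ID    string
	Nonce []byte
	Data  []byte // AES-GCM ciphertext followed by the authentication tag
}

// KeyStore holds one random 256-bit data key per record ID. In a real
// deployment this is an HSM or a KMS that backups never include; here it is
// an in-memory map (constructed for this example).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// ErrKeyErased is returned for every copy of a record whose key is gone.
var ErrKeyErased = errors.New("data key erased: record is unreadable")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh per-record key, keeps it in the key store, and
// returns the sealed record that may be copied anywhere.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) (Record, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Record{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	// The record ID is bound as associated data, so a ciphertext cannot be
	// re-labelled and opened under a different record's key.
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	ks.keys[id] = key
	return Record{ID: id, Nonce: nonce, Data: ct}, nil
}

// Decrypt works on any copy of the record as long as its key still exists;
// after Erase, every copy fails identically with ErrKeyErased.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	key, ok := ks.keys[r.ID]
	if !ok {
		return nil, ErrKeyErased
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Data, []byte(r.ID))
}

// Erase is the right-to-erasure step: destroy the key rather than chase the
// scattered copies. Zeroisation is best-effort in a garbage-collected language.
func (ks *KeyStore) Erase(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

// Clone simulates a backup: a byte-for-byte copy of the ciphertext elsewhere.
func (r Record) Clone() Record {
	return Record{
		ID:    r.ID,
		Nonce: append([]byte(nil), r.Nonce...),
		Data:  append([]byte(nil), r.Data...),
	}
}

func main() {
	ks := NewKeyStore()
	// Constructed sample personal data (documentation IP range, example.com address).
	rec, _ := ks.Encrypt("joe-smith", []byte("Joe Smith, joe@example.com, 198.51.100.7"))
	backup := rec.Clone() // the "tape in the basement"
	pt, _ := ks.Decrypt(backup)
	fmt.Printf("before erasure, backup reads: %s\n", pt)
	ks.Erase("joe-smith")
	_, err := ks.Decrypt(backup)
	fmt.Println("after erasure, backup copy:", err)
}
```

The property the post relies on only holds if the key store is genuinely separate from everything that gets backed up or shipped to vendors: a backup that snapshots the key store alongside the records re-creates the problem. Per-record keys also mean that erasing one customer leaves every other record readable, which is what makes the approach practical at scale.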
Image credit: DocChewbacca (CC BY-NC-SA 2.0)