'Right to be forgotten' may not be enforceable, UK Culture Minister says

Out-Law News | 14 Nov 2011 | 2:49 pm | 6 min. read

EU member states will not be able to guarantee that individuals' personal data has been deleted from the internet even if the 'right to be forgotten' is introduced under new data protection laws, the Culture Minister has said.

Ed Vaizey said that introducing a 'right to be forgotten' into a revised EU Data Protection Directive might give "false expectations" to people who would seek to have their personal data deleted under the new regime.

"We support the idea that consumers should have more control over the processing of their data. And of course we support greater transparency. But we also need to be clear about the practicalities of any regulation," Vaizey said in a speech earlier this month.

"For example, how do we enforce the ‘right to be forgotten’ when data can be copied and transferred across the globe in an instant? No Government can guarantee that photos shared with the world will be deleted by everyone when someone decides it’s time to forget that drunken night-out. We should not give people false expectations," he said.

Last week EU Justice Commissioner Viviane Reding said that individuals would have a right to force organisations to delete the personal data they store about them under a revised EU Data Protection Directive. Formal proposals for the new laws are set to be announced before the end of January.

Vaizey also questioned proposals outlined by Reding to make non-EU based companies subject to the new data protection laws if they stored EU citizens' data in "the cloud".

Cloud computing refers to the storage of files and programs on an internet-based network rather than on local computers.

"We agree; data should be processed in accordance with expectations of privacy in Europe," Vaizey said. "But we need to be aware that questions of liability could jeopardise the ability of European firms to use the cloud for data processing and storage. We should question the logic of trying to make firms outside of the EU subject to EU law," he said.

Vaizey said new data protection laws should not "stifle innovation" and must be "future proof".

"It is all too easy for directives to become irrelevant when dealing with a medium as fast moving as the internet," Vaizey said. "We need to ensure that the international transfer of data, so critical to economic growth, can continue. And we need to ensure that changes are both practical and proportionate."

"Good data protection laws will allow innovation to continue, and technologies like the cloud to flourish while also ensuring appropriate protections for people’s personal data," he said.

In his speech at the Internet Advertising Bureau (IAB) in London, Vaizey defended the UK's approach to implementation of new EU laws on 'cookies'.

Cookies are small text files that websites store on users' computers to remember their activity on the site. The Privacy and Electronic Communications Directive (E-Privacy Directive), from which laws governing the use of cookies are drawn, states that storing and accessing information on users' computers is generally only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

The E-Privacy Directive was implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain "informed consent" to tracking users through cookies.

The Information Commissioner's Office has previously issued guidance on how website owners can comply with this requirement, but it has left it up to individual companies to choose methods they believe comply with the laws. The Government is working with browser manufacturers to come up with a way to gather consent via browser settings.

"I believe our approach to implementation has struck the right balance by keeping in mind the original intent of the directive, complying with the letter of the law and also being flexible enough to allow business to find solutions which suit them best," Vaizey said in his speech.

"The key is finding solutions which engage users. There is no point in putting a block of text and a tick box in front of users. People will simply ignore it and click through. The consequences of users being forced to make an uninformed decision on something which can so profoundly affect the internet economy are potentially dire," he said.

Vaizey praised the advertising industry for developing its framework around online behavioural advertising (OBA) and said the self-regulatory code established by the IAB Europe (IABE) and European Advertising Standards Alliance (EASA) earlier this year formed a "crucial part" of the measures needed to comply with EU laws on cookies.

"The IAB’s Online Behavioural Advertising (OBA) Framework ... offers users further information about the ads they are seeing without doing so in an obtrusive or disruptive way. And it is a fantastic example of the willingness of industry to work together to find solutions which suit both business and users," Vaizey said.

"The OBA framework is an essential element of a series of measures being taken across industry, which we believe will give users more control over their privacy online," he said.

Under the IABE and EASA code, website operators must give users access to an easy method for turning off cookie tracking on their site. The code also requires operators to make it known to users that they collect data on them for behavioural advertising.

Operators must also publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.

Companies that adopt the code will also have to display an icon telling users that the adverts track their online activity. Through the use of the icon web users will be able to manage information preferences or stop receiving behavioural advertising via a new pan-European website, www.youronlinechoices.eu. A user can click on the icon to see the relevant information. The initiative is supported by many leading content providers, including the BBC, Financial Times and Telegraph Media Group, as well as AOL, Microsoft and Yahoo!

The code has been criticised by EU privacy watchdogs. The Article 29 Working Party has argued that internet users' consent to cookies can only be deemed to have been given through statements or actions, rather than "mere silence or inaction", which it says does not constitute valid consent.

However, Vaizey defended the code and said it was important that website operators and browser manufacturers also help users exercise control over their privacy.

"The OBA framework is a crucial part of our package of compliance but it is not the only part. Obviously this isn’t only about advertisers," Vaizey said.

"Publishers (website owners) and Browsers have a big role to play here too. Publishers are just as responsible as advertisers for the cookies they place on a user’s machine. So they should do what they can to make the user aware of the cookies they use and consider how best they can seek consent from users especially if they are particularly intrusive. Browsers are also a crucial part of this, they are the natural place for users to exercise control over their privacy settings and by extension are a means to signify consent. We are working closely with browsers to find ways of ensuring users have increased and easy to understand controls, and easier access to those controls," he said.

Vaizey said that internet users need easily accessible information about why their data is collected and for what purposes, and that they should have "easy to use controls" to modify what information is collected about them.

"People give companies their data because they trust that those companies will not abuse or misuse that data and it is essential that people do not lose that trust in the future," Vaizey said.

"Behaviourally targeted, or preference based advertising is an incredible innovation that can be of huge benefit to both business and to the consumer," he said. "But it needs to be done right. Users should not feel stalked around the web by companies wishing to sell them something. Users should be able to understand why they are seeing the ads they are seeing, who is responsible for that ad, and be able to exert a level of control over the extent to which ads are tailored to their preferences."

"It is important that this is done in a way that allows consumers to genuinely engage with the process and be able to make informed decisions about the information put in front of them," the Culture Minister said.

"Users should not be forced to make a decision about something they don’t understand and may or may not care about. But that does not mean we shouldn’t give users the ability to make those decisions. There needs to be easy to understand information and easy to use controls in place so users can make those informed decisions and exercise their right to have complete control over their data and their privacy online," he said.