The European Union’s “Right to be Forgotten” rule is a privacy benefit for EU residents but a major headache for search engine providers. As such, search providers (namely Google) have been fighting with European courts about the extent of the rule’s reach. Google has argued over the years that each country—and by proxy, each search engine which operates in that country—has the right to decide for itself (presumably based on its citizens’ wishes) the appropriate policies for privacy and freedom of expression. The EU, for its part, has said that control over data should be governed by data owners: citizens themselves.
These differences of opinion have bumped up against one another in the past, causing delays in both removal of private citizens’ information and refusal to remove information from search engine results in countries where the requester did not reside. Now, the Court of Justice of the European Union is set to rule on the extent of the law’s reach. In other words, when an EU resident requests his or her information be deleted from a search engine, will that apply only to the search engine for the country in which he/she resides, or will the search engine be required to scrub data from all its entities?
Privacy, itself, is a topic viewed very differently in the U.S. compared to the EU. As a result, geographic rules and regulations have followed suit in accordance with each region’s attitudes and feelings. The internet—a borderless communication mechanism—has significantly blurred the lines over what can be published, shared, and retained about individuals, and the average citizen can do little to nothing about that. Even when an EU resident is successful in his/her bid to have information removed from search engine listings, that information is not “gone.” It’s simply hidden from public results. Similarly, when a person (EU or otherwise) requests to be “removed” from a company’s email/marketing/PR communications, that person’s information is not wiped out of the system. In the vast majority of cases, the person managing the database containing the requestor’s email address simply checks a box that disqualifies the requestor from receiving email communications. The email address and associated information (which can be quite extensive) remain in the database, and the data owner—the requester—can do nothing about it.
Now, some people might argue that we all give up data “for free.” In other words, no one says anyone else must shop, bank, or conduct business online. In today’s society, however, it is all but impossible to keep one’s information out of internet-connected systems. For example, if you live in a house that has electricity, whether or not you choose to pay your bill online, your provider stores your information in some internet-connected system. This is only the most basic example. What does it have to do with “right to be forgotten,” though?
Right to be forgotten is a great concept…to an extent. The idea is to allow citizens to keep data associated with their person confidential. While many people reading this blog are surely information security practitioners and know how to find “hidden” search results, most ordinary citizens don’t or don’t care to. Let’s face it, 75% of internet users don’t even scroll past the first page of search results, so why all the hullabaloo around removing personal data and information?
For one thing, the more data an organization—be it a search engine, an electricity provider, a retailer, or your doctor’s office—stores, the more it has to lose. Though businesses argue that more data equals better customer service (i.e., the more information the business knows about its customers, the more effectively it can serve/tailor services to individual needs), the reality is that the number of people who would request removal of their data is quite small. Google, the largest search engine on the planet, has only received about 590,000 requests over 3+ years. Even the biggest businesses in the world store a mere fraction of the data Google has, meaning they might receive—maybe—a few dozen requests per year. That’s nothing in the grander scheme of things, even for accuracy in business intelligence and data analytics.
If the Court of Justice rules in favor of cross-border deletion, EU citizens will win big when it comes to data privacy. However, even with “right to be forgotten,” companies are permitted to store data in internal systems after it has been removed from public accessibility. With GDPR on the horizon, EU companies must take extra steps to secure that data, even if it isn’t technically “active.” At the end of the day, these extra steps and the privacy ruling are of benefit to information security. Though security and privacy are often viewed by security practitioners as separate functions, each has implications for the other. In the U.S., where privacy is considered an entitlement, lawmakers are wary of taking bold steps similar to the European Union’s. However, keeping in mind that cybersecurity is becoming an increasing concern among politicians and private sector citizens alike, a “right to be forgotten” bill could prove beneficial. But it has to go one step further. To truly be effective, individuals must retain the right to have personal data removed from organizations’ systems if the data is no longer relevant, is inappropriate, or is out of date. Doing so will decrease the number of records that may be breached or stolen, improving outcomes for all.
Once again, the number of U.S. citizens who might take advantage of this benefit is TBD, but likely minimal, resulting in a small amount of work for data handlers. (In the entirety of the EU the numbers have been limited, to date.) The fact is, though, the fewer data that are available to be lost or stolen, the fewer data that will be lost or stolen. Security already has a big enough job, and the amount of data amassed isn’t decreasing any time soon. However, if citizens gain a right to insist on the removal of their data from organizations’ systems (provided they are not currently doing business in any way with that organization), security teams will have less to secure. At the end of the day, securing a database with 10,000 names versus 100,000 records isn’t going to change the security controls around that database. Nonetheless, when that database with 100,000 records is leaked/breached/stolen, the consequences are going to be higher than if only 10,000 records were leaked/breached/stolen. Now multiply the issue over 10, 20, 50 business systems your organization uses every day.
Leaving aside the privacy issue (which is controversial), giving individuals better control over the removal and usage of their personal data benefits information security. That is, if you don’t have it, you can’t lose it, and if you can’t lose it, risk is diminished. At the end of the day, security professionals have enough to worry about without having to consider the reams of inactive data that may have been purchased by the marketing team from some questionable third-party list provider. Or personal information from someone who registered to watch a webcast 8 years ago but hasn’t interacted with your company since. And the list of “why do you still have that data” goes on.
At the end of the day, people should be able to decide for themselves what information is accessible or retained by others. If this decision results in fewer records and less personal information at risk, everyone wins.