Now you see me
In 2014 the Right to be Forgotten ruling against Google was made. Individuals have the right to request that on line sources remove links to information about them that they believe is detrimental to their life and/or wellbeing. This has now been re-articulated in the GDPR – Global Data Protection Regulations.
I spent a while looking through documents about this specific part of the Data Protection Act and to be honest it’s confusing and my head was most definitely hurting. In some cases the Human Rights Act has been jointly cited, just to make things even more complicated. It also seemed to me unclear whether the search engine that removes the link is required to inform the publisher of the document that the link has been removed, because in most cases the ruling has only covered the search engine – the document still exists, but it’s harder (not impossible?) to find it. The latest interpretation of the GDPR legislation also states that the online host is not responsible for user generated content as they are not the legal controllers of that content – Twitter users beware.
But how far does the right to be forgotten go and how can we realistically meet the legislative requirements?
Over the years the most common request from a consumer has been “remove me from your database”. A perfectly reasonable request and one which I will always, without hesitation, react to. The problem I have is that I can’t do it.
Let me explain. The right to be forgotten is unquestionable but in terms of data protection the wording causes complex issues. If I am a search engine and you put in a request to be forgotten, what you’re asking for is for people not to be reminded of you or an event that involved you. To action this (and if those crazy Google guys and gals are reading this, apologies for my simplifying of the tech side of this – please don’t hate me!) I can remove the code that grabs your information (the reminder) when the right search terms are put in. Now you no longer appear.
The logic is fairly simple – no reminder = removal of link.
However, if I am a sales or charity database and you want to be forgotten I have to ensure that you are not removed but are suppressed. If I go and legally buy some data for potential new customers or supporters, the first thing I want to do is remove anyone I already have on my database (I don’t want to waste money buying something I already own). The very next thing I must do is to ensure I remove anyone who has specifically told me they want me to cease and desist all communications with them.
You can see the problem.
If I don’t retain your information on my database I can’t know that you have requested a ‘do not contact’. I have no choice but to keep your details but make sure you are not contacted (very easy to do on a database).
To be frank this makes me uneasy because it feels this part of the law creates a legal paradox; to enable an individual their legal right to be forgotten, you have to retain their data in order to exclude them thus violating the law that you are trying to adhere to. My head really is hurting now.