EU Justice Commissioner Viviane Reding will imminently table a draft bill that will – if passed in Parliament – require internet firms to be upfront about the user data they hold. The proposal has already been slammed by many businesses in the UK, where opposition to the draft regulation has been particularly fierce. Reding's " …
Business only has its own arrogance and greed to blame. In wanting to know more and more about us in the mistaken belief that we are all "marketing opportunities" they have highlighted their invasive and intrusive appetite for every crumb of information about us.
Well... its MY information.... not yours to take, I am not a marketing opportunity and I object to having my movements and interests categorized by companies that do not have my explicit consent to profile me.
Go find a real business model and stop leeching off of society.
Are they human?
One does wonder sometimes: who are these "business" people? They often seem to be so anti-people that I wonder if they are human themselves, have got families, human friends or do they just hate the world and all that is in it?
It does seem that as soon as they see anything that may cost them something, they forget completely that they too can benefit, whether it is privacy laws or climate change research. As far as they are concerned, so it seems in many cases, decency, quality of life, common sense and individual freedom go out the window if it may interfere with some outdated notion of "profit".
I suppose the real problem is that one can go into business with no requirement for sense, intelligence or decency. Indeed, those who seem to do well in business all too often seem to be completely deficient in those things that make us human.
If they were really clever, they would seize the opportunity in each change.
Why does anyone even bother to consult them or listen to them on anything outside their immediate competence (which rarely includes data privacy unless it is business data)?
' "While attractive to users of social networks, it will apply generally and will require many organisations to re-engineer business processes and technologies. '
Oh you mean as a benefit to the customer for a change, and not for the benefit of the company involved? You mean that might mean that scumbag ad agencies cannot trace and track you over the course of your browsing from site to site thus fucking up all their demographic tracking stats?
Oh my heart bleeds!
Fuck you EA
EA claims it's impossible to remove an EA account setup by hackers in your name when they stole your Xbox Live account. You don't know what details they used so you can't authenticate it..
Right to be forgotten
As I understand it the business process that needs to be changed is the one that says, when request received from Joe Bloggs, press delete key to remove details or simpler still, install delete button to press to remove all trace of Joe Blogg's details on this system and associated systems where data may be stored.
In reality business simply sees people as walking/browsing money ATMs to be exploited to the max. The idea that business is designed to meet the needs of the customer is long gone, business is designed to meet the needs of the company, and their need is to wring every penny possible from the customer.
>>"As I understand it the business process that needs to be changed is the one that says, when request received from Joe Bloggs, press delete key to remove details or simpler still, install delete button to press to remove all trace of Joe Blogg's details on this system and associated systems where data may be stored."
A fair amount of the time, it might be a case of 'making inaccessible' rather than deleting - a company I actually financially interact with can't wipe details of transactions as long as they might need to keep them for other legal reasons, but they should be able to limit access to them to only the legally-necessary ones.
Even when it comes to stuff like social networking where I hadn't been involved in any financial transactions, there would be a couple of issues.
Firstly, while having a delete button might be something many people would want, deletion might also be something that many people would want to be able to make difficult.
It'd be one thing if someone could have their phone picked up and someone make a facebook post in their name, but another if the office prankster could wipe out their entire history with a few clicks.
Some kind of initial data hiding on first request and subsequent erasing after a suitable confirmation process might be a workable solution, maybe giving people the option of deciding in advance how hard or complicated they want giving consent for deletion to be.
The hypothetical teenager regretting stuff they posted in the past is principally concerned with other people not being able to see it - exactly when the data ceases to exist might be a much less important thing to them.
Secondly, content may have to be kept (albeit inaccessible) for some amount of time even if the user clearly does want deletion.
If a person could set up an account and bully someone else, or libel them, or give their address and claim they're a child molester, that data, even if made inaccessible, might need to be kept for legal reasons - it might be that there'd be some limbo period legally required before any data truly could be wiped, even if it could be instantly hidden on user request.
Re: Right to be forgotten
Actually, in reality, idiots massively over simply things.
If you've got a site containing data on many people who are inter-related by company and other groupings and some of that data is financial and some is personal and some is shared based on said relationships / groupings how the hell does identifying, let alone deleting, what can be deleted of a single individuals data "seem fairly straightforward"?
Or are you incapable of understanding that just because you can't think of a reason it doesn't mean there is none?
If a lot of people are complaining about something that seems trivial to you, there are two possibilities, either they are _all_ idiots, or just you are.
Of course, you could just fall back to puerile whining about "business" and "they"....
What a lovely mess.
Businesses *claim* that it is impossible, and that laws forcing them to "forget" you are draconian. That's because there's no money in it.
These same businesses have all figured out and established data retention policies in order to systematically remove data that could be used against them in the courts that they are no longer legally required to keep.
When there's money in it, they can conform to the law. When there isn't, they claim they are unable to -- much as they did with the storage of identity information they had no right to, such as social security numbers. Once there was teeth in the regulations, meetings were held, databases were changed, and the world did *not* implode as claimed.
I, for one, welcome an age when businesses can be compelled to delete data they have no right to -- for example, browsing information. I remain unimpressed by their arguments, having unfortunately subscribed to a magazine or two that sold my personal information on, and on, and on -- easy to tell because of the unique mis-spelling of my name appearing on all kinds of garbage in my mailbox. In the meantime, I will go on using randomizers and deleting cookies just to screw with their data.
Fail icon for the unethical businesses and their apologists to print, cut out, and paste on their foreheads.
>>"I, for one, welcome an age when businesses can be compelled to delete data they have no right to -- for example, browsing information. "
And who here was suggesting that they *should* keep data like that against someone's wishes (assuming they're not compelled to keep it for some period by law)?
Voluntary? Er... no.
"...whether this additional requirement is really worthwhile given that individuals' personal data are so widely and voluntarily made available on the net."
Your data "widely availabale" - yes,
"voluntarily available" - you must be joking.
It's almost impossible to use the internet these days without having to "agree" to endless web sites endless T&Cs. All of which can be changed at a later date and it's your responsibility to check if T&Cs have subsequently changed.
...and a large number of clueless pillocks giving away their own privacy for any reason, voluntary or not, should not affect MY rights or make this 'not worthwhile'. Getting away with this for so long does not make it right.
How will Google wriggle out of this one?
Punter to Google: "I have a legal right to be forgotten. I want you to remove my name from all of your Search Results, your databases and any other files you hold on me. Because you offer a service in the EU, the EU law says you have to remove name from all of your systems worldwide".
Otherwise Google get fined X% of Revenue for each and every offence.
>>"Punter to Google: "I have a legal right to be forgotten. I want you to remove my name from all of your Search Results, your databases and any other files you hold on me. Because you offer a service in the EU, the EU law says you have to remove name from all of your systems worldwide"."
I can't really see that being remotely practical for various reasons.
Firstly, what if 'John Smith' complains?
Google will reply that it simply reports source information from elsewhere on the web, and it is the responsibility of the source to delete content.
In all fairness, this would also solve the 'John Smith' problem by requiring identification of the offending source
Same old same old
As soon as someone says "in the present business climate we cannot afford to <insert requirement here>" you know they are talking shit. If these "businesses" treated personal data properly from the word go they wouldn't have any problems.
Harmonising regulations across the EU will over time save businesses engaged in cross-border activities, and for websites that means pretty much everyone, currently has to check the rules for each country. The spooks won't like it because they currently rely on poor levels of data protection for there more or less nefarious actions "defending us" (usually from ourselves but, hey, let's not be picky.
What about backups?
So I back my customer database up and after 3 years of Fred Bloggs being a customer I am forced to forget him.... from all of my backup tapes? Really?
What about from my accounts system? Suddenly I've got loads of invoices with no customer details - HMRC are going to be cool with that? Really?
I understand the principle and in theory its good news for users - I mean every damned website I buy stuff from wants waaay too much "account information" for a simple financial transaction, I'd dearly love to go clean up and prevent their next website breach taking my details, but...
This stuff obvioiusly comes (being EU) from the lunatics on the continent who are paranoid to the extreme about "privacy" but this isn't realistic to implement is it?
I see we've gone from this story to the actual release of the draft law on El Reg now... so guess all the complaints in this story here will be ignored.
Backups -- troublesome, but doable. Better buy another tape drive or two. If backups are disc-based, it's easier. Get some batch jobs running, and be ready to mount/dismount the media.
Invoices with no customer details -- a non-issue. The right-to-be-forgotten applies to individuals, not corporations.
I have a hard time believing HMRC requires customer personal information on every Joe and Jaqueline who stops into a convenience store and buys a packet of crisps. You have the cash register tape with the purchase amount and date/time, and that's good enough.
It's *businesses* who buy train-car-loads of stuff, and the info on the invoice you produce for HMRC will have that business' info, which is not subject to this regulation.
...lunatics...paranoid -- your values aren't necessarily other peoples' values.
realistic to implement -- Companies which did NOT rush to hoard up (and sell on) peoples' personal data will be LEAST affected, which is how it should be.
It's like the company who went the "cheap" way and dumped their low-level radioactive waste in a lined holding pond -- which was located on a flood plain. The company took the profits, at the expense of others. Years later, when the government finally figured it out ("You're doing what?! Move that shit!") , the company screams and cries about how many millions of dollars it will cost them to move it to an approved holding facility. Tough noogies. They did the deed, they bear the (current, higher) costs of cleaning that up .
"Backups -- troublesome, but doable. Better buy another tape drive or two. If backups are disc-based, it's easier. Get some batch jobs running, and be ready to mount/dismount the media."
Lets see, your details are in a DB which is dumped and backed up every week. so I need to restore the DB from tape, load it up, delete the details and then resave to tape. Repeat for every week's tapes for X weeks/years.
then punter B comes along and requests the same thing, so I start again. Like painting the Forth Bridge.
Going to take more than just another tape drive or two to comply, going to take considerable manpower also. and a lot of spare disk if you have big DB's.
What someone else suggested was ensuring that the data is encrypted and then forgetting the key - making the data inaccessible would be a lot easier that removing it.
Anonymous for obvious reasons
Impossible to implement.
There's so many legitimate reasons why organisations need to keep SOME of your data for varying amounts of time, including legal and regulatory obligations, not to mention its relationship to other peoples' data and the fact it might be useful to the customer later on.
Going back to the SOME bit, this would involve an analysis exercise the scale of which is unheard of in business to decide what can be kept and what can go, and with the legal department having to be involved at every step this would be the mother of all projects for many large organisations and they WOULD get lots of it wrong. Information is often stored across a multitude of systems, often replicated and often in disagreement between systems. Most organistaions don't understand what data they hold and how it moves around and relates to other data.
It would also apply to central and local government so think of your council tax bills for a minute.
Not saying it doesn't sound like a nice thing in principle but in reality it would fail.
Right to be forgotten: what about credit reference agencies?
Does the right to be forgotten include the right to have unflattering data removed. For example, can a person with a poor credit record force the credit rating agency to delete it? What about the right to be removed from CCTV footage? Or the right to have one's data-retention-act-mandated logs deleted.
Or even giving some teeth to the rules on criminal records expiring (many police forces aren't good enough about this).
This law might do some good if it were targeted at government and commercial agencies, rather than just at facebook.
Aside: would it also make companies fish out their backup tapes to delete data from them...
"...whether this additional requirement is really worthwhile given that individuals' personal data are so widely and voluntarily made available on the net."
It is certainly worthwhile when some teenager's ill-thought out LOLs on facebook or whatever that may have been voluntary at the time then haunt them for years in the job market - the ability to retract 'voluntary' data, posted by you, copyright you, should be fundamental.
I everyone is getting a bit pararnoid here...
The new law would have to include provisions for exclusion of data that a company IS LEGALLY BOUND TO KEEP (for 7 years currently). Such as when any financial transaction takes place, product registration, taxes, social security, etc., etc., so this will mostly affect all these marketing tracker twats, rather than legitimate business!
Personal data should be defined as belonging to one or more layers...
LAYER 1. Data required to be stored for reasons of basic business law.
E.g. you can't demand that the information Amazon need about you for their financial records be "deleted"; that'd be illegal as it violates the integrity of their customer sales database. How can they know what their tax liabilities are if a bunch of their invoices and receipts have error messages where the purchaser's details should be?
This is basic business and finance.
LAYER 2. Data that is legally required to be stored for Data Retention laws, but which can be safely hidden from public view. This is data law enforcement offices may need to access. Checks and balances are needed to ensure this privilege is not abused.
This layer is for data that is used to answer questions like: "Was Suspect A _really_ messaging Person B when the murder took place?"
In a society increasingly reliant on IT, we do need _some_ level of data retention, or the police's job becomes effectively impossible.
LAYER 3. Data which should NOT be stored UNLESS specifically sanctioned by a legal mechanism, such as a warrant issued by a judge.
This includes—for example—text messages sent via IM protocols.
There's no justification for having such conversations recorded in perpetuity by a central server: text messages take up very little storage space and, should a user at either end of the conversation desire a permanent record, there's nothing to stop the client software doing the recording itself.
If law enforcement officers really do need to see what two potential suspects are discussing, they should require a warrant to have such conversations 'tapped' and recorded by the central server, just as is already the case with telephones. However, they do not have the right to demand every word you've ever written since you signed up.
A point to note is that, in order to prove Suspect A's alibi—that he was chatting via Skype with Person B at the time the crime took place, for example—it is only necessary to know that Suspect A _was logged into Skype and sending IMs_. It is _not_ necessary to know details about the actual conversation.
Hence the "layers": a telephone company will usually log when a call was placed, to which number, and for how long, but they don't record the conversation itself unless specifically asked to do so by a suitably worded warrant. And even then, they only record conversations for the period _after_ that warrant was issued, until its expiry.
Any new data protection system needs to take all the above layers of data into account. Lumping all personal data under the same label will never be workable.
Falls at second hurdle
Your layer 2 - "keeping personal data in case the authorities need it" is also "preventive snooping" and as such not in line with *existing* human rights legislation in many countries, though most notably in Germany where the Constitutional Court found the requirement for ISPs to store IP addresses for 6 months as unconstitutional noting in passing that snooping is always possible providing a warrant is obtained from a court where a judge agrees that there are reasonable grounds for suspicion.
Surely, you're excluding a lot amount of data with your 'Levels', such as data which doesn't necessarily (currently) need to be kept for legal reasons, but which by its very nature *is* likely to be stored indefinitely, like social networking/forum postings, etc?
And as for privacy, a lot of the motivation regarding 'the right to be forgotten' relates to stuff where there specifically /isn't/ an expectation of privacy at the time of creation (like people's old social networking postings, where their worry comes from the fact that anyone might be able to find them).
Effectively the regulations are substantially about granting an ability to people to require that the level of privacy attached to some pre-existing data relating to them is increased, potentially to the point of deleting the data.
'While attractive to users of social networks, it will apply generally and will require many organisations to re-engineer business processes and technologies.'
I would have thought the answer was fairly obvious.
If it costs a business to manage the data in compliance with the laws/regulations and the business does not wish to pay that cost, don't collect the data in the first place.
So, let me get this straight...
""The old adage of 'Be careful what you wish for' is apt in relation to the proposed rewrite of data protection laws. Companies have been struggling with unharmonised regulation across Europe for years, but the Commission's focus on the rights of the individual has resulted in some ideas that are widely seen as unworkable or which will lead to significant costs," said Jane Finlayson-Brown, a partner in Allen & Overy's data protection team."
So, Jane, lemme get this straight: Legislation that focuses on the rights of the individual is unworkable. Does that about sum up your twaddle-spurt?
"Oyez, Oyez, Hear Ye ..."
"I hereby demand that all knowledge of me be erased from the minds of the villagers, or I will dob them in to the Lord of the Manor. For His Lordship decrees that all citizens have a 'right to be forgotten'."
Meanwhile, in the real world I suspect most citizens are more concerned about businesses losing their data than keeping it. I believe the Hindus have something to say on this, although I doubt the EU bosses have consulted them. Anyway, more sinecures for their pals in yet more glutinous layers of spider-web bureaucracy, plus a vocal mob of surface-feeding Euro-citizens cheering for the EU, will please the unelected Euro-bosses. And who are we to question that?
I suppose a lot comes down to what's counted as 'personal information'.
If someone participates in a forum under their own name and later decides to leave, do they necessarily have a right to delete all their old posts irrespective of any agreement they signed up to regarding ownership of posts, or merely to have their identity changed from 'John Smith' (or, worse, 'Valentine VeryRareSurname') to 'deleted user #nnnn'.
If they should have a right to delete their posts, what about bits of those posts that someone else quoted, or other people's posts referring to them by name?
What is the limit of what is 'theirs' to delete?
Reading the posts here, and the original article, it strikes me that people have a very unrealistic view of how businesses work. The focus of most businesses is on making money, this is, as they say, what makes the world go round. For every business making mega bucks there are thousands making a passable profit, these businesses are, in total, more important to the economy and jobs than the biggies but they are also less likely to have the resources to implement and manage this type of legislation.
People seem to point at targeted ads. in these debates and use this as evidence that business is evil, now I hate targeted advertising that tracks my activity from site to site, but this is one of the most in your face and easily targeted problems, also one of the easiest to fix (adblock, private browsing etc)
'm not saying the laws don't need reviewing, but let's keep it real for everyone's benefit.
For those in doubt;
[making money] != [killing babies and eating puppies]
People who complain about businesses making money (and therefore driving the economy) remind me of teenagers who complain that their parents are ruining their lives and then ask for a tenner and a lift into town.