Implementing the Right to be Forgotten When the Internet Never Forgets

Implementing the Right to be Forgotten When the Internet Never Forgets
Author: RV Raghu, Past Board Director, ISACA, and director of Versatilist Consulting India Pvt. Ltd
Date Published: 28 October 2020

The internet never forgets, or so the adage goes. But what started off as a catchy saying or something that might be relevant to a technology subculture has evolved into a global reality, especially with dropping storage costs, access to cheap internet and, more importantly, the propensity of the human race to share data willy-nilly. This data-sharing is both voluntary, as on social media, or as something that gets traded for access to ostensibly “free” services.

In recent years, the debate has raged wide and deep on how much of the data that is shared should be remembered, and why. If we step back from the technology-infused world we all live in for a moment, where remembering is the norm and forgetting is considered a bug, it becomes clear that this constant “remembering” is something that snuck up on us over the last decade or so. What makes us essentially human is our ability to forget. Just imagine for a moment you are able to remember every single moment of your life, whether you want to or not. Also keep in mind the idea that not only can you remember every moment, but those around you can access that moment, and I am sure you will be worried sick. There are several examples that illustrate what this constant remembering, especially in the public domain, means to people who have been denied jobs, entry to countries, access to public facilities/services, had personal relationships affected, and worse.

While civil society has been discussing the impact of this ubiquitous remembering, in some parts of the world, legislators have tried to take action to make forgetting possible, at least in some cases. This gives back the data subject--AKA you and me--a modicum of control over her/his data. The GDPR regulation was one of the first to articulate what is often referred to as the “right to be forgotten,” though this is not what is explicitly stated, but rather actually the right to erasure, which is something different. While the right to be forgotten envisions the ability to make sure that data in the public domain is not retained forever and not accessible to all, the right to erasure goes one step ahead and aims to delete the data itself. The nuts and bolts of these concepts are nuanced, especially since erasure has deeper consequences and implications from a historical perspective and is debated hotly. However, the right to be forgotten might be something that all of us could use now and then. 

I will elaborate on the right to be forgotten in my conference session “Implementing the Right to Be Forgotten: A Framework Approach” at ISACA’s first virtual privacy conference, Privacy in Practice, on 8 December. Without going into the foundational or legal aspects of the right to be forgotten, the session will touch upon practical questions from an implementation perspective. While the flow may seem almost linear and easy in terms of implementing the right to be forgotten, in reality, many entities may be involved in the actual honoring of this right. Also to be addressed will be direct and indirect data that may be part of the request, as well as the possibility that some (or all) of this data might also be with third parties. This means you need to find the data not only within your enterprise but also with third parties, and then delete them per the data subject’s request.

By now I am sure this looks like a Herculean task, but all is not lost. A “by design” approach adopting policies that put privacy first, such as the OECD privacy principles, along with a framework of supporting policies, processes and tools, will go a long way to making a daunting task a bit easier. If your interest is piqued, be a part of ISACA’s virtual privacy conference on 8 December and learn more on how you can practically implement the right to be forgotten. Until then, remember, information in the public domain is like toothpaste: once it is out of the tube, you can’t get it back in, and once information is in the public domain, it will never go away, so think twice before you share on social media, and be aware of the receiving party’s privacy, data use and retention policies.