'Right to be forgotten' may not be enforceable - Vaizey

We don't yet have a Men in Black flashy thing


Ed Vaizey said that introducing a "right to be forgotten" into a revised EU Data Protection Directive might give "false expectations" to people who would seek to have their personal data deleted under the new regime.

"We support the idea that consumers should have more control over the processing of their data. And of course we support greater transparency. But we also need to be clear about the practicalities of any regulation," Vaizey said in a speech earlier this month.

"For example, how do we enforce the ‘right to be forgotten’ when data can be copied and transferred across the globe in an instant? No government can guarantee that photos shared with the world will be deleted by everyone when someone decides it’s time to forget that drunken night out. We should not give people false expectations," he said.

Last week EU Justice Commissioner Viviane Reding said that individuals would have a right to force organisations to delete the personal data they store about them under a revised EU Data Protection Directive. Formal proposals for the new laws are set to be announced before the end of January.

Vaizey also questioned proposals outlined by Reding to make non-EU based companies subject to the new data protection laws if they stored EU citizens' data in "the cloud".

Cloud computing refers to the storage of files and programs on an internet-based network rather than on local computers.

"We agree; data should be processed in accordance with expectations of privacy in Europe," Vaizey said. "But we need to be aware that questions of liability could jeopardise the ability of European firms to use the cloud for data processing and storage. We should question the logic of trying to make firms outside of the EU subject to EU law," he said.

Vaizey said new data protection laws should not "stifle innovation" and must be "future proof".

"It is all too easy for directives to become irrelevant when dealing with a medium as fast moving as the internet," Vaizey said. "We need to ensure that the international transfer of data, so critical to economic growth, can continue. And we need to ensure that changes are both practical and proportionate."

"Good data protection laws will allow innovation to continue, and technologies like the cloud to flourish while also ensuring appropriate protections for peoples’ personal data," he said.

In his speech at the Internet Advertising Bureau (IAB) in London, Vaizey defended the UK's approach to implementation of new EU laws on 'cookies'.

Cookies are small text files that websites store about users to remember their activity on the site. The Privacy and Electronic Communications Directive (E-Privacy Directive), from which laws governing the use of cookies are drawn, states that storing and accessing information on users' computers is generally only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

The E-Privacy Directive was implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain "informed consent" to tracking users through cookies.

The Information Commissioner's Office has previously issued guidance on how website owners can comply with this requirement, but it has left it up to individual companies to choose methods they believe comply with the laws. The Government is working with browser manufacturers to come up with a way to gather consent via browser settings.

"I believe our approach to implementation has struck the right balance by keeping in mind the original intent of the directive, complying with the letter of the law and also being flexible enough to allow business to find solutions which suit them best," Vaizey said in his speech.

"The key is finding solutions which engage users. There is no point in putting a block of text and a tick box in front of users. People will simply ignore it and click through. The consequences of users being forced to make an uninformed decision on something which can so profoundly affect the internet economy are potentially dire," he said.

Vaizey praised the advertising industry for developing its framework around online behavioural advertising (OBA) and said the self-regulatory code established by the IAB Europe (IABE) and European Advertising Standards Alliance (EASA) earlier this year formed a "crucial part" of the measures needed to comply with EU laws on cookies.

"The IAB’s Online Behavioural Advertising (OBA) Framework ... offers users further information about the ads they are seeing without doing so in an obtrusive or disruptive way. And it is a fantastic example of the willingness of industry to work together to find solutions which suit both business and users," Vaizey said.

"The OBA framework is an essential element of a series of measures being taken across industry, which we believe will give users more control over their privacy online," he said.

Under the IABE and EASA code website operators must give users access to any easy method for turning off cookie tracking on their site. The code also requires operators to make it known to users that they collect data on them for behavioural advertising.

Operators must also publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.

Companies that adopt the code will also have to display an icon telling users that the adverts track their online activity. Through the use of the icon web users will be able to manage information preferences or stop receiving behavioural advertising via a new pan-European website, www.youronlinechoices.eu. A user can click on the icon to see the relevant information. The initiative is supported by many leading content providers, including the BBC, Financial Times and Telegraph Media Group, as well as AOL, Microsoft and Yahoo!

The code has been criticised by EU privacy watchdogs. The Article 29 Working Party has argued that internet users' consent to cookies can only be deemed to have been given through statements or actions, rather than "mere silence or inaction", which it says does not constitute valid consent.

However, Vaizey defended the code and said it was important that website operators and browser manufacturers also help users exercise control over their privacy.

"The OBA framework is a crucial part of our package of compliance but it is not the only part. Obviously this isn’t only about advertisers," Vaizey said.

"Publishers (website owners) and Browsers have a big role to play here too. Publishers are just as responsible as advertisers for the cookies they place on a user’s machine. So they should do what they can to make the user aware of the cookies they use and consider how best they can seek consent from users especially if they are particularly intrusive. Browsers are also a crucial part of this, they are the natural place for users to exercise control over their privacy settings and by extension are a means to signify consent. We are working closely with browsers to find ways of ensuring users have increased and easy to understand controls, and easier access to those controls," he said.

Vaizey said that internet users need easily accessible information about why their data is collected and for what purposes, and that they should have "easy to use controls" to modify what information is collected about them.

"People give companies their data because they trust that those companies will not abuse or misuse that data and it is essential that people do not lose that trust in the future," Vaizey said.

"Behaviourally targeted, or preference based advertising is an incredible innovation that can be of huge benefit to both business and to the consumer," he said. "But it needs to be done right. Users should not feel stalked around the web by companies wishing to sell them something. Users should be able to understand why they are seeing the ads they are seeing, who is responsible for that ad, and be able to exert a level of control over the extent to which ads are tailored to their preferences."

"It is important that this is done in a way that allows consumers to genuinely engage with the process and be able to make informed decisions about the information put in front of them," the Culture Minister said.

"Users should not be forced to make a decision about something they don’t understand and may or may not care about. But that does not mean we shouldn’t give users the ability to make those decisions. There needs to be easy to understand information and easy to use controls in place so users can make those informed decisions and exercise their right to have complete control over their data and their privacy online," he said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Similar topics

Narrower topics


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading
  • FTC signals crackdown on ed-tech harvesting kid's data
    Trade watchdog, and President, reminds that COPPA can ban ya

    The US Federal Trade Commission on Thursday said it intends to take action against educational technology companies that unlawfully collect data from children using online educational services.

    In a policy statement, the agency said, "Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools."

    The agency says it will scrutinize educational service providers to ensure that they are meeting their legal obligations under COPPA, the Children's Online Privacy Protection Act.

    Continue reading
  • Mysterious firm seeks to buy majority stake in Arm China
    Chinese joint venture's ousted CEO tries to hang on - who will get control?

    The saga surrounding Arm's joint venture in China just took another intriguing turn: a mysterious firm named Lotcap Group claims it has signed a letter of intent to buy a 51 percent stake in Arm China from existing investors in the country.

    In a Chinese-language press release posted Wednesday, Lotcap said it has formed a subsidiary, Lotcap Fund, to buy a majority stake in the joint venture. However, reporting by one newspaper suggested that the investment firm still needs the approval of one significant investor to gain 51 percent control of Arm China.

    The development comes a couple of weeks after Arm China said that its former CEO, Allen Wu, was refusing once again to step down from his position, despite the company's board voting in late April to replace Wu with two co-chief executives. SoftBank Group, which owns 49 percent of the Chinese venture, has been trying to unentangle Arm China from Wu as the Japanese tech investment giant plans for an initial public offering of the British parent company.

    Continue reading
  • SmartNICs power the cloud, are enterprise datacenters next?
    High pricing, lack of software make smartNICs a tough sell, despite offload potential

    SmartNICs have the potential to accelerate enterprise workloads, but don't expect to see them bring hyperscale-class efficiency to most datacenters anytime soon, ZK Research's Zeus Kerravala told The Register.

    SmartNICs are widely deployed in cloud and hyperscale datacenters as a means to offload input/output (I/O) intensive network, security, and storage operations from the CPU, freeing it up to run revenue generating tenant workloads. Some more advanced chips even offload the hypervisor to further separate the infrastructure management layer from the rest of the server.

    Despite relative success in the cloud and a flurry of innovation from the still-limited vendor SmartNIC ecosystem, including Mellanox (Nvidia), Intel, Marvell, and Xilinx (AMD), Kerravala argues that the use cases for enterprise datacenters are unlikely to resemble those of the major hyperscalers, at least in the near term.

    Continue reading

Biting the hand that feeds IT © 1998–2022