The three pillars of privacy, defined in “The Right to Privacy” (4 Harvard L.R. 193 (Dec 15, 1890)), are 1) the right to know what information is gathered about you, 2) the right to know how it will be used, and 3) the right to be left alone. The European Union has incorporated these principles into the European Data Protection Directive, about to be replaced by the General Data Protection Regulation (GDPR). How often is the right to be left alone invoked?
European citizens can use two channels to remove personal information. First, they can reach out to the specific company asking its data protection officer to remove the data. Second, they can reach out to the national data protection officer to pursue erasure. How often do people use them? For some organizations, quite frequently.
The national Data Protection Officers do not publish lists of requests. However, some companies do. One well-known company is Google. Google publishes statistics on removal requests, in the form of a Transparency Report, here: https://transparencyreport.google.com/eu-privacy/overview. From May 2014 through November 13, 2017 Google has removed 839,556 URLs – about 43% of those requested – from search results, and declined to remove 1,104,867 – nearly 57%. The reasons for not removing a URL include the information may be strongly in the public interest, the information may reside in a government document, or the information may come from a reputable journalistic source.
European citizens can request information removal using this form: https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf About 2,000 removal requests arrive at Google every week.
Organizations in the US may be subject to the GDPR through the Privacy Shield. This agreement (two actually, one with the EU and the other with the Swiss) permits US-based organizations that opt in to share personal information about EU and Swiss citizens. The Privacy Shield replaces the Safe Harbor legislation, which the EU has determined is inadequate. The European Commission deemed the Privacy Shield adequate for data transfer under EU law on July 12, 2016. The Swiss Government did so on January 12, 2017. Opting-in requires self-certification with the US Department of Commerce at https://www.privacyshield.gov/PrivacyShield/ApplyNow. The Department of Commerce maintains a list of organizations that have opted in at https://www.privacyshield.gov/; as of this writing more than 2,500 companies are listed. The Federal Trade Commission prosecutes violators as described at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield .
Any organization that opts-in must respond to requests to remove data under the GDPR. Those requests will go to the organization’s Data Protection Officer. The organization will use its Identity and Access Management (IAM) system to find and delete all relevant records concerning that individual. The national Data Protection Agency, or the FTC, can bring a legal action against an organization that fails to respond to such requests. (The FTC recently brought charges against three organizations that announced they were participating in the Privacy Shield when in fact they had not signed up. They are listed on the FTC’s web site.)
Are you working for a US-based firms that holds personal information about European Union or Swiss citizens? If so, you should do three things. First, opt in to the Privacy Shield. Second, put a Data Protection Officer in place. Finally, ensure your IAM solution is comprehensive and effective. Removal requests will come. Be prepared.
Please add your thoughts in the comments below or follow me on Twitter: @WilliamMalikTM.
