GDPR legislation – The Right to be Forgotten

In March 2014 the European Parliament passed the General Data Protection Regulation (GDPR). This places an obligations on companies anywhere in the world that store and process data held on EU citizens.

Some of the provisions of the legislation include:

• Individuals must provide explicit consent for data about them to be held and processed. Companies must be able to provide evidence of this consent being knowingly given.
• Companies must provide good reasons for the retention of personal data and demonstrate that it is still needed or relevant. This reverses the burden of proof.
• Individuals can request the deletion of data about them. This requires that businesses adopt appropriate data retention and deletion policies.
• A ruling by the European Court of Justice in May 2014 decided that search engines are responsible for the content on EU citizens they index and serve as search results. This precedent makes it likely that content held, for example, by the Internet Archive’s Wayback Machine would also have to comply with the GDPR.

Like previous attempts by the European Parliament to legislate on data privacy (The Cookie Law, for example), the GDPR is well intentioned but half-baked.

However, the working reality of the GDPR over the last 6 months appears to be that individuals receiving negative reviews or commentary are using the legislation to ‘erase history’. The recent case of a concert pianist using the GDPR to remove a negative review in the Washington Post shows how this ruling is currently doing more to protect fragile professional egos than it is to protect citizens from their teenage faux-pas.

Meanwhile, most businesses (etailers included) are still failing to provide a means for customers to control the data being held about them. This would be a more useful application of the GDPR ruling, anything that helps customers manage the recommendations they receive would be a good start.