
There are at least two opposing points of view on data retention, and they may well be at the core of many privacy debates across the globe. At issue is the idea of the "right to be forgotten," which has been talked about in many nations and at many levels of privacy discourse, and was illustrated one year ago when two French lawmakers introduced a bill that would give individuals that very right.

Bruno Rasle, executive director of the AFCDP, the French Association of Data Protection Correspondents, explains that the phrase the "right to be forgotten" can be construed in two ways, which causes some confusion.

"In the first sense, the 'right to be forgotten' is a prohibition, made in France, against the indefinite retention of personal data. The French Data Protection Act (Informatique et Libertés Law) requires the data controller to define a retention period compatible with the intended purpose," he says.

The CNIL has made some recommendations, and the AFCDP has created a special working group to determine appropriate retention periods, he explains, noting that the CNIL's reference to the "right to be forgotten" relates to the all-too-rare occurrence of the purging of personal data. In reality, he says, there is no "right to be forgotten," as such, in French law.

The second meaning, Rasle suggests, is the right to rectification and objection.

"Some people wrongly interpret these last two rights as an opportunity for them to demand of the data controller, at all times, to erase all personal information about them," he explains. "In fact, the data controller is obliged to delete data only if they are inaccurate, outdated or whose collection is prohibited."

Hunton & Williams LLP Senior Policy Advisor Marty Abrams adds that there is a difference between the idea of a "right to be forgotten" and a "right not to be seen."

In the offline world, he notes, humanity has had "thousands of years to hone this," but online, "the ability to be forgotten and the ability to be unseen have been lost."

The norms around the idea of being unseen in the offline world do not yet translate online, he points out, using the analogy of a domicile as a protected space where individuals live out the private moments of their lives and keep personal belongings, photographs and information. In the online world, the equivalent is a personal computer, where many people store their personal financial information, family photographs, personal writings, book purchases, movie preferences and other private information.

"The books that I read are private to me, but are they private to me when they're sitting on a digital device?" he asks, suggesting our personal computers have, in many ways, become more of a reflection of who we are than our homes, but privacy protection does not extend to these online spaces in the same way.

This "freedom to observe" data and processes is an American concept, steeped in the constitutional right of freedom of expression, he notes. "In Europe, every step of data is processing, and processing needs a legal basis."

This desire to be forgotten parallels the point of view of those who believe the digital history we create online--sometimes intentionally, and sometimes without even realizing it--should be allowed to "fade away" through a process called data degradation. Then, there is the other side to the argument, the perspective that data must be stored and maintained, either to protect it or as part of a business plan that relies on what has come to be seen as a key commodity: online clicks, posts and visits that can paint pictures of Web users' likes and dislikes.

As technology professional Sean Gallagher writes for Internet Evolution on data degradation, "Chances are that you've left a considerable electronic trail behind you in your travels across the Internet. Your e-mail address, mailing address, birth date, age, credit card numbers, and more are all stored in scores of e-commerce systems, social networking sites and maybe even a job board or two. And your business likely has a trove of similar data about everyone you've ever done a transaction with over the Web."

Although sharing different views on how data should be managed, both Jeff Chester of the Center for Digital Democracy and Linda Woolley of the Digital Marketing Association, for example, spoke of the value of data during a recent appearance on CSPAN's "The Communicators" series.

"Consumers have to understand personal data is a commodity," Woolley said, while Chester noted that what people do online is "the new currency...Data is power."

When it comes to managing what both sides seem to agree is valuable data, such distinct views--to keep or to delete--prompt questions as to whether there's room for compromise or whether the natural course of events will be for these opposing forces to collide.

As Winston Maxwell notes in a report on the French proposal for the Hogan Lovells Chronicle of Data Protection, the proposal was aimed in part at facilitating data subjects' ability to request the deletion of their personal data as "part of a broader French government campaign to create a citizen's 'right to be forgotten' on digital networks."

On that subject, Rasle refers to concerns voiced recently by the CNIL's president, Alex Türk, on cloud computing, where the "dissemination and duplication of personal data make him fear that, despite the purges, personal data never really disappear and could reappear one day or another."

Data degradation, however, as Gallagher points out in his report, "is the exact opposite of what most IT managers strive to do with customer data," as it is an asset that can be used in myriad ways. 

In terms of maintaining or deleting data, Rasle notes, "In reality, these rights depend strongly on the quality of information that was issued by the data controller" to ensure that individuals are "aware of the real implications of collection and also about their rights."

Rasle points to recent comments by European Commissioner Viviane Reding, who has said, "Transparency must be strictly applied."

As Gallagher writes in his report, "For most uses beyond the transactional relationship with customers, we don't need high-resolution data. Often, the data can be 'anonymized' to a large degree for the purposes of larger analytical tasks, and there's definitely a shelf-life attached to the value of data for any given transaction."

Abrams, meanwhile, points to the use of analytics as taking the issue beyond data itself to the idea of process degradation and integrity.

"In a world where every piece of information is feeding into analytic processes that predict future behavior or future outcomes, then the existing data protection principles don't encompass the privacy risks that come from the use of information in predictive processes," he explains. "The information can be sound, and the information can still be relevant, but when put into an analytic process, can lead to outcomes that come to the heart of privacy."

As every analytic model has a failure rate and can lose predictive value over time, it is impossible to consider online data without considering process factors.

"When you think of the impact of information," Abrams says, "you have to really think of it in terms of advanced analytics."

When it comes to balancing issues of data degradation and preservation, Rasle says chief privacy officers will play a crucial role to "ensure the company listens to the people concerned, that their rights are recognized, that their information is assured" and to champion privacy by design and data minimization.

Or, put another way, he says, the "easiest personal data to forget are those we never collected."

Written By

Jennifer Saunders, CIPP/US

