There are at least two opposing points of view on data retention, and they may well be at the core of many privacy debates across the globe. At issue is the idea of the "right to be forgotten," which has been talked about in many nations and at many levels of privacy discourse, and was illustrated one year ago when two French lawmakers introduced a bill that would give individuals that very right.

Bruno Rasle, executive director of the AFCDP, the French Association of Data Protection Correspondents, explains that the phrase the "right to be forgotten" can be construed in two ways, which causes some confusion.

"In the first sense, the 'right to be forgotten' is a prohibition, made in France, against the indefinite retention of personal data. The French Data Protection Act (Informatique et Libertés Law) requires the data controller to define a retention period compatible with the intended purpose," he says.

The CNIL has made some recommendations, and the AFCDP has created a special working group to determine appropriate retention periods, he explains, noting that the CNIL's reference to the "right to be forgotten" relates to the all-too-rare occurrence of the purging of personal data. In reality, he says, there is no "right to be forgotten," as such, in French law.

The second meaning, Rasle suggests, is the right to rectification and objection.

"Some people wrongly interpret these last two rights as an opportunity for them to demand of the data controller, at all times, to erase all personal information about them," he explains. "In fact, the data controller is obliged to delete data only if they are inaccurate, outdated or whose collection is prohibited."

Hunton & Williams LLP Senior Policy Advisor Marty Abrams adds that there is a difference between the idea of a "right to be forgotten" and a "right not to be seen."

In the offline world, he notes, humanity has had "thousands of years to hone this," but online, "the ability to be forgotten and the ability to be unseen have been lost."

The norms around the idea of being unseen in the offline world do not yet translate online, he points out, using the analogy of a domicile as a protected space where individuals live out the private moments of their lives and keep personal belongings, photographs and information. In the online world, the equivalent is a personal computer, where many people store their personal financial information, family photographs, personal writings, book purchases, movie preferences and other private information.

"The books that I read are private to me, but are they private to me when they're sitting on a digital device?" he asks, suggesting our personal computers have, in many ways, become more of a reflection of who we are than our homes, but privacy protection does not extend to these online spaces in the same way.

This "freedom to observe" data and processes is an American concept, steeped in the constitutional right of freedom of expression, he notes. "In Europe, every step of data is processing, and processing needs a legal basis."

This desire to be forgotten parallels the point of view of those who believe the digital history we create online--sometimes intentionally, and sometimes without even realizing it--should be allowed to "fade away" through a process called data degradation. Then, there is the other side to the argument, the perspective that data must be stored and maintained, either to protect it or as part of a business plan that relies on what has come to be seen as a key commodity: online clicks, posts and visits that can paint pictures of Web users' likes and dislikes.

As technology professional Sean Gallagher writes for internet evolution on data degradation, "Chances are that you've left a considerable electronic trail behind you in your travels across the Internet. Your e-mail address, mailing address, birth date, age, credit card numbers, and more are all stored in scores of e-commerce systems, social networking sites and maybe even a job board or two. And your business likely has a trove of similar data about everyone you've ever done a transaction with over the Web."

Although sharing different views on how data should be managed, both Jeff Chester of the Center for Digital Democracy and Linda Woolley of the Digital Marketing Association, for example, spoke of the value of data during a recent appearance on CSPAN's "The Communicators" series.

"Consumers have to understand personal data is a commodity," Woolley said, while Chester noted that what people do online is "the new currency...Data is power."

When it comes to managing what both sides seem to agree is valuable data, such distinct views--to keep or to delete--prompt questions as to whether there's room for compromise or the natural course of events will be for these opposing forces to collide.

As Winston Maxwell notes in a report on the French proposal for the Hogan Lovells Chronicle of Data Protection, the proposal was aimed in part at facilitating data subjects' ability to request the deletion of their personal data as "part of a broader French government campaign to create a citizen's 'right to be forgotten' on digital networks."

On that subject, Rasle refers to concerns voiced recently by the CNIL's president, Alex Türk, on cloud computing, where the "dissemination and duplication of personal data make him fear that, despite the purges, personal data never really disappear and could reappear one day or another."

Data degradation, however, as Gallagher points out in his report, "is the exact opposite of what most IT managers strive to do with customer data," as it is an asset that can be used in myriad ways. 

In terms of maintaining or deleting data, Rasle notes, "In reality, these rights depend strongly on the quality of information that was issued by the data controller" to ensure that individuals are "aware of the real implications of collection and also about their rights."

Rasle points to recent comments by European Commissioner Viviane Reding, who has said, "Transparency must be strictly applied."

As Gallagher writes in his report, "For most uses beyond the transactional relationship with customers, we don't need high-resolution data. Often, the data can be 'anonymized' to a large degree for the purposes of larger analytical tasks, and there's definitely a shelf-life attached to the value of data for any given transaction."

Abrams, meanwhile, points to the use of analytics as taking the issue beyond data itself to the idea of process degradation and integrity.

"In a world where every piece of information is feeding into analytic processes that predict future behavior or future outcomes, then the existing data protection principles don't encompass the privacy risks that come from the use of information in predictive processes," he explains. "The information can be sound, and the information can still be relevant, but when put into an analytic process, can lead to outcomes that come to the heart of privacy."

As every analytic model has a failure rate and can lose predictive value over time, it is impossible to consider online data without considering process factors.

"When you think of the impact of information," Abrams says, "you have to really think of it in terms of advanced analytics."
When it comes to balancing issues of data degradation and preservation, Rasle says it will be chief privacy officers playing a crucial role to "ensure the company listens to the people concerned, that their rights are recognized, that their information is assured" and to champion privacy by design and data minimization.

Or, put another way, he says, the "easiest personal data to forget are those we never collected."

Written By

Jennifer Saunders, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»