GDPR Right to be Forgotten, CCPA Right of Erasure (RtbF/RoE)
Forget about forgetting
Without the right technical capabilities, efforts to enable the ‘right to be forgotten’ under CCPA and GDPR may be doomed to fail
The right to be forgotten/right of erasure (RtbF/RoE) is a legal concept whereby individuals have a statutory right to have personal information erased from the Internet. The notion isn’t new, but on the back of a European Court of Justice ruling in 2014, the principle of right to be forgotten (or right of erasure) has gained significant traction. The concept is easy enough to understand; it’s the execution many organisations are finding difficult.
An RtbF has been enshrined in European law for more than twenty years – first in the EU’s Data Protection Directive of 1995, and more recently under the sweeping rules of GDPR.
The first high-profile legal case came in 2014, when a Spanish court case asked Google to remove links to an old newspaper article about an individual’s previous bankruptcy. The European Court of Justice ruled in the individual’s favour, saying search engines are data controllers, and as such are required to take requests to remove old or irrelevant information seriously. As widely reported in the press at the time, Google suddenly found itself managing a flurry of take-down requests to remove links from search queries.
Now with California’s CCPA set to expand the application in US law next year, organizations of all sizes will have to work out how to operationalize the right to be forgotten – and fast.
What are the challenges?
Under CCPA, RtbF/RoE enables consumers to have businesses delete any personally identifiable information (PII) they hold about them – so long as the data isn’t covered by one of nine exceptions (for example, to ensure compliance with a separate legal obligation).
The majority of US privacy laws don’t currently have a formal right to be forgotten; however, the Children’s Online Privacy Protection Act (COPPA) has a provision regulating the online collection of information from children under the age of 13. CCPA dramatically expands the number of people able to formally request their information be forgotten, and the number of organizations that have to address those requests.
CCPA also places obligations on data controllers that go beyond the requirement to take individual erasure requests seriously. Organisations must also determine a time limit for automatically erasing all the different categories of PII that they hold.
Easy to legislate, less easy to action
When you imagine a right to be forgotten, asking search engines and web sites to remove outdated or inaccurate info is likely the first thing that comes to mind. Under CCPA and GDPR it goes well beyond that, and will have significant implications for organizations as consumers and employees seek to limit the amount of personal information companies can retain.
If we consider all the different types of data companies hold about their customers, social media followers, employees, contractors, suppliers, and so on, the right to erasure isn’t something that can easily be switched on. Most organisations are digital to one extent or another now, using data they’ve collected themselves, as well as publicly available data, for marketing, accounting, HR and other business purposes.
That data is held in a variety of locations, systems, and data formats that make mapping all the personally identifiable information in company systems extremely difficult. For example, a host of biometric information is covered under CCPA, as is any record of an individual’s browsing history or other interactions with a company website or app.
Adding to the complexity is an evolving data landscape. How do you erase personal data held in a blockchain (where transaction inputs and outputs are deliberately masked)? What if there are paper documents with PII that haven’t yet been digitized? What if the PII exists in a small segment of a corporate video or webinar? Those are significant challenges but perhaps the biggest is simply knowing where all the PII in company systems lives. And even if you can map your PII accurately, how will you know if it is covered by one of the nine exemptions, or ensure timely communication to applicants, regulators, or other relevant third parties?
Drilling down deeper, removing or destroying data – even when obligated to do so – can bring its own set of problems. Not only does PII need to be identified, it then needs to be destroyed in a way that doesn’t damage the integrity of other data. Simply deleting data from a complex relational database, for example, risks corrupting the records where that data was found, as well as causing index and search irregularities across the system.
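The relational-database problem described above, as an added example that is not part of the original article: a plain DELETE either orphans dependent rows or is rejected by the foreign key, while overwriting the PII columns in a single transaction keeps the records consistent. The schema, the rows and the choice to retain non-personal order totals are assumptions made for illustration; which fields must be erased is a legal determination.

```python
import sqlite3

# Constructed schema and rows, for illustration only.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, erased_at TEXT);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    ship_to TEXT, total_cents INTEGER NOT NULL);
INSERT INTO customers VALUES (1, 'Ana Example', 'ana@example.test', NULL);
INSERT INTO orders VALUES (10, 1, '1 Sample St', 4200), (11, 1, '1 Sample St', 1500);
"""

def open_db(enforce_fk):
    db = sqlite3.connect(":memory:")
    db.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    db.executescript(SCHEMA)
    return db

def orphaned_orders(db):
    # Orders whose customer row no longer exists: the "corrupted records" case.
    return db.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customers c "
        "ON c.id = o.customer_id WHERE c.id IS NULL").fetchone()[0]

def naive_delete(db, customer_id):
    """Plain DELETE; returns 'blocked' if the foreign key rejects it."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        return "deleted"
    except sqlite3.IntegrityError:
        return "blocked"

def erase_in_place(db, customer_id):
    """Overwrite PII columns in one transaction; keep keys and order totals."""
    with db:
        db.execute("UPDATE customers SET name = NULL, email = NULL, "
                   "erased_at = datetime('now') WHERE id = ?", (customer_id,))
        db.execute("UPDATE orders SET ship_to = NULL WHERE customer_id = ?",
                   (customer_id,))

def remaining_pii(db, customer_id):
    """Non-NULL PII values still stored for this customer."""
    row = db.execute("SELECT name, email FROM customers WHERE id = ?",
                     (customer_id,)).fetchone()
    addrs = db.execute("SELECT ship_to FROM orders WHERE customer_id = ?",
                       (customer_id,)).fetchall()
    return [v for v in (*row, *(a[0] for a in addrs)) if v is not None]
```

Backups, replicas, search indexes and logs hold their own copies of these values and are not touched by this example.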
Not all solutions are the same
Enabling the right to be forgotten/right of erasure is complex and needs to happen at a granular level, which means understanding where all your PII sits and considering the potential knock-on effects of data deletion.
Companies that have already implemented a data loss prevention (DLP) system may find themselves in a stronger position to achieve CCPA (and GDPR) compliance when January 2020 arrives.
DLP is essential for tracking enterprise data and organizing it. This includes classifying files and data streams to determine the presence of PII and other data with regulatory sensitivities. That capability is important both for data protection and for understanding in detail where CCPA-covered information sits across your systems, and what type it is.
DD or DP? Accurate detection is the key to success
Not all Discovery / DLP systems are calibrated for the complexities of PII, however, and that will make a difference to compliance success where RtbF/RoE is concerned.
Common DLP & Discovery programs rely on pre-set algorithms and regular expression patterns to determine what sensitive data is – a generic approach that can throw up numerous false positives, all requiring investigation and time. GTB’s data protection and Next-Gen Data Loss Protection programs use an intelligent, science-based approach to find and manage sensitive data. Rather than rely on broad definitions, GTB programs analyze data dynamically to identify relevant files.