Data & Privacy Exposures are not limited to security breaches
The Right to be Forgotten isn't just a Google issue
When considering data protection, data losses tend to spring to mind. However, this year, the risks of holding data for too long have been at the fore.
The recently publicised "right to be forgotten" case saw the European Court of Justice rule that Google Spain was a data controller due to its capacity to find, index, store and make information available to the public on its website.
The European Court of Justice (ECJ) ruled that search engines must remove web links from search results when requested to do so if the information collated is deemed to be out of date, no longer relevant, or excessive.
At the time of writing, it is estimated that over 91,000 "forget-me" requests covering a total of 328,000 links have been submitted since Google launched the service. Google is no longer alone - Microsoft has now confirmed that it is implementing its own form for Bing, leaving Yahoo as the only major operator without a means of requesting removal.
The Google decision, combined with heightened public awareness over excessive data collection in light of the NSA scandal, means that data controllers need to be extra vigilant over the data they maintain – what it is, why it is retained, how it is stored and, importantly, for how long. It is a legal obligation independent of keeping data secure, yet one that carries risks that must be considered by any organisation that controls personal data.
Hans Allnut & Helen Nuttall 24 July 14