How to secure your digital identity.
With the recent deployment of the EU’s General Data Protection Regulation 2016/679 (otherwise known as the GDPR), it has never been easier for EU citizens to have their personal details removed from computer systems. The wording within the GDPR when defining personal information is extremely broad:
“personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Whilst this clearly demonstrates personal information like a name is defined as personal information, it also means that other information that can be used to identify a person, including a combination of identification elements such as physical characteristics, pseudonyms, occupation, address etc. The definition is also technology neutral. It does not matter how the personal data is stored – on paper, IT systems, CCTV systems or any another system.
Under Article 17 of the GDPR, any EU citizen has the right to be forgotten. The actual phrasing is:
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
But how is this achieved?
1. Search Engines.
You can request removal from search engines realatively easily by filling in the relevant forms. Ironically, you may need to provide ID (for security) and some of them employ tracking session IDs but for the sake of the privacy, I have tried to omit these where possible.
Fill in the URLs from specific websites you would like removed and place them in the relevant fields. The Search Engines do not like to make it easy so it may take a while.
2. Withdrawing Consent.
You can state in writing to a company that you withdraw your consent to hold your personal information and request it’s deletion. Simply email them with the following template.
I hereby withdraw my consent for you to collect, process or store any personal data related to (personal information such as name or email address here).
I request that you delete any and all data related to, and belonging to (personal information such as name or email address here) that your company stores, pursuant to my rights under Article 17 of the GDPR.
Unfortunately, most other countries (including the United States) do not offer the same rights regarding the ‘Right to be forgotten’. If you are in one of these countries, we advocate contacting your local representative to encourage the same rights and protection.
You may still request deletion, however there is no law compelling deletion. For more information please see the helpdesk articles available here.
Private Internet Access strongely beleives in the right to be forgotten (except where it poses a risk to others), irrelevant of country.
We honour all deletion requests made to our Legal department however if you request your information be purged from our systems and you have an active acount, it will terminate your service and our Customer Support agents will not be able to provide assistance with a resolution.
Jayson is the Senior Vice President of Customer Experience at Private Internet Access. With a long history as an engineer with experience working in communications and electronics warfare in the British Army, he has worked on both sides of the proverbial fence. A staunce advocate of open source technology, Jayson is not adverse to hard work to achieve a goal. He enjoys drinking mead, amazing vodka and good conversation about sustainability and beekeeping.