18 April 2011
The European Commission (EC) has recently defined its four top priorities for modernising the EU legislation on protecting data and privacy, which are relevant to research and include:
1. The right to be forgotten. Commissioner Viviane Reding, who is in charge of the legislative update, has popularised the phrase 'right to be forgotten' to describe the right of individuals to have their data deleted and no longer processed when the information is no longer needed for legitimate purposes.
In practice, this could mean that people who want to delete profiles on social networking sites would be able to rely on the service provider to remove their personal data such as photos. Data controllers would be obliged to automatically delete or refrain from processing data after a fixed period of time. This could extend to personal data stored on mobile devices or computers. which in theory, should be automatically deleted or blocked after a fixed period of time.
EU politicians also want to allow anyone to take their data from one social network and put it directly into another. Although this may work well with transferring holiday photos, with regards to research it begs the bigger question of how would this work for transferring data between research panels and communities which are often bespoke products for particular clients?
2. Individuals must be informed about which data is collected and for what purposes. They need to know how their data might be used by third parties, what their rights are and which authority to address if those rights are violated. Research companies are already transparent in accordance with codes of conduct, but they will need to ensure that they and their data processing partner companies meet the new requirements.
3. Enforcing 'privacy by default'. This involves privacy settings that should be easy to understand and operate and reinforces the principle that no data should be collected or passed to third parties for processing for another purpose unless explicit consent has been given by the data subject.
4. Homogeneous privacy standards for European citizens should apply independently of the region where their data is being processed. This means that research companies based in the US or China, which are collecting data from EU citizens, will also have to apply EU rules regardless of the means used to collect that data.
The ICC/ESOMAR code already includes issues relevant to many of these points, but ESOMAR is concerned over how such rights would work in practice for research companies.
Commissioner Viviane Reding's speech on the right to be forgotten can be found here. Please contact firstname.lastname@example.org for more information.