With this ruling, the derivative impact and proposed process now require that operators and search providers remove sensitive links to personal information (after the request is authorized by an EU Compliance Officer and Data Commissioner). The process and the state-specific implementations that each EU member state adopts to address this ruling will take years to sort out.
The impacts of this ruling will be far reaching across social networks, online aggregation services, social network sites, and search engine repositories across the globe. These repositories have very expansive and complicated historical memories. No one can definitively tell the government or the citizen where these records are located, replicated, or archived, how they are linked, or in which nation states they are maintained. The instrumentation at the data level to tag, track, and locate (TTL) this data simply has not been possible.
“There will be a massive impact to search engine providers, operators, and carriers to technologically implement this new ruling and requirement.”
– James Blom, EVP Guardtime
The solution proposed today by government, however, means a massive audit, compliance, and governance process. The EU has proposed “throwing auditors at the problem.”
The impact of this people-based proposal will likely be massive new market opportunities for audit consulting companies, as there will be widespread outsourced EU compliance officers working for the data commissioners who take in these requests and are responsible for the implementation. They will also be responsible for the documented evidence that serves as verification, balancing ‘the right to be forgotten’ against the public interest.
Revolution in logistics - containerization of cargo
Here we argue that technology will lead the way and that throwing bodies at the problem is a recipe for a bureaucratic nightmare. There is a historical precedent for this. In a previous era, longshoremen who handled cargo at ports needed to be certified, and cargo handling companies had annual security audits by government officials. Eventually, containerization made those audits irrelevant, solving the problem with technology and dramatically increasing the amount and speed of international trade.
The new EU privacy laws are no different, and it will soon become obvious to everyone that manual audits can never work. Where is the transparency? Why do this with people when irrefutable data-level instrumentation now exists to tag, track, and locate relevant data across the globe?
As always, technology will lead the way.
How does Guardtime address this problem with Keyless Signatures?
If data is in silos and then combined or centralized with other data, any changes made to that data can be tagged with metadata evidence, which can be annotated with forensic traceability and proof, including the non-repudiation (identity) characteristics essential to regulators.
A Keyless Signature provides proof of time, identity, and authenticity without reliance on secret keys or on trust anchors such as administrators. Evidence is portable and can be verified by the government, the corporation, or the citizen. The convergence of non-public and public data can be instrumented in such a way as to ensure governance frameworks are being enforced properly at the scale required to enforce EU Privacy rules. In this way, Guardtime KSI is an enabling technology at the data level for big data trust and privacy enforcement.
KSI Wrapper – data containerization anyone?
With Guardtime, data begins to maintain its own history and account record as it travels the networks between public, private, and hybrid environments. Its provenance can be asserted, trusted, and verified independent of the sender/receiver.
Technology must be leveraged to automate this requirement and bring forensically provable workflow auditability to it. Such transparency can be efficiently addressed with KSI to tag, track, and locate these records, while at the same time annotating a forensic chain of custody for all custodial decisions, irrefutably providing an audit trail for all government, citizen, and service provider interactions throughout the sanitization process.
Guardtime PaaS Workflow and Governance for Privacy Enforcement
Today, Guardtime PaaS Workflow Governance and Compliance management uses KSI to act as a middleware layer to Cloud Service Providers for a number of PaaS applications. Adapted to this recent ruling, Guardtime PaaS Workflow Governance can serve as the intermediary connector between the search engine provider and government regulators, acting as a trust broker to definitively log, audit, document, and approve search engine repository sanitization activities.
As a Process and Practice
Once authorization is obtained by the data commissioner and/or data privacy officer, authorization for the search hit is expunged with complete forensic traceability across the search repository, the object store maintaining the data, and the workflow processes associated with the interaction, to ensure that the government, responsible corporations, and individuals can mutually audit the compliance activities.