Beware your digital footprint when shopping online

Law must address 'right to be forgotten'
Written by Patrick Van Eecke, Contributor on

While online shopping continues to grow in popularity, the laws to protect shoppers' privacy have fallen far behind the technology. Lawyer Patrick Van Eecke explains how we can protect our data online.

With the end of the year upon us and Christmas shopping in full swing, consumers are hitting the high street and online stores with a vengeance. Recent research from the government's digital inclusion champion Martha Lane Fox highlights e-retail's financial benefits, suggesting the average family wastes £560 per year by not shopping online.

The disclosure of privileged information while shopping, however, means consumers leave behind digital traces over which they have no control.

When you order a train ticket online, buy DVDs on an auction site or simply visit a random website, you leave behind digital traces. The vendor will store your order, the credit card processor will store your transaction details, and every website you visit stores your computer address, computer type and browser type. Your telecom provider is even legally required to store information about the web pages you visit and the emails you send.

The advent of the interactive, user-driven web 2.0 services - such as YouTube, MySpace and Wikipedia - has accelerated the accumulation of digital traces. On your Facebook profile, you tell everyone who you are and who your friends are. Through your personal blog and Twitter messages, you chat about your whereabouts. With Google's Latitude service, all your friends can see in real-time where in the world you are. Even your Amazon user ratings tell something about you.

Our digital traces have an enormous impact on our privacy, not only for individuals but also for companies. A comment on a newspaper article you submit today may still be visible five years from now. Employees leave behind digital traces that can often be directly connected with their company, possibly affecting its reputation. Instances of digital traces backfiring on a company have become far too common.

There are European laws for dealing with the protection of personal data and privacy, which set out some basic principles for any processing of personal information. However, they were developed prior to the public adoption of the internet, and therefore do not take into account all the particular features and privacy challenges of today's online technologies.

The basic rule imposed by these laws is that you generally have to consent before your personal data can be stored and processed online. This basic rule legally protects you against unsolicited data aggregation, such as surreptitiously installed malign software. However, such unsolicited software may not be the most important problem - at least not from a legal point of view.

A much more important issue under current law is that anything becomes possible as soon as your consent is obtained. Even though the law in principle imposes the deletion of all personal data for which storage is no longer necessary, this principle can be reversed through an individual's consent. The principles that personal data cannot be used for secondary purposes and that data cannot be shared with other parties can be equally circumvented through consent. Get someone's consent, and his data essentially becomes yours.

In principle, only an individual's informed and freely given consent is valid. Websites therefore publish privacy policies that try to explain which data they collect and how they will use this data. However, almost nobody reads these privacy policies, because they are too long, too vague and too tedious. Everybody just clicks OK, and thus freely unlocks personal data heaven.

The concept of online privacy needs a fundamental rethink, and the introduction of a 'right to be forgotten' should be considered. This right would require the permanent deletion of any personal data after a certain period of time, even when the data was originally obtained with consent. France has already taken a first step towards introducing such a right.

Of course, the inherent global nature of the internet entails that a right to be forgotten cannot be effective on a local level. We may therefore need to discuss this prerogative on a global level. Until then, it is important to remain vigilant when leaving behind digital traces, both in a personal and a professional context.

Patrick Van Eecke is a partner in the technology, media and commercial group at law firm DLA Piper.
