European 'right-to-delete' law: How enforceable is Facebook?

New European law will require companies like Facebook to delete personal data if a user requests it. But amid an Irish privacy audit, how compliant is Facebook, and how compliant will it be?
Written by Zack Whittaker, Contributor

Soon-to-be-debated European law will offer European citizens the right to have their data deleted by third-party providers, including social networks like Facebook, Twitter and Google+.

But European member states, which will ultimately fulfil the law passed by the upcoming European Data Protection Directive, may not be able to guarantee that individuals' personal data has in fact been deleted, a leading UK politician has said.

Taking a second to think through the variables, contingencies, problems and reasoning, there is no logical way to regulate the major data hoarders of our time, including one high up on the Europeans' list: Facebook.


Ed Vaizey, UK minister for culture, communications and creative industries, has warned that European law may be fine in theory, but difficult to enforce at the local member state level.

In a speech, he said:

"[But] we also need to be clear about the practicalities of any regulation. For example, how do we enforce the ‘right to be forgotten’ when data can be copied and transferred across the globe in an instant? No Government can guarantee that photos shared with the world will be deleted by everyone when someone decides it’s time to forget that drunken night-out. We should not give people false expectations."

Vaizey went on to criticise how the Directive could be used to "make firms outside of the EU subject to EU law".

Last week, European Commissioner for Justice Viviane Reding said that individuals would have a right to force organisations to delete personal information and data about them, under the revised Directive, with a draft bill expected to go before European politicians in January.

Businesses and companies may not operate directly in Europe, but their users can be within the confines of the European zone.

Facebook, for example, only a few years ago had millions of European users but no physical presence on the continent. Feasibly, the European Commission, Europe's upper house, could have imposed a fine on the California-based social networking giant, but there was no legislative measure in place to enforce the punishment if the company had no presence on European soil.

But that will change when the loophole is closed during the upcoming revision to the Data Protection Directive.

But in reality, only when a company holds a physical presence in the region can fines and punishments be imposed.

Since Facebook opened a datacenter in Dublin and an office in London, the social networking giant has been at the forefront of European regulators' minds. Not only did European Commissioner Viviane Reding tell The Register that Facebook had "nowhere to hide" over its data protection principles and morals, or lack thereof, but the company was also heavily rebuked last month by attendees and members of the panel at the European Parliament's Privacy Platform.

Because Facebook does have a presence, as do Twitter, Microsoft, Google and Apple, all through subsidiaries of their larger parent companies, the parent corporation is forced to abide by European law, as well as the law of the place where its headquarters is based.

This was one of the key premises behind the United States' counter-terrorism law -- the Patriot Act -- accessing European citizens' data and handing it back to their U.S.-based parent, thus making the data vulnerable to inspection by U.S. authorities and intelligence agencies. Gordon Frazer, managing director of Microsoft UK, admitted this exclusively to ZDNet earlier this year.

Having said that, there is no way to prove that data has not been deleted, unless a government or law enforcement agency -- or each member state's data protection agency, for that matter -- inspects or audits each and every company to ensure compliance.

Facebook says that it "is compliant" with European data protection laws, as said in a statement to ZDNet. There is no surprise there, of course, as you would not for a minute expect the statement to read: "Oh, whoops. You're right; we weren't compliant, not for a minute. Glad someone reminded us".

But one thing does scream out about the current situation.

Facebook in California does not manage its European users; its subsidiaries in Ireland and London do, which makes Facebook liable ultimately under European law. That I think we have established.

But as Facebook is currently under the watchful eye of an Irish data protection privacy audit, in a bid to determine whether Facebook does in fact flout Irish and therefore European law, it could lead to massive and wide-scale consequences for the social networking giant.

If it goes against its word, Facebook is going to be not only in for a rocky few months, but it will be crucified by the European regulators. And, since Europe has the vast majority of its total user base, the social networking giant needs to pull its proverbial finger out, otherwise Facebook could see criminal charges thrown at it left, right and center.

Facebook's downfall could be the modern-day Enron. I say that with no melodrama, nor frankly with any remorse.

