Europe's top cybersecurity agency said today that "a purely technical enforcement" of the proposed right to be forgotten is impossible.
However, it suggested that search engine operators and sharing services within the European Union could be ordered to filter references to "forgotten" information.
The so-called "right to be forgotten" is a key part of Justice Commissioner Viviane Reding's proposals for revised data protection rules in the EU. If approved, the new Data Protection Regulation would be directly applied in all 27 EU member states. It has yet to be passed by the European Parliament, but has met with widespread approval among parliamentarians. According to Reding, individuals have the right to insist that personal information be deleted and companies must comply unless they can show legitimate grounds for retaining the data.
The ENISA agency has published a report on the technical aspects of the issue, in which it said that clearer definitions and legal clarifications are needed and that there are "technical limitations" to enforcing this new right.
The report said that there should be proper clarification of who can ask for the deletion of shared personal data and under what circumstances. "Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices," it continues.
The aim, explains the ENISA report, is to "minimise the amount of personal data collected and stored online".
The new report comes after the agency's examination of the privacy implications of online behavioural tracking.
In that study, the agency said that particular attention should be given to tracking and profiling online, and enforcement solutions should be deployed to force compliance with regulations regarding personal data protection.
The agency also recommends the use of encryption for the storage and transfer of personal data.