The BBC is reporting that a new law is going to be proposed to the EU on Wednesday. It would include the provision for a “right to be forgotten” that would require all data on a person retained by social networks, etc to be deleted unless there are “legitimate” grounds to retain it.

This new “right to be forgotten” proposal is part of an overhaul to the 1995 Data Protection Directive.

Details of the revised law were revealed by the Justice Commissioner, Viviane Reding, at the Digital Life Design conference in Munich.

A spokesman for the commissioner clarified to the BBC that the revision was mostly for teenagers and young adults.

“These rules are particularly aimed at young people as they are not always as aware as they could be about the consequence of putting photos and other information on social network websites, or about the various privacy settings available,” said the spokesman.

He said that currently teenagers and young adults have no way of deleting embarrassing information when they apply for jobs. This new bill, however, would not allow people to erase their police or medical records.

Other measures in the bill include a requirement for all firms to notify users and the authorities of any possible data loss within 24 hours.

It would also force firms to explicitly seek permission to use a person’s personal data. Internet users must also be notified when their data is being collected, what it’s being collected for and how long it’s going to be stored.

People, under the bill, must be able to easily access their personal data and move it to another firm, or delete it, if they so wish

There are some circumstances which this new right would not apply though. Commissioner Reding told DLD delegates that “the right to be forgotten cannot amount to a right of the total erasure of history.”

If passed, the law would create a new set of data privacy rules in the EU for the first time. The rules would also apply to overseas companies active in the EU, even if their servers were based in other parts of the world.

The commissioner suggested that it would simplify regulations and save firms around $3 billion a year.

Microsoft and Facebook both voiced concerns over the scope of the bill and how much data users would be allowed to control. Facebook, however, said in a statement that they agree regulation such as this should “encourage job creation and economic growth” and that they look forward to seeing how the EU Data Protection Directive develops.

Firms that fail to abide by the proposed rules could be fined as much as one percent of their global revenues.

The new rules need to be approved by the EU’s member states and ratified by the European parliament though, so any changes won’t be happening for at least a few years.

With the NSLs, federal agents could collect telephone, Internet, financial, credit, and other personal records about Americans without the need for judicial approval. The vast amount of power that this gave the FBI became a major concern in Congress once the Justice Department came forward with its reports of how the system had been misused.

"Congress has already dedicated several hearings to the FBI’s abuse of investigative power and is thinking about how to prevent such abuses in the future," said EFF Staff Attorney Marcia Hofmann.

"But if there is going to be meaningful debate about this issue, we need more information than what the Administration chooses to make public, and we need it now."

The EFF filed suit under the Freedom of Information Act demanding that the FBI release all records pertaining to the NSL abuse, hoping that the information will spur meaningful and informed debate concerning the implications surrounding the government’s methods in gathering the personal data of ordinary American citizens.

"There are a lot of questions right now about the government’s integrity when it comes to domestic surveillance. The FBI must follow the law and release these records to the public," said EFF Senior Counsel David Sobel.
 
Considering that search records have been used in federal cases involving murder, any conversation about the topic of privacy has to be inclusive of online practices. ISPs are already selling clickstream data to third parties, and it’s doubtful that the government would have to do much arm-twisting to get their hands on that same information.

With that in mind, it’s interesting to see how the Xbox live community has gone up in arms over the hijacking of numerous accounts. The interesting note here is that the Xbox Live support team are the ones responsible for handing out user information to the hijackers.

Normally, you’ll find that online companies have creeds or mission statements assuring the utmost standards of security for the user data they house. The actual safety of that data, however, falls into serious question when held under a microscope. Careful examination unveils that anyone halfway decent at pretexting can convince support personnel to cough up sensitive information.

Okay, so what is pretexting? From Wikipedia:

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. It’s more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g., for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

If hackers were so easily able to obtain access to multiple Xbox live accounts, what is to stop them from calling up banks, credit card agencies, and other institutions and implementing the same methodology to get their hands on financial records, account numbers, and pin codes?

The naiveté that fuels the notion of data privacy on the Internet, or anywhere else for that matter, is pretty dangerous. Ironically enough, there may be only one person who has any real power to keep your information secure — you.