Forgetting, non-forgetting and quasi-forgetting in social networking: Canadian policy and corporate practice

Abstract

In this paper we analyze some of the practical realities around deleting personal data on social networks with respect to the Canadian regime of privacy protection. We first discuss the extent to which Canadian privacy law imposes access, deletion, and retention requirements on data brokers. After this discussion we turn to corporate organizational practices. Our analyses of social networking sites privacy policies reveal how poorly companies recognize the right to be have ones personal information deleted in their existing privacy commitments and practices. Next, we turn to Law Enforcement Authorities (LEAs) and how their practices challenge the deletion requirements because of LEA own capture, processing, and retention of social networking information. We conclude by identifying lessons from the Canadian experience and raising them against the intense transatlantic struggle over the scope of deletion of data stored in cloud-based computing infrastructures.