Think about what the "Right to be forgotten" means at a technical level. It means you need to permanently delete records from your databases -- not just mark them with a deleted flag as well as delete records from your backups and reports generated that may contain personal information. In addition your organization may also be held responsible for removal of data given to third parties.

This is a big deal and it has many concerned over how it can be implemented as well as enforced.

No, this is not a "big deal", unless your company is already non-compliant with existing data protection laws.

Article 12 of directive 95/46/EC [1] specifies:

Member States shall guarantee every data subject the right to obtain from the controller:

...

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Article 17 of the proposed regulation [2], a.k.a. the "the right to be forgotten/erasure" strengthens existing erasure/data minimization laws. You are already required to erase data upon request under certain circumstances, and under the circumstances described in article 17 (1) and existing law, you should no longer be storing the data to begin with.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...

[2] http://ec.europa.eu/justice/data-protection/document/review2...

This means that the companies will not collect and maintain too much data about me to start with. There can be a reasonable amount of data - like name, DOB, address - that can stay public in any case. Other data will have to be deleted.

Any kind of personal data must stay privat unless I decide that can be revealed/public. Name, DOB, and address are personal data. I must have the right to prevent companies giving my address away (public or other companies).

That'd be the ideal scenario I suppose.

Encrypt row fields with a per user salt.

Backup this salt separately from the rest of the data in an easier to access media.

When deletion of a full row is needed, you just need to delete the salt from the comparatively smaller and quicker salt backups, as well as the live row+salt.

I believe that this is the current situation in Germany and I assume other E.U. countries.

It's debatable whether Germany's data protection laws include a right to be forgotten, but, in any case, it is not on the scale that is being proposed by the revised Data Directive. Other EU countries do not have the "right."

What they do have, that exceeds protection in the US, is the right for many EU citizens to request a copy of all of the information a company has on an individual, as well as, in many cases, the requirement that a company gain explicit permission before collecting or sharing personal information.

Poland also have it (right tu update and delete your data) since 1997. In practice it wasn't a problem (or at least no big complains). We had our share of social networks.

About this law: http://www.privireal.org/content/dp/poland.php

There's already an easy way to keep any non-monopoly company from maximizing profit on your back: Don't do business with them.

What about the companies that secretly collect information from you, but are not visible because they are included as JS/cookies/whatever on other sites?

What about my friends who upload and tag my photo on Facebook?

If you weren't doing business with Facebook how would they be able to tag you?

Unless they've changed it recently, it's possible to use any name as a tag regardless of whether that individual is on Facebook.

I know this because pictures of long-dead relatives posted by family members are tagged.

Perhaps not so much about tagging the photo, but a) uploading a photo of me or b) giving facebook my email address (yes, thats common practice).

That is your friends passing your info along without your consent, not Facebook breaking the law.

In case of the email address: I think facebook is violating german law by storing my personal information which I'd consider private. (I am not sure if they still do that.)

I think "Sure, any regulation will have bad side effects" was the rallying cry of the SOPA backers

The point isn't "all regulation is good." The point is that "some companies will go out of business" isn't necessarily a good argument.

To continue your SOPA connection, "Google will go out of business if SOPA is enacted," isn't a good argument in and of itself. You're assuming that Google staying in business is a good thing.

Arguing against regulation of X because companies that have built a business around X being a certain way will go out of business necessitates that an explanation of why X continuing on in the same manner is in the interests of the general public.

I agree, though I don't think I should be assumed to rely just on that fallacy. The problem here is that just because a law purports to serve an ideal doesn't meant that its side effects should just be waved off as a necessary evil.

As an example, stopping terrorism is generally seen as a good thing, yet opinions differ on whether the laws that purport to prevent terrorism are good, and the government has also used such laws (such as e wire tapping allowances) to justify non-counter terrorism ops.

Good point :)

I think my point is: "if we don't implement SOPA, we (the companies) are all gonna die!"

Don't know how to express it in general, but I hope I can make my view clear.