Op-ed: Forget me (not)

Author: Sutapa Amornvivat, Ph.D.
Published in Bangkok Post newspaper/ In Ponderland column 23 January 2019

Why does one want to be forgotten?

Have you ever wondered if that embarrassing photo of yours from college days still exists in the vast World Wide Web? What if it was a comment on an online discussion forum falsely accusing you of a crime?  Since the rise of social media, we have been warned that everything you do online will likely be there forever, exposed to the public.

On top of your data exposed on the internet, recent scandals in 2018 revealed just how much companies are collecting your private data with or without your knowledge. The Cambridge Analytica incident shows how customer data can be shared and abused by companies.

With the arrival of the “right to be forgotten” in the EU’s General Data Protection Regulations (GDPR), you can now ask companies to delete such personal data.

So, what exactly is the right to be forgotten?

It is the concept that people should have the right to ask companies to delete data collected about them. The fundamental idea is that personal data belongs to people, and they should be able to delete it, as and when they wish.

Despite being a new buzzword, the right to be forgotten is nothing new. It has been officially recognized in France’s laws since 2010. In 2014, a Spanish man asked Google to delete information about him in the past, which appeared on Google search results; the Court of Justice of the European Union (CJEU) ruled in favor of the right to be forgotten based on what is implicitly suggested in the EU’s Charter of Fundamental Rights for European citizens. The ruling outcome mandates that Google must accept requests to delist websites to protect user privacy.

The renewed interest in the right to be forgotten came in 2018 as the EU’s General Data Protection Regulations (GDPR) took effect last year which made this right explicit. It is also one of the most controversial and difficult rules to comply.

Why is it controversial?

The Google Spain case sparked a major debate around whether this law is just, and rightly so. This debate is highly relevant for Thailand now as we will soon embrace the new data protection laws. Several key questions stemmed from the debate remain unanswered.

Firstly, is the “right to be forgotten” of an individual interfering with the “right to know” of the public? The flip side of erasing a piece of information is that it is no longer available to the public. Giving courts and governments the authority to delete data by exercising the right to be forgotten could lead to a slippery slope of power abuse (such as mass censorship). In the classic George Orwell’s nineteen-eighty-four, the fictional Ministry of Truth has the power to rewrite a history. Are we ready for the possibility of such authority? Moreover, making certain information accessible for some, but not others could worsen inequality among the public.

Currently, the data to be erased must be deemed “irrelevant, outdated, excessive, or inaccurate.” But who should be responsible for this decision? This blurred line can be a threat to freedom of speech. The rule of thumb for now is whether knowing a given piece of information is beneficial to the public.

Why is it difficult to comply?

Secondly, is it even possible to erase history? Suppose that it is deemed necessary to delete someone’s data. Stories are rarely about one person. It is not easy to delete information about one individual without affecting others.

Say, if a customer requests a bank to erase his data, deleting his profile would be the obvious step. The hard part is how to best handle transaction data. Should money transfers information to this customer be deleted as well? Should it be kept as is, kept partially (changed to money transferred to an anonymous person), or deleted entirely?

Imagine a web of information that links a large network of individuals. How do we deal with the situation when an individual’s data is embedded in a complex algorithm? How far should a company go to erase all traces of user history? Clear boundaries will need to be defined, if we were to institute such right.

The problem can get even more complicated in case of blockchain, the new decentralized ledger technology set to disrupt banking and many other industries. The core promise of blockchain is that once a block of data is added to the chain (the ledger), it cannot be altered nor deleted. This immutability makes the system trustworthy. New research is being done to address the right to be forgotten in blockchain, but this could defeat blockchain’s purpose. As many companies are adopting the technology, the tension with the new laws can only multiply.

Are companies prepared?

Heavy fines and penalties are at stake. Failure to comply with the GDPR, including the right to be forgotten, can result in a fine of up to 20 million euros or 4% of worldwide annual revenue. Some countries such as Italy, Austria, Germany, impose an additional penalty of imprisonment for company directors.

Based on the current trend, it is possible that the right to be forgotten will soon arrive in Thailand. Companies that are collecting and processing customer data should be prepared. The first step would be to recognize the importance of customer privacy and understand exactly what kind of customer data you are collecting and processing.

The concern for data privacy will become increasingly significant especially when companies try to strike a balance between data privacy and optimal user experience design. Too strict of a law could be a double-edged sword. One clear example is that now we are forced to accept these long cryptic terms of service, instead of seeing what is really important.

Ensuring the right to be forgotten represents a step forward for privacy protection in this age of technology. However, in practice there is still a considerable gap between concept and implementation. Moving forward without addressing the complex reality of implementation would mean the risk of taking one step forward, but two steps back.