GDPR: social media and the right to be forgotten
George Ketsopoulos speculates why teenagers learn Latin but not how the internet works in his shortlisted entry to the BARBRI International Privacy Law Blogging Prize
In 2017, Facebook reached over 2.2 billion active monthly users. This is more than the population of Africa and Europe combined and it excludes Facebook-owned platforms WhatsApp and Instagram.
We have granted Facebook immense access to our personal information. If you request a copy of your data you receive a folder, around two gigabytes in size, containing everything you have ever posted, messaged and “liked” on Facebook. And have you ever added a person’s number on your phone and had them pop up as a recommended friend on Facebook? It is because WhatsApp reads your contacts list and shares this with Facebook, even if you haven’t given Facebook your mobile number.
So far, social media companies (I focus on Facebook as it is the most ubiquitous) have enjoyed a lack of real regulation. There were no substantial legal repercussions over the Cambridge Analytica scandal and the stock market displayed little reaction as well.
But we haven’t reached Minority Report level surveillance yet. On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, whose main purpose is to protect “fundamental rights and freedoms of natural persons” in respect to personal data. While it is an EU-wide regulation, it is extra-territorial in the sense that if a company has customers in the EU, it has to comply with the GDPR irrespective of place of incorporation and web server location.
The GDPR covers a lot of things, and you should have a read yourself, but one of the most interesting tools it gives consumers is the right to erasure. More popularly known as “the right to be forgotten”, Article 17 allows a person to demand a company erase all “personal data concerning him or her”.
While this sounds great on the surface, it is clear that the EU does not understand how the internet and computers work.
On a single computer level, most people know that when you delete a file on your phone or computer, it doesn’t really get deleted. It is more accurate to say it is “forgotten”, as you merely delete the path to the file’s location on storage. Eventually, it will be overwritten by other files but this works randomly. Until then, people with access to your hard drive can recover the data. They don’t need to be a genius for that. They need to have a lot of time on their hands and the ability to use Google search. There are two easy ways to delete your hard drive: a drill and a hammer.
Contrary to popular belief, the internet is not much more sophisticated on a conceptual level. It is a network of computers. Using a very simplified model, the internet is comprised of clients (the users’ computers), web servers and a lot of cables. When you send a message, click on a picture or “like” Beyoncé’s latest song, this information gets stored on Facebook’s web servers. When you upload something on the cloud, it gets stored on the respective company’s servers. If you exercised your Article 17 right and asked Facebook to delete your data, it would technically remain on the server until it was overwritten.
So what does “delete” really mean for the purposes of the GDPR? I cannot answer that. What is more concerning is that the EU cannot answer that either. Article 4 of the GDPR defines various terms such as “personal data” and “profiling” but the European Commission did not bother to define “delete”. As one of the first real steps to regulate the digital revolution, this is a gross omission.
No one can say with certainty whether the deleted data can be recovered. Facebook’s platform is closed-source and its systems architecture is a mystery. Nevertheless, in the era of big data it is very plausible that an algorithm can scan Facebook’s database and recover recently “deleted” data regarding a particular individual.
What are the practical implications of this? For the average person who requested their social media data be deleted, it is highly unlikely this will make a difference. Some people, however, may suffer the consequences of the uncertainty around Article 17. Consider, for example, a journalist or a political dissident who had to recently delete their Facebook data to protect themselves from a totalitarian government. If that government asked Facebook to retrieve the deleted data or cease operations in their country, what would Facebook do? What if a government demanded the data to secure a criminal conviction?
There are far better solutions to protect user data on social media. One suggestion is for popular social media to be open-source. Social media has become part of our personal, professional and political lives. Allowing the community to examine how social media platforms work on a programming level will provide accountability, and help prevent hacking and scandals such as with Cambridge Analytica.
Another option is to have a data tax. If social media companies had to pay a reasonable amount per unit of personal data they handle, they would think twice about keeping every single piece of information about us — from our location to our overall browsing habits.
Finally, as with many areas in life, debate and education will lead to better decisions. Teenagers learn Latin but not how the internet works. And let us not forget that this debate is much bigger than social media. If you feel uneasy about how much of your private life is on social media, then you better sit down before you consider how big Google’s file on you is, especially for us Android users. In the end, it is up to us, the consumers, to understand how valuable our private information is and educate ourselves on what happens to our personal data. And perhaps legislators should learn how the internet actually works before passing legislation of a global reach.
George Ketsopoulos studied law at UCL and will soon be a graduate computer science student there. He cares a lot about online privacy and IP rights..
BARBRI International will be hosting an Independence Day party at its London office on 4 July. Register to attend here.
Join the conversation