GDPR: social media and the right to be forgotten

George Ketsopoulos speculates why teenagers learn Latin but not how the internet works in his shortlisted entry to the BARBRI International Privacy Law Blogging Prize

In 2017, Facebook reached over 2.2 billion active monthly users. This is more than the population of Africa and Europe combined and it excludes Facebook-owned platforms WhatsApp and Instagram.

We have granted Facebook immense access to our personal information. If you request a copy of your data you receive a folder, around two gigabytes in size, containing everything you have ever posted, messaged and “liked” on Facebook. And have you ever added a person’s number on your phone and had them pop up as a recommended friend on Facebook? It is because WhatsApp reads your contacts list and shares this with Facebook, even if you haven’t given Facebook your mobile number.

So far, social media companies (I focus on Facebook as it is the most ubiquitous) have enjoyed a lack of real regulation. There were no substantial legal repercussions over the Cambridge Analytica scandal and the stock market displayed little reaction as well.

But we haven’t reached Minority Report level surveillance yet. On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, whose main purpose is to protect “fundamental rights and freedoms of natural persons” in respect to personal data. While it is an EU-wide regulation, it is extra-territorial in the sense that if a company has customers in the EU, it has to comply with the GDPR irrespective of place of incorporation and web server location.

The GDPR covers a lot of things, and you should have a read yourself, but one of the most interesting tools it gives consumers is the right to erasure. More popularly known as “the right to be forgotten”, Article 17 allows a person to demand a company erase all “personal data concerning him or her”.

While this sounds great on the surface, it is clear that the EU does not understand how the internet and computers work.

On a single computer level, most people know that when you delete a file on your phone or computer, it doesn’t really get deleted. It is more accurate to say it is “forgotten”, as you merely delete the path to the file’s location on storage. Eventually, it will be overwritten by other files but this works randomly. Until then, people with access to your hard drive can recover the data. They don’t need to be a genius for that. They need to have a lot of time on their hands and the ability to use Google search. There are two easy ways to delete your hard drive: a drill and a hammer.
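What "deleting the path" means in practice, as an added example that is not part of the original article: it assumes a POSIX system, and the sample data and function names are constructed for illustration. An already-open file descriptor stands in for anyone who can still reach the storage after the name is gone.

```python
import os
import tempfile

SECRET = b"constructed sample: private message"  # constructed sample data


def make_sample():
    """Write the sample bytes to a fresh temporary file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SECRET)
    return path


def delete_only(path):
    """Ordinary delete: the name is removed, the stored bytes are untouched."""
    fd = os.open(path, os.O_RDONLY)  # stands in for anyone who can still reach the storage
    os.unlink(path)                  # removes only the directory entry (the "path")
    try:
        return os.path.exists(path), os.pread(fd, len(SECRET), 0)
    finally:
        os.close(fd)


def overwrite_then_delete(path):
    """Overwrite the contents in place, flush to disk, then remove the name."""
    fd = os.open(path, os.O_RDONLY)
    size = os.path.getsize(path)
    with open(path, "r+b") as f:     # r+b keeps the same file, no truncation
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    try:
        return os.path.exists(path), os.pread(fd, size, 0)
    finally:
        os.close(fd)


def demo():
    return delete_only(make_sample()), overwrite_then_delete(make_sample())


if __name__ == "__main__":
    (exists1, left1), (exists2, left2) = demo()
    print("delete only:        path exists:", exists1, "| still readable:", left1)
    print("overwrite + delete: path exists:", exists2, "| still readable:", left2)
```

On SSDs and on copy-on-write or journaling file systems an in-place overwrite may not reach the old physical blocks, so this shows the difference in principle rather than a guaranteed erasure method.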

Contrary to popular belief, the internet is not much more sophisticated on a conceptual level. It is a network of computers. Using a very simplified model, the internet is comprised of clients (the users’ computers), web servers and a lot of cables. When you send a message, click on a picture or “like” Beyoncé’s latest song, this information gets stored on Facebook’s web servers. When you upload something on the cloud, it gets stored on the respective company’s servers. If you exercised your Article 17 right and asked Facebook to delete your data, it would technically remain on the server until it was overwritten.

So what does “delete” really mean for the purposes of the GDPR? I cannot answer that. What is more concerning is that the EU cannot answer that either. Article 4 of the GDPR defines various terms such as “personal data” and “profiling” but the European Commission did not bother to define “delete”. As one of the first real steps to regulate the digital revolution, this is a gross omission.

No one can say with certainty whether the deleted data can be recovered. Facebook’s platform is closed-source and its systems architecture is a mystery. Nevertheless, in the era of big data it is very plausible that an algorithm can scan Facebook’s database and recover recently “deleted” data regarding a particular individual.

What are the practical implications of this? For the average person who requested their social media data be deleted, it is highly unlikely this will make a difference. Some people, however, may suffer the consequences of the uncertainty around Article 17. Consider, for example, a journalist or a political dissident who had to recently delete their Facebook data to protect themselves from a totalitarian government. If that government asked Facebook to retrieve the deleted data or cease operations in their country, what would Facebook do? What if a government demanded the data to secure a criminal conviction?

There are far better solutions to protect user data on social media. One suggestion is for popular social media to be open-source. Social media has become part of our personal, professional and political lives. Allowing the community to examine how social media platforms work on a programming level will provide accountability, and help prevent hacking and scandals such as with Cambridge Analytica.

Another option is to have a data tax. If social media companies had to pay a reasonable amount per unit of personal data they handle, they would think twice about keeping every single piece of information about us — from our location to our overall browsing habits.

Finally, as with many areas in life, debate and education will lead to better decisions. Teenagers learn Latin but not how the internet works. And let us not forget that this debate is much bigger than social media. If you feel uneasy about how much of your private life is on social media, then you better sit down before you consider how big Google’s file on you is, especially for us Android users. In the end, it is up to us, the consumers, to understand how valuable our private information is and educate ourselves on what happens to our personal data. And perhaps legislators should learn how the internet actually works before passing legislation of a global reach.

George Ketsopoulos studied law at UCL and will soon be a graduate computer science student there. He cares a lot about online privacy and IP rights.

Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.

7 Comments

Anonymous

Latin is the foundation of Western civilisation.

Without the basics of Latin, you cannot access much scientific literature, great works of art and much else.

That’s why teenagers study it.

G

True but to be honest the subheading isn’t 100% on point. The problem isn’t with Latin, the problem is with technologically illiterate people legislating a very technical area of the tech sector.

Just Anonymous

“While this sounds great on the surface, it is clear that the EU does not understand how the internet and computers work.”

We all realised that the day the ECJ came out with its ridiculous decision in Google Spain, requiring an internet search engine to remove search links to information that had lawfully entered the public domain.

G

Thanks for your comment. I hold the apparently unpopular decision Google Spain is a good step, starting from a premise that privacy is a natural right on the same order as freedom of expression. Why does the consensus consider it a ridiculous decision?

What about websites that do FOI requests to obtain mugshots and publish them? Sure, for that there is probably some form of criminal liability as they ask money to take it down but it’s pretty easy to do it yourself out of spite for a negligible cost.

Just Anonymous

“Why does the consensus consider it a ridiculous decision?”

Speaking purely for myself, I endorse the following analysis from Guy Vassall-Adams QC of Matrix Chambers:

https://eutopialaw.com/2014/05/16/case-comment-google-spain-sl-google-inc-v-agencia-espanola-de-proteccion-de-datos-mario-costeja-gonzalez/

His fundamental point (with which I entirely agree) is that no privacy rights should attach to the data at all (and so there is nothing upon which a ‘right to be forgotten’ can bite). Put another way, once information has been lawfully published in the public domain, individuals lose (or should lose) any legitimate expectation of privacy in that information.

Your analogy with mugshots is invalid because in such circumstances, the individual concerned may well have a claim for misuse of private information. That wasn’t the case for the information concerned in the Google Spain judgment.

G

Thanks for your reply, great case note.

I do agree the reasoning is extremely flaky and didn’t expect more from the ECJ but I also don’t expect legislators to be smart, fast or impartial enough to catch up with tech monopolists.

Anyways, cheers, I now get why the majority doesn’t like Google Spain.

Ethical marketer

Hi, just joining the conversation. Don’t forget this isn’t an absolute right. Only really for under 18s and social media. But the EU hadn’t asked any social media platform a. if they could do this, or b. if they would comply before the regulation was agreed! Only where the personal data was processed under the consent basis is the Right to Erasure an issue. Then it also depends on the Rights and Freedoms of others. So if you have a social media photo of a group larking about – who decides if half those on the photo want it to remain, and half don’t?
I’ve just read an article about shadow profiles and the social platforms’ habit of collecting data on all of us even if we’re not even on social. Most don’t know that the social sharing buttons on the website allow them to monitor every move we make on that site whether or not we have an account with them.
