Does anyone really realize that the right to be forgotten is one big illusion?
Whenever I attend a presentation on GDPR – you know: the General Data Protection Regulation, which wants to guarantee the consumer more privacy – I get the vague feeling that the boy must also have had when the emperor paraded by ‘in his new clothes’: does nobody really see that he is naked? Translated into GDPR terms: does anyone really realize that the right to be forgotten is one big illusion?
The provisions in the GDPR are obviously written by lawyers with little or no understanding of today’s technical realities and digital world. For some time now we have been moving from an ‘internet of things’ to the ‘internet of me’, in which every aspect of our lives is connected to the internet in one way or another: from our TV to our fitness equipment to even our scales.
Each of these devices and associated services must ask for your permission to use and/or share certain data with third parties. Who the hell can keep track of what he’s given permission to? Are we going to have to make lists for that? And we will soon have to give our approval for every single use of our data.
So that one encompassing “I agree” box makes way for dozens of boxes that you have to tick off separately? Because that is what the strict application of the GDPR actually means under the heading of ‘privacy by design’.
The National Register Number: The Ultimate GDPR Breach
In fact, the problem is even more deeply ingrained in our society. Just think of our government services and their many forms. It all starts with the national register number: your age can be read from it. A choice that was made many years ago, but one that also has enormous consequences in these privacy-sensitive times. Do people need your date of birth when you fill out your tax form? Not really, and yet it is there.
That is not the only thing that is stated on most government forms: people almost always ask for your name, address, date of birth and place of birth. A boon for administrative officials? Maybe, but at the very least a boon for hackers. With every successful break-in, the data thief is simply given extra information that was not even necessary for the processing of the form.
Right to be erased? Downright dangerous
One of the most important provisions of the GDPR is the right to be forgotten. But what exactly does that mean? Many interpret this as ‘the right to be erased’, but has anyone ever thought about how dangerous this can be? I’ve experienced it myself, and many others with me: if someone close to you dies, and they accidentally delete your name from the national register instead of that of the deceased, it can sometimes take years before that wrong is rectified.
If your data is really erased for good, this becomes even more complex and Kafka is suddenly very close. A practical example, more on the business side: an employee leaves your company and demands that all non-tax data (in other words, all data about performance and evaluation) be deleted. A while later, another employee wants to consult that kind of data to benchmark performance, general conditions, etc… But that data is gone, for good.
Moreover, this right to be forgotten is at odds with other rights and obligations. Just think of the obligation for telecom companies to keep all customer data for at least two years. How can they do this if I demand that they delete my data for good? When I put such questions to GDPR experts, I never get a satisfactory answer.
Disturbing, right? But at the same time also understandable, since all kinds of exceptions will be introduced in the law that slowly but surely erode the idea and thus exempt some branches of industry from certain obligations.
Legal versus practical: the fine line around breach notification
GDPR also contains a few other hot topics. The famous ‘breach notification’ obligation, for example, which requires companies to immediately report any hack or data breach to official authorities. But how far should you, as a company.
In the Netherlands, where the GDPR has already been converted into enforceable law, we are already seeing this problem arise. Some companies even notify the relevant government departments when they have unwittingly sent a paper letter to the wrong person, because that is also a data breach.
Other companies see no reason to use these services because they do not know when to report an incident or not. The second category is therefore actually illegal. Moreover, such a small incident can have major consequences. The same Dutch government actually fears that they are only seeing the tip of the iceberg. In any case, this is also a far from obvious aspect of the new regulations.