The Right to Erasure: To Be, Or Not To Be, Forgotten?

“Privacy is dead and social media hold a smoking gun”, said Cashmore, perfectly describing a world in which more than half of the global population uses social media. However, people still worry about what remains of their privacy. This explains the effort put into crafting the most notable example of legislation about privacy: the European General Data Protection Regulation (GDPR). Among the significant developments introduced by the GDPR, the right to erasure stands out because of the control granted to individuals. This essay will briefly discuss the GDPR and its rationale. Consequently, it will analyze the right to erasure. On the one hand, it will illustrate how it allows data subjects to protect their privacy on social media by giving them control over data processing and its significance. On the other hand, this essay will evaluate the challenges that arise when applying them, namely, the practical impossibility of total erasure, the blurred notion of data owner, and legitimacy issues. Therefore, this essay aims to demonstrate that, however noble the intention of the GDPR was, users’ privacy still needs protection and the control provided is more of an illusionary feeling rather than an effective solution to privacy concerns.

The General Data Protection Regulation

The GDPR is an EU regulation enforced since 2018 with the intent of providing protection of natural persons and their personal data, namely information connected to an identified or identifiable individual (European Union Commission, 2012). In January 2012 the EU Commission presented its proposal of the current legislation underlining the need for harmonization of data privacy laws across the EU through a binding legislative act that would replace the previous EU Data Protection Directive 95/46/EC. The Commission emphasized the importance of an updated legal framework that would ensure the effectiveness of Article 8 of the EU Charter, about the protection of personal data, and the fundamental right to respect for private and family life, contained in Article 8 ECHR (European Union Commission, 2012). These objectives represent the ratio of the GDPR and the reason behind the introduction of several provisions conferring rights to data subjects, i.e., the right to erasure. (General Data Protection Regulation, 2016). Said right is activated by data subjects against the controller, defined by Article 4 GDPR as the body that determines the means and purposes of the processing of data. Social media fit into that definition since they hold those responsibilities, for instance, Instagram decides how uploaded pictures are stored and processed within the platform (Georgiades, 2020).

The Right to Erasure: to be Forgotten

During the preparatory works of the GDPR in 2012, Reading, former Vice-President of the Commission, underlined the importance of the codification of the right to erasure, stressing the impact that personal information can have (Reading, 2012). Not only is data monetary valuable, but it also displays users’ personal information for the world to see, making social media more of a digital business card rather than a simple platform for self-expression and communications (Maglieri, 2018). In fact, nowadays more than 50% of employers use social media to carry out checks during the recruitment process and to surveil their employees, sometimes resulting in people getting fired because of their posts on social media (Herman, 2020). Social media has therefore been described as an interpersonal surveillance tool to observe what friends, partners, and celebrities are doing and saying (Tokunga, 2011). As a result, past publications have the potential to haunt users in the future and hurt their reputations. If it were not for the right to erasure, personal data would be an indelible footprint, especially when considering the complicated nature of the concept of forgetting in the Internet era in which information is constantly being stored and recorded (Georgiades, 2020). As a consequence of the importance of an accurate and appropriate representation of oneself on social media, individuals need now more than ever the chance to have a fresh start that reflects their growth. The concept of a “reputation bankruptcy” developed by Harvard Law Professor Jonathan Zittrain (Zittrain, 2008), which allows individuals to have a clean slate, has been adopted in different areas of law by several States, for instance in Italy where article 178 of the Criminal Code regulates the erasure of past convictions from one’s criminal record after a variable period of time. So, it is only reasonable that such an attitude should be employed on the Internet as well, allowing users to delete embarrassing pictures, old statements that no longer reflect their personality, “likes” and messages and, ultimately, to regain control over their image on social media, especially when considering the cruciality of control in the definition of privacy given by Public Law expert Alan F. Westin (Westin, 1967). Such control is indicated by the proprietary approach to personal data assumed in the provision (Ausloos, 2012). Article 17 empowers users by handing them the wheel controlling the data flow. When requested to do so, controllers must stop the processing of data and that old embarrassing picture can no longer be available on social media platforms, distributed among third-party controllers, and stored.

Who decides when to forget when forgetting is impossible?

As evident from the provision the right to erasure is not absolute. Its most significant limitations derive from the need to balance erasure with freedom of expression and public interest, as provided by Article 17 GDPR. While free speech and people’s right to be informed on matters of public interests hold predominant roles and need to be ensured, a first issue arises when reflecting on the body to whom the balance of interests is entrusted. Google’s Transparency Report demonstrates that the controller is the first decision maker, raising doubts about legitimacy (Abril and Lipton, 2014). Certainly, when the right to erasure is denied on grounds of freedom of expression and users can take legal actions in Courts that are bound to apply EU law (De Mars, 2020). However, this process makes Article 17 more arduous to apply and users’ chance to be forgotten rests in the hands of an entity that lacks any type of public power but acts as a quasi-judicial body that still enjoys greater control (Vazquez, 2020). On a practical note, the emerging trend of social media blockchains may clash with the right to be forgotten. Blockchains are a Distributed Ledger Technology (DLT) storing transaction records visible to participating users and forbidding modifications (Guidi, 2020). Social media based on this technology entail end-to-end encryption for exchanges between users and provide protection against possible data breaches. The downside is the incompatibility of an unalterable data storage system with the right to be forgotten. If data cannot be modified, erasing it is out of the question, making the application of Article 17 impossible and stripping users of their control over personal data (Finck, 2019). Additionally, blockchains rely on decentralization, so it is difficult to identify the single controller who is responsible for the processing of data, resulting in a conflict with the controller’s obligation to be responsible for the compliance of rights conferred by the GDPR and to disclose its identity and contact details to facilitate users’ communications. As a result, users cannot feel protected on a platform where authority is not clearly defined. Lastly, when a user uploads data on social media it is unambiguous that the right to erasure must be exercised by submitting a request to the controller, i.e., the social media platform that carries out the processing. However, when data about the user is uploaded by another user, scholars disagree on whether the controller of such data is the social media platform or the user who published it (Koops, 2011). Both the social media platform and the user may argue that the burden of responsibility lies on the other and the requesting user may enter an endless cycle with no real prospect of data being removed. Furthermore, once data is shared among users it is difficult to keep track of whom the original controller is resulting in a laborious path for the user who wishes to be forgotten. The repercussions of this scenario fall on the users who are once again alone on their journey to forget while others can dispose of their data.

The GDPR was revolutionary in its attempt to change the imbalanced relationship between controllers and data users in favor of the latter. The rights to erasure finally gave the long-awaited control to users who can claim ownership over their personal data. Indeed, users have a chance at starting over in an era when all uploaded data is stored and reshared and can reclaim provided data to transfer it easily. However, not even the significant advantages can eliminate the practical complications that follow their application. In fact, the right to erasure is a limited right that must be balanced against other conflicting interests, such as the right to freedom of expression and the right to be informed on matters of public interest. This results in a limited application that rests in the hands of the controller who is not vested with public powers but acts nevertheless as a quasi-judicial body. The right to erasure’s efficacy is tempered by the emerging blockchain social media that entail the unalterable storage of data. Furthermore, the resharing of data creates incertitude over who retains power over it, resulting in an arduous identification of the controller that burdens the user instead of empowering him. The depicted scenario displays how control is still illusionary and the efforts made to respond to privacy concerns do not ultimately protect it as promised. Perhaps privacy’s resurrection is a utopia.