Doesn’t anyone realize that the right to be forgotten online is one big illusion?

5 May, 2017

By Koen Maris,
Chief Technology Officer – Cyber Security at Atos

Every time I attend a presentation on GDPR (you know, the General Data Protection Regulation, which aims to guarantee more privacy to the consumer), I get the indefinable feeling the boy must have had when the emperor passed by “in his new clothes”: doesn’t anyone really see that he is naked? Translated to GDPR terms, this means: doesn’t anyone truly realize that the right to be forgotten is simply one big illusion?
The provisions of GDPR are clearly written by lawyers with little or no insight into today’s technical reality and digital world. We have been evolving for some time from the ‘Internet of Things’ to the ‘Internet of Me’, in which every aspect of our life is connected to the Internet in one way or another, from our TVs and our fitness devices to even our scales. Each of these devices and associated services must request your permission to use and/or share certain information with third parties. Who can, for heaven’s sake, keep track of what one is giving permission for, and to whom? Are we going to make lists for this? And should we give our approval for each separate use of our data, so that the one comprehensive ‘I agree’ box gives way to dozens of boxes that you have to dismiss one by one? Because that is what the strict application of GDPR actually means under the heading of ‘privacy by design’.

The government registration number: the ultimate GDPR infringement

In fact, the problem runs even deeper in our society. Just think of our government departments and their many forms. It already starts with the National Registration Number: you can read our age from it. A choice made many years ago, but in these privacy-sensitive times it has huge consequences. Is your date of birth necessary when you fill in your tax form? Actually not, and yet it is included. And it is not the only thing asked for on most government forms: almost always your name, address, date of birth and place of birth are requested. A blessing for administrative officials? Perhaps, but in any case a blessing for hackers. With each successful break-in, the data thief simply receives additional information that was not required for processing the form. It seems that GDPR will work at two speeds: strict for commercial companies and much more tolerant for public services.

The right to be erased? Simply dangerous!

One of the most important provisions within GDPR is the right to be forgotten. But what does that mean? Many people interpret this as “the right to be erased”, but has anyone thought about how dangerous this can be? I have experienced it myself, as have many others: if someone dies in your neighborhood, and they accidentally delete your name from the state register instead of that of the deceased, it may take years to rectify the mistake. If your data is really deleted forever, it becomes even more complex and Kafka is very close.
A practical example, more on the business side: an employee leaves your company and demands that all non-tax data (in other words, all data about performance and evaluation) be deleted. Sometime later, another employee wants to consult that kind of data to benchmark performance, general conditions, etc. But that data has disappeared forever.
Moreover, this right to be forgotten conflicts with other rights and obligations. Just consider the duty of telecom companies to retain all customer data for at least two years. How can they do this if I demand that they delete my data forever? When I put such questions to GDPR experts, I never get a satisfying answer. Worrying, right? But also understandable, as the law will introduce all kinds of exceptions that will slowly but surely kill the idea and thus protect certain industries from certain duties.

Legal versus practical: the fine border around breach notification

GDPR also contains some other hot issues. The famous ‘breach notification’ obligation, for example, requires companies to immediately report any hack or data leak to official agencies. But to what extent does your company have to follow this?
In the Netherlands, where the GDPR has already been converted into an enforceable law, we are already seeing those issues. Some companies even inform the government departments when they have, by mistake, sent a letter to the wrong person, because that is also a data leak. Other companies don’t see this as a reason to involve these agencies, because they do not know when to report an incident. That second category is actually acting illegally. In addition, such a small incident can have major consequences. Moreover, that same Dutch government fears that we are only seeing the tip of the iceberg. In any case, this isn’t a straightforward aspect of the new regulations. The executive agencies will therefore have to build up laws and use cases for years in order to reach a clearer view.

GDPR incompatible with blockchain

I talked about the risk of data erasure. But technically, too, this can have huge consequences. Any “ICTer” knows that deleting records can have a significant impact on the integrity of a file. And this has become even more complex with the advent of, for example, blockchain technology. This technology is based on tracking and building on transactions from the past. You can’t suddenly delete the data of one person, because then the entire system will collapse. Blockchain is increasingly used for financial applications such as bitcoin, but also in other sectors. If GDPR is applied to this, it can have huge consequences for the companies and their customers.
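
An added illustration (not part of the original article) of why a record cannot simply be deleted from a hash-linked ledger: a minimal Python hash chain in which removing or blanking one person's records makes verification fail from that block onward. The transactions are constructed sample data and all function names are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(prev_hash, record):
    """Hash a record together with the hash of the block before it."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Return a list of blocks, each linked to its predecessor by hash."""
    chain, prev = [], GENESIS
    for record in records:
        digest = block_hash(prev, record)
        chain.append({"prev": prev, "record": record, "hash": digest})
        prev = digest
    return chain

def first_broken_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["record"]):
            return i
        prev = block["hash"]
    return None

def erase_subject(chain, subject):
    """Naive erasure: drop every block that mentions the data subject."""
    return [b for b in chain if subject not in (b["record"]["from"], b["record"]["to"])]

def redact_subject(chain, subject):
    """In-place erasure: keep every block but blank the subject's name."""
    blank = lambda rec: {k: "[erased]" if v == subject else v for k, v in rec.items()}
    return [{**b, "record": blank(b["record"])} for b in chain]

# Constructed sample transactions (not real data).
RECORDS = [
    {"from": "alice", "to": "bob", "amount": 5},
    {"from": "bob", "to": "carol", "amount": 2},
    {"from": "carol", "to": "dave", "amount": 1},
    {"from": "dave", "to": "alice", "amount": 3},
]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact chain:", first_broken_block(chain))
    print("carol deleted:", first_broken_block(erase_subject(chain, "carol")))
    print("carol redacted:", first_broken_block(redact_subject(chain, "carol")))
```

Rebuilding the chain from the remaining records verifies again, but its final hash no longer matches the one every other participant holds, so each copy of the ledger would have to be rewritten.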

Think about privacy, worry about integrity

With all the statements and presentations about GDPR, I get the impression that the commercial opportunities are more important than the interests of the citizens. Privacy assurance is a noble goal, but hopefully it is clear that it is also far from achievable. As a private person, I would also worry less about my privacy than about the integrity of my data.

Movie stars have already understood this. When George Clooney held his wedding in Venice, he knew in advance that privacy was a lost cause. So he went for the better option: check the integrity of the photos taken at the party. Everyone invited was given a camera by Clooney himself, with which they could take their snapshots. The goal: to control what data goes outside at what time. The devices were ‘burner phones’ – disposable devices used for only one purpose. This way, he could watch over the integrity of the images that reached the outside world. That is the model we should pursue as a society: you should think about privacy, but you should really worry about integrity!

