25 JUNE 2019
Summary by Alessandra Calvi, Brussels Privacy Hub, VUB
On 25 June 2019, the Brussels Privacy Hub held the eighth event of the Meet the Author Series. This time, Jef Ausloos (KU Leuven/University of Amsterdam) presented his doctorate thesis entitled “The Right to Erasure: Safeguard for Informational Self Determination in a Digital Society?”. He debated the outcomes of his work with Meg Leta Jones (Georgetown University), that provided her US scholar perspective on the right to erasure, and Thomas Zerdick, one of the drafters of the General Data Protection Regulation (GDPR), currently at EDPS. Hielke Hijmans (VUB/Belgian DPA) chaired the discussion.
Hielke Hijmans introduced the author, praising his choice to deal with the right to erasure. He observed how the Google Spain case, the leading case in the EU on the right to erasure (“right to be forgotten”), was not well received in US. He outlined the importance of digital empowerment to reduce power asymmetries between the data subject and the controller, but questioned whether Art. 17 GDPR in conjunction with Art. 8 Charter of Fundamental Rights of the European Union (CFR) needed to be interpreted as part of informational self-determination or rather as belonging to the principle of fairness. He outlined how Art. 17 included at its core the balancing of fundamental rights, namely between privacy and data protection on the one hand and public interest on the other hand. He invited the panel to discuss the relationship between Art. 17 GDPR and 8 CFR and the territorial scope of Art. 17.
Jef Ausloos observed how the internet has become the breeding ground for some of the most important information and power asymmetries of our time, and how the processing of (personal) data is one of the main enablers of these asymmetries. His work, aimed at investigating the role of individual empowerment over personal data in countering power asymmetries online, takes as starting point Art. 17 GDPR on the right to erasure since it is a suiting example of data subject empowerment in the GDPR.
He continued by explaining the structure of his research. For answering his research question “Does the right to erasure meaningfully contribute to safeguarding the fundamental right to data protection in the face of online power asymmetries?”, he identified three main sub-questions reflecting the logical sequence of analyses to be followed when applying the right to erasure, namely: What is the rationale of the right to erasure and when does it apply? How to balance rights, freedoms and interests when accommodating the right to erasure?What are the practical challenges to realise the right to erasure and how might they be overcome?
Meg Leta Jones highlighted how the conversation on the right to erasure has gone very far in the EU, whereas in the US the debate on this right is still limited because, legally, the right to erasure does not have a human right foundation. Conversely, she clarified that the right to be forgotten is very popular among the US public, especially among parents when it is about the erasure of their children’s and teenagers’ data. She made clear that big tech companies have an interest in complying with GDPR standards at global level, but she also explained their concerns about the potential incompatibility between data protection regulations and the First Amendment of US Constitution on the freedom of speech.
She praised Ausloos for his interesting method of analysis, which could be applied also for other data subject rights, and for his revealing empirical findings. She noted that empowerment is an interesting contemporary term. She suggested to include cultural preservation, in the sense of record of modern history of the internet, within empowerment and expressed her interest in the extraterritorial reach of the right. She nevertheless concluded that informational self-determination and empowerment are not the same. She suggested to move from a control centric data protection regime to one acknowledging the power structures in the data economy, with collective rights as effective tools.
Thomas Zerdick admired the fact that the author worked on the actual legislation, rather than simply criticising the existing rules and suggesting how they should be, to come to the positive conclusion that the right to erasure does play an important role in the empowerment of the data subject. He praised his method of analysis going through the entire lifecycle of the right to erasure. He also outlined how Art. 17 GDPR has a twofold nature: as a right of a data subject on the one hand and as an obligation for the data controller on the other hand.
He continued by outlining some points of criticism. He invited the author to broaden his sources, to include also German literature in them. He questioned the understanding of the author on the relationship between Art. 8 CFR and Art. 17 GDPR, pursuant to which the former is posing only minimal safeguards, whereas the latter provides for a fully-fledged protection addressing also other fundamental rights. Zerdick emphasised the higher hierarchical position of the Charter above the GDPR. He invited the author to elaborate more on the alleged “extraterritorial” applicability of the right to erasure and on its relationship with the principles of data-protection-by-design and by-default. He proposed also to consider the idea of using data retention, in the sense of personal data having an expiry date, mandating its erasure after a pre-determined period, as an effective alternative solution to data erasure.
In his reactions to the comments received, Ausloos agreed that his methodology could have been applied to other data subject rights under the GDPR, but he chose Art. 17 GDPR for its hybrid nature and connection with other GDPR provisions. Conscious of the hierarchy between the Charter and the GDPR, he outlined how empowerment is the core of Art. 8 CFR and how Art. 17 GDPR creates an architecture for exercising control. He quoted Rodotà who compared data protection (electronic liberty) with the right to (physical) liberty (Art. 6 CFR). He clarified that extraterritoriality is a hot topic but not a data protection issue per se. He invited to distinguish between scope and reach of the GDPR, the second being linked to its enforceability. He referred to the pending Case C‑507/17 Google v. CNIL where AG Szpunar, in his opinion of 10 January 2019, took a stand against a worldwide de-referencing obligation to implement the right to erasure, arguing that the de-referencing should be limited only to the EU, where it could be achieved with IP filtering.
He warned that data-protection-by-design and by-default, albeit aimed at introducing a data protection mindset in the design of products, may be used against data subjects’ rights. He referred to Apple that denies data subjects to access to their voice recordings based on data-protection-by-design and by-default, arguing that they are not personal data and that in any case the link between recordings and servers disappeared erased once voice is sent to the cloud.
A lively Q&A with the audience followed, in which it was outlined how the right to erasure is not the only solution to unfair data processing because there are other data subject rights that may be useful (e.g. right to object). On the reach of the GDPR and right to erasure, it was pointed out how the sovereignty of other countries cannot be violated. Nevertheless, doubts on the difficulty to assess the validity of requests coming from around the world, where democracy and rule of law are not respected, were raised. It was argued that creating a right of de-listing neglects the interests of publishers and may hamper journalism. In this respect, Ausloos argued that he advocates for more transparency on de-listing. Concerns on the available technical solutions (as IP filters or “expiration dates”) to exercise the right to erasure were raised, considering that the notion of personal data is very broad, that many types of data can be copied and downloaded, and that everything leaves a digital footprint. The existence of grey zones, as the impossibility to exercise the right to erasure on allegedly anonymised data, or in case of disproportionate effort, was highlighted.
Hielke Hijmans concluded the debate, thanking the panellists and the audience for the fruitful discussion.
Keep up to date of our activities and developments. Sign up to our newsletter:
Copyright © Brussels Privacy Hub