The discussion on the right to be forgotten is as much about the scope of the right: what is desirable and what is feasible? The right, as described in the draft of the new Data Protection Regulation, is supposed to be very broad and can be used to have personal data deleted when a data subject asks a processor to do so. In practice, however, it may be difficult to find the controller or processor who is responsible for the data. In addition, there are numerous data collections the data subject is not even aware of. So, instead of asking the question of whether a right to be forgotten could improve privacy, it might be worthwhile to ask the question of whether personal data need be remembered in the first place.
The Internet facilitates massive collection of data on individual web behavior. On a (relatively) small scale this is done by web shop owners, who implemented statistics functionalities in their web sites. Web shops usually also use cookies in order to be able to ‘remember’ the contents of a shopping cart when a visitor is searching for other products or moved to another web site in the meanwhile and returns to the shop later. The cookie is installed on the computer of the visitor and makes the computer recognizable on later occasions. In the case of a web shop, the functionality and advantages are clear.
Data collection, however, also takes place on a completely different scale: Internet wide. For instance, Google is able to monitor a large piece of the Internet via Google applications used by other web sites – Google maps for a description of the physical address, Google analytics for statistical purposes, YouTube presentation videos and Google search within some web sites.
Another company engaging in this kind of data collection is Facebook. A case in point is the monitoring and tracking by Facebook that was facilitated via the famous Like button. About a year ago, Facebook was monitoring potentially every web user via a rather sophisticated system. Facebook members always receive a cookie, including a unique identifier linked to their personal profile page. In addition, anyone who ever visits facebook.com, even without creating an account or logging in, receives a cookie from Facebook. Finally, Facebook was issuing cookies to every web user visiting a web site which had integrated Facebook Connect (now called Facebook for web sites), the application to log on to a web site with your Facebook username and password. So, non-members who had never even visited the facebook.com domain were receiving a cookie on their computer. From that moment on, the cookie was sending information to Facebook every time a web site with a Like button was visited, regardless of whether the button was actually clicked. This allowed Facebook to monitor individual web behavior of members and non-members. Facebook claimed the cookie setting via Connect to be a bug in the software. They fixed it after being confronted with the findings I briefly describe above (and which are more fully documented in my paper here). Nevertheless, a quite similar process was discovered last November, when it appeared that logged-out members could still be tracked due to persistence of a cookie that was supposed to expire at the end of a Facebook visit; again, it was a bug.
The question arises whether there really is a need to collect and remember all this detailed information on the browsing behavior of individuals, even when they are not a member of Facebook and have, thus, never even had the opportunity to give (or refuse) their consent. Interestingly, Facebook indicates that it is not interested in the data and that the data are not used and are deleted after 90 days. If there is no interest in the data, there seems to be no need for collecting and storing them in the first place.
Another issue has to do with the deletion of data. Facebook members can delete content they had placed on their profile pages. This deletion is a clear indication that there is no longer consent for processing these data. However, last year Max Schrems, an Austrian student and Facebook member, submitted a data subject access request to Facebook. He received the files from Facebook (1200 pages!) and it appeared that there was also information stored that was deleted. There is no interest in keeping the data for the purpose of providing the service, which includes displaying the data, so the legitimate ground for processing was no longer present. It seems that Facebook is not that careful in deciding what data to collect, store, and keep in their databases after a user deletes the data from the profile.
Taking the above examples into account, it seems that a right to be forgotten may be very difficult to enforce and impracticable to control. Data are stored, copied, and transferred in and between numerous databases and the responsible companies do not seem to be very respectful towards privacy and data protection laws. Therefore, taking a close look at the attitudes of data processing companies is important in the first place. Before discussing the right to be forgotten, an important gain can be achieved by discussing the need to be remembered. Massive, unlimited collection of data that are not necessary for running a business, and for the collection of which no consent has been obtained, should be stopped. When data are not collected at all, there is no need to forget at all.
Arnold Roosendaal LLM MPhil is a partner and researcher at Fennell Roosendaal Onderzoek en Advies in the Netherlands. He also works as a researcher at Tilburg University, where he is doing a PhD on digital representations of individuals. He has numerous international publications to his name and frequently performs as a speaker or panelist at conferences: arnold@fennellroosendaal.nl