Why does one want to be forgotten?
Have you ever wondered if that embarrassing photo of yours from college days still exists somewhere in the vast World Wide Web? What if it was a comment on an online discussion forum falsely accusing you of a crime? Since the rise of social media, we have been warned that everything you do online will likely be there forever, exposed to the public.
On top of your data exposed on the internet, recent scandals in 2018 revealed just how much companies are collecting your private data with or without your knowledge. The Cambridge Analytica incident showed how customer data can be shared and abused by companies.
Sutapa Amornvivat, PhD, is CEO of SCB ABACUS, an AI-powered data analytics subsidiary of Siam Commercial Bank, where she previously headed the Economic Intelligence Centre and the Risk Analytics Division. She received a BA from Harvard and a PhD from MIT. email Scbabacus@scb.co.th.
With the arrival of the "right to be forgotten" in the EU's General Data Protection Regulations (GDPR), you can now ask companies to delete such personal data.
So, what exactly is the right to be forgotten?
It is the concept that people should have the right to ask companies to delete data collected about them. The idea is that personal data belongs to people, and they should be able to delete it, as and when they wish.
Despite being a current buzz-phrase, the right to be forgotten is nothing new. It has been officially recognised in France's laws since 2010. In 2014, a Spanish man asked Google to delete information about him from the past which appeared in its search results; the Court of Justice of the European Union (CJEU) ruled in favour of his right to be forgotten based on what is implicitly suggested in the EU's Charter of Fundamental Rights for European citizens. That ruling mandated that Google must accept requests to delist websites to protect user privacy.
The renewed interest in the right to be forgotten came in 2018 as the EU's General Data Protection Regulations (GDPR) took effect which made this right explicit. It is also one of the most controversial and difficult rules to comply with.
Why is it controversial?
The Google Spain case sparked a major debate over whether this law is just, and rightly so. This debate is highly relevant for Thailand now as we will soon embrace the new data protection laws. Several key questions stemming from the debate remain unanswered.
Firstly, does the "right to be forgotten" of an individual interfere with the "right to know" of the public? The flip side of erasing a piece of information is that it is no longer available to the public. Giving courts and governments the authority to delete data by exercising the right to be forgotten could lead to a slippery slope of power abuse (such as mass censorship). In George Orwell's classic novel 1984, the fictional Ministry of Truth has the power to rewrite history. Are we ready for the possibility of such authority? Moreover, making certain information accessible for some, but not others, could worsen inequality among the public.
Currently, the data to be erased must be deemed "irrelevant, outdated, excessive, or inaccurate". But who should be responsible for this decision? This blurred line can be a threat to freedom of speech. The rule of thumb, for now, is whether knowing a given piece of information is beneficial to the public.
Why is it difficult to comply?
Secondly, is it even possible to erase history? Suppose that it is deemed necessary to delete someone's data. Stories are rarely about one person. It is not easy to delete information about one individual without affecting others.
Say, if a customer requests a bank to erase his data, deleting his profile would be the obvious step. The hard part is how to best handle transaction data. Should money transfer information to this customer be deleted as well? Should it be kept as is, kept partially (changed to money transferred to an anonymous person), or deleted entirely?
Imagine a web of information that links a large network of individuals. How do we deal with the situation when an individual's data is embedded in a complex algorithm? How far should a company go to erase all traces of a user's history? Clear boundaries will need to be defined if we are to institute such a right.
The problem could get even more complicated in the case of blockchain, the new decentralised ledger technology set to disrupt banking and many other industries. The core promise of blockchain is that once a block of data is added to the chain (the ledger), it cannot be altered or deleted. This immutability makes the system trustworthy. New research is being done to address the right to be forgotten in blockchain, but this could defeat blockchain's purpose. As many companies adopting the technology, the tension with the new laws will only multiply.
Are companies prepared?
Heavy fines and penalties are at stake. Failure to comply with the GDPR, including the right to be forgotten, can result in a fine of up to 20 million euros or 4% of worldwide annual revenue. Some countries such as Italy, Austria and Germany, impose an additional penalty of imprisonment for company directors.
Based on the current trend, it is possible that the right to be forgotten will soon arrive in Thailand. Companies that are collecting and processing customer data should be prepared. The first step would be to recognise the importance of customer privacy and understand exactly what kind of customer data you are collecting and processing.
The concern for data privacy will become increasingly significant especially when companies try to strike a balance between data privacy and optimal user experience design. Too strict of a law could be a double-edged sword. One clear example is that now we are forced to accept long, cryptic terms of service, instead of seeing what is really important.
Ensuring the right to be forgotten represents a step forward for privacy protection in this age of technology. However, in practice, there is still a considerable gap between concept and implementation. Moving forward without addressing the complex reality of implementation would mean the risk of taking one step forward, but two steps back.