Episode 16 of the “Are You DataSmart” Podcast covers the major operational issues caused Article 17 of the GDPR, Right to erasure (‘right to be forgotten’). Deleting records causes amnesia-like symptoms for businesses and will afflict every business that receives a withdrawal of consent or a notice to erase data about an individual or data subject. Specifically:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
Jay: “Are You DataSmart?” the weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.
Christian: And I’m Christian Ward. Today, we’re gonna discuss, well, a topic that’s kind of easy to forget, amnesia. Jay, I’ve been looking at the GDPR and there is a pretty serious operational deficiency that I wanna talk about, which is, it allows for people to delete records. In fact, it’s sort of a pillar of the whole concept of giving more control over your personal data to individuals. And while I certainly commend the effort, it dawned on me that there is a little bit of a problem, and we recently wrote a blog post about this. The Jason Bourne series, “The Bourne Identity,” “The Bourne Supremacy,” and “The Bourne Ultimatum” were my favorite, as a kid, growing up. Like, I read every Ludlum book after that. And partially because the thrilling nature of a secret operative having such a serious case of amnesia that he literally has to piece back together his life to figure out who he was and what he was. There’s actually, unfortunately, a lot of similarities here.
So, right now, when I read Article 17 of the GDPR, which is the right to erasure, or commonly known as the right to be forgotten, it specifically states that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her, without undue delay, and the controller shall have the obligation to erase personal data without undue delay, where one of the following grounds apply. And it goes on to explain the individual grounds. The first thing I wanted to kind of talk through is, if that is true, what is the extent to the erasure that is necessary, because it starts to present some real operational problems that I’ve seen on some other data strategies over the years. What do they really mean in terms of erasure?
Jay: Well, this situation sort of reminds me of the beginning of Monty Python’s The Holy Grail where they have the title card and they say, “We’ve sacked the people who’ve done that, and now we’ve sacked the people who’ve sacked them, and we’ve sacked the people who’ve sacked…” and it goes on forever. It’s turtles all the way down, as we like to say. And the situation with Article 17, Right of Erasure, is that if a data subject exercises a deletion request and you comply within 30 days, and you, no kidding, delete absolutely everything, well, you now have no record even of the request for the deletion. So, how can you prove that you did it? It gets into some very inception-esque difficulties in terms of proving what was done, what’s real, and what’s not. So, in general, I think, you can say that the Right of Erasure in Article 17 means, you know, just delete the data that’s no longer necessary or that’s beyond the scope of what’s originally been agreed to or if they withdraw their consent, you delete, and then, you know, you worry about the marginal cases later. But, ultimately, every case will become a marginal case if you’re not functionally segregating the data that has to be deleted from the data about the deletion of the data. And it’s a very difficult concept to get right. And people, really, it’s just the beginning of the time when the GDPR’s enforced and people are very unsure about what to do.
Christian: Yeah. I think my concern, as I was reading through this, was predicated upon a prior life experience. So, working as chief data officer in the past at a major data aggregator here in the United States, I would often, let’s say once a quarter, get a phone call from, let’s say, an irate business or a, you know, something much more serious like a shelter for battered individuals or something like that. Something that really, truly needed to be private. And our database was used to create maps back then. And I get a phone call, like…Or even from the Boy Scouts and Girl Scouts of America, you realize that all their campgrounds can never show up on a map. It’s a security request that they have to many mapping companies. Because there’s no one to…people to know that many children in one particular location, and there’s a lot of really valid reasons for other things, like military installations and such.
So, I’d get this phone call where someone would say to me, “Hey, you guys are the source of this data. Please take it out of your database.” And I would say to them, “So, you want me to delete the record?” And they would say, “Yes.” I’d say, “That’s not what you want. I think that’s what you think you want, but that’s not really what you want.” And they would continue to be mad for about 20 minutes, and then I would slowly have to explain that if I delete the record and there is no further record of them, then the very next month, when I compile and pull in external data sources, as I’m making my own database, I have nothing to compare it to, to say, “Oh, wait, that record? Don’t let that record show up again.” And so, the methodology that is really unused in most industries of data is not one called deletion, it is called suppression. And I think your point about maintaining a record of the request to delete, is the way to sort of manage suppression going forward. Because I don’t think the spirit of the law was meant to be, hey, if I delete everything and then two days later the person, the subject, the data subject, comes right back into my data coffers through some other third-party source, I don’t think the spirit of the law was that on an ongoing fashion, once again, immediately, we have that same data record. And I think they are looking for you to no longer have that record. What do you think?
Jay: I think there’s an unintentional aspect of gamesmanship that’ll apply if we’re too literal about the enforcement of Article 17. You know, consider for instance where you try to get, as you’ve written about, Christian, a first-time user benefit, you know, 10% off, free shipping, or whatever. You get that, you demand deletion, and in the very next day, you’re like, “I want the same benefits.” You create a permanent benefit and an incentive to game the system that way. In the same way, you can, if we deleted all records of who you are and the fact that you’ve requested deletion, if, as Christian says, there’s an external data source that we can pull from and you haven’t requested deletion from them and it comes back into the data that we have, we could say, “Look, we have no way of knowing and we’ve just gone right back to processing the data to begin with.”
So, I think what we have to do is craft solutions to the sort of interstitial Article 17 problem of deleting the deletion. And there are ways to do it. I mean, you can reside in the safe harbor for anonymized data, you know. You can create a hashed chart of, you know, the requests, enough to allow you to meaningfully identify who the individual is, but because it’s anonymized and you’re no longer processing the data, you’re just storing it in… For instance, in fear of a potential litigation or an audit down the line, there are justifications that you can use that actually make sense, but it does depend on the circumstances, and in some ways, it will depend on the data protection authority. You know, I can see situations where there might be a diversion between the way, you know, the ICO handles it and the way the Data Protection Commission in Ireland does. So, in order to really come up with a solution that works, you have to sort of thoughtfully process internally how you wanna deal with this issue, come up with a fairly robust explanation for what it is, document that, hold on to it, and then, you know, as time goes on, adjust.
Christian: So, I agree with that. I think I’m very concerned about how the regulars actually will interpret a logical approach to deletion. But beyond that, what do you think about sort of the process of the ongoing deletion? So, what we find in the data world a lot of times from, you know, an architecture perspective is I’m gathering data from multiple sources. That could be direct data from the data subject, such as if they open an account or they revisit my website. If that happens after a deletion request, you know, there’s an argument to be made that they’ve re-engaged with the company, they’ve recreated an account, and that sort of allows us to say, “Okay, you’ve re-engaged and that deletion request, which had been handled in the past, is no longer necessary to continue.” But I’m more concerned about the other side of data aggregation. So, for many businesses, they take a data quality, a data append approach, and they ingest lots of third-party databases to sort of augmenting the information that they have about data subjects or potential marketing subject, people they want to reach out for their products and services. So, what about the ongoing nature of it? So, do we take it literally that the request for deletion is at a moment in time or is there an approach here that says, “Look, hey, Facebook, I wanna be out of your database.” They comply, let’s say. They take me out. I’m gone. But two seconds later, someone takes a photo of me at a party and very easily they recreate my account with facial recognition. Without storing my data to some extent, to be able to say, “Oh wait, that person said they don’t wanna be in here.” How do we fight not the active re-extentiation[SP] of an account, but the passive re-instantiation of an account?
Jay: Right. If you think about the scenario where it says tag someone and they’re not on Facebook, but the person is posting a photo manually types in a name?
Christian: You can tag a dog now. So, you can tag anything.
Jay: Yeah. So, I think there’s two responses to that. The first is that because there is no universal signifier for an individual that you can identify them across systems. You can’t crosswalk[SP] Jay Ward from, you know, five or six different systems, there’s no way to say this deletion request applies to every source that you get. So, Facebook, if you’re getting information from Dropbox, you know, I didn’t request that Dropbox delete my data, but I did request that you did, and so, you’ll have to know who I am. You can’t do that. So, it is, in some ways, technologically impossible to achieve that kind of level of deletion without having it be actually suppression. I do think that longer term, you know, some of the other components of the GDPR, data portability, for instance, they want there to be systems that make it easy to transfer data across platforms. And that, I guess, is an effort to make it easier to crosswalk data, so that when a request for deletion goes out or for a request that limits processing even more than deletion, the limitations on processing become really, really complicated if you don’t have the ability to crosswalk. That’s where I can see, you know, the potential long-term for this to be a possible thing to do. But, technologically and practically, it would be very difficult to just full on delete and not have this sort of recurring problem that you’ve identified.
Christian: So, I think, then, what we’re gonna find out very quickly is, I can hear the entrepreneurial steam engines beginning to churn, which is people are gonna build platforms to analyze or to ask for deletion or removal of all data subject material. Then they’re going to use crawlers and other means to analyze what’s out there to see if they can identify that you once again have them in your data set. I think it’s a dangerous proposition for many companies where they have a deletion request and a passive recreation of an account where access point occurs. Because if that happens, it’s gonna be very hard for the company to demonstrate that they did comply. And so, that ongoing record of yes, we got the deletion request, here’s who it was, and we continued an ongoing suppression campaign… I’m hoping we that the regulators ultimately see the valid nature of that. Just like the person that called me irate to say, “Take me out of your database, you know, you can’t have a Boy Scouts or Girl Scouts of America campground address in your data set that’s showing up in maps, get it out of there,” my point to them is, you need me to maintain essentially what we call suppression tables. The suppression tables maintain an ongoing outlook to try to actively match when incoming passive data is being used in the compilation process so I can match it and then say, “You know what, that record? Don’t let that record go anywhere. Just suppress it.”
Jay: Right. And there’s precedent for that. I mean, the ICO, in the past, has issued guides about suppression in the context of direct marketing. And I think if they don’t, I think if the data protection authorities don’t at least find some way to mediate, to ameliorate rather, this problem, it’s a liability trap. Because if you don’t comply and you keep some information in the hopes that you’re going to protect, you know, the real will of the data subject, well, then you violated Article 17 and The Right of Erasure and you’ve done it intentionally. And so, the penalties and fines can be commensurate for an intentional violation of the GDPR. If you do fully delete everything and you don’t maintain a record of it and then the data comes back in through a passive channel and you keep that information, now you have unintentionally, but nevertheless, still violated the GDPR because you’re processing the data of the data subject after a deletion request. So, this is one of those instances where there’s no clarity because the regulation, the text of the regulation, doesn’t presuppose every scenario, and so we have to wait for guidance. So, there’s this sort of like terrifying and feeling of, right, well, what’s gonna happen next? Kind of like a Jason Bourne movie. Although, more like the Great Wall where you’re watching it and you’re wondering like, “Oh god, why is Matt Damon doing this?” You know? I think that’s a better example because you have no idea what’s going to happen and you just know that either way, you’re gonna be filtered for [inaudible 00:14:24]. So, if we don’t get clarity from the regulators soon, I think everybody’s gonna be in this position where they’re sort of halfway through full deletion and not. And that’s a troubling prospect.
Christian: Yeah. I agree. I think, ultimately, the process will both protect businesses and individuals if a middle ground can be found between a chaos of total deletion, which ultimately opens up all of these problems to the more ordered path, which is deleting any use, access or ongoing passage of data from one business to another, which actually is a little bit the way the CCPA is going for a solution to this. The California Consumer Privacy Act doesn’t have the concept of deletion. It has the concept around not allowing data to be passed on to an additional process or an additional party. And so, really, what you’re doing is allowing for suppression to occur. Again, I think that’s where this probably ends up a little bit more likely. Although, deletion, to some extent, still makes sense. So, it’s gonna have to be a middle road. Otherwise, I know a lot of people are gonna get 50,000 sky miles with five credit cards over five months, and very quickly be anointed the world’s largest sky mile holder due to the ability to remove, and then once again, first time apply, because that’s definitely going to happen.
Jay: Yeah. I mean, again, if you don’t think that people will find these sort of, as I call them, interstitial parts of the GDPR and take advantage of them, you’ve never experienced working in commerce, because this is exactly what people do. It’s like…it reminds me of the guy who got 7 million Pepsi points or whatever it was and said that he wanted an elephant, and the courts were like, “Well, I mean, you kinda got to give this guy an elephant. [inaudible 00:16:15].” They backed off of that, of course, but, you know, there will always be people who game the system just because they can game the system. And this is an invitation for that.
Christian: Excellent. Well, we’re gonna dive into suppression further in the blog post in the weeks to cover more of the features and functions operationally of how a business should think about complying with deletion, but maintaining a concept or some level of record, so that you can actually suppress data in an ongoing manner, because the passive ingestion and creation of accounts following a deletion request is probably the most thorny portion of this subject. So, that ends this episode of “Are You DataSmart?” We thank you for being with us and we look forward to talking to you next time. Thanks again.