On October 18th, I will be defending my PhD at the University of Leuven. The title of the PhD is: The Right to Erasure – Safeguard for Informational Self-Determination in a Digital Society? In this blogpost, I try to give a brief glimpse of what the PhD is about.
It is not without a sense of irony that the Internet – originally designed to make it very hard to monitor or control individual behaviour – has become the breeding ground for some of the most important information and power asymmetries of our time. One of the main elements enabling these asymmetries, primarily playing out between individuals and commercial entities, is the processing of (personal) data. This constitutes the starting point of the dissertation. With technology infiltrating ever more aspects of our daily lives, data processing by the economic operators driving the information society have an increasing impact on individuals and society at large. Golden cages are constructed around us, that anticipate and govern how we interact with the world. As such, these growing, data-driven asymmetries are affecting core values such as individual autonomy, dignity and freedom. Because a constant influx of data is what keeps the information society running, data protection law constitutes the go-to legal framework to resist and break down these golden cages.
Against this backdrop, I set out to investigate the role of individual empowerment over personal data in countering power asymmetries online. The dissertation’s modest aim was to dissect ‘data empowerment’ in the information society through the lens of the right to erasure in Article 17 of the GDPR. Indeed, it does not have the ambition to come up with a grand new theory. Instead, its starting point is a legal framework that just entered into force, i.e. the GDPR, unravel its complexities and explain how it can meaningfully contribute to data subject empowerment in the face of information and power asymmetries in the online environment. In this quest, I scrutinise and answer the following basic question(s):
Does the right to erasure meaningfully contribute to safeguarding the fundamental right to data protection in the face of online power asymmetries?
- What is the rationale of the right to erasure and when does it apply?
- How to balance rights, freedoms and interests when accommodating the right to erasure?
- What are the practical challenges to realising the right to erasure and how might they be overcome?
These questions are arranged in such a way as to reflect the logical sequence of analyses to be followed when applying the right to erasure. Firstly, one needs to know if the right can be invoked in the first place. In case the answer is yes, secondly, one needs to evaluate how the right to erasure can be applied in a balanced way, i.e. considering all interests, rights and freedoms at stake. Thirdly, if the right to erasure is applicable, and if a balance can be identified, one still needs to consider how to make it work in practice. These three steps determined the structure of this dissertation, each one being comprehensively tackled in a corresponding part.
It is hard to summarise the conclusion of a PhD in just a few blog-paragraphs. At the risk of losing a lot in translation, the following more abstract points can still be made (for a more nuanced argumentation, I invite you to read the PhD itself):
In the dissertation I make the case that data autonomy lies at the very core of the fundamental right to data protection (Art.8 Charter). The right to data protection aims to prevent control over personal data from being subsumed in relationships characterised by massive power asymmetries. As such it differs from the GDPR’s prerogative, which is to safeguard all fundamental rights and freedoms as they are affected in the context of personal data processing (Art.1 GDPR). One way in which the GDPR contributes to safeguarding the fundamental right to data protection in the Charter, is by installing empowerment measures such as data subject rights (cf. Chapter III in the GDPR).
All things considered, the right to erasure in the GDPR can be expected to contribute to data autonomy (Art.8 Charter) in the information society. But perhaps not in the way one might think at first. Indeed, the right’s main added value is how it emphasises, clarifies and centralises key data protection safeguards into one provision. Rather than being an autonomous provision data subjects can invoke against a controller, it is a convenient proxy through which individuals can ‘exercise control’. Put differently, the right to erasure constitutes a central hub for data subject empowerment in the GDPR. As such, the right to erasure has two concrete functions: firstly, it gives shape to the control/autonomy imperative of Article 8 of the Charter, putting an evocative and accessible tool in data subjects’ hands. This may prove particularly useful in an increasingly datafied environment where many rights, freedoms and interests are affected. Secondly, as an ex post empowerment measure, the right to erasure also constitutes a crucial check on whether the GDPR is safeguarded throughout the processing lifecycle. This ‘compliance-monitoring’ function might prove particularly useful in light of under-resourced data protection authorities.
Of course, the right to erasure is no silver bullet to data subject empowerment. The right to erasure and data subject empowerment measures more broadly are often criticised for over-responsibilising individuals. Also, it is not the toolbox that defines the craftmanship. What’s more, as individual measures, one may question their capability of guaranteeing data autonomy in society more broadly. Certainly, one cannot look at such empowerment measures in isolation, but needs to consider the GDPR as a whole, including the strong protective measures as well (e.g. data quality principles in Art.5 GDPR). A right or freedom should also not be actively exercised to be meaningful or enjoyed. Still, when implemented badly, the right to erasure may result in potential under- and/or over-compliance, which in turn might negatively affect other fundamental rights, freedoms and interests. Such circumstances should be avoided via interpretative guidance through co-regulatory and/or DPA initiatives but also strict enforcement.
Put *very* briefly, in the face of massive data-driven power asymmetries, a sound regulatory framework is critical in ensuring data subject empowerment. Ideally, such a framework should render the actual exercise of data subject rights superfluous, or at least only a last resort solution. The norm should be that individuals can move freely both physically and digitally. The fact that this might go against some of the predominant business-practices in today’s information society ecosystem should not mean that control is to be surrendered. Surveillance capitalism, just like environmental pollution or sub-prime lending, is not some acquired right, even if very profitable.