Jun 30, 2020
By: Silvio Micali
Article 17 of the European Union’s General Data Protection Regulation establishes the right to erasure of personal data (‘right to be forgotten’, RTBF). To be sure, data privacy laws and different forms of the RTBF are not unique to the European Union. Other legal systems, such as those of Brazil, Australia, or Canada, have similar or stricter rules. But such laws exceed the scope of this blog, which is solely concerned with the European Union’s RTBF.
The RTBF applies to personal data only: name, birthdate, government identifier, residential address, employer, education, bank account #, credit card #, blood type, gender, sexual orientation, marital status, language, disability, religion, etc. More generally, it may apply to any piece of data which, when considered alone or in combination with other data in the possession of a data collector, can identify the data subject.
This said, the RTBF does not give the data subject an absolute right to erase her data whenever she wants. For example, when applying for a mortgage, the borrower may consensually give the lender all kinds of relevant personal information to keep at least for the duration of the loan, in which case the borrower has no RTBF. More generally, the RTBF does not apply to non-personal data. It does not guarantee privacy, for instance, about the price paid to purchase a given piece of real estate. Such information may be protected contractually, but not under the RTBF or other data privacy laws.
In strict data privacy jurisdictions, the basic rule on the storage of personal data requires that such data must be (1) stored or processed with the specific consent of the data subject and (2) tagged and clearly associated with such consent. How these consent and tagging requirements are implemented is a very important and challenging topic, but it is not my focus here. Neither is it my goal to explain in which cases the RTBF will be upheld in any given jurisdiction.
My focus is on personal data that, after having been made available (for whatever reason), must be erased (no matter how, why, and by whom this erasure is requested).
More precisely, my focus is on RTBF compliance for truly decentralized, permissionless blockchains in general, and for the Algorand blockchain in particular.