The General Data Protection Regulation

The enforcement of the GDPR on the 25th of May 2018 has caused prolonged controversy due to the severe impact on the processing of personal data under this new regulation. Of its provisions, the most radical and controversial one is the “Right to be Forgotten” (RtbF). In simple terms, the RtbF—along with the provisions for withdrawing consent—allows individuals, under certain conditions, to request the retroactive erasure of all of their personal data. In this chapter, we present the main data protection principles enshrined in the GDPR, and we explore the various notions of forgetting and the need to be forgotten—including the case of revoking consent—both in the social and in the technical context. In this regard, we review all controversies around the new stringent definitions of consent revocation and the RtbF in reference to their impact on privacy and data protection rights. Furthermore, we document frequent consent misuses as well as current frameworks for managing and revoking consent. We also shed light on the common misconception that equates the RtbF defined under the GDPR with the one enforced by the CJEU decision in the Google Spain case in 2014.

Notes

The Article 29 Working Party (WP29), set up under Article 29 of Directive 95/46/EC (DPD), is an independent European advisory body on data protection and privacy bringing together the European Union’s national data protection authorities. As from 2018 the Article 29 Working Party has been transitioned into a new legal framework under the GDPR, the European Data Protection Board (EDPB).

Homomorphic encryption allows computations to be carried out on the ciphertext without decrypting it first and thus, the encrypted result, when decrypted, matches the result of operations performed on the plaintext. Homomorphic encryption has been employed, among others, in pilot studies for protecting the privacy of genomic information [60, 61].

See footnote 40.

References

  1. European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. Eur. Union L119, 1–88 (2016)
  2. Data Protection Directive, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Off. J. Eur. Union L281, 31–50 (1995)
  3. P. de Hert, V. Papakonstantinou, The new general data protection regulation: still a sound system for the protection of individuals? Comput. Law Secur. Rev. 32(2), 179–194 (2016)
  4. A. Cavoukian, Privacy by design—The 7 foundational principles (2011)
  5. M. Langheinrich, Privacy by design-principles of privacy-aware ubiquitous systems, in International Conference on Ubiquitous Computing (Springer, 2001), pp. 273–291
  6. M. Oostveen, K. Irion, The golden age of personal data: How to regulate an enabling fundamental right?, in Personal Data in Competition, Consumer Protection and Intellectual Property Law. (Springer, 2018), pp. 7–26
  7. L. Edwards, Privacy, security and data protection in smart cities: a critical EU law perspective. Eur Data Prot L Rev 2, 28 (2016)
  8. I.H. Gleibs, Turning virtual public spaces into laboratories: thoughts on conducting online field studies using social network sites. Anal. Soc. Issues Public Policy 14(1), 352–370 (2014)
  9. P.D. Reynolds, Ethical Dilemmas and Social Science Research (Jossey-Bass Inc Pub, San Francisco, USA, 1979)
  10. B. Hofmann, Broadening consent—And diluting ethics? J. Med. Ethics 35(2), 125–129 (2009)
  11. J.P. Ioannidis, Informed consent, big data, and the oxymoron of research that is not research. Am. J. Bioethics 13(4), 40–42 (2013)
  12. M.A. Rothstein, A.B. Shoben, An unbiased response to the open peer commentaries on “does consent bias research?”. Am. J. Bioethics 13(4), W1–W4 (2013)
  13. F. Stevenson, N. Lloyd, L. Harrington, P. Wallace, Use of electronic patient records for research: views of patients and staff in general practice. Family Practice 30(2), 227–232 (2012)
  14. M. Sheehan, Can broad consent be informed consent? Public Health Ethics 4(3), 226–235 (2011)
  15. K.S. Steinsbekk, B.K. Myskja, B. Solberg, Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur. J. Hum. Gen. 21(9), 897–902 (2013)
  16. J. Katz, Informed consent-must it remain a fairy tale. J. Contemporary Health Law Policy 10, 69–91 (1994)
  17. C.M. Simon, J. L’heureux, J.C. Murray, P. Winokur, G. Weiner, E. Newbury, L. Shinkunas, B. Zimmerman, Active choice but not too active: public perspectives on biobank consent models. Gen. Med. 13(9), 821–831 (2011)
  18. B. Brown, A. Weilenmann, D. McMillan, A. Lampinen, Five provocations for ethical HCI research, in Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (ACM, 2016), pp. 852–863
  19. E.C. Hayden, A broken contract. Nature 486(7403), 312–314 (2012)
  20. M. Mostert, A.L. Bredenoord, M.C. Biesaart, J.J. van Delden, Big Data in medical research and EU data protection law: challenges to the consent or anonymise approach. Eur. J. Hum. Gen. 2, 956–960 (2015)
  21. P. Bernal, Collaborative consent: harnessing the strengths of the internet for consent in the online environment. International Rev. Law Comput. Technol. 24(3), 287–297 (2010)
  22. J. Kaye, E.A. Whitley, D. Lund, M. Morrison, H. Teare, K. Melham, Dynamic consent: a patient interface for twenty-first century research networks. Eur. J. Hum. Gen. 23(2), 141–146 (2015)
  23. T. Ploug, S. Holm, Meta consent: a flexible and autonomous way of obtaining informed consent for secondary research. BMJ: Br. Med. J. 350 (2015)
  24. S. Barocas, H. Nissenbaum, Big data’s end run around procedural privacy protections. Commun. ACM 57(11), 31–33 (2014)
  25. F.H. Cate, V. Mayer-Shönberger, Notice and consent in a world of Big Data. Int. Data Privacy Law 3(2), 67–73 (2013)
  26. J. Hemerly, Public policy considerations for data-driven innovation. Computer 46(6), 25–31 (2013)
  27. B.D. Mittelstadt, L. Floridi, The ethics of big data: current and foreseeable issues in biomedical contexts. Sci. Eng. Ethics 22(2), 303–341 (2016)
  28. O. Tene, J. Polonetsky, Big data for all: Privacy and user control in the age of analytics. Nw. J. Tech. Intell. Prop. 11, xxvii
  29. E. Luger, T. Rodden, An informed view on consent for UbiComp, in Proceedings of the 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing (ACM, 2013), pp. 529–538
  30. A. Morrison, D. McMillan, M. Chalmers, Improving consent in large scale mobile hci through personalised representations of data, in Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational (ACM, 2014), pp. 471–480
  31. L. Curren, J. Kaye, Revoking consent: a ‘blind spot’ in data protection law? Comput. law Secur. Rev. 26(3), 273–283 (2010)
  32. E.A. Whitley, Informational privacy, consent and the “control” of personal data. Inf. Secur. Tech. Rep. 14(3), 154–159 (2009)
  33. S. Benford, C. Greenhalgh, B. Anderson, R. Jacobs, M. Golembewski, M. Jirotka, B.C. Stahl, J. Timmermans, G. Giannachi, M. Adams et al., The ethical implications of HCI’s turn to the cultural. ACM Trans. Comput.-Hum. Interact. (TOCHI) 22(5), 24 (2015)
  34. J. Kaye, The tension between data sharing and the protection of privacy in genomics research. Annu. Rev. Genom. Human Gen. 13, 415–431 (2012)
  35. S. Holm, Withdrawing from research: a rethink in the context of research biobanks. Health Care Anal. 19(3), 269 (2011)
  36. O. Parry, N.S. Mauthner, Whose data are they anyway? Practical, legal and ethical issues in archiving qualitative research data. Sociology 38(1), 139–152 (2004)
  37. A.D. Kramer, J.E. Guillory, J.T. Hancock, Experimental evidence of massive-scale emotional contagion through social networks. Proc. Natl. Acad. Sci. 111(24), 8788–8790 (2014)
  38. J. Jouhki, E. Lauk, M. Penttinen, N. Sormanen, T. Uskali, Facebook’s emotional contagion experiment as a challenge to research ethics. Media Commun. 4(4), 75–85 (2016)
  39. R. Schroeder, Big Data and the brave new world of social media research. Big Data Soc. 1(2), 2053951714563194 (2014)
  40. R.M. Bond, C.J. Fariss, J.J. Jones, A.D. Kramer, C. Marlow, J.E. Settle, J.H. Fowler, A 61-million-person experiment in social influence and political mobilization. Nature 489(7415), 295–298 (2012)
  41. E.O. Kirkegaard, J.D. Bjerrekær, The OKCupid dataset: a very large public dataset of dating site users. Open Differ. Psychol. 46 (2016)
  42. M. Zimmer, “But the data is already public”: on the ethics of research in Facebook. Ethics Inf. Technol. 12(4), 313–325 (2010)
  43. K. Lewis, J. Kaufman, M. Gonzalez, A. Wimmer, N. Christakis, Tastes, ties, and time: a new social network dataset using Facebook.com. Social Netw. 30(4), 330–342 (2008)
  44. I. Brown, L. Brown, D. Korff, Using NHS patient data for research without consent. Law Innov. Technol. 2(2), 219–258 (2010)
  45. F. Pelliccia, G. Rosano, Medical research could soon be jeopardized by new European union data protection regulations. Euro. Heart J. 35(23), 1503–1504 (2014)
  46. M. Ploem, M. Essink-Bot, K. Stronks, Proposed EU data protection regulation is a threat to medical research. BMJ 346 (2013)
  47. P. Quinn, A.K. Habbig, E. Mantovani, P. De Hert, The data protection and medical device frameworks-obstacles to the deployment of mHealth across Europe? Eur. J. Health Law 20(2), 185–204 (2013)
  48. G. Rosano, F. Pelliccia, C. Gaudio, A.J. Coats, The challenge of performing effective medical research in the era of healthcare data protection. Int. J. Cardiology 177(2), 510–511 (2014)
  49. J.M.M. Rumbold, B. Pierscionek, The effect of the General Data Protection Regulation on medical research. J. Med. Internet Res. 19(2) (2017)
  50. P. Lee, K. Pickering, The general data protection regulation: a myth-buster. J. Data Protect. Privacy 1(1), 28–32 (2016)
  51. C. Bartolini, L. Siry, The right to be forgotten in the light of the consent of the data subject. Comput. Law Secur. Rev. 32(2), 218–237 (2016)
  52. Article 29 Data Protection Working Party, Opinion 15/2011 on the Definition of Consent. WP 187. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf (2011)
  53. E. Vayena, A. Mastroianni, J. Kahn, Caught in the web: informed consent for online health research. Sci. Transl. Med. 5(173), 173fs6 (2013)
  54. H.C. Pöhls, Verifiable and revocable expression of consent to processing of aggregated personal data, in International Conference on Information and Communications Security (Springer, 2008), pp. 279–293
  55. E.A. Whitley, N. Kanellopoulou, Privacy and informed consent in online interactions: evidence from expert focus groups, in International Conference on Information Systems (ICIS) (Association for Information Systems, 2012)
  56. J. Kaye, L. Curren, N. Anderson, K. Edwards, S.M. Fullerton, N. Kanellopoulou, D. Lund, D.G. MacArthur, D. Mascalzoni, J. Shepherd et al., From patients to partners: participant-centric initiatives in biomedical research. Nat. Rev. Gen. 13(5), 371–376 (2012)
  57. G. Karjoth, M. Schunter, M. Waidner, Platform for enterprise privacy practices: privacy-enabled management of customer data, in International Workshop on Privacy Enhancing Technologies (Springer, 2002), pp. 69–84
  58. S. Pearson, M. Casassa-Mont, Sticky policies: an approach for managing privacy across multiple parties. Computer 44(9), 60–68 (2011)
  59. M.C. Mont, S. Pearson, P. Bramhall, Towards accountable management of identity and privacy: sticky policies and enforceable tracing services, in Proceedings of 14th International Workshop on Database and Expert Systems Applications, 2003 (IEEE, 2003), pp. 377–382
  60. E. Ayday, J.L. Raisaro, J.P. Hubaux, Privacy-enhancing technologies for medical tests using genomic data. Technical Report (2012)
  61. Y. Erlich, A. Narayanan, Routes for breaching and protecting genetic privacy. Nat. Rev. Gen. 15(6), 409–421 (2014)
  62. C. Stuntz, What is homomorphic encryption, and why should I care. Craig Stuntz Weblog (2010)
  63. C. Gentry et al., Fully homomorphic encryption using ideal lattices. STOC 9, 169–178 (2009)
  64. D. Micciancio, A first glimpse of cryptography’s holy grail. Commun. ACM 53(3), 96 (2010)
  65. L. Urquhart, T. Rodden, New directions in information technology law: learning from human-computer interaction. Int. Rev. Law Comput. Technol. 31(2), 150–169 (2017)
  66. D. Le Métayer, S. Monteleone, Automated consent through privacy agents: legal requirements and technical architecture. Comput. Law Secur. Rev. 25(2), 136–144 (2009)
  67. S. Spiekermann, A. Novotny, A vision for global privacy bridges: technical and legal measures for international data markets. Comput. Law Secur. Rev. 31(2), 181–200 (2015)
  68. J. Rooksby, P. Asadzadeh, A. Morrison, C. McCallum, C. Gray, M. Chalmers, Implementing ethics for a mobile app deployment, in Proceedings of the 28th Australian Conference on Computer-Human Interaction (ACM, 2016), pp. 406–415
  69. E. Maler, Extending the power of consent with user-managed access: a standard architecture for asynchronous, centralizable, internet-scalable consent, in Security and Privacy Workshops (SPW). (IEEE, 2015), pp. 175–179
  70. M. Lizar, D. Turner, Consent Receipt Specification, Version 1.1.0. https://kantarainitiative.org/file-downloads/consent-receipt-specification-v1-1-0/ (2018)
  71. T.C. Styliari, M. Nati, Researching the transparency of personal data sharing: designing a concert receipt. Digital Catapult (2016)
  72. L.J. Bannon, Forgetting as a feature, not a bug: the duality of memory and implications for ubiquitous computing. CoDesign 2(01), 3–15 (2006)
  73. P. Connerton, Seven types of forgetting. Memory Stud. 1(1), 59–71 (2008)
  74. N. Tirosh, Reconsidering the “Right to be forgotten”—Memory rights and the right to memory in the new media era. Media Culture Soc. 39 (2015)
  75. P. Ricoeur, Memory, History, Forgetting (University of Chicago Press, 2004)
  76. M. Volf, The End of Memory: Remembering Rightly in a Violent World (Wm. B. Eerdmans Publishing, 2006)
  77. F. Nietzsche, On the Use and Abuse of History for Life (1874)
  78. V. Mayer-Shönberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton University Press, 2011)
  79. E.S. Parker, L. Cahill, J.L. McGaugh, A case of unusual autobiographical remembering. Neurocase 12(1), 35–49 (2006)
  80. J.L. Borges, Funes, the memorious, in Avon Modern Writing No. 2 (Avon Books, 1954)
  81. J.F. Blanchette, D.G. Johnson, Data retention and the panoptic society: the social benefits of forgetfulness. Inf. Soc. 18(1), 33–45 (2002)
  82. A.L. Allen, Dredging up the past: lifelogging, memory, and surveillance. Univ. Chicago Law Rev. 75(1), 47–74 (2008)
  83. J.A. Burkell, Remembering me: big data, individual identity, and the psychological necessity of forgetting. Ethics Inf. Technol. 18(1), 17–23 (2016)
  84. M. Hand, Persistent traces, potential memories: smartphones and the negotiation of visual, locative, and textual data in personal life. Convergence 22(3), 269–286 (2016)
  85. N.N.G. de Andrade, Oblivion: the right to be different from oneself: re-proposing the right to be forgotten, in The Ethics of Memory in a Digital Age (Springer, 2014), pp. 65–81
  86. M. Dodge, R. Kitchin, “Outlines of a world coming into existence”: pervasive computing and the ethics of forgetting. Environ. Plan. B: Plan. Des. 34(3), 431–445 (2007)
  87. J. Bentham, Panopticon or the Inspection House vol 2 (Payne, London, 1791)
  88. L. Gorzeman, P. Korenhof, Escaping the panopticon over time. Philos. Technol. 30(1), 73–92 (2017)
  89. J. Rosen, The Web Means the End of Forgetting. http://www.nytimes.com/2010/07/25/magazine/25privacy-t2.html (2010)
  90. D.J. Solove, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press, 2007)
  91. J. Hendler, Web 3.0 emerging. Computer 42(1) (2009)
  92. C. Bizer, T. Heath, T. Berners-Lee, Linked data-the story so far, in Semantic Services, Interoperability and Web Applications: Emerging Concepts, pp. 205–227
  93. C. Gurrin, H. Lee, J. Hayes, iForgot: a model of forgetting in robotic memories, in 5th ACM/IEEE International Conference on Human-Robot Interaction (HRI) (IEEE, 2010), pp. 93–94
  94. C. Sas, S. Whittaker, Design for forgetting: disposing of digital possessions after a breakup, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (ACM, 2013), pp. 1823–1832
  95. S. Kulk, F.Z. Borgesius, Google Spain v. González: did the court forget about freedom of expression. Eur. J. Risk Reg. 5, 389 (2014)
  96. V. Mayer-Shönberger, Omission of search results is not a “right to be forgotten” or the end of google. Guardian 13 (2014)
  97. K. O’Hara, The right to be forgotten: The good, the bad, and the ugly. IEEE Internet Comput. 19(4), 73–79 (2015)
  98. R.M. Baum, It’s Not Censorship. http://cen.acs.org/articles/92/i22/s-Censorship.html (2014)
  99. A. Mantelero, The EU proposal for a general data protection regulation and the roots of the “right to be forgotten”. Comput. Law Secur. Rev. 29(3), 229–235 (2013)
  100. W.G. Voss, C. Castets-Renard, Proposal for an international taxonomy on the various forms of the “right to be forgotten”: a study on the convergence of norms. Colorado Technol. Law J. 14(2), 281–344 (2016)
  101. European Data Protection Supervisor, Opinion of the EDPS on the Data Protection Reform Package. https://edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf (2012)
  102. B.J. Koops, Forgetting footprints, shunning shadows: a critical analysis of the “right to be forgotten” in big data practice. SCRIPTed 8 (2011)
  103. N. Xanthoulis, The right to oblivion in the information age: a human-rights based approach. US-China Law Rev. 10, 84 (2013)
  104. J. Ausloos, The “right to be forgotten”—worth remembering? Computer Law Secur. Rev. 28(2), 143–152 (2012)
  105. European Convention on Human Rights, Convention for the protection of human rights and fundamental freedoms (European convention on human rights, as amended) (ECHR) (1950)
  106. J. Rosen, The right to be forgotten. Stan. L. Rev. Online 64, 88 (2011)
  107. B. Malle, P. Kieseberg, E. Weippl, A. Holzinger, The right to be forgotten: towards machine learning on perturbed knowledge bases, in International Conference on Availability, Reliability, and Security (Springer, 2016), pp. 251–266
  108. D.C. Nunziato, The death of the public forum in cyberspace. Berkeley Technol. Law J. 20, 1115–1757 (2005)
  109. A.H. Stuart, Google search results: buried if not forgotten. NCJL Tech. 15, 463 (2013)
  110. L. Mitrou, M. Karyda, EU’s data protection reform and the right to be forgotten: a legal response to a technological challenge? in 5th International Conference of Information Law and Ethics 2012 (2012)
  111. D. Lindsay, The “Right to be Forgotten” Is Not Censorship. http://www.monash.edu/news/opinions/the-right-to-be-forgotten-is-not-censorship (2012)
  112. P. Korenhof, Forgetting bits and pieces: an exploration of the right to be forgotten in online memory process, in Tilburg Institute for Law and Technology Working Paper Series, vol. 4, issue 6 (2013)
  113. M.L. Ambrose, Speaking of forgetting: analysis of possible non-EU responses to the right to be forgotten and speech exception. Telecommun. Policy 38(8), 800–811 (2014)
  114. S.C. Bennett, The right to be forgotten: reconciling EU and US perspectives. Berkeley J. Int’l L 30, 161 (2012)

Author information

Authors and Affiliations

  1. Department of Informatics, University of Piraeus, Piraeus, Greece: Eugenia Politou, Efthimios Alepis, Maria Virvou & Constantinos Patsakis

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Politou, E., Alepis, E., Virvou, M., Patsakis, C. (2022). The General Data Protection Regulation. In: Privacy and Data Protection Challenges in the Distributed Era. Learning and Analytics in Intelligent Systems, vol 26. Springer, Cham. https://doi.org/10.1007/978-3-030-85443-0_3
