Check-in and access this session from the IGF Schedule.

IGF 2018 WS #295
GDPR and the Right to be Forgotten: Mapping the Challenges

    Organizer 1: Prasanth Sugathan, Software Freedom Law Centre, India
    Organizer 2: Sukarn Singh Maini, SFLC.in - Software Freedom Law Centre, India
    Organizer 3: Priyanka Chaudhuri, Software Freedom Law Centre, India

    Speaker 1: Prasanth Sugathan, Civil Society, Asia-Pacific Group
    Speaker 2: William Hudson, Private Sector, Western European and Others Group (WEOG)
    Speaker 3: Judith Lichtenberg, Civil Society, Western European and Others Group (WEOG)
    Speaker 4: Daphne Keller, Civil Society, Western European and Others Group (WEOG)
    Speaker 5: Nanjira Sambuli, Civil Society, African Group

    Moderator
    Online Moderator
    Rapporteur
    Format

    Panel - 60 Min

    Interventions

    Our panel discussion will comprise of 5 experts from the industry, technical field and civil society communities. Each speaker will have a specific line of expertise and will intervene accordingly. Our moderator will open the panel discussion with a brief introduction of the topic and our panel experts, post which each member will be given an opportunity to present their views on our pre-decided issues. Around 10 minutes will be allocated to discussing each issue which gives our panelists a total of 8 minutes of speaking time including any time for discussion amongst each other. 20 minutes at the end of our panel discussion shall be reserved for audience participation, both physical and online (10 minutes each for both categories), which shall be regulated by our session moderator with assistance from our online moderator.

    Diversity

    There will be diversity amongst our speakers on the lines of gender – we will ensure proportional female and male representation. Our speakers will represent distinct stakeholder groups, will belong to different age groups and will bring about unique policy perspectives. Every effort will be made to include speakers from varied regions/ geographies by circulating session details in multiple stakeholder groups and mailing lists across nationalities.

    Our session will be in the form of a 60 minute panel discussion, bringing in experts from the multi-stakeholder community, including legal/policy professionals. Panelists will discuss some pertinent issues revolving around GDPR and the right to be forgotten. This discussion will address the following broad issues:

    1. Considering the broad wording of the right to be forgotten under GDPR (Article 17), what shall be the test to determine in which cases a request for the erasure of data shall be accepted or rejected?
    2. Should data controllers be the first forum of determination for which requests of data erasure shall be accepted and which shall not?
    3. Can other laws and regulations which affect intermediaries and determine their liability be looked at for a lead into how requests for data erasure are to be dealt with?
    4. What can other countries who are grappling with data protection regulations and privacy laws learn from the debate around right to be forgotten?
    5. How will the implementation of the Right to be Forgotten under GDPR affect jurisprudence around the subject in other jurisdictions?
    6. In what ways could the Right to be Forgotten affect access to information in the rest of the world?

    Our panel will consist of 5 experts (including the moderator) who will spend 10 minutes on each issue listed above, which gives each speaker 8 minutes per issue. 20 minutes will be set aside for audience interaction at the end of the panel discussion, divided equally between physical and online audience.

    The panel moderator will open the session and introduce each issue to the panel in detail. Having knowledge of each experts background, the moderator will be in a position to steer conversation as the discussion proceeds. Every speaker will get around 8 minutes each to present their views and the remaining 20 minutes of the allocated time will be reserved for audience partipation, split equally between physical members and the onine community.

    On May 25, 2018, the General Data Protection Regulation (“GDPR”) - a law for protecting the processing and movement of personal data of people residing within the territory of the European Union (“EU”) - came into force across the EU. The GDPR casts a wide net on organisations handling the personal data of EU citizens, introducing several key provisions like data collection, consent, data portability, data breaches, extra-territorial applicability and much more. Article 17 of the GDPR provides users with a right of erasure, or a right to be forgotten (RTBF), which essentially means that users can request data controllers under some circumstances to erase any of their personal data that the controllers possess.

    This right gives unprecedented autonomy to users to determine what personal details shall be retained by data controllers and what not. Though this provision is a step in the right direction, it might have negative ramifications too. As the right to be forgotten is broadly worded in the GDPR – enabling any user to demand that their personal data be erased by data controllers, this will lead to certain requests for erasure of data by persons who wish to hide incriminating information about themselves. As we increasingly use the Internet as a pubic directory/ news forum to obtain essential information which affects our views and decisions, this selective ‘hiding’ of data could affect the right to information and the right to freedom of expression. There is data provided to data controllers by users themselves and data which is about the users – generated by third parties. The request for erasure of this second type of data can be problematic if it is not balanced with right to information and freedom of expression.

    Our panel discussion will be centered around issues arising out of the right to be forgotten as it exists within the GDPR. Panelists and participants will discuss the challenges associated with enforcing this right within the GDPR framework, and how businesses and other controllers can reconcile its principles with data protection obligations. Emphasis will be placed on how developing nations could learn and take cue from the debate around the RTBF and adopt sound principles before plainly copy pasting regulations from Europe or other western countries.

    Online Participation

    We will have designated time (10 minutes) for online participation at the end of our panel discussion – this allocation is equal to our participation time for physical members as well. Once our session moderator closes the panel discussion and after questions from the physically present audience have been addressed, they will invite participation from the online community and pass responsibility to the online moderator for conducting the discussion.