Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions

The European Union’s General Data Protection Regulation (GDPR) is a progressive legal requirement to protect a user’s data in the cyber space. This article discusses the controversies related to this legal doctrine and also addresses the feasibility of data protection based on current technology. One main critique of the GDPR is that it continually references how it operates to make sure no fundamental rights are broken, without ever addressing the idea of a right to privacy. Ultimately, the vague global definition of privacy is something that clouds the GDPR. Another issue with the GDPR is its approach to consent. In an effort to protect the end user’s data from becoming part of the growing market of Big Data, the GDPR makes it increasingly difficult to ask a user for consent. This creates an albeit confusing process that is critiqued for being vague. That being said, the ability to give and revoke consent seamlessly is not a technology that we have effectively mastered. One of the most important aspects of the GPDR is the fact that it is a regulatory document, rather than a directive, increasing the ability for enforcement, but a lack of technology to actually complete the laws delineated in the GDPR poses great issues. For example, the GDPR discusses an important, controversial right: the right to be forgotten. While this is a noble claim, from a computer science perspective, it is actually quite difficult to wipe someone’s data from a technological device. While computer experts are currently looking for technological solutions, this is not currently a right that can be met. Ultimately, the GDPR attempts to protect a user’s data and right to privacy, but is limited by current technological constraints.