Personal data, the right to be forgotten, and the right to acknowledge reality.

Sean Moss-Pultz
Aug 10, 2019


The term “personal data” means different things to different people. In the US, the definition is fairly narrow. In Europe, it’s literally the entry point for their General Data Protection Regulation, or GDPR.

I think the way that GDPR defines personal data is one thing Europe really got right.

They say personal data “can be any information that is related to an identified or identifiable person.”

“Any information” means that it’s, by design, meant to be as broad as possible.

That gives them plenty of room to adapt as new technologies generate new types of data that can be linked in subtle ways back to individuals. The US has all sorts of loopholes for personal data because the definition is so narrow. But let me not digress now.

What is probably not correct is how the GDPR mandates the infamous “right to be forgotten”.

Before I can explain what I don’t like about it, we need two more concepts: 1) the data controller and 2) the data processor.

A data controller is a person, public authority, or agency that processes personal data. The processor is the entity that uses the data. These can be the same entity. But often people separate the processor as being another body that uses the data on behalf of the controller.

As an example, if I have an online store and use Gmail to email my customers, then I am the data controller and Google is the data processor.

The separation is important because the data processor has additional requirements and compliance risk. If the controllers use processors that are not properly vetted, they are legally responsible.

Where things break down is when we bring in public blockchains.

Public keys are clearly personal data from the GDPR perspective. To verify a transaction in a public blockchain you need the provenance of the transaction.

How exactly can someone have the right to be forgotten in a public blockchain? Who is going to enforce removing your public key from a public blockchain? And why should your right supersede everyone’s ability to independently verify the blockchain?

AI and machine learning have similar problems. Let’s say I have a computer vision model that has been trained on your photos. What does it mean to have the right to be forgotten in this case? The whole point of machine learning is that after it has processed the data, the machine has “learned”.

Can we do machine unlearning? I don’t know.

There are also really fundamental issues for research. Let’s say I’m conducting a study on individuals who have joined with informed consent. I use their data to come up with new findings that society values. Does the right to be forgotten mean that I have to give up my rights for reproducibility from the dataset?

There are far more examples where the right to be forgotten conflicts with the right to acknowledge reality. I have a problem with this.

For me, embracing reality and learning how to deal with it effectively has been the single most important skill I’ve learned while building a company.

Reality is important. It’s also a right worth defending.


Sean Moss-Pultz

CEO of Bitmark Inc. — the property system for the digital environment. Previously: Openmoko phone. I am a digital environmentalist and an orphan of Apollo.