This paper studies the effects of the EU’s General Data Protection Regulation (GDPR) on the ability of firms to collect consumer data, identify consumers over time, accrue revenue via online advertising, and predict their behavior. Utilizing a novel dataset by an intermediary that spans much of the online travel industry, we perform a difference-in-differences analysis that exploits the geographic reach of GDPR. We find a 12.5% drop in the intermediary- observed consumers as a result of GDPR, suggesting that a nonnegligible number of consumers exercised the opt-out right enabled by GDPR. At the same time, the remaining consumers are more persistently trackable. This observed pattern is consistent with the hypothesis that privacy-conscious consumers substitute away from less efficient privacy protection (e.g, cookie deletion) to explicit opt out, a process that would reduce noise on remaining consumers and make them more trackable. Further in keeping with this hypothesis, we observe that the average value of the remaining consumers to advertisers has increased, offsetting most of the losses from consumers that opt-out. Our results highlight the externalities that consumer privacy decisions have both on other consumers and for firms.'The European Data Protection Board’s Draft Guidelines for Search Engines and the Future of the ‘Right to be Forgotten’ Online, Part 1' by David Erdos comments
Securing workable, balanced and effective individual rights regarding personal data disseminated online is vital to the future of data protection and should be a significant focus of attention for the European Data Protection Board going forward.
Consequent to the Court of Justice’s C-131/12 Google Spain (2014) judgment, the right to delisting and related ex post action by search engines has assumed particular practical importance. The European Data Protection Board (EDPB)’s draft guidelines on this topic – which recently closed for consultation – is, therefore, very welcome. Nevertheless, it is also vital that in due course the Board produce more comprehensive guidance. Indeed, under the General Data Protection Regulation (GDPR), it has a specific legal duty to “issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services” (GDPR, art. 70(1)(d)). This guidance will clearly need to encompass a much wider range of online actors than just search engines including individual websites, social networking sites such as Facebook and other online platforms such as Twitter.
Nevertheless, the current Guidelines will be important starting point and so, based on what I sent into the consultation, I set out below some thoughts on the detail of the draft and how it might be improved. This is divided into the three main topics addressed: (1) the scope of the guidance and of ex post rights vis-à-vis search engines, (2) the substantive grounds for exercising these ex post rights, and (3) the substantive exemptions from these ex post rights.Part 2 of his excellent piece is here.
Erdos' 'Disclosure, Exposure and the ʻRight to be Forgottenʼ after Google Spain: Interrogating Google Search’s Webmaster, End User and Lumen Notification Practices' (University of Cambridge Faculty of Law Research Paper No. 1/2020) argues
Google’s essentially blanket and unsafeguarded dissemination to webmasters of URLs deindexed under the Google Spain judgment involves the disclosure of the claimant’s personal data, cannot be justified either on the purported basis of their consent or that this is legally required but instead seriously infringes European data protection standards. Disclosure of this data would only be compatible with the initially contextually sensitive context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) was subject to effective safeguards that prevented any unauthorised repurposing or other use. Strict necessity thresholds would need to apply where disclosure involved special category data or was subject to reasoned objection by a data subject and international transfers would require appropriate safeguards as provided by the European Commission’s standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject’s rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of a data subject claims rights in data protection, defamation or civil privacy. The public’s legitimate interests in receiving information on personal data removals should be secured through safeguarded scientific research that the search engines should facilitate and promote.