Legal Tidbits!
We've put together this short FAQ about some of the legal details of our campaign to ask companies to delete our data.
1. What is the right to erasure?
The right to erasure (or deletion) is just one of a number of data rights that may be found in data protection law, including the European Union's new law, the General Data Protection Regulation, better known as "GDPR".
You have the right to ask that your data be deleted and, in most cases, the data controller (which in your letter is the data brokers / ad-tech companies) must comply. This right applies where there is no lawful basis for the company to keep processing data about you ("processing" includes collecting, generating, using and sharing data). The companies should fulfil your request where certain situations apply. These include where you withdraw your consent (if you even gave it in the first place) and where you object to how the companies are using your data and the company has no overriding legitimate grounds for continuing to process your data.
Privacy International considers that these companies do not have a legal basis for processing your data, which is why we have filed complaints with the appropriate regulators about their activities.
2. Where does the right to erasure apply?
The right to erasure is one of the data rights in the EU's GDPR, which took effect in May 2018. Companies have the obligation to respect the rights in GDPR if they are based in the EU or process personal data of people in the EU. The companies which PI is taking action against have operations in the EU, but where they have separate operations in other countries the data rights in GDPR will unfortunately not always apply. Whilst PI is pushing for strong data protection laws around the world and for companies to respect individuals' rights around the world, there is still a gap in legislation, implementation, and enforcement in many countries.
3. Can PI help me with this request?
Privacy International is not in a position to advise you individually on your request, but we have provided high-level directions here. We've tried to provide you with as much information upfront as possible, including some of our staff's experiences in requesting deletion of their data. Privacy International has not been, and will not be, legally representing you in connection with your request. You are responsible for providing any additional information or submissions to the companies you contact or to any regulatory body with which you may file a complaint.
4. What if the companies do not respond to my request(s)?
Before encouraging you to assert your right to erasure (deletion), some of PI's staff road-tested the process. We know it is not always smooth sailing. Our "what to expect" guide should provide you with some tips and includes suggestions if a company does not respond to your request. Companies are obliged to respond within a month (although the clock stops whilst they are waiting for you to answer any questions they may ask you - so try to respond to them quickly so as not to slow down the process). If the companies do not fulfil your request, you can complain to the Data Protection Authority where you live. A list of the Data Protection Authorities and their contact details can be found here. If you do not live in the EU, a good place to start is the Data Protection Authority of the country where the company is based. Please see our guide for more information on where the companies we have highlighted are based.
5. Are there other tools to help me exercise my data rights?
Other NGOs have been working on tools to support individuals to exercise these rights. Here are a few: Data Rights Finder, My Data Done Right, personaldata.io