A Policy-Based Conjunctive Scheme for Digital Forgetting of Co-Owned Data

The Right to be Forgotten (RTBF) was first established as the result of the ruling of Google Spain SL, Google Inc. v AEPD, Mario Costeja González, and was later included as the Right to Erasure under the General Data Protection Regulation (GDPR) of European Union to allow individuals the right to request personal data be deleted by organizations. Specifically for search engines, individuals can send requests to organizations to exclude their information from the query results. It was a significant emergent right as the result of the evolution of technology. With the recent development of Large Language Models (LLMs) and their use in chatbots, LLM-enabled software systems have become popular. But they are not excluded from the RTBF. Compared with the indexing approach used by search engines, LLMs store, and process information in a completely different way. This poses new challenges for compliance with the RTBF. In this paper, we explore these challenges and provide our insights on how to implement technical solutions for the RTBF, including the use of differential privacy, machine unlearning, model editing, and guardrails. With the rapid advancement of AI and the increasing need of regulating this powerful technology, learning from the case of RTBF can provide valuable lessons for technical practitioners, legal experts, organizations, and authorities.

This research tests the presence of a difference of approaches to the Right to Be Forgotten (RTBF), as introduced in Article 17 of the General Data Protection Regulation (GDPR), in the media and public sphere. The focus is put on how European and US newspapers have framed the Right between 2010 and 2018. The objective is to understand how news media have presented and described the RTBF to their readers at the national level in Italy, the UK, and the US, and how such discourses reflect alleged cultural disparities. The RTBF is hereby conceptualized as a multi-dimensional notion. It is argued that the Right can be seen from perspectives other than those related to free speech and privacy, as advanced by the academic literature. The umbrella concept of transparency is introduced as a new way to frame the RTBF, concerning transparency for and from the people, on an individual level. On the one hand, Article 17 GDPR refers to a right to transparency for the people, to know and access lawful online information about, in particular, public figures or criminals. The notion also entails a form of transparency from the people: individuals should be transparent about their past, in real life and online. On the other hand, the RTBF can also refer to a right to be “not fully transparent” online, or a right to non-transparency from the people. This implies that not all information should be published on the Internet, especially when it represents personal and sensitive data.

Right to be Forgotten (RTBF) is a legal concept representing an individual's right to control their personal data held by an electronic system operator. The legal basis for implementing the RTBF in Indonesia is outlined in Article 26 (3) and Article 26 (4) of the ITE Law, which were adopted through the first international regulation recognizing RTBF, namely Article 17 of the General Data Protection Regulation 2016. However, the implementation of RTBF in Indonesia remains a subject of debate. One of the reasons is that the ITE Law only obliges electronic system operators to provide mechanisms for deleting irrelevant information or electronic documents but does not impose sanctions on those who refuse to accept requests for data removal. This results in legal ambiguity within the ITE Law, particularly in Article 26 (3) and Article 26 (4), which form the basis for implementing the RTBF concept in Indonesia. This article aims to conduct a comparative legal approach to the implementation of RTBF in Indonesia and several other countries where RTBF has already been applied. The goal is to identify adoption models that can be considered for implementation in Indonesia to address the regulatory uncertainties surrounding RTBF implementation. The research yields several key points of discussion, including: (1) The limits of RTBF usage in Indonesia; and (2) A comparison of RTBF in Indonesia with other countries that have also implemented RTBF as a means of protecting personal data.

This article redefines the right to be forgotten (RTBF) as the key element of digital constitutionalism, paying attention to both its strictly legal and normative embodiment in Pakistan. It places the right in the context of the larger developmentof data subject rights and relies on the original jurisprudence such as the Google Spain judgment and the General Data Protection Regulation (GDPR) in the EU. The article criticizes the constitutional silence of Pakistan through a theoretical approach based on autonomy, human dignity and informational self-determination and then assesses the legislative gap on data deletion. In contrast, Latvia proposes a good example of Article 96 of the Constitution, Personal Data Processing Law, 2018, and the important position of the Data State Inspectorate. Based on the comparative constitutional approach, the article has provided a solid legal roadmap of Pakistan; it has suggested the amendment of the Constitution, the formulation of a data protection law, and the creation of an independent regulatory body. Finally, the article develops the right-based solution to digital privacy, which is vital to maintaining human dignity in the age of the algorithm. Keywords: Data Protection; Digital Privacy; Latvia; Pakistan; Right to Be Forgotten.

The right to be forgotten (RTBF) refers to an individual's ability to request that a search engine remove links to information about himself or herself from search results. The RTBF has been the law of the land in Europe since a 2014 ruling by the Court of Justice, and it has fervent supporters in many parts of the world, but archivists, librarians, and others whose business it is to provide public access to information have challenged it internationally. This article reviews the legal and historical background of the RTBF, outlines some recent applications of the 2014 ruling, and briefly introduces the new European General Data Protection Regulation (GDPR). It concludes with a discussion of several specific points where the right to be forgotten comes into tension with the professional values of archivists, including their values of accountability, the preservation of the historical record, and equal access to information.

In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step toward designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL and (4) the set of 20 variations points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it and future directions for research.

In the digital era, data privacy has become a critical issue as vast amounts of personal information are collected, processed, and stored by corporations, governments, and online platforms. The growing reliance on data-driven technologies, including artificial intelligence and big data analytics, has heightened concerns over the security and ethical handling of personal data. Amid these concerns, the Right to Be Forgotten (RTBF) has emerged as a legal and ethical concept aimed at granting individuals’ greater control over their digital footprint. This right, enshrined in the European Union’s General Data Protection Regulation (GDPR), allows individuals to request the removal of their personal data from search engine results and other online repositories when it is no longer relevant, necessary, or lawfully processed. While RTBF enhances personal autonomy and privacy, it presents significant challenges, including conflicts with freedom of expression, the practicality of enforcement across jurisdictions, and the implications for transparency in digital records. Additionally, the implementation of RTBF varies globally, with jurisdictions like the United States resisting its adoption due to strong protections for free speech. The tension between privacy rights and public interest necessitates a nuanced approach to data governance, incorporating technological solutions such as differential privacy and automated compliance mechanisms. As digital ecosystems expand, policymakers must balance privacy protections with the legitimate interests of businesses, media, and society at large. This paper explores the legal, ethical, and technical dimensions of RTBF, providing a comparative analysis of global frameworks and proposing policy recommendations to ensure effective data privacy governance in an increasingly interconnected world.

This article examines the escalating legal and philosophical conflict between the individual’s right to be forgotten (RTBF) and the societal imperative to preserve a complete and accessible historical record, conceptualized here as the “right to history.” The central problem is framed not as a simple clash of legal principles but as a profound communicational conflict over who controls the narrative of the past in an age of digital permanence. Employing a methodology that combines comparative legal analysis with a communicational framework approach, this article dissects the legal architecture of the RTBF, with a particular focus on the European Union’s General Data Protection Regulation (GDPR) (European Parliament and Council of the European Union, 2016). It argues that current legal frameworks, while aiming to protect individual dignity, pose significant challenges to the integrity of public digital archives, thereby threatening journalistic freedom, the principle of open justice, and the core mission of cultural heritage institutions (Vavra, 2018). The analysis reveals how the RTBF has evolved from a tool for mediating access to information into a mechanism for altering the primary source material of history itself. The article concludes by rejecting a simple binary opposition between these rights and proposes a nuanced, context-aware balancing framework. This multi-factor framework offers specific criteria—including the nature of the information, the role of the individual, the passage of time, the original context of publication, and the medium of the archive—to reconcile the legitimate claims of individual data subjects with the non-negotiable societal need for a preserved, searchable, and reliable past.

Ensuring privacy and security in healthcare data sharing is critical due to the sensitive nature of patient information and the growing threat of cyber attacks. This paper explores the development of privacy-preserving data-sharing protocols for healthcare systems by integrating cryptographic techniques and blockchain technology. The study aims to establish a secure framework that facilitates seamless data exchange among healthcare stakeholders while maintaining data integrity, confidentiality, and access control. Key cryptographic mechanisms, including homomorphic encryption, zero-knowledge proofs, and attribute-based encryption, are employed to ensure that only authorized entities can access patient records without exposing sensitive details. Blockchain technology is leveraged to create a decentralized and tamper-resistant ledger, ensuring transparency and auditability in data-sharing transactions. Smart contracts are utilized to enforce predefined access policies automatically, enhancing security and compliance with regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). The findings indicate that the proposed framework significantly mitigates risks associated with unauthorized access, data breaches, and single points of failure. Comparative analysis with traditional centralized systems demonstrates improved efficiency, scalability, and security in healthcare data management. The integration of blockchain and cryptographic techniques ensures robust privacy-preserving mechanisms without compromising accessibility or interoperability. This research provides a novel approach to secure data sharing in healthcare, fostering trust among stakeholders while ensuring compliance with privacy regulations. Future work will focus on optimizing computational efficiency and addressing scalability challenges to facilitate widespread adoption in real-world healthcare ecosystems.

This paper reviews the economic literature on the European Union's General Data Protection Regulation (GDPR). I highlight key challenges for studying the regulation including the difficulty of finding a suitable control group, variable firm compliance and regulatory enforcement, as well as the regulation's impact on data observability. The economic literature on the GDPR to date has largely-though not universally-documented harms to firms. These harms include firm performance, innovation, competition, the web, and marketing. On the elusive consumer welfare side, the literature documents some objective privacy improvements as well as helpful survey evidence. The literature also examines the consequences of the GDPR's design decisions and illuminates how the GDPR works in practice. Finally, I suggest opportunities for future research on the GDPR as well as privacy regulation and privacy-related innovation more broadly.

A troubling new trend seems to be emerging: Some national courts are issuing extraterritorial injunctions that require web search engine providers (such as Google and Bing) to de-index content on a global basis. In Google, Inc. v. Equustek Solutions, Inc., the Supreme Court of Canada held that the Canadian domestic courts may lawfully issue global de-indexing orders that require online content to be removed not only in Canada but also world-wide. Meanwhile, other national courts and transnational juridical bodies are actively considering whether or not to embrace the use of global de-indexing orders to further national policies regarding intellectual property, informational self-determination, and privacy. Injunctions that require a search engine provider to de-index search results, when limited to the territory of the issuing court, do not present any serious conflict of laws issues or problems. After all, a particular country may decide to extend broad – or relatively weak – legal protection to the freedom of speech (including even core political speech). Nor do they implicate international law norms that generally restrict the jurisdiction of national courts to a particular sovereign’s territory or citizens. Global de-indexing orders, however, are another kettle of fish. Domestic courts should be careful what they wish for before endorsing globally-applicable de-indexing orders. If widely adopted and deployed, world-wide injunctions requiring the de-indexing of search results have the potential to sow legal chaos – and to significantly disrupt global flows of information and ideas over the Internet. In the context of speech restrictions designed to promote privacy interests, such injunctions could easily lead to a race to the bottom, with the least speech protective jurisdiction that possesses the power to force private corporations to comply with the injunctive orders of its domestic courts effectively determining the scope of freedom of expression in the U.S. and Europe. To be sure, the Court of Justice of the European Union held, in its recent CNIL decision, that the General Data Protection Regulation (GDPR) does not have extraterritorial effect. Even so, however, it clearly signaled that the EU could lawfully apply the right to be forgotten (RTBF) on a world-wide basis if the European Parliament wished to give the RTBF global effect. The EU should think carefully before it follows the lead of the Supreme Court of Canada in Equustek. As much as the EU might wish for European data privacy standards to serve as the world’s legal yardstick, its leaders should consider very carefully whether they are prepared to have China set the metes and bounds of freedom of expression in both Beijing and Brussels.

Blockchain technology and privacy regulation: Reviewing frictions and synthesizing opportunities

The goal of this study is to explore the Right to Be Forgotten (RTBF) as a specific legal aspect of the EU General Data Protection Regulation (GDPR) within the context of digital journalism and related media policy issues. We address this issue in cases where requests have been made to unpublish news items or other (visual) content from online media archives because they contain embarrassing, irrelevant and/or outdated, yet truthful content. To do this, we researched the editorial policies of five Slovenian online news media outlets in their responses to such unpublishing requests. First, we reviewed regulation and key legal decisions and then used in-depth semi-structured interviews with editors of these outlets. Our research showed that unpublishing requests from 2018 and 2019 cite or imply the RTBF as having an EU-wide legal basis, yet the media outlets analyzed have not established clear internal policies. This opens the door to inconsistent and/or arbitrary decisions. The legal foundations for unpublishing online news items are vague and, at least in Slovenia, subject to opposing interpretations which might lead to new restrictions on media freedom. To avoid additional potential for the manipulation of media, both legal and self-regulatory frameworks need to be updated and clarified.

Although regional data protection and privacy regimes are often cited as major barriers to crossborder digital trade, mitigating consumer privacy concerns through regulations can potentially increase the demand for foreign digital products or services. This study delves into this by assessing the impact of the General Data Protection Regulation (GDPR) on the global mobile app market. Contrary to the belief that such regulations hinder digital trade, our data show a notable post-GDPR increase in top foreign apps in European Union countries, suggesting that the GDPR may alleviate privacy concerns and encourage the adoption of foreign digital products. This finding is crucial for policymakers dealing with data and privacy issues as it indicates the potential of these regulations to balance economic growth with privacy and security protection. The study suggests that data and privacy regulations can address data concerns without significantly harming digital trade. Additionally, it uncovers an opportunity for multinational companies. Although compliance costs are higher, clear privacy regulations could lessen consumer domestic bias, opening doors to international markets. Therefore, evaluating privacy regulations’ impact on global markets means considering both their benefits for demand and their costs for suppliers.

The challenges and opportunities of mental health data sharing in the UK