Current EU data protection law can feel like a dense dark jungle where it is difficult to find one’s way. Not only are there different layers of EU regulation operating in the field, from EU fundamental rights to secondary legislation, such as the General Data Protection Regulation (GDPR), but there is also overlap with other areas from competition law to consumer law. Just as in a jungle, everything is interlinked and intertwined, and dangers lurk where you least expect them. In this environment, Jef Ausloos’s book ‘The Right to Erasure in EU data protection law: from Individual Rights to Effective Protection’ (Oxford University Press 2020, £70 hardback, also available as e-book) provides a needed, clear and comprehensive map to navigate these difficulties and understand the world of ‘datafication’ and dominant internet platforms we are inhabiting.
The first thing to realise about Ausloos’s book is that its content reaches much wider than the right to erasure. Rather, Ausloos uses the right to erasure as set out in Article 17 of the GDPR as an example to explore the whole underbelly of EU data protection law in detail. He starts this investigation by providing an introduction to the current problems faced by individuals and their personal data, which he summarises as a loss of control for individuals (p. 4). Starting from this focus on the loss of individual control, Ausloos then provides his theory on the fundamental right to personal data protection (Article 8 of the Charter of Fundamental Rights of the European Union) and its connection to the GDPR. He finds that control constitutes the essence of this fundamental right, whereby control can also be achieved via ‘an infrastructure that regulates disproportionate power’ (p. 61), thus contributing his answer to the long-held discussion on the substance of Article 8 of the Charter. For the GDPR, Ausloos asserts that control constitutes but one of the elements, as the GDPR is ‘instrumental’ protecting all the fundamental rights affected by personal data processing (p. 73).
These two findings (control as the essence of Article 8 of the Charter, and the GDPR as instrumental for EU fundamental rights more generally) then inform the three parts and nine chapters of the book, with the first part diving deeper into the data subject right of erasure. Ausloos begins this journey by giving a thorough assessment of the scope of Article 17 GDPR. Especially interesting is his explanation of the six ‘triggers’ of the right of erasure in Article 17(1) GDPR (p. 198) and the six exceptions of Article 17(3) GDPR when the right of erasure does not apply, as Ausloos demonstrates how each ‘trigger’ and ‘exception’ is linked to other provisions within the GDPR but also externally, thereby making the right to erasure ‘not about erasure per se’ but ‘a switchboard for redirecting data subjects in search of ex post empowerment to the relevant provisions’ (p. 274). The second part of the book further dissects this ‘switchboard’ by assessing ‘balancing’ in the GDPR. This is prompted by Ausloos’s finding that the right to erasure ‘virtually always results in a balancing act’ (p. 277) (though Ausloos is also adamant that such balancing is not required for the exceptions in Article 17(3) GDPR which instead require a ‘necessity test’, p. 253). In summary he concludes that the right to erasure (and the right to object) is in the context of internet platforms an ex post evaluation of the balancing done ex ante by the controller when relying on legitimate interest as a legal basis for the processing. The final part of the book then concludes with considerations on the right to erasure ‘in practice’. What stands out here is Ausloos’s assessment that it is in fact the right to object that constitutes the real tool of ex post empowerment as it allows for a targeting of the processing operation, whereas the right to erasure has an all-or-nothing approach which in practice might often not apply due to the exceptions, but still has symbolic meaning (p 439).
The brief descriptions of the content of this book provided in the previous paragraphs can only do limited justice to the depth and detail in which this book navigates and discusses EU data protection law seen from the prism of the right to erasure. The reader is taken through the above-mentioned jungle with ease in a book so readable that the considerable number of pages (525) just seems to fly by. It is without debate that future scholars researching any topic linked to the GDPR would be well advised to consider this book as essential reading. Though practitioners, such as DPOs, having to deal with the right to erasure in practice should also not miss out on this contribution – as it provides rather detailed guidance on the right to erasure including a scheme on how to best assess its applicability (Ausloos suggests starting by testing whether any of the exceptions of Article 17(3) apply) that trumps existing (very limited) advice published for example by the European Data Protection Board. The research is as up to date as a book in the fluid area of data protection law can be (an issue beautifully pointed out by Ausloos in his ‘note to readers’). To sum up, this book is highly recommended, and the EU data protection law community needs more such content.
Laura Drechsler is a PhD researcher at the Brussels Privacy Hub at the Law, Science, Technology and Society Research Group (LSTS) at the Vrije Universiteit Brussel funded by the Research Association Flanders (FWO). She is also an Assistant Editor of the GDPR commentary (‘The EU General Data Protection Regulation (GDPR): A Commentary’, Oxford University Press 2020).