Dylan Curran recently wrote an OpEd on TheGuardian where he makes the case that information-based companies should put an expiration date on the data they collect, giving people greater freedom online without necessarily affecting profit margins. His argument comes down to two paragraphs buried in his piece:
This is why we need online privacy: we have the right to be curious or conduct digital actions without constantly being tracked, or fearing future reprisals. As Edward Snowden has put it: “Ask yourself: at every point in history, who suffers the most from unjustified surveillance? It is not the privileged, but the vulnerable. Surveillance is not about safety, it is about power. It’s about control.” […]
Therefore, I propose legislation to allow companies to harvest as much information as they like, but with one caveat: they must delete the information from their servers in quarterly blocks. This would allow us to keep using the services we like in the exact fashion that we do now.
This is unrealistic. Companies like Facebook — the easiest target here — cannot be trusted to follow any legislation. Many of these large organisations have histories of ignoring laws, evading taxes, and buying off politicians to solve problems. Legislation requiring personal data to be deleted on a rolling basis cannot honestly be audited, and will therefore result in little more than lip service. To make matters worse, a lot of the organisations that harvest our data with wanton abandon are completely unknown to most of us.
Ultimately this needs to come down to personal choice. People who are unconcerned with the data collection practices that currently run rampant online can keep doing what they're doing. For those who want to pull back and try to reclaim some form of anonymity online, there needs to be trustworthy resources people can use to learn how to reduce their digital fingerprints. Even with GDPR going into effect this month, it will be almost impossible for anyone — not just citizens of the EU — to ensure that all of their historical data is removed from databases around the world.
The right to be forgotten and personal data management is something that each one of us will likely need to manage ourselves. Hoping companies will "do the right thing" on our behalf, with or without legislation, while we change none of our habits is a level of naïveté that is simply unrealistic.