Page - 212 - in Intelligent Environments 2019 - Workshop Proceedings of the 15th International Conference on Intelligent Environments

Since the data controllers must present information also about the existence of the right to be forgotten (RTBF), we further evaluate it to prove our statement regarding the impracticability of the transparency rule in the frame of the current GDPR rules. 2.2. Withdrawing Consent Microsoft once stated that computers are very good at remembering things. Absent a system failure, computers never forget [2]. According to this statement, by asking AI developers to delete data, as Article 17 of the GDPR orders, the law sets up these systems for failure. Article 17 of the GDPR defines the conditions of the right to erasure, for example, in case the data is being processed outside of the scope of initially indicated purposes. If there is no other legitimate basis available for the data controller to continue data processing, then data subjects erasure request must be fulfilled. Why would anyone ever want a system to forget something related to them? Con- sidering the AI systems, data subjects might not like to consider themselves as part of a particular group decided on by an algorithm or might not want to disclose the entirety of their private choices to others. As a result, they might want to remove themselves from the algorithmic model which evolves dynamically as long as new data is being con- tributed, fed into it. However, both technically and legally, exercising RTBF is especially hard in todays data-driven AI systems. RTBF has evolved in its legal perspective in a way that data subjects may request search engines to hide information related to their past which is no longer public interest information. It was interpreted as right not to be found or right not to be seen in different jurisdictions, such as Italy, because being fully forgotten is technically not possible and promising such a result could mislead the data subjects as well as the courts [26]. The Italian interpretation as well as the Google v. Spain [27] rationale, from where GDPRs RTBF originates, in fact, state repetitively that balancing this right against other fundamental rights such as right to obtain information, or freedom of expression is based mostly on public interest. If a court believes that a particular information related to a data subject is in the area of public information, RTBF cannot be exercised (conditionality). Practically, the decision to remove or not remove a particular data (from a search query) is left first up to the data controllers who created the data as part of their business investment or use the AI system to produce something new. In these cases, most often, they might find that deleting data is against their intellectual property rights (as propri- etary information) and business interests. They may refuse to delete such data based on Article 17 of the GDPR which paves the way for data controllers not to delete, only remove data from all publicly available sources, because such data might be useful for future purposes such as law enforcement [28] or developing new business solutions. Re- moving data from a database (which is technologically more feasible than data erasure) and data erasure are not the same. In their analysis, Villaronga Kieseberg and Li [29] state that the current law appears to treat human and machine memory alike but they obviously are not the same. Ability to forget something is exclusively human (or relevant to any other biologically existing creatures), but the question whether a robot could actually for- get something is not a philosophical or biological one but a technical one. Starting from this point, the above-mentioned paper, proves that it is technically impossible to delete data from databases since each data added to them is stored in various points throughout a network of databases (in real life). Logs and backups are inseparable parts of a sys- G.GultekinVarkonyi /Operability of theGDPR’sConsent Rule in Intelligent Systems212