Does GDPR require self-service/automated account deletion?
Resolved NO on Oct 14

GDPR requires organizations to delete user data upon request (with a few specific exceptions). Does it place requirements on how such a request must be made? E.g. does it require self-service, automated deletion processing, or can all deletion requests be handled by contacting customer support and then manually processed?

Resolution

Resolves YES if GDPR requires organizations to offer a self-service/automated account deletion option. Resolves NO if contacting support and manual processing is GDPR compliant.

If the answer is clear, based on discussion and analysis in the comments here, resolves as above. If it is not clear, then resolution will proceed by the following procedure:

  • With 90% chance, I will resolve the market N/A. (I will generate a random number between 0 and 1, and check it is less than 0.9.)

  • Otherwise, I and any other interested participants will make reasonable efforts to find a GDPR compliance expert to answer the question, and resolve to YES or NO based on their answer.

Background on resolution procedure

See https://dynomight.net/prediction-market-causation/ for a great explanation of the reasoning behind this randomization procedure. Basically, it's a way to predict what the answer will be, in a fully incentive-compatible prediction market, but with only a 1/10 chance of having to go to the expense of actually discovering the answer. This particular case might not be that expensive, but you could imagine a prediction market that asks "Would a GDPR lawsuit against organization X succeed?" and commits to a small, randomized chance of going through with the lawsuit to resolve the question.


predicted NO

No.

The full text of the GDPR can be found here: https://eur-lex.europa.eu/eli/reg/2016/679/oj

The relevant portion is Section 3 (Rectification and erasure). This section confers a number of rights on EU citizens; the three which are relevant to this question are:

- The right to rectification (Article 16): the right to have inaccurate personal data corrected "without undue delay".

- The right to erasure (Article 17, commonly known as the 'right to be forgotten'): the right to have their personal data erased, again, "without undue delay", subject to certain limitations.

- The right to restriction of processing (Article 18): the right to restrict the processing of their personal information.

The obligations these rights place upon the data controllers (i.e. Manifold) are surprisingly brief and non-specific for EU regulations. None of the articles specify any particular method by which the controller must fulfil their obligations - there is no mention of any requirement for controllers to implement automated processes to fulfil their obligations under these articles. Articles 16 and 17 require the controller to remove or correct data "without undue delay", but there's no precise definition of that phrase in the regulation (sadly this is not surprising for EU regs). Paragraph 59 of the introduction to the GDPR mentions that the data controller "should be obliged to respond to requests from the data subject without undue delay and at the latest within one month", which at least provides an upper bound.

In mature legal jurisdictions, stock phrases such as this would normally be interpreted in accordance with the precedent established by case law. Unfortunately, the case law of the ECJ contains no such precedent, and in the absence of this a number of people, lawyers and laymen, have taken to creating their own definitions, which are then uncritically repeated.

(For example, this article on LinkedIn claims that, in a completely unrelated branch of law related to arboreal disease, "the ECJ found that the term 'without undue delay' was 'not compatible with a time limit of several weeks or even, as in the present case, several months, given its customary meaning in everyday language'". However, if you track the citation given for this (C-443/18) to its source (Implementing Decision 2015/789, Article 7(2)), the decision actually uses the much stronger phrase "immediately" - there is no mention of "undue delay" in the entire decision!)

Consequently, we must instead defer to the guidance issued by national regulators. While the UK has now left the EU, it was a member at the time the GDPR was implemented and has transposed the regulation into domestic law; the guidance issued by the UK Information Commissioner's Office (ICO) can therefore be treated as a reliable source (additionally, domestic regulators such as the ICO are responsible for the enforcement of GDPR and so their own rules will for practical purposes be more important than the actual law until the time that they are successfully contested at the ECJ). The ICO's guidance on the relevant rights can be found here.


Again, there is no mention of any requirement for automated processing of requests. Instead, the ICO has emphasized the 'one month' deadline from the introduction to the regulation:

"You must respond to a request for erasure without undue delay and at the latest within one month, letting the individual know whether you have erased the data in question, or that you have refused their request."

For those who mistrust UK regulators, the equivalent page from the equivalent Irish body (the Data Protection Commission) can be found here. Unsurprisingly, given its friendly relationship with the US tech companies which were the primary targets of the GDPR, the guidance provided by the DPC is much less detailed and less onerous than that of the UK ICO.

In short, neither the primary legislation, nor the case law surrounding it, nor the guidance provided by English-language domestic regulators imposes any obligation on data controllers such as Manifold's staff to provide automated processes for data erasure, rectification or restriction of processing. Requests that are received for data erasure or rectification must be handled "without undue delay", with an upper bound of 1 month from the time of the request.

predicted NO

@JohnRoxton Wow, thanks for the super detailed answer, very interesting to read about the state of the case law and regulatory guidance.

I think that's plenty sufficient to settle it as NO. Will resolve tomorrow barring any objections.

Featuring because this is a really interesting market structure, testing an important question!

predicted NO

I'll add a bounty for comments that provide a clear resolution to the question.