Is it illegal to intentionally design a social network that can't comply with right-to-be-forgotten (and possibly other laws)?

Question

If I intentionally design (and program) a social network that uses a technology (blockchain,...) which does not allow for alteration / erasing of user data, what happens in case of a right-to-be-forgotten request? Were there already any cases like this?

What happens for other cases where the technical design disallows compliance with government request (for example, using end-to-end encryption for all communication, meaning I can't give goverment agencies like FBI access to private data on request)?

Answer 1

As a designer and programmer you virtually have nothing to worry about apart from your wasted time. Such a network would likely never evolve (unless in Darknet) just because the would-be blockchain node owners would not have the balls to keep the nodes up.

If a court in country A orders information deleted, the node owners residing in A would have to comply. Technically impossible? Well, then take the node down. Information will be available from nodes in other countries anyway? Does not matter — nodes in A will be taken down regardless.

Note that the right-to-be-forgotten is only a small part of the obstacle. Defamation, hate speech, child pornography etc. published in a system that does not allow to delete information will cause the whole system to be deleted.

Answer 2

The GDPR (and most other relevant laws) does not regulate design.

As for the GDPR: It specifically regulates processing of personal data.

So I am going to assume you're asking: As a controller, is it illegal to operate social network that can't comply with right-to-be-forgotten (and possibly other laws)?

And in that case, the answer is: Yes.

There is a clear obligation in the GDPR for the controller to make sure any ICT system under his/her supervision is capable of doing whatever the GDPR requires from a ICT system.

Btw. that goes for others laws as well. And if there are no specific laws for contested area (such as the DMCA in the USA and the e-commerce directive in the EU), general liability will usually kick in and make whoever controls the system liable (but not for the designer, liability targets whoever it is that is in charge).

Answer 3

As the operator of the deployed system (see Free Radical's answer) you are also required to keep internal documentation on your compliance with the GDPR, including procedures to follow in case of an information or deletion request or information becoming too old to keep. This can be something like "an admin with superuser privileges enters databases X, Y and Z and types in the following commands," it does not have to be an automated system.

Failure to document the processes can be fined, even if no user ever requests to be deleted.

Answer 4

In general, when regulations of an industry require that devices provide some feature, manufacturers have to ensure that the technology supports it.

For instance, automobile regulations in the US require seatbelts. You can't get around it by saying "our car design doesn't support the attachment of seatbelts."

When new requirements are added to an existing industry, they generally set a date for compliance in the future, so that existing suppliers have time to update their products. There are also often grandfather clauses: when seatbelt requirements were added, cars manufactured before the compliance date were exempted.

But it's unlikely that a grandfather clause would be included in regulations for online services. Unlike physical products like cars, the provider can update the service in place, you don't have to be concerned with all the existing products that have already been sold.