We live in the age of data—every day, data is collected about us by the websites we visit, the devices we wear, and so on, and this data affects various aspects of our lives, from shopping recommendations to credit scores. Consequently, laws that seek to regulate the processing of individuals’ personal data and give people more control over their data, such as the GDPR in the EU and the CCPA in California, are beginning to take shape in several parts of the world. In a number of cases, however, the complex nature of the technology and systems involved in data processing leaves gaps in our understanding of their properties and capabilities, leading to incomplete, unclear, and sometimes undesirable specifications in the laws regulating these systems.
This project aims to address these concerns in a few important cases by providing technical analyses of (and formal definitions for) some fundamental concepts that these laws speak about—concepts that seem intuitively clear at first glance, yet turn out to require careful treatment in the context of complex systems. In particular, we seek to address interpretations of the “right to be forgotten” and the “right of access to data” using established cryptographic paradigms.