One of the fundamental data privacy rights protected under the General Data Protection Regulation (GDPR) is the right to be forgotten. This GDPR provision can be quite a burden for organizations because each request to delete a data subject’s personal data needs to be evaluated individually and carefully. In this article, we will explore the right to be forgotten, how it is codified in various laws, and the strongest arguments against it in the United States.
What is the right to be forgotten?
By the most common definition, the right to be forgotten, or the right to erasure, is the right to request that one’s personal information be removed from an organization’s records. The right to be forgotten is grounded in the reality that, in the digital age, it’s all too easy for outdated personal data to harm an individual’s reputation. However, the right to privacy must be balanced against another right, freedom of expression.
The right to be forgotten has been upheld by courts in various parts of the world. In 2006, Argentina supported the legitimate interests of its citizens with legislation requiring the delisting of embarrassing and harmful content from the Internet. In 2014, the French supervisory authority CNIL and the EU Court of Justice (ECJ) ordered Google to remove links to pages containing damaging or false information about Mario Costeja González from its search engine results, after the Spanish man sued Google Spain and Google Inc. for continuing to show information about his debts a decade after he had settled them.
The Google case was the first time the right to be forgotten was formally recognized in Europe, and it has shaped data privacy protection in the laws there. In 2016, the European Union enacted the GDPR, which requires businesses to limit their processing of personal data, protect individuals’ right to privacy, and develop comprehensive privacy policies to avoid steep fines and other legal ramifications.
How is “the right to be forgotten” covered by laws?
In recent years, the nature of an Internet that “never forgets” has catalyzed debate and led to “right to be forgotten” provisions appearing in laws that protect individuals’ right to privacy.
In particular, the statutory obligations of the GDPR limit personal data processing activities and guarantee every EU resident the right to have all their personal information erased by an organization. Under GDPR Article 17, individuals have the right to send an erasure request, and the organization must use suitable measures to delete their personal data without “undue delay” and at no cost to the individual. In addition, the GDPR includes Article 19, which is called “Notification obligation regarding rectification or erasure of personal data or restriction of processing.” This provision requires any controller who receives an erasure request to inform everyone with whom it has shared the individual’s data about that request, using all available means and appropriate measures.
Why does “the right to be forgotten” exist in the EU but not in the U.S.?
Today, Europeans are protected by top courts and privacy laws. They can send removal requests to any organization that holds data about them — including big tech companies. In fact, in May of 2014, the ECJ ruled that individuals can force the removal of links from search engine results if those links lead to articles about them that are “inaccurate” or true but “inadequate, irrelevant or no longer relevant, or excessive.” The exception is if there is an overriding public interest for the search results to remain public, such as scientific or historical research purposes or the defense of legal claims.
Since that ruling, Google has received 867,145 requests to delete 3,388,761 URLs, and it has delisted most of those URLs from its search across sites like Facebook, Twitter and YouTube. The company now even has an online form to simplify the process of submitting a delisting request. However, in 2019, the same court added that Google is not required to respond to requests globally; the ruling is applicable in EU countries only. The European Court of Justice ruling explained the reasons as follows: “Currently, there is no obligation under the EU law, for a search engine operator who grants a request for de-referencing made by a data subject … to carry out such a de-referencing on all the versions of its search engine.”
The debate around the applicability of the right to be forgotten in the U.S. is hot and heavy, in part because of the American right to freedom of speech, which is enshrined in the First Amendment of the Bill of Rights. Forcing information to be delisted can be seen as narrowing this freedom and bringing the risk of censorship.
How does the “right to be forgotten” stand against “the right to remember”?
Data privacy is a complex issue. Internet users leave their footprints when they shop online, post on social media or simply visit a website, and third parties, including data brokers, avidly collect and analyze the data. How will they use that information? What if the data becomes irrelevant or could damage your reputation? What if you’ve experienced defamation or learned that your private data is exposed to the public? How can you remove the content? How long will your digital past continue to haunt you?
Taking matters to court can actually complicate your journey to be forgotten. For example, coverage of Mario Costeja González suing Google has made him a public figure — hundreds of articles have been published about the story. Does Google have to remove all links to stories about this case from its search results? Only the ones that contain González’s name? These are intriguing questions.
The right to be forgotten has its pros and cons, and data privacy laws are continuing to evolve. For example, in November 2019, a German court ruled that the name of a person who was convicted of murdering two people and got a life sentence had to be removed from online search results. This decision was very controversial in Europe and elsewhere, in light of the argument that criminals should not be allowed to have their crimes erased from public view.
How can you ensure that you can properly process data subject requests?
The GDPR requires organizations to respond quickly to requests from data subjects, including requests from people exercising their right to be forgotten. To ensure compliance, you need to be able to determine exactly what information you have about an individual and where that information is stored.
A data discovery and classification solution will scan your data repositories for the types of data you consider important (based on industry standards like the GDPR or your custom requirements), sort it into categories, and label it with a digital signature denoting its classification. You can use those labels to implement controls that protect data in accordance with its value and applicable regulations, and to quickly find the exact data you need to comply with a data subject request. Some solutions even enable you to set up a workflow that will send all data that meets certain criteria to one place so it can easily be reviewed and appropriate content can be deleted.