
What Is the Right to Be Forgotten?

The right to be forgotten is best known as one of the data privacy rights laid out in the General Data Protection Regulation (GDPR). But this European Union (EU) regulation is not the only law that addresses how organizations need to respond to requests from data subjects to erase their personal data.

In this article, we will explore how the right to be forgotten is codified in various laws — and how it relates to other important principles, such as freedom of speech and the right to remember.

What is the right to be forgotten?

The right to be forgotten, or the right to erasure, is usually codified into protection regulations as the right to request that one’s personal information be removed from an organization’s records.

One reason an individual might want their personal data to be removed is to protect their reputation and interests. For example, in 2006, Argentina passed legislation requiring the delisting of embarrassing and harmful content from the internet. And in 2014, the French supervisory authority CNIL and the EU Court of Justice (ECJ) ordered Google to remove from its search engine results links to pages that showed information about a Spanish man’s debts a decade after he had settled them.

The Google Spain case marked the first time the right to be forgotten was formally recognized in Europe, and it has shaped data privacy protection in the laws there. In 2016, the European Union enacted the GDPR, placing a legal obligation on businesses by requiring them to limit their processing of personal data, protect individuals’ right to privacy, and develop comprehensive privacy policies to avoid steep fines and other legal ramifications.

How is a right to be forgotten request covered by the GDPR?

The statutory obligations of the GDPR limit personal data processing activities and guarantee every EU resident the right to have all their personal information erased by an organization (“data controller”). Under GDPR Article 17, individuals (“data subjects”) have the right to send an erasure request, and the organization must use suitable measures to verify the request is legitimate and then delete the personal data without “undue delay” and at no cost to the individual. Moreover, any organization that receives an erasure request must inform everyone with whom it has shared the individual’s data about that request, using all available means and appropriate measures.

What are the limitations to the right to be forgotten?

Today, Europeans can send removal requests to any organization that holds data about them — including big tech companies. In fact, in 2014, the ECJ ruled that individuals can force the removal of links from search engine results if those links lead to articles about them that are either “inaccurate” or true but “inadequate, irrelevant or no longer relevant, or excessive.” The exception is if there is an overriding public interest for the search results to remain public, such as for scientific or historical research purposes or the defense of legal claims.

Since that ruling, Google has received 1.4 million requests to delete 5.4 million URLs, and it has delisted almost half of those URLs from its search across sites like Facebook, Twitter and YouTube. The company now even has an online form to simplify the process of submitting a delisting request. However, in 2019, the same court added that Google is not required to respond to requests globally — the ruling applies only to EU countries.

How is the right to be forgotten codified in the US?

The debate around the right to be forgotten in the U.S. is hot and heavy, partly because of the American right to freedom of speech, which is enshrined in the First Amendment of the Bill of Rights. Forcing information to be delisted can be seen as narrowing this freedom and bringing the risk of censorship.

Although there is no far-reaching data privacy legislation at the federal level in the US, several individual US states have implemented their own data privacy laws. The first was the California Consumer Privacy Act (CCPA), which aligns relatively closely with the GDPR. Since California has a GDP larger than most countries, this compliance legislation has significant impact.

The CCPA requires for-profit organizations of a certain size to protect the personal information of California residents, defined as people who are either currently physically located in the state or are temporarily outside of California. Requirements include the following:

  • Businesses must notify the consumers of what type of personal information is being collected about them, what that information is being used for, and whether that information is being sold to third parties.
  • Businesses must provide an easy way (such as via their website or a toll-free number) for consumers to opt out from sharing their personal information.
  • Unless there is a different regulatory reason to retain it, businesses must delete the personal information they have collected about a consumer upon request.
  • A business must provide a listing of personal information collected in the past 12 months upon request.
  • A breach of data that has not been encrypted or pseudonymized can result in steep fines.

How does the right to be forgotten stand against the right to remember?

Data privacy is a complex issue, and the right to be forgotten has both pros and cons. We have already seen that courts have upheld the rights of individuals to have true but outdated information about them removed from the internet. But taking matters to court can actually complicate your journey to be forgotten. For example, the coverage of the Spanish man who sued Google has made him a public figure — hundreds of articles have been published about the story. Does Google have to remove all links to stories about this case from its search results? Or only the ones that contain his name?

Another complication is the tension between an individual’s right to be forgotten and the public’s right to remember. For example, in November 2019, a German court ruled that the name of a person who was convicted of murdering two people and got a life sentence had to be removed from online search results. This decision was very controversial in Europe and elsewhere in light of the argument that criminals should not be allowed to have their crimes erased from public view.

How can you ensure proper processing of requests to be forgotten?

To comply with data privacy laws, your organization must respond quickly to requests from individuals exercising their right to be forgotten. Therefore, you need to be able to determine exactly what information you have about an individual and where that information is stored.

A data discovery and classification solution will scan your data repositories for the types of data you consider important (such as personal data regulated by the GDPR) and label that data with a digital signature denoting its classification. You can use those labels to implement controls that protect data in accordance with its value and applicable regulations, and to quickly find the exact data you need to comply with data subject requests. Some solutions even enable you to set up a workflow that will send all data that meets certain criteria to one place so you can easily review it and erase appropriate content.

One of the biggest challenges in this process is simply finding all content repositories in an environment. Due to a variety of circumstances, many organizations find themselves victims of shadow IT — groups or individuals within the organization implement on-premises or cloud technology without IT involvement and oversight. As a result, regulated data might be missed during processing of data subject requests, and it might be stored in insecure locations that increase the risk of a breach and penalties for compliance failures.

Once the repositories have been located, there are two general methods for finding the information related to specific data subjects:

  • Full-text indexing — Many systems, including SharePoint, Windows Server and many cloud providers, index data so you can quickly search for specific phrases within documents. However, keep in mind that indexes can take up a large amount of storage, usually 20–40% of the space required by the indexed data, and indexing is a resource-intensive process.
  • Pattern matching and recognition — Required data can also be located by looking for strings that match specific words or patterns, which are often defined using regular expressions (RegEx). These searches take comparatively fewer resources than full-text indexing and can return more targeted results. However, setting up the correct searches can require more expertise.
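The two search methods above, plus the classification step described earlier in the article, as an added example in Python (this is not Netwrix code, and the sample documents, names and identifier patterns are constructed for the example). It builds a small inverted index over a set of documents, runs regular-expression patterns for e-mail addresses and phone numbers over the same documents, uses those hits to label each document, and finally locates every document that mentions any of a data subject's known identifiers:

```python
"""Locate records about one data subject in a set of documents.

Two approaches: a full-text (inverted) index that is built once and then
queried, and regular-expression pattern matching run directly over the
content. The repository below is constructed for this example (fictional
people and contact details).
"""
import re
from collections import defaultdict

# Constructed sample repository: path -> file contents.
SAMPLE_DOCS = {
    "hr/onboarding.txt": (
        "New hire: Jane Example, jane.example@example.com, "
        "phone +1 555 010 2233, start date 2021-03-01."
    ),
    "support/tickets.csv": (
        "id,requester,email,note\n"
        "1041,J. Example,jane.example@example.com,password reset\n"
        "1042,Bob Sample,bob.sample@example.org,invoice copy\n"
    ),
    "marketing/newsletter.md": "Our Q3 newsletter goes out to all subscribers.",
    "finance/refunds.txt": "Refund issued to account ending 2233 for Bob Sample.",
}

# ---- Method 1: full-text indexing ------------------------------------------
# A token is a run of word characters that may contain . @ + - inside it, so an
# e-mail address stays one token.
WORD_RE = re.compile(r"[a-z0-9][a-z0-9.@+-]*[a-z0-9]|[a-z0-9]", re.I)


def tokenize(text):
    return {m.group(0).lower() for m in WORD_RE.finditer(text)}


def build_index(docs):
    """Inverted index: token -> set of document paths (built once, queried often)."""
    index = defaultdict(set)
    for path, text in docs.items():
        for tok in tokenize(text):
            index[tok].add(path)
    return index


def index_search(index, *terms):
    """Documents containing every query term (exact-token AND query)."""
    if not terms:
        return []
    sets = [index.get(t.lower(), set()) for t in terms]
    return sorted(set.intersection(*sets))


# ---- Method 2: pattern matching --------------------------------------------
# Simplified identifier patterns (assumed for this example; production rules
# need tuning per data set). The phone rule requires at least ten digits so
# that dates such as 2021-03-01 are not reported as phone numbers.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+?\d(?:[\s-]?\d){9,}"),
}


def pattern_scan(docs, patterns=PATTERNS):
    """Every identifier hit in every document: list of (path, label, value)."""
    hits = []
    for path, text in docs.items():
        for label, rx in patterns.items():
            for m in rx.finditer(text):
                hits.append((path, label, m.group(0)))
    return hits


def classify(docs, patterns=PATTERNS):
    """Label each document with the kinds of personal data found in it."""
    labels = {path: set() for path in docs}
    for path, label, _ in pattern_scan(docs, patterns):
        labels[path].add(label)
    return {path: sorted(found) for path, found in labels.items()}


def locate_subject(docs, identifiers):
    """Paths holding any of the subject's known identifiers (name, e-mail, phone).

    Identifiers are escaped so they match literally; whitespace inside an
    identifier is relaxed to match any run of spaces."""
    rxs = [re.compile(r"\s+".join(re.escape(p) for p in ident.split()), re.I)
           for ident in identifiers]
    found = defaultdict(list)
    for path, text in docs.items():
        for ident, rx in zip(identifiers, rxs):
            if rx.search(text):
                found[path].append(ident)
    return dict(found)


if __name__ == "__main__":
    idx = build_index(SAMPLE_DOCS)
    print("index hits:", index_search(idx, "jane.example@example.com"))
    print("labels:", classify(SAMPLE_DOCS))
    subject = ["Jane Example", "jane.example@example.com", "+1 555 010 2233"]
    print("subject data:", locate_subject(SAMPLE_DOCS, subject))
```

Note that the support ticket is found only through the e-mail address, because it records the requester as "J. Example" rather than the full name; a request should therefore be matched on every identifier the subject supplies, not on the name alone. The index answers exact-token queries very quickly but has to be rebuilt as content changes, whereas the regex scan reads every byte each time yet needs no extra storage, which is the trade-off the two bullets above describe.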

How can Netwrix help?

Netwrix compliance solutions offer a complete, multi-layered approach that enables you to quickly and accurately respond to data subject requests, as well as be ready to comply with changing requirements and new regulations.

Here are just a few of the benefits you can expect:

  • Simplified compliance auditing — Netwrix solutions automate many of the tedious and time-consuming tasks associated with compliance auditing, freeing up your team to focus on more strategic initiatives.
  • Comprehensive coverage — Netwrix solutions support not just GDPR but a wide range of regulations and standards: HIPAA, PCI DSS, SOX and more.
  • Customizable reporting — Flexible reporting capabilities enable you to easily generate the reports you need to meet your specific compliance requirements.
  • Proactive alerting — Netwrix solutions monitor your IT infrastructure in real time and alert you to any changes or issues that could impact your compliance posture.
  • Easy deployment and management — Netwrix solutions are easy to deploy and manage, with minimal impact on your IT resources.

FAQs

What are examples of the right to be forgotten?

One reason a data subject might exercise their right to be forgotten would be if they believe their personal data was collected unlawfully or if a piece of embarrassing or misleading information about them is public for no reason. For example, someone who was falsely accused of a crime can demand that an old article insinuating their guilt be taken down.

Is the right to be forgotten a U.S. law?

While some US states have passed data privacy laws, there is no federal legislation enshrining the right to be forgotten as defined in the GDPR.

What is the right to be forgotten law?

Requirements concerning the right to be forgotten are codified in the GDPR and in the data privacy laws of some US states.

Who does the GDPR’s right to be forgotten apply to?

The GDPR right to be forgotten applies to all EU residents. 

What are the cons of the right to be forgotten?

The main concern with the right to be forgotten is its potential to restrict access to information. For example, it could be used by governments for censorship purposes, or to erase information that is necessary for journalistic, medical or legal purposes.

What are the benefits of the right to be forgotten?

The main benefit of laws that guarantee the right to be forgotten is that individuals have more control over their personal data, especially in cases of data abuse. With these laws in place, data subjects have clear, structured methods for asking organizations to delete information about them. 

Senior Director of Product Management at Netwrix. Farrah is responsible for building and delivering on the roadmap of Netwrix products and solutions related to Data Security and Audit & Compliance. Farrah has over 10 years of experience working with enterprise scale data security solutions, joining Netwrix from Stealthbits Technologies where she served as the Technical Product Manager and QC Manager. Farrah has a BS in Industrial Engineering from Rutgers University.