What is the right to be forgotten?

The “right to be forgotten” is a central part of the European General Data Protection Regulation (GDPR). The main idea behind it is to protect people whose data is processed online or offline. The right to be forgotten calls for some digital personal data to be deleted under certain conditions.

What does the “right to be forgotten” mean?

The right to be forgotten under the GDPR is one of the most important resources for consumers to protect their privacy and personal data. It enables people to have digital personal data permanently deleted by companies or those responsible for a website (known as “data controllers”), regardless of whether the company collects and stores the data or just makes it publicly available.

How does the right to be forgotten apply in the US?

The GDPR is a European Union regulation, but it can affect US companies. US businesses with a branch or even just an employee in the EEA are subject to the GDPR just like European companies. In addition, any company that targets people in the EU with its goods or services is required to comply with the GDPR. So if you’re selling your products to individuals in Europe, you’ll need to make sure your website is compliant. This also means that individuals in the EU can submit claims to you under the right to be forgotten.

The California Consumer Privacy Act (CCPA) also contains a right to be forgotten and applies to any data pertaining to California residents. At this time, there is no right equivalent to the European right to be forgotten under US federal law.

How did the GDPR right to be forgotten come about?

The GDPR has its origins in the Google ruling that the European Court of Justice (ECJ) handed down on May 13, 2014. The court held that data subjects can under certain conditions request the deletion of links that contain outdated or irrelevant information about them. In the ECJ ruling, the obligation to delete upon request pertains to search engines that make personal data publicly accessible. The ruling primarily pertains to private individuals and notes that, in the case of public figures or press archives, the right to be forgotten needs to be weighed against the right to information.

Where is the right to be forgotten legally defined?

In the Google ruling, the ECJ applied existing EU data privacy guidelines, which took concrete shape in 2016 as the European General Data Protection Regulation (GDPR). The right to be forgotten can be found in article 17 of the GDPR under the heading “right to erasure”. The term “right to be forgotten” appears in the heading in parentheses.

Right to be forgotten vs. right to erasure

The right to be forgotten can be understood as an extension of the right to erasure in the GDPR. Article 17 of the GDPR primarily serves to regulate the obligation to delete for data controllers who directly process personal data or make it publicly accessible. This includes media outlets and companies that directly process and store people’s data. If the requirements for deletion are fulfilled, the data controller must immediately and demonstrably delete the relevant links or data.

The right to be forgotten appears in article 17(2) of the GDPR and pertains to third parties that don’t collect personal data themselves but do make it publicly available (as search engines such as Google do, for example).

What are the conditions of the right to be forgotten?

There are some specific requirements for data to be deleted by data controllers and relevant third parties, including that:

  • There is no longer a need for the storage and accessibility of the data in terms of the original purpose of collecting and processing the data
  • Data subjects have withdrawn their consent for the processing and storage of the data
  • There is no overriding legal reason for the storage of the data
  • The collection and processing of the data happened unlawfully and/or without consent
  • Data controllers are legally required by the GDPR to respect the right to erasure and the right to be forgotten
  • The personal data pertain to minors and were collected for online services

If data subjects can prove their claim, the company in question is required to delete the data “without undue delay”. Usually this means that the controller needs to inform the data subject within a month of their request about actions taken or reasons why the request has been rejected.

Examples of the right to be forgotten

The right to be forgotten is an important instrument for protecting an individual or company’s reputation, appearance and privacy. In practice it would apply if, for example, a search engine still showed results relating to a person’s bankruptcy, court case, or “embarrassing” behavior 10 or 20 years after the fact. It’s also important for the resocialization of people formerly convicted of crimes, especially when it comes to minor misdemeanors. The right to data erasure enables individuals and companies to protect their rights and safeguard their career opportunities and professional image.

How does deleting personal data work?

The GDPR doesn’t clearly define a method for carrying out required erasures. However, it does specify that the erasure must happen demonstrably and immediately. Here are some potential methods:

  • Destruction and disposal of physical media by experts
  • Professional overwriting of the relevant storage locations, provided it can be proven that this resulted in the removal or unusability of the data
  • Deleting associated links, shortcuts, search entries, search terms and coding
  • Listing and deleting search engine algorithms

What are the exceptions to the right to be forgotten?

In some cases, the deletion of personal data upon request can conflict with freedom of information and the obligation to retain data. Although the GDPR gives private individuals the right to more privacy, certain conditions and exceptions ensure that critical data cannot be deleted if it is subject to a storage obligation or is of public, medical, tax or security interest. However, especially when it comes to longer storage periods, it’s important to note that personal data that is no longer being processed but is still required to be retained is subject to stronger access protection.

Overview of exceptions to the EU right to be forgotten

Below are some cases in which an exception to the right to be forgotten might apply:

  • The data are still needed for processing.
  • The people in question have consented to the data processing that is still needed.
  • The data are still needed to fulfill a person or company’s public or legal obligations.
  • The processing of the data is a matter of public interest.
  • The data is being processed in the context of archiving, research or collection of data for statistics that are in the public interest.
  • The data plays a demonstrable role in legal proceedings.

Note that freedom of speech and freedom of information take precedence over the right to erasure and the right to be forgotten.

Note

Depending on the case, exceptions to the right to be forgotten may expire if a claim for deletion can be enforced after the relevant statute of limitations. In a court case that took place in Germany, the OLG Dresden ruled that, in the case of data that is required to be stored, irrelevant parts of that data are not subject to the storage obligation. In the interest of minimizing data, individual data such as personal information about names, business partners and addresses can be deleted if there aren’t any specific reasons for storing them.

How can you assert your right to be forgotten?

In order to request that your data be deleted and removed, you first need to know that the data exist. That’s where the right of access in article 15 of the GDPR comes in. This allows you to get information about data pertaining to you that is being stored or processed by a company. Based on the right of access, you can then exercise your right to erasure and to be forgotten by sending an email or letter to the data controller.

There is no predetermined form that your request needs to take. However, in order to be able to prove that you made the request, you should always make it in writing. You can find free templates on the EU’s GDPR website. To avoid a drawn-out request or a rejection, you should be sure to include proof of identity for the person making the request and/or the person to whom the data in question pertain.

How can you apply your right to be forgotten with Google?

Companies like Google and Facebook provide free online forms that you can use to make a request. The Google support page has information about the process of making a request and what the form will ask for. To have a Google entry deleted, you’ll need to provide the following information:

  • URLs in question with the search results you want deleted
  • Proof that the data are relevant to you and reasons for deleting them
  • The search query that leads to the results (e.g. your own name)
  • Email addresses that lead to the search results in question
  • Background information and proof that show that the deletion and removal is warranted

Is there a general right to privacy and data removal?

At first glance, it might seem that the right to be forgotten means that your personal data can’t be made publicly accessible without your permission. But when you give your consent for your data to be processed in the course of your everyday online activities, you don’t necessarily have a general right to deletion. And indeed, the unjustified deletion of data can even be considered a data breach. That’s especially the case if there are obligations for data storage or if critical data are involved. Think about, for example, illicitly deleting data to cover up criminal activity.

Is it enough to anonymize data?

One alternative to deletion is thoroughly anonymizing data. Processed and stored data can be so deeply anonymized that it can no longer be understood as personal data. The GDPR is not directly applicable if, for example, data that’s used for statistical analysis or research is sufficiently anonymized.

That’s the case if, for example, no party would be capable of making a connection between people and relevant or irrelevant data sets. Methods for anonymization include randomizing, generalizing or preventing connections. Anonymization as an alternative to deletion is addressed in article 4 of the GDPR.

How does the right of erasure apply to companies?

European data protection regulations like the GDPR and the ePrivacy Regulation have a big impact on companies when it comes to data protection and the right to be forgotten. The GDPR, for example, stipulates that companies cannot arbitrarily collect data and that they can only process data with a user’s written consent. And the ePrivacy Regulation requires that people explicitly allow the use of cookies and trackers on websites.

Since processing data is essential in online marketing and ecommerce, you should make arrangements for data protection and data sovereignty from the outset of your venture. Arrangements include:

  • An accessible and visible privacy policy compliant with GDPR on your website
  • Tools and strategies for evaluating and implementing requests for deletion
  • Legally compliant notices about cookies and tracking
  • Legal safeguards with respect to the processing and transfer of data, e.g. data protection officers and IT legal departments (especially after the expiration of the EU-US privacy shield).
