Understanding the Right to Be Forgotten Under GDPR
The General Data Protection Regulation (GDPR), implemented by the European Union (EU) in 2018, was a revolutionary step in the world of data privacy and protection. One of the most crucial and highly discussed rights granted by the GDPR is the “Right to be Forgotten,” formally known as the “Right to Erasure.” This right has garnered significant attention in the digital age, where vast amounts of personal data are collected, stored, and shared across the internet. The right aims to empower individuals by giving them control over their personal information, ensuring that their data is not kept indefinitely or misused by data controllers.
In this blog article, we will explore the scope, significance, and implications of the Right to Be Forgotten under the GDPR. We will also delve into its limitations, real-world applications, controversies, and its potential future impact on the digital landscape.
Introduction to the Right to Be Forgotten
The Right to Be Forgotten, enshrined in Article 17 of the GDPR, grants individuals the ability to request the deletion of their personal data from a data controller under certain circumstances. It reflects the growing recognition that individuals should have the ability to reclaim control over their personal data, especially in cases where that data is no longer necessary or has been unlawfully processed.
The origins of the Right to Be Forgotten can be traced back to the landmark ruling by the Court of Justice of the European Union (CJEU) in the Google Spain SL v. Agencia Española de Protección de Datos case in 2014. The court ruled that individuals have the right to request the removal of links containing their personal data from search engine results if that data is deemed irrelevant, outdated, or no longer necessary. This ruling laid the groundwork for the inclusion of the right in the GDPR, giving individuals the legal backing to request the erasure of their data from data controllers.
The Legal Framework of Article 17: Scope and Provisions
Article 17 of the GDPR sets out the right to request the erasure of personal data under six specific circumstances:
- The data is no longer necessary: If the data is no longer required for the original purpose for which it was collected or processed, the individual has the right to request its deletion.
- Withdrawal of consent: If the data subject initially gave consent for the processing of their personal data and later withdraws that consent, the data must be erased.
- Objection to processing: If the data subject objects to the processing of their data, and there are no overriding legitimate grounds for the processing, the data must be erased.
- Unlawful processing: If the data was processed unlawfully, the data subject can request its deletion.
- Compliance with legal obligations: If the erasure is required to comply with a legal obligation under EU or Member State law, the data controller must delete the data.
- Data collected from children: If the data was collected in relation to the offering of information society services to a child, and the processing occurred based on the child’s consent, the right to erasure may apply.
The right is, however, not absolute. It must be balanced against other fundamental rights, including the right to freedom of expression and information, as well as compliance with legal obligations. Additionally, the right does not apply if the processing is necessary for the performance of a task carried out in the public interest or for the establishment, exercise, or defence of legal claims.
Mechanics of Exercising the Right to Be Forgotten
For individuals who wish to exercise their Right to Be Forgotten, the process generally involves submitting a formal request to the data controller. This request can be made in writing or electronically, and the data controller is obligated to act “without undue delay” and, in most cases, within one month of receiving the request.
The request should clearly outline which data the individual wants to be erased and the legal basis for the erasure. For instance, if the individual withdraws their consent for processing, they should state this in their request. The data controller then has the responsibility to assess the request and determine whether any exemptions apply. If the request is granted, the controller must erase the data and notify any third parties with whom the data has been shared, where feasible.
If the controller refuses the request, they must provide a clear justification for the refusal, and the individual has the right to lodge a complaint with the relevant Data Protection Authority (DPA) or seek judicial remedies.
The Role of Data Controllers and Processors
Data controllers bear the primary responsibility for ensuring compliance with the Right to Be Forgotten. Controllers must implement appropriate technical and organisational measures to ensure that data can be deleted effectively upon request. This includes developing procedures for handling erasure requests, ensuring that they are able to promptly remove personal data from their systems, and keeping records of erasure requests.
Processors, who process data on behalf of controllers, also have obligations under the GDPR. When a controller requests the deletion of data, the processor must comply by erasing the data from its systems. Data controllers must ensure that their contracts with processors include provisions that allow them to enforce the right to erasure.
Balancing the Right to Be Forgotten with Other Rights
While the Right to Be Forgotten is a powerful tool for protecting individuals’ privacy, it must be balanced against other fundamental rights and interests, such as freedom of expression, freedom of the press, and the public’s right to access information.
The GDPR acknowledges these competing interests by setting out specific exemptions to the right. For instance, if the personal data is processed for the exercise of the right to freedom of expression and information, the request for erasure may be denied. Similarly, data processed for scientific or historical research, or in the public interest, may be exempt from erasure requests.
One of the most contentious areas of this balancing act is the role of search engines, such as Google, in processing personal data. While individuals may request the removal of search results containing their personal data, search engines must weigh the privacy interests of the individual against the public’s right to access that information. In practice, this has led to numerous legal challenges and cases where individuals and media organisations have clashed over the removal of information that is deemed important to the public.
Real-World Applications and High-Profile Cases
Since its introduction, the Right to Be Forgotten has been invoked in numerous high-profile cases, many of which have centred on the removal of personal data from search engine results. One notable case involves Mario Costeja González, whose legal battle against Google Spain led to the 2014 CJEU ruling that established the Right to Be Forgotten.
In that case, González requested the removal of links to articles that detailed his involvement in a financial matter dating back to the 1990s, arguing that the information was outdated and irrelevant. The CJEU ruled in his favour, stating that individuals have the right to request the removal of search engine results if the data is no longer relevant or necessary. This ruling set a precedent for similar cases, and search engines have since received thousands of requests for data removal.
However, not all requests for data erasure are straightforward. Media organisations, for example, have raised concerns about the potential for the Right to Be Forgotten to be used as a form of censorship, particularly in cases where individuals seek to have information removed that is of legitimate public interest. Courts and DPAs must navigate these complex issues, balancing the rights of individuals with the need to protect free speech and access to information.
Challenges and Controversies Surrounding the Right to Be Forgotten
The implementation of the Right to Be Forgotten has not been without its challenges and controversies. Some of the key concerns include:
- Impact on Freedom of Expression: One of the most significant criticisms of the Right to Be Forgotten is its potential to restrict freedom of expression and information. Critics argue that individuals could use the right to suppress legitimate news stories, particularly those that are critical of their behaviour or actions.
- Jurisdictional Issues: The internet is global, but the GDPR only applies within the EU. This has raised questions about the extent to which the Right to Be Forgotten can be enforced outside of the EU. In a 2019 ruling, the CJEU held that search engines are not required to remove links globally, only within the EU. This decision underscored the limitations of the GDPR’s jurisdiction in a borderless digital environment.
- Difficulties in Implementation: For data controllers, implementing the Right to Be Forgotten can be technically challenging, particularly when personal data is widely disseminated across the internet. In some cases, the data may have been shared with third parties or copied by other websites, making it difficult to ensure complete erasure.
- Abuse of the Right: There is also the potential for abuse of the Right to Be Forgotten, particularly by individuals seeking to hide past wrongdoing or controversial behaviour. Courts and DPAs must carefully consider the merits of each case to prevent the right from being misused for illegitimate purposes.
- The Role of Technology: The rise of new technologies, such as artificial intelligence (AI) and machine learning, adds another layer of complexity to the Right to Be Forgotten. AI systems, which rely on vast amounts of data for training, may inadvertently use personal data that has been subject to an erasure request. Ensuring that such systems comply with the GDPR is a significant challenge for regulators and data controllers alike.
The Future of the Right to Be Forgotten
As the digital landscape continues to evolve, the Right to Be Forgotten will likely face further scrutiny and adaptation. Some of the key developments that may shape the future of the right include:
- Global Expansion: While the Right to Be Forgotten is primarily a European concept, there are signs that other countries and regions may adopt similar provisions. For instance, countries such as Canada and Japan have begun to explore the possibility of implementing their own versions of the Right to Be Forgotten. This trend could lead to a more global approach to data privacy and erasure rights.
- Technological Solutions: As technology advances, new tools may emerge to help individuals exercise their Right to Be Forgotten more effectively. For example, blockchain technology has been proposed as a means of securely managing and tracking personal data, while ensuring that individuals retain control over their information.
- Increased Regulation of Big Tech: The growing power and influence of major tech companies, such as Google and Facebook, has led to increased calls for greater regulation of these platforms, particularly in relation to data privacy. The Right to Be Forgotten may play a key role in shaping future regulatory frameworks, as governments seek to hold tech companies accountable for the data they collect and process.
Conclusion
The Right to Be Forgotten is a powerful tool for protecting individuals’ privacy in the digital age. By granting individuals the ability to request the deletion of their personal data, the GDPR empowers people to regain control over their information and safeguard their privacy. However, the right is not without its limitations and challenges. Balancing the right against other fundamental rights, such as freedom of expression, remains a complex and contentious issue.
As technology continues to evolve and the global digital landscape shifts, the Right to Be Forgotten will undoubtedly play a pivotal role in shaping the future of data privacy and protection. Policymakers, regulators, and data controllers must continue to adapt and refine the implementation of this right to ensure that it remains a meaningful and effective tool for protecting individuals’ privacy in an increasingly interconnected world.