After the new right to data portability in the General Data Protection Regulation (GDPR), the right to be forgotten, a.k.a. right to erasure, proves to be the hardest data subject right to operationalize and even the second most difficult GDPR obligation in practice overall as the IAPP-EY Annual Privacy Governance Report 2017 showed.
The notion of the right to be forgotten isn’t new. And so isn’t the principle. Just ask Google (among others). You undoubtedly already conducted a search query somewhere in Europe to read “Some results may have been removed under data protection law in Europe” with a link to a page explaining why this is the case.
Although there are other countries, regions and especially legal cases where the right to be forgotten plays or played, it has been predominantly a European matter. The right to be forgotten really entered the EU privacy sphere with the 2014 judgement of the Court of Justice of the EU under the predecessor of the GDPR (Directive 95/46/EC), in case C‑131/12, indeed involving Google.
The ruling recognized the right of EU data subjects to request the removal of links by search engines, who are data controllers. This right, now called the right to erasure, is a fundamental data subject right in the GDPR, in and beyond the context of publicly available personal information.
What the GDPR essentially does is detailing, broadening and defining the scope of the right to be forgotten, making it that fundamental data subject right and requiring data controllers to enable EU citizens to exercise the right.
The right to erasure and GDPR: a complex matter
As you can imagine the right to erasure isn’t exactly a walk in the park in a highly connected data sphere, especially in areas such as publicly available data (online), data-driven marketing but even an enterprise data context.
After all, when is personal data erased? Add to that the complexity of today’s data landscape and even emerging data models such as blockchain, for instance. And of course we don’t even have to go that far: for most organizations knowing where the data of their customers and other data subjects is stored is still hard, making erasure de facto, well, close to impossible. Last but certainly not least the duty to, where possible and feasible, communicate erasure to third parties (recipients), has proven to be a headache.
Let’s start with a look at what the right to erasure is, what the GDPR says about it and then move to the essence. For once we won’t start with the GDPR article that explains the right to erasure (Article 17) but with the GDPR recitals as they introduce it better.
What is the right to erasure? The GDPR recitals on the right to request erasure of personal data
The right to erasure or right to be forgotten grants data subjects a possibility to have their personal data deleted if they don’t want them processed anymore and when there is no legitimate reason for a data controller to keep it.
As most rights it is not absolute. GDPR Recital 65 among others covers a data subject’s right to have personal data concerning him/her rectified and the right to be forgotten where retention of the personal data would infringe the stipulations of the GDPR or another law to which the controller is subject.
Regarding the GDPR you can think about the data processing principles (fairness, transparency, purpose limitation, storage limitation, data minimization and so forth), the lawful basis for processing personal data, rules on consent and the processing of personal data of children in the scope of collecting them via information society services, sensitive personal data rules (with explicit consent being key here) and so on.
GDPR Recital 65 further details the particular situations where the right to erasure applies:
- where the personal data are no longer necessary to achieve the purposes for which they are collected or processed (think about those essential processing principles),
- where a data subject has withdrawn his or her consent (obviously also the mentioned explicit consent),
- where a data subject objects to the processing of his/her personal data (the right to object is another data subject right),
- where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet,
- where the processing of personal data does not otherwise comply with the GDPR.
So, it’s not an exhaustive list (it is in Article 17 though).
GDPR Recital 65 also further zooms in on the exceptions as they are established in GDPR Article 17 and mentions
- the right of freedom of expression and information,
- compliance with a legal obligation,
- the performance of a task carried out in the public interest,
- a task carried out in the exercise of official authority vested in the controller,
- public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,
- the establishment, exercise or defence of legal claims.
GDPR Recital 73 mentions restrictions with regards to the right to be forgotten and other data subject rights such as public security, the context of criminal penalties and prosecutions, the protection of the freedoms of others and more.
GDPR Recital 66 specifically tackles the right to erasure in the scope of publicly available data. For many this is the really hard part. It does relate with what we said about the search engines but is much broader and goes for all data controllers.
To see how far it reaches, the full text of GDPR Recital 66: “To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request”.
Last but not least there is GDPR Recital 59 that essentially covers the facilitation of the exercise of data subject rights, of course also the exercise of the right to be forgotten, which as said isn’t that simple in practice.
The grounds upon which the right to be forgotten can be exercised: Article 17
Whereas GDPR Recitals shed light on the reasoning and context, the GDPR Articles contain the essence. As said, in the case of the right to be forgotten that is essentially GDPR Article 17.
It kind of summarizes the essence regarding the right to be forgotten, the exceptions and the fact that it is a data controller task. So, let’s summarize.
The grounds upon which a data subject can exercise the right to be forgotten (at least one is enough) as Article 17 summarizes them:
- The personal data is not necessary in the context of the purpose of collection and/or processing.
- Consent to process is withdrawn by the data subject AND there is no other legal processing basis. This goes both for consent overall as for explicit consent.
- The right to object is exercised, in general and in the context of direct marketing IF there are no other legal processing grounds.
- The processing of the personal data has been done in an unlawful way.
- The personal data have to be erased for legal obligations to which the data controller is subject.
- Processing occurs in the context of children and their personal data collected via information society services
Data controller duties and exceptions to the right to erasure
The data must be erased without undue delay (maximum one month normally). The controller also must communicate erasure to each recipient of the personal data UNLESS 1) that proves to be impossible or 2) a disproportionate effort.
The data controller must inform the data subject about the recipients if requested.
When personal data have been made public and erasure is needed controllers must inform controllers which are processing the personal data that must be deleted by such controllers of any links to, or copy or replication of, the personal data BUT:
- Taking “reasonable” steps, including technical measures,
- Taking account available technology and cost of implementation
When the right to erasure does not apply (and thus data controllers have no duties), the personal data processing can, among others, be necessary
- In the scope of the right of freedom of expression and information
- When compliance with another law requires the data controller to process those data
- To carry out a task in the public interest in general
- When the data controller needs to process the data in the context of the previously mentioned ‘vested authority’
- In the scope of healthcare, social care and public health
- n the context of public interest, specifically public health (e.g. preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, the management of health or social care systems, protecting against serious cross-border threats to health and more),
- Purposes of archiving in the public interest, purposes of scientific or historical research, and statistical purposes with specific caveats,
- In the scope of the establishment, exercise or defense of legal claims
Profiling and the right to erasure: input and output data (WP29 guidelines)
In its Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (the GDPR), the WP29 points out that in the scope of profiling there can be an element of prediction (think analytics) whereby the risk of inaccuracy can be higher.
The input data may be inaccurate or irrelevant, or taken out of context and there may be something wrong with the algorithm used to identify correlations.
Taking this into account, the WP29 guidelines on profiling and individual decision-making, adopted on 3 October 2017, point out that the right to erasure apply to the mentioned input AND output data.
Also, if profiling is based on consent and consent gets withdrawn, the controller must erase the relevant personal data – unless there is another legal basis for the profiling (as we saw).
The right to be forgotten in conclusion
As you could read and see, the right to be forgotten or right to erasure is not an absolute or unconditional right. It has many exceptions and limitations. Data controllers need to take into account the aspects of possibility, proportion, costs and so forth.
Enabling the exercise of the right to be forgotten is complex and needs to be done on a granular level, looking at the impact of/on various technologies and case by case, including potential overriding legitimate grounds.
It’s also essential to prioritize. It is clear that in some cases (e.g. unlawful processing, explicit consent) by definition more is at stake. It is also clear that data regarding children need to be prioritized. Although in practice often exceptions will apply it is also key to see the grounds whereby the right to erasure can be invoked. In the infographic we added some context.
Next in regulations and compliance: EU DORA Digital Operational Resilience Act
Top image: Shutterstock – Copyright: Lightspring. All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.