The right to be forgotten is a legal right defined by the GDPR that allows persons in the EU to request that their personal data be deleted.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
The "right to be forgotten" is the concept that an individual's personal data stored by an organization or service provider has to be erased on the individual's request. It is a legal right granted under the General Data Protection Regulation (GDPR), which protects the personal data of individuals in the European Union (EU). However, the right to be forgotten is not an absolute right: it does not always apply to jurisdictions outside the EU, and there are certain additional circumstances when an individual may not be able to delete their data.
Suppose Alice signs up for a monthly email newsletter about French wine, but later decides that she prefers Belgian beer to French wine, and therefore the newsletter is no longer relevant for her. As a result, she unsubscribes from the wine newsletter. The right to be forgotten ensures that in addition to unsubscribing (as required by the ePrivacy Directive), she can request that the newsletter publisher deletes her name, email address, and all other personal information from their records.
This right has also been used to remove certain types of personal information from search engine results. For instance, individuals have the right to remove personal information about themselves from search results pages (within certain limits), requiring search engines like Google to not display links to pages where that information appears.
This right is actually called the "right to erasure" in the GDPR. However, it is commonly referred to as the right to be forgotten nonetheless.
The concept of a right to be forgotten predates the GDPR and has been invoked in previous legal cases. However, the GDPR-defined "right to erasure" is more precise; it includes the conditions of when the right does and does not apply, and it gives organizations a timeline of one month to respond to erasure requests.
The GDPR (General Data Protection Regulation) is a data privacy legal framework that applies to data collection and processing within the EU. The GDPR contains a number of requirements for data processing, collection, and handling, along with defining several rights for "data subjects," meaning individuals in the EU. One of these rights is the right to erasure, which is described in GDPR Article 17.
Recent court rulings have indicated that while online information providers (such as search engines) can be required to eliminate information within a certain jurisdiction, they do not have to remove it globally. An individual can have their data erased from search results within the EU, but users in non-EU countries may still see this data in their search results.
The GDPR does not define a specific process for an individual to exercise their right to be forgotten. So long as the request reaches the data controller or processor and meets certain conditions, it should be considered a valid request and the individual's personal data should be erased.
Individuals can make such a request either verbally or in writing. Once the data controller or processor receives the request, they have one month to respond — either by erasing the requested data or by providing a reason why the data cannot be erased.
Typically, the individual must provide specific information along with their request, such as confirmation of their identity, what data they want erased, and a reason for the erasure.
Reasons for exercising this right can include:
More information can be found in GDPR Article 17.
Individuals may not be able to erase their data under several different circumstances. For instance, the right to erasure does not apply when it conflicts with the right to freedom of expression — as an example, a politician could not use the right to be forgotten to remove a critical newspaper article from a website. Other times when the right does not apply include the following:
There are several other cases as well. The full list of when the right does not apply can be found in GDPR Article 17.
The Fair Information Practices are guidelines for data collection and usage that were developed in the US in the 1970s. While the Fair Information Practices are not part of any legal framework, many data privacy regulations in force today are roughly aligned with them.
One of these practices is called the individual participation principle, which holds that individuals have a number of rights, including the right to have their personal data corrected or erased.
The GDPR gives individuals a number of rights regarding personal data usage, including:
Learn more in What is the GDPR?