What is the right to be forgotten?
The "right to be forgotten" is the concept that an individual's personal data stored by an organization or service provider has to be erased on the individual's request. It is a legal right granted under the General Data Protection Regulation (GDPR), which protects the personal data of individuals in the European Union (EU). However, the right to be forgotten is not an absolute right: it does not always apply to jurisdictions outside the EU, and there are certain additional circumstances when an individual may not be able to delete their data.
Suppose Alice signs up for a monthly email newsletter about French wine, but later decides that she prefers Belgian beer to French wine, and therefore the newsletter is no longer relevant for her. As a result, she unsubscribes from the wine newsletter. The right to be forgotten ensures that in addition to unsubscribing (as required by ePrivacy regulations), she can request that the newsletter publisher deletes her name, email address, and all other personal information from their records.
This right has also been used to remove certain types of personal information from search engine results. For instance, individuals have the right to remove personal information about themselves from search results pages (within certain limits), requiring search engines like Google to not display links to pages where that information appears.
Right to be forgotten vs. right to erasure
This right is actually called the "right to erasure" in the GDPR. However, it is commonly referred to as the right to be forgotten nonetheless.
The concept of a right to be forgotten predates the GDPR and has been invoked in previous legal cases. However, the GDPR-defined "right to erasure" is more precise; it includes the conditions of when the right does and does not apply, and it gives organizations a timeline of one month to respond to erasure requests.
What is the GDPR?
The GDPR (General Data Protection Regulation) is a data privacy legal framework that applies to data collection and processing within the EU. The GDPR contains a number of requirements for data processing, collection, and handling, along with defining several rights for "data subjects," meaning individuals in the EU. One of these rights is the right to erasure, which is described in GDPR Article 17.
Does the GDPR right to be forgotten apply outside of the EU?
Recent court rulings have indicated that while online information providers (such as search engines) can be required to eliminate information within a certain jurisdiction, they do not have to remove it globally. An individual can have their data erased from search results within the EU, but users in non-EU countries may still see this data in their search results.
How can someone exercise their right to be forgotten?
The GDPR does not define a specific process for an individual to exercise their right to be forgotten. So long as the request reaches the data controller or processor and meets certain conditions, it should be considered a valid request and the individual's personal data should be erased.
Individuals can make such a request either verbally or in writing. Once the data controller or processor receives the request, they have one month to respond — either by erasing the requested data or by providing a reason why the data cannot be erased.
Typically, the individual must provide specific information along with their request, such as confirmation of their identity, what data they want erased, and a reason for the erasure.
Reasons for exercising this right can include:
- The purpose for which the data was collected no longer applies
- The individual revokes their consent to data collection
- The organization is using the data for marketing, and the individual objects to this usage
- The organization collected or processed the data unlawfully
- There is a legal obligation for the organization to delete the data
- The individual objects to their data being processed, and the processor has no legitimate interest in processing the data
More information can be found in GDPR Article 17.
When does the right to be forgotten not apply?
Individuals may not be able to erase their data under several different circumstances. For instance, the right to erasure does not apply when it conflicts with the right to freedom of expression — as an example, a politician could not use the right to be forgotten to remove a critical newspaper article from a website. Other times when the right does not apply include the following:
- The data is being used to comply with a legal obligation
- The data is in use for performing a task that is in the public interest
- The data is used for archiving in the public interest for scientific, historical, or statistical research and the erasure is likely to seriously impair the research
- The data is part of a legal defense
There are several other cases as well. The full list of when the right does not apply can be found in GDPR Article 17.
How does the right to be forgotten relate to Fair Information Practices?
Fair Information Practices is a set of guidelines for data collection and usage that was developed in the US in the 1970s. While the Fair Information Practices are not part of any legal framework, many data privacy regulations in force today are roughly aligned with them.
One of these practices is called the individual participation principle, which holds that individuals have a number of rights, including the right to have their personal data corrected or erased.
What other rights do individuals have under the GDPR?
The GDPR gives individuals a number of rights regarding personal data usage, including:
- Right to be informed: Individuals must be given easy-to-understand information about how their data is collected and processed
- Right to data portability: Individuals can transfer their data from one data controller to another
- Right of access: Individuals have the right to obtain a copy of collected personal data
- Right to rectification: Individuals can correct inaccurate data about themselves
- Right to restrict processing: Under certain circumstances, individuals can limit the way their personal data is being processed
- Right to object: Individuals can object to data collection and processing, and the data controller or processor must provide legitimate reasons for using the data (reasons that are not related to direct marketing)
- Right to object to automated processing: Individuals can object to a decision that legally affects them that is based on automated data processing
Learn more in What is the GDPR?