Under the General Data Protection Regulation (GDPR), European Union residents have the right to erase data held by controllers and processors. This right is also known as the right to be forgotten, and it is an important aspect of GDPR compliance. This article will explain how the right to be forgotten works and what organizations need to know to ensure compliance.
Key takeaways
- The right to be forgotten (also known as the right to erasure) allows individuals to ask organizations to delete their personal data.
- The GDPR defines circumstances where the right to be forgotten applies. This includes when data is no longer necessary, or consent is withdrawn. It also covers situations when data is processed unlawfully.
- There are exceptions to the right to be forgotten. Exceptions include when data is used for freedom of expression, legal obligations, public interest, or scientific research.
- Organizations must assess erasure requests individually. They must consider technical challenges in tracking and erasing personal data across various systems.
- The article provides a sample "Right to Erasure" request form. Use this form to facilitate the process of responding to deletion requests.
The right to be forgotten explained
GDPR revolves around protecting the rights of data subjects. One of the core rights is the right to erase data held about individuals, more commonly known as the "right to be forgotten." This right applies to all GDPR-compliant organizations.
Article 17 of GDPR defines the right to be forgotten and explains the responsibilities of organizations holding personal data. According to Article 17, controllers must erase data without "undue delay" if the following conditions apply:
- Personal data is no longer needed to meet the controller's original purposes.
- The data subject withdraws consent to share personal data under Article 6 or Article 9 of GDPR and there is no lawful justification to deny this request.
- The data subject objects to processing under Article 21, and there is no legitimate reason to deny this request.
- The controller is found to be illegally processing personal data.
- Data erasure is required under the laws of European Union member states.
- Personal data has been collected without obtaining the consent of children, as required by Article 8 of GDPR.
If one of these conditions applies, the controller must take "reasonable steps" to ensure the deletion of personal data. This includes informing other controllers that process the data subject's information, as well as associated data processors.
Article 19 complements Article 17 by setting out notification requirements. According to Article 19, data controllers must inform anyone who has received personal data related to the data subject. This requirement only applies if notification is possible and if the controller does not need to make a "disproportionate effort."
The origins of the right to be forgotten
The European Union has allowed extensive rights to erase data since a landmark 2014 decision by the Court of Justice of the European Union (the European Court of Justice).
In this case, a Spanish citizen called Mario Costeja González requested that Google erase search results about historic social security debts. Lawyers argued that these issues had been resolved, but information remained on public websites. This potentially harmed the reputation of González, and there was no public interest in publishing the information.
The court found that data processed by search engines like Google represented personal data. Individuals could make legal claims to request that search engines remove data relating to their identity. The judgment included links to web pages containing personal information.
This judgment came before the EU introduced GDPR in 2018. However, it effectively created a "right to be forgotten" across Europe. GDPR formalized this right and turned legal claims into regulatory obligations. Regulations established precise requirements for controllers and pathways to delete data.
How the right to be forgotten aligns with other privacy rights
Articles 17 and 19 are not the only legal clauses in GDPR that relate to privacy rights. Compliant organizations must cover all privacy-related regulations when building data processing operations.
For example, other Articles to consider include:
- Article 16, which ensures a right to rectify (change) personal data.
- Article 15, which ensures a right to access personal data held by data controllers and processors.
- Article 21, which provides a right to object to data processing.
- Article 22, which allows data subjects to challenge automated data processing tools.
Compliant organizations must also implement security controls and access systems to prevent the disclosure of personal data.
Under Article 32, controllers must implement "appropriate technical and organizational measures" to manage privacy and data security risks and ensure that the data erased cannot be recovered.
When does the right to be forgotten apply?
The right to be forgotten is not an absolute right. As with other General Data Protection Regulation elements, legal claims to delete data are conditional. Organizations may reject requests to erase personal data. But compliant bodies must know when rejection is appropriate. Improper rejection can lead to extensive regulatory penalties.
Data controllers must allow an erasure request regarding personal data when:
- There is no legitimate reason to hold personal data. Controllers must define a lawful justification for processing when they start gathering data. Individuals can request data removal if this justification no longer applies or there is no public interest.
- Individuals remove permission to hold or share personal data. Subjects provide consent to gather and share data when they interact with controllers. However, GDPR allows individuals to withdraw consent to share data. In this case, companies must erase data if there is no overriding legal reason to continue data collection.
- Data subjects successfully object to data collection. This applies if there is no legitimate reason to continue processing data. However, if the data is used in direct marketing, there is no legitimate justification to deny the right to be forgotten.
- Controllers or processors have unlawfully processed personal data. If regulators find that organizations have breached data processing standards, individuals can demand the erasure of personal data.
- New laws or regulations require the removal of personal data about European Union residents. For example, laws may criminalize previously legitimate data collection forms.
- Data collection relates to children. All requests to erase personal data regarding individuals under 18 are deemed legitimate.
This list opens up many scenarios where data erasure is mandatory. However, data controllers retain the scope to collect and store data. The right to erase personal data may not apply where data collection practices are compliant, and organizations obtain consent. Let's consider a few case studies to explain how the right to be forgotten works in practice.
Scenario 1: Deletion of information about spent convictions
One of the most common right-to-be-forgotten scenarios is removing personal data about historical crimes or interactions with law enforcement bodies.
For example, an individual may commit minor fraud offenses to keep their business afloat. News websites report these crimes, including the individual's name and business. But after five years, the conviction expires. The individual's punishment is over. Yet the record of the conviction remains.
In this case, the individual may request the erasure of information about their convictions. If the crimes were minor and the offenders have served their punishment, there may be no public interest in publishing that information. Making the information available could harm the individual without a reasonable justification.
This rule does not apply to larger frauds. Enron would not have a right to be forgotten. However, an EU citizen may successfully appeal, and compliant organizations should allow their request.
Scenario 2: Removal of information about crimes when not-guilty verdicts are returned
In other situations, individuals are accused of crimes but not found guilty in a court of law. When these cases involve serious offenses like child abuse or murder, they can permanently taint the reputation of the innocent individual.
The right to be forgotten allows EU residents to request the removal of news stories or forum discussions about crimes they did not commit. There is no public interest in this content remaining accessible, and it harms the data subject involved.
It is important to note that before GDPR came into force, companies routinely refused to delete personal data regarding criminality. Google resisted requests by innocent individuals. And it even refused requests by the victims of stalking and sexual harassment.
Since GDPR came into force, regulators have made it far easier to erase personal data. Companies that reject requests must document the reasons for their decisions.
The role of consent in data privacy
GDPR-compliant companies must understand the relationship between the right to be forgotten and GDPR consent requirements.
Consent is a critical part of GDPR. It establishes a voluntary agreement between data subjects and controllers. This agreement enables controllers to share personal data with processors, store data, and use it in marketing operations.
Under GDPR, individuals must provide "informed consent." They do not just tick a box marked "I agree to data processing." The data controller is legally obligated to provide details about how it uses, shares, and stores personal data. Individuals must understand what will happen to their data and how it will be used.
When data subjects do not freely and voluntarily provide consent, data processing is illegitimate. Data subjects can withdraw from processing whenever they wish and request complete erasure of data held about them.
Moreover, withdrawing consent must be as easy as providing consent in the first place. A data controller cannot impede data subjects or make it difficult to exercise their rights.
This means that protecting the right to be forgotten involves:
- Writing clear and informative privacy statements
- Allowing individuals to provide voluntary consent to share data
- Erasing data when consent is deemed invalid
- Providing easy ways to request deletion
Ensuring data privacy in research and statistics
GDPR generally applies to data collection within the EU. However, it includes some exemptions related to the public interest. One of the most important exemptions is for statistical or historical research.
Some GDPR requirements still apply. Data used in research studies must be pseudonymized or anonymized to protect participants' identities. Research bodies must apply data protection measures to guard sensitive data. Participants must also provide informed consent.
However, the right to erase data does not apply if data processing is for research purposes. To meet this clause, research must be of public interest. Market research generally does not qualify. But historical research into healthcare policy would.
Research bodies can refuse requests to delete data if doing so will "render impossible or seriously impair the achievement of the objectives" of their studies. In practice, this insulates researchers from most deletion requests.
Requesting data erasure: A step-by-step guide
Each data controller must create a pathway to delete personal data. Understanding how data subjects exercise their right to be forgotten helps with this.
The general process goes as follows:
1. Contact organizations to inform them about data deletion
Individuals let the data controller know that they wish to remove personal data. Individuals must be specific about why they desire deletion and what data must be removed. Data subjects can request partial deletion of personal data. Or they can request complete information erasure.
2. Ensuring the request reaches the right individual
Data subjects can request data removal from anyone linked to a data controller. They do not have to send requests to the Data Protection Officer. Companies must ensure that erasure rights requests reach the appropriate destination.
Requests to the data controller can also be made verbally or in writing. Email is not the only avenue for data subjects. Organizations must make staff aware that individuals can make deletion requests in person and ensure that all requests are dealt with efficiently.
3. Confirming the request to have data erased
When a data controller receives a request under the GDPR right to be forgotten, they must send a confirmation notice. The controller should send this confirmation as quickly as possible to avoid penalties regarding "undue delay."
4. Assessment of the deletion request
Organizations must determine whether the request is legitimate and whether they have a legal obligation to erase private information. As outlined above, there are several exemptions from Article 17. Compliance officers should carefully assess each case to ensure they have a robust legal basis.
5. Deletion of personal data
If the request is approved, the data controller must proceed to data removal. The data controller is responsible for deleting data held on its servers. It must also require deletion by data processors with whom the data controller has a direct relationship.
Controllers have a legal obligation to delete data within one month of a) agreeing to comply with the request or b) receiving confirmation about the identity of the applicant.
An extra two-month period may apply in exceptional circumstances. However, there must be good reasons to extend the compliance period. Controllers cannot use it as a default option.
6. Informing other data holders or processors
Data controllers have a legal obligation to communicate with organizations that may hold the personal data of successful applicants. And they must take reasonable steps to ensure that these organizations comply with deletion requests. This applies to public websites like discussion forums and social media that host individual information about the subject.
Conclusion: Don't forget the right to be forgotten
The right to be forgotten is a fundamental legal obligation for GDPR-compliant bodies. The right emerged from the refusal of companies to delete out-of-date or harmful user data.
Regulators place great importance on enabling deletion requests and protecting individual privacy rights. Companies must have a clear process to delete personally identifiable information to avoid costly regulatory fines.
Not all requests are legitimate. Companies can retain data that is not harmful and is relevant to their business operations. Research benefits from a legal exemption. There is also a public interest in making some information available to citizens. However, organizations must know the difference between respecting individual rights and using data effectively.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.