The Right to be Forgotten - How it works


You’ve undoubtedly heard about the right to be forgotten (RTBF) as part of the General Data Protection Regulation (GDPR). But do you know how the right to be forgotten works for the data subject?

Every business in the EU must be aware of the right to be forgotten and understand their legal obligation under the General Data Protection Regulation. The right to be forgotten also applies in specific circumstances for other countries, including Argentina and the Philippines.

Complexities and challenges under the General Data Protection Regulation

As with every aspect of the General Data Protection Regulation, compliance with the right to be forgotten is complex. There are implications for both the data subject and the business that wants to utilise sensitive personal information or personal data relating to an individual.

We’re going to examine exactly what the right to be forgotten means for personal data, how it’s applied by the European Court and what the European data protection law means in practice.

The UK law, for now, is broadly the same as the EU law. Following Brexit, the UK law changed to the Data Protection Act, but it follows the same right to be forgotten request laws as the legal aspects of the European Union law.

What exactly is the Right to be Forgotten?

The right to be forgotten can be defined as the right of the data subject to erase personal data they don’t want to show up via search engines. It can also mean that they want personal data erased from other directories, but for the most part, we’re talking about search results that show on Google or Bing, for example.

As we’ve mentioned, it’s not just the European Union that is tackling the issue of the right to be forgotten. Several other places have also put into practice some form of data protection rules covering the right to be forgotten.

Why would a data subject want to enact this part of the European data protection law?

The debate surrounding this kind of data erasure request has been long and involved. The whole issue hinges on individuals’ data and their control over it.

People increasingly understand the potential stigmatisation that can occur should outdated or negative use of their personal data remain easily searchable on the Internet.

Controversy has arisen over how practical or warranted a right to be forgotten really is in terms of personal data. The European Court eventually concluded that the right to be forgotten forms an international human right.

The controversy is at least partly due to the nebulous rulings and decisions that have been made to exercise the right to be forgotten in the real world.

The right to be forgotten and freedom of expression

Arguments have been made that the right to be forgotten in a data protection context infringes other people’s rights to freedom of expression. Furthermore, the debate has included arguments about how the right to be forgotten and the right to privacy work and whether it amounts to a kind of censorship.

Debating what’s truly the best thing for the public interest and individuals’ data is a tricky balancing act. For the European Union, it culminated in the GDPR. This replaced the previous data protection law in May 2018 and applies to all member states.

It’s worth briefly considering the differences in opinion from EU member states, the UK, and the US regarding data protection laws.

The idea of a ‘right to be forgotten’ can be traced back to the UK’s Rehabilitation of Offenders Act and France’s ‘le droit à l’oubli’, which in general terms allow for the idea that criminal convictions are spent after a certain timeframe. The idea is that any information society services held regarding criminal convictions shouldn’t impede the individual’s life or ability to get a job, for example, when the time has been ‘spent’.

Opinions regarding the right to be forgotten in the US are very different. The US invokes the First Amendment of free speech and a ‘right to know’. The US considers any personal information as in the public interest and any attempt to remove it from a search engine or other directory as an infringement of this.

Back to the EU though, the European Court legally declared the right to be forgotten as an essential human right in 2014 as part of a case against Google. While the GDPR does have exceptions for media companies, Google is classified as a data controller, and as such is compelled under the law to adhere to a removal request in certain circumstances.

What does the right to be forgotten mean for data subjects and search engines?

In simple terms, the right to be forgotten allows a person to request for certain data to be deleted so that they can’t be traced via search engines by a third party. As we’ve specified, this applies in the European Union, the UK and other limited jurisdictions.

The individual in question is known as the ‘data subject’, and the right allows them to have all kinds of content deleted from specific records so that it is no longer visible via search engines. The data subject can request that personal data, identifiable information, photographs, and videos be taken down so that they no longer appear in search engine results.

It’s different from the right to privacy in that the right to be forgotten is not about private information per se, rather it’s about removing information that has been publicly known and vetoing third parties from accessing said information. The right to privacy, on the other hand, concerns information that isn’t publicly known.

It’s important to understand that the right to be forgotten is still in flux. Relatively speaking, it’s a new concept and has enormous implications across all kinds of aspects of privacy, data protection and Internet usage.

For those of us that live in a country that does apply the right to be forgotten, it’s possible to make legal claims to remove personal information and URLs from a search engine. You may come across the word ‘delisting’ referring to this too.

However, as the right to be forgotten is still under debate in many countries, its interpretation and implementation can vary from country to country.

The European Union has had long-standing data protection laws that included the right to erasure. This forms the nucleus of the right to be forgotten as it stands currently.

A shift from the right to erasure to the right to be forgotten

The 2014 judgement by the European Court shifted the interpretation of the previous understanding of the right to erasure. It essentially extended the remit of the right to be forgotten to cover the right to delisting.

Since then, any individual has had the right to make the request to erase personal data and certain links from any search index. This is considered a valid request if the results of the search engine show personal information that is: “Inadequate, irrelevant or no longer relevant, or is excessive.”

Since this ruling, there has been discussion and debate over what an erasure request means for search engines, for every data protection authority and for the public interest.

Search engine concern over practicality of the right to be forgotten

The ruling by the European Court caused concern for companies like Google, who wanted to understand the full ramifications of their legal obligation.

As a search engine operator, Google set up an Advisory Council in 2015 to figure out recommendations regarding the right to be forgotten.

By February 2018, Google said that it had already received 2.4 million requests for personal data to be delisted since the date of the 2014 judgement. Google has always stressed that it is attempting to balance the right to be forgotten and the individual’s privacy with public interest.

Global incorporation of the right to be forgotten

As we mentioned earlier, in May 2018 the new GDPR incorporated the right to be forgotten for EU states.

Since then, other jurisdictions have also been weighing up personal data processing and the public interest with the validity of protecting a person’s online reputation.

Courts, businesses and policy makers at different levels have been debating the right to be forgotten and data privacy for Internet users in countries from Canada to Japan and Brazil to India.

Critics stress their concern that the right to be forgotten could end up with widespread removal of online content from Google search results. However, those that are on the side of the right to delist content say that if such personal information is permitted to stay available online to a third party, it could cause injustice to individuals without legitimate interests for the public.

In 2019, however, the CJEU (Court of Justice of the European Union) ruled in a specific case that the right to be forgotten and the associated obligation to delete such information can only apply within EU territory.

Right to be forgotten decisions are made on a case-by-case basis

Competing interests and the overwhelmingly connected nature of our Internet driven society make the right to be forgotten (RTBF) far more complex than a person making a demand of an organisation.

This is why data processors set up an advisory council and why the European Commission continues to adapt the policies along with case law.

If you want to read the RTBF for yourself, it’s found in Article 17 of the GDPR, which states:

“The data subject shall have the right to obtain from the controller (usually a search engine such as Google but can be an organisation) the erasure of personal data concerning him or her without undue delay” if certain conditions apply.

It’s widely considered that any request for personal data removal should be dealt with within around a month. To ascertain the worth of the removal request, it’s vital to ensure that the right steps are taken to make sure the data subject is legitimate.

Due to their very nature, and to ensure that such data is removed from search engines without undue delay, EU law considers each case on its own basis. There can be no ‘one size fits all’ ruling with the RTBF, as the factors to be balanced, including public interest, are many and varied.

When can legal claims to remove data from search results be made?

The GDPR must balance requests for data or URL removals against the public’s interest and consider whether they’re no longer relevant.

Individuals can act with regard to their sensitive data if they consider it to be stored unnecessarily, if the data is incorrect, or if they no longer consent to the processing of said data.

There are specific circumstances laid out in Article 17 of the GDPR that clearly state when the RTBF can be claimed. The data subject’s request is considered viable if the following criteria are fulfilled.

  1. If the organization’s original reason for collecting and processing the personal data is no longer necessary. This could have been for direct marketing purposes or for statistical purposes, for example.
  2. If the personal data collected relies on the individual’s consent and they have now withdrawn the consent they had given.
  3. If the organization in question uses legitimate interests as the reason for keeping and processing the person’s data, and the person objects. If there is no encompassing legitimate interest for the organization to continue to keep and process the data, then it’s the data subject’s right to request removal.
  4. If the organization can be shown to have broken the law when collecting and processing personal data.
  5. If the organization is compelled to take reasonable steps to erase the personal data to comply with a legal obligation or ruling.

When do the organization’s rights to process the data override the data subject’s?

There are certain circumstances in which the organization’s right to the individual’s data is considered to override the legitimate interest of the individual. The following reasons are laid out in the GDPR:

  1. If the personal data is considered as important to exercise the right to freedom of information and expression.
  2. If the data is used to comply with a legal obligation or ruling.
  3. If the personal data relating to the individual is being used to perform a task in the public interest (such as, for example, scientific research or historical research), or when the official authority of the data processing organization is involved.
  4. The data is considered necessary for the public interest or for public health reasons.
  5. The data in question is necessary for either preventative or occupational medicine. However, this applies only when the data is under the control of a health professional who is obliged to stick to a legal obligation regarding professional secrecy or technical measures.
  6. The data is being utilized for legal claims or to establish a legal defence.

If the organization can properly justify that a data removal request is excessive or unfounded then it can either deny the request to remove personal data totally or can request a ‘reasonable fee’.

To ensure that all the versions are covered for every request for data to be forgotten online (i.e., removed by the organization that originally collected it), each request must be dealt with separately.

Therefore, we see examples when the European Parliament makes a change to legislation or explains the regulations to ensure the public’s interest is quantified.

All the variables involved with such a right means that every separate evaluation must be made carefully and considered against local laws as well as GDPR. Depending on the request, the data controller, or the data subject (or both) may have to justify certain elements of why and where the data is being processed.

What does a valid request look like for the right to be forgotten?

There is no specification under the GDPR regarding the specifics of a valid verbal request or written request.

The data subject can make the request either in writing or verbally and can make it to any member of the organization involved. In other words, the request to ensure that search results no longer show personal data doesn’t have to be made to a specified information commissioner or officer.

If the request meets the conditions listed in the section above, it is considered valid according to the European Commission or, due to Brexit, the UK courts if it is based there instead.

Furthermore, the request doesn’t even have to mention the ‘right to be forgotten’, ‘request for erasure’, the GDPR or Article 17.

Obviously, this puts the onus on the organization to ensure its employees are fully trained on what constitutes a valid verbal request. Any employee could feasibly receive such a request and must know what to do with it and the organization’s obligations.

How should an organization react or respond to a request?

Organizations within the EU must ensure that they are fully conversant with the GDPR, the right to be forgotten and how and when people might make requests.

All data controlling companies should have processes in place, and training for employees to understand the law, what kind of data is involved and why individual data subjects might want to remove it from appearing in Google’s search results (or those of other search engines).

When a request is received, the organization must then delete the specified data within one month.

As we’ve explained, there are some exemptions and specific circumstances where the organization’s right to the data supersedes the subject’s.

The organization must also tell any other party that has been privy to the data, about the request. Only in certain circumstances can they refuse to do this. For example, if this would be considered disproportionate or impossible. However, they must inform the subject that their data has been shared with other organizations if asked.

If the data in question has been shared publicly online, and therefore would appear in a search result either on social networks, websites, or any other public forum, then the data controlling organization must take all reasonable steps available to inform the owners of those sites to also delete URLs or copies of the data.

What happens if an organization refuses to adhere to the right to be forgotten?

When Google refused to implement the right to be forgotten in 2020, the data protection authority of Belgium (APD) fined the company a record (at the time) 600,000 Euros.

In this case, Google didn’t delete links that showed up in a search result that were deemed obsolete and harmful to a person publicly known in Belgium.

The ruling by the APD stated that Google was negligent as there was coherent and provable evidence that the content in question was irrelevant and outdated.

Google was then ordered to stop allowing references to these stories within EU member states. The company was also told to publish clearer information about who at the company is responsible for right to be forgotten requests.

Case studies: examples of the right to be forgotten

For individuals who are considering making a request for removal of their personal data under the right to be forgotten, it can be useful to see past examples.

The following case studies are also useful for organizations to further understand their legal obligations under this law, and how the European Parliament views such requests.

Webpages, URLs, and content have been removable for decades, but the GDPR formalized the concept and procedures.

All of this means that individuals do have more control over their personal data, and for those with, for example, a past criminal conviction, there is a viable route to ensuring that related information doesn’t show up via Internet searches forever.

However, as we’ve seen, it’s not always straightforward to achieve, and it’s not always guaranteed. We would always recommend that individuals and organizations alike should work with professional firms to achieve the results they want regarding content removal.

We’ve found that every case is different but usually an individual’s reason to make such a request is driven by a sense of unfairness, injustice, and a wish to be able to move away from mistakes made in the past.

Often, to be successful in a right to be forgotten request, the key is to be persistent. There must, of course, be a probable cause for the request. Google can be inconsistent when it comes to the decisions it makes regarding requests, and it’s possible that different locations within the EU may differ too.

While all member states must comply with the GDPR, it’s not impossible for Google Spain, for example, to respond differently to Belgium. To have the best chance for success, the submission must be comprehensive and comply with the law.

For anyone who wants to make a request under the right to be forgotten, but who feels their case may be shaky, it’s still worth approaching a professional firm and finding out what can be done.

Many cases are complex and cross different spheres, ranging from sports to finance and medical sectors. In a high number of cases, celebrities, and others already in the public eye, want to make these requests but find it more difficult to bypass Google’s barriers.

Google’s stance is often that the information is in the public interest when it rejects these kinds of requests.

Can celebrities utilise the right to be forgotten and get links removed?

The more well known the data subject is, and the more they are already in the public eye, the more difficult it can be to get content removed online.

Google often turns these requests down as a bulk decision has already been made that any information about a famous person is automatically in the public interest.

This presumption rests on the fact that celebrities must be subjected to public scrutiny more than other people. There is also an assumption that any information available about them online was originally instigated by them, and therefore isn’t subject to requests to be deleted.

It’s true that, in general, it’s more difficult to get information removed if it was placed there by the same data subject. The idea is that people in the public sphere shouldn’t be able to manipulate information that is published online about them.

There are examples available of people who are known to the public being successful in their attempt to remove information about them.

As with every RTBF case, the devil is in the detail and decisions are made based on individual circumstances. There is no ‘one size fits all’ application of the legislation, nor of the request for erasure.

Data protection law means that Google must look at each case on its own merits. Under the legislation, an organization cannot tell someone who is well-known to the public that their request is automatically denied just because they are a celebrity.

It is possible for celebrities to get images and content removed under the RTBF, although convincing Google or other search engines to remove content is challenging. In order to succeed, the celebrity or well-known person must work with professionals to overcome the assumptions made about them.

The process is complex and convoluted for everyone, whether they’re in the public eye or not. But the important thing to remember is that it is possible to get unwanted or outdated information removed from search results, provided the right approach is taken.

Checklist for organizations to comply with the RTBF

If you are an organization within the EU, the UK or other jurisdiction that follows the tenets of the GDPR, then it’s important to understand your obligations regarding people’s data.

Given that the RTBF gives people the right to ask for their data to be erased, every organization should fully understand how to comply. It’s also vital to be ready to respond to valid requests and to know how to process them.

The GDPR and Article 17 affect every different type of data controller, regardless of the sector or business field.

For example, let’s assume a job applicant uploads their details to your website’s career page. They then change their mind and want all of the details you have about them to be erased. Other examples include where someone wants to exercise the RTBF among their other rights.

For example, a client or customer has the right to ask you what data you hold about them (this is the right of data access) and then to ask you to transfer these to another organization (this is the right to data portability). They then exercise the right to erasure by asking for their personal record to be erased.

If your organization refuses to comply with these kinds of requests, then it may be on the hook for penalties. These include regulatory intervention, regulatory audits, sanctions or fines. This is why the RTBF is so important.

Organizations should prepare for data erasure requests

In order to ensure that your organization is ready for these types of requests, it’s important to do the following:

  • Make it easy to respond to requests so that people can access their own information easily and securely.
  • Train employees in compliance and ensure that the understanding is companywide.
  • Have the right kind of tools in place.
  • Work with us to ensure you have the right kind of framework in place.

For information, advice and consultation on every kind of GDPR issue, we would recommend heading over to Igniyte. Experts in reputation management, Igniyte have all of the expertise necessary to work with its clients on GDPR compliance and understanding.

This includes, of course, experience in facilitating successful data erasure requests. GDPR and the RTBF affect everyone in one way or another, whether as a data subject or as an organization controlling data. It’s important to take the time to ensure a thorough understanding of and adherence to the law under GDPR.