Right to Be Forgotten – When It Applies & When It Doesn’t

One of the most complex topics in the European Union’s landmark General Data Protection Regulation (GDPR) is the Right to be Forgotten, also known as the Right to Erasure. On the outset, the concept seems simple – individuals can request for their personally identifiable data to be removed if they have provided it to a data controller, hence they can be “forgotten”.

But, in a world of connected data where information is shared across servers, people, territories and what not, the Right to be Forgotten is a complex regulation which has many enterprises tripping up after the implementation of GDPR. While the moral and philosophical effects of this rule are for a different topic, this article tries to understand this right and explain where and when it applies.

The role of personal data

The first point to keep in mind is that this is not an absolute right. The Right to Erasure or Right to be Forgotten is provided to all individuals but only if they meet certain specifications. As the specific Article 17 of the GDPR regulation says:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

The criteria to meet

This makes it clear that an individual cannot randomly request to be forgotten. They must fit some of the criteria – i.e. their personal data is no longer necessary in relation to the reason for its collection, the consent has been withdrawn, etc. This is a point which enterprises must keep in mind when considering the right to be forgotten requests.

Furthermore, the same article also makes it clear that enterprises do not have to comply with the request in case of the following circumstances:

• for exercising the right of freedom of expression and information
• for compliance with legal obligations
• for reasons of public interest in the area of public health
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• for the establishment, exercise or defense of legal claims.

Hence while enterprises must comply with GDPR requirements which also involved compliance with a user’s right to be forgotten, they must also work according to the clauses provided in the article. It is important that there is recognition that GDPR is more than just security compliance; it is a regulation with both legal and social consequences.