Our new Data Protection and Privacy Support Portal "PrivacyAssist" in now available. Learn More!
Resources
Glossary
    ← Back to glossary

    Right to Be Forgotten

    Glossary Contents

    The 'Right to Be Forgotten' is a concept that has emerged in the realm of data privacy, and it has significant implications for both individuals and organizations. This principle, also known as the 'right to erasure', allows individuals to request that their personal data be deleted or removed under certain circumstances. The 'Right to Be Forgotten' is a crucial aspect of data privacy, and understanding it is essential for anyone dealing with personal data.

    While the 'Right to Be Forgotten' may seem straightforward, it is a complex topic with many nuances. This article will delve into the intricacies of this right, its origins, its implementation, and its impact on data privacy. We will explore the various aspects of the 'Right to Be Forgotten', providing a comprehensive understanding of this critical data privacy principle.

    Origins of the Right to Be Forgotten

    The 'Right to Be Forgotten' has its roots in European law. It was first recognized in the 1995 Data Protection Directive of the European Union (EU), which laid the groundwork for data protection principles in the region. The directive included provisions that allowed individuals to request the deletion of their personal data under certain conditions.

    However, the 'Right to Be Forgotten' gained prominence with the landmark case of Google Spain v. AEPD and Mario Costeja González in 2014. The European Court of Justice ruled in favor of Mr. González, who had requested that Google remove links to outdated information about him. This ruling established the 'Right to Be Forgotten' as a fundamental part of data privacy in the EU.

    Impact of the Google Spain Case

    The Google Spain case had a profound impact on the interpretation and application of the 'Right to Be Forgotten'. The ruling emphasized the importance of balancing the individual's right to privacy with the public's right to information. It also highlighted the role of search engines in data processing and their responsibilities under data protection law.

    This case led to a surge in requests for data deletion, not just in Europe but around the world. It also sparked debates about the global applicability of the 'Right to Be Forgotten', with implications for cross-border data transfers and international law.

    Right to Be Forgotten in the General Data Protection Regulation (GDPR)

    The 'Right to Be Forgotten' was formally codified in the EU's General Data Protection Regulation (GDPR), which came into effect in 2018. Article 17 of the GDPR provides for the 'Right to Be Forgotten', allowing individuals to request the erasure of their personal data under certain circumstances.

    The GDPR sets out the conditions under which the 'Right to Be Forgotten' can be exercised and the obligations of data controllers in responding to such requests. It also provides for exceptions to the right, recognizing that the right to erasure is not absolute and must be balanced against other rights and interests.

    Conditions for Exercising the Right to Be Forgotten

    Under the GDPR, individuals can exercise their 'Right to Be Forgotten' in several situations. These include when the data is no longer necessary for the purpose for which it was collected, when the individual withdraws consent or objects to the processing, and when the data has been unlawfully processed.

    However, the 'Right to Be Forgotten' is not absolute. The GDPR provides for exceptions where the processing of data is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.

    Obligations of Data Controllers

    Data controllers have significant responsibilities under the GDPR when it comes to the 'Right to Be Forgotten'. They are required to take reasonable steps to inform other controllers who are processing the data that the individual has requested the erasure of any links to, or copy or replication of, that data.

    Furthermore, data controllers must respond to requests for erasure without undue delay and in any event within one month of receiving the request. This period can be extended by two further months where necessary, taking into account the complexity and number of requests.

    Global Impact of the Right to Be Forgotten

    While the 'Right to Be Forgotten' originated in Europe, it has had a global impact. Many countries outside the EU have incorporated similar principles into their data protection laws, reflecting the growing recognition of the importance of data privacy.

    However, the global application of the 'Right to Be Forgotten' has also raised complex legal and practical issues. These include questions about the extraterritorial scope of the right, the balance between privacy and freedom of expression, and the technical challenges of data erasure.

    Extraterritorial Scope of the Right to Be Forgotten

    The extraterritorial scope of the 'Right to Be Forgotten' has been a contentious issue. The question is whether European data protection laws, including the 'Right to Be Forgotten', apply to data processing activities outside the EU.

    In 2019, the European Court of Justice ruled in the Google v. CNIL case that the 'Right to Be Forgotten' does not have global scope. This means that search engines are not required to remove links to information worldwide in response to a request for erasure from an EU resident. However, they must take measures to prevent or seriously discourage access to the links from within the EU.

    Balance Between Privacy and Freedom of Expression

    The 'Right to Be Forgotten' must be balanced against other rights, including the right to freedom of expression and information. This balance is often difficult to strike, as the removal of information can impact the public's right to know and the freedom of the press.

    The GDPR recognizes this tension and provides for exceptions to the 'Right to Be Forgotten' where the processing of data is necessary for exercising the right of freedom of expression and information. However, determining when these exceptions apply can be a complex task, requiring a case-by-case assessment.

    Technical Challenges of Data Erasure

    The 'Right to Be Forgotten' also presents technical challenges. Data erasure is not a simple task, especially in the age of big data and cloud computing. Data is often stored in multiple locations and formats, making it difficult to locate and delete all copies of the data.

    Furthermore, data erasure must be carried out in a way that ensures the permanent removal of the data. This means that the data must be deleted in such a way that it cannot be recovered or reconstructed. This requires sophisticated data deletion techniques and technologies.

    Data Deletion Techniques

    There are several techniques for deleting data, each with its own advantages and disadvantages. These include overwriting, which involves replacing the data with other data; degaussing, which involves demagnetizing the storage medium; and physical destruction, which involves physically damaging the storage medium.

    However, these techniques may not be suitable for all types of data or storage media. For example, overwriting may not be effective for solid-state drives, and physical destruction may not be feasible for cloud storage. Therefore, data controllers need to choose the appropriate data deletion technique based on the nature of the data and the storage medium.

    Data Deletion Technologies

    There are also various technologies available for data deletion. These include data erasure software, which can overwrite data with random information; hardware-based data destruction devices, which can physically destroy storage media; and secure deletion services, which can provide professional data deletion services.

    However, these technologies also have their limitations. For example, data erasure software may not be able to delete data from damaged or inaccessible storage media, and hardware-based data destruction devices may not be suitable for large volumes of data. Therefore, data controllers need to select the right data deletion technology based on their specific needs and circumstances.

    Conclusion

    The 'Right to Be Forgotten' is a fundamental aspect of data privacy. It empowers individuals to control their personal data and protects them from the potential harms of data misuse. However, it also presents significant challenges for data controllers, who must navigate complex legal, practical, and technical issues to comply with this right.

    Understanding the 'Right to Be Forgotten' is crucial for anyone dealing with personal data. By delving into the origins, implementation, and impact of this right, we can gain a comprehensive understanding of this important data privacy principle. As data privacy continues to evolve, the 'Right to Be Forgotten' will undoubtedly continue to play a key role in shaping the future of data protection.

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    Get Started For Free
    Schedule Demo
    PrivacyEngine Onboarding Screen