GDPR – The Right To Be Forgotten

In light of recent headlines purporting our ‘Right to be Forgotten’ is newly enshrined in the General Data Protection regulation (GDPR) I thought I’d take a closer look.

The ‘right to be forgotten’ actually has its roots in the 1995 Data Protection Directive:

Article 12

Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

This Article (among others) was heavily cited in the famous “Google Spain” judgement which led to what we now refer to as the “Right to be forgotten” (RTBF). The geographic scope of that ruling is still being fought in the French courts.

Although this ruling is heralded as a landmark decision – and rightly so – it comes with many caveats and it’s interesting to note that two years after this ruling, Google denies 75% of RTBF requests. These refusals can be broken down as follows:

Concerns your professional activity – 29.7%

You are at the origin of this content – 19.9%

The information is about another person – 9.4%

No name on page – 8.4%

Your profile on a social network – 7.6%

Topical and in the public’s interest – 7.4%

Relevant, topical and in the public’s interest – 6.3%

Does not refer to a physical person – 5.8%

You are a public personality – 3.5%

Government data – 1.6%

Other – 0.5%

The crux of Google’s defence in the Google Spain case was their claim they were not “Data Controllers” but merely “Data Processors”. This argument was not accepted.

I mention this in light of GDPR Article 17 – Right to erasure (‘right to be forgotten’):

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

As you can see the RTBF can be exercised only against Data Controllers.

We know from the Google Spain ruling that search engines fall under the ‘Data Controller’ category, but what of other social media platforms and websites?

I ask this as an actor is suing Facebook over a bogus profile they failed to remove. In such instances, would the social media platform be deemed a Data Controller under GDPR, or simply a Data Processor – with users deemed as Data Controllers – and effectively shielded from RTBF.

Nobody really knows at this point.

The GDPR RTBF also comes with caveats as in Article 17:

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

Reasonable enough, except this will now force Data Controllers to become arbiters of “public interest” and “freedom of expression and information” presumably as directed by Member State laws. Balancing rights against obligations is an onerous responsibility.

Also, under the “Right to Object” (Article 21) the burden lies with the Data Controller to demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

The Data Controller must also notify third parties of the erasure:

Article 19:

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

And all of this must be done swiftly – Article 12 (3):

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Given the above complexities, coupled with the eye-watering fines for non-compliance, I suspect the ‘right to be forgotten” may morph into “delete if in doubt” for some companies.

I might be wrong. Much of this is in flux as lawyers put flesh on the bones and we await further clarification.

In the UK the Information Commissioner’s Office have just announced their plans to roll out GDPR guidance over the next couple of years.

Interesting times.