Right to be Forgotten: Explained

Learn about The Right to be Forgotten (RTBF), an individual’s right to request their data be removed from any organization's data stores.
Michael Buckbee
5 min read
Last updated June 6, 2022

The “Right to be Forgotten” (RTBF) is a key element of the new EU General Data Protection Regulation (GDPR), but the concept pre-dates the latest legislation by at least five years.  It encompasses the consumers’ rights to request that all personal data held by the company —or “controller” in GDPR-speak — be removed on request.  But it goes further: the GDPR rules (see its article 17 ) says that search engines (like Google) have to delete references to personal data that comes up publically in search results.

In other words, consumers have the right to retain their privacy on the Internet.  The notion of RTBF is beginning to become more common all around the world. California recently passed RTBF in the California Consumer Privacy Act. North Carolina is working on RTBF laws, and there are early efforts to bring the issue before the US Congress.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

All that to say: RTBF looks to be a new “normal” in the coming years.

Editor’s note: The Right to be Forgotten, Right to Erasure, and Right to Delete are conceptually similar enough that we are going to simply call them all Right to be Forgotten for this blog.

Right to Be Forgotten History

The RTBF as a concept grew out of the long held belief that after a certain amount of time, a person’s past should not be regarded when they seek employment. With the advent of the internet and indexed search engines (like Google), those types of records became more accessible.

Time for a quick history lesson: In 2014, the Spanish judiciary ruled in favor of a right to be forgotten in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014). The case revolved around a newspaper announcement in La Vanguardia for Costeja’s forced property sale required to settle social security debt in 1998. In 2009, Costeja contacted the newspapers because searching for his name brought up the old announcement. The newspaper denied the request since it was a government ordered publication. Costeja then contacted Google Spain to remove the search result.

Eventually, the EU courts ruled that Google needed to remove the search results, but – and this is important – the newspaper didn’t have to remove the original article. The ruling effectively established precedence and validated RTBF as law, with several caveats.

Today, RTBF is enshrined in the GDPR’s article 17.  And the RTBF has reached US’s shores as the Right to Erasure, which is now law in California.

Can I Ask a Company to Delete My Data?

In general, if you are in a jurisdiction where RTBF or similar laws exist you can submit a Data Subject Access Request (DSAR) to remove or request what personal data about you a company has stored. That doesn’t mean the data controller would or should fulfill every DSAR.  There are legal differences between public, private, and erroneous data to consider.

When is the Right to Be Forgotten Applicable?

First, you need to make the request directly with the data collector that holds the data that you want deleted. Google has a specific request form for this, Facebook another, and so on.

The “data controller,” the entity that currently has the data you want removed, then must consider your request based on legal precedents. Some valid reasons for RTBF request include:

  1. Data exists on the internet that is old and outdated, or otherwise not currently relevant
  2. The data subject decides that the data controller no longer have the right to access their data, and the data isn’t in the public domain
  3. Someone stole the data or changed the data
  4. A judge or other judicial body ruled this data deleted

reasons for a right to be forgotten request

In short, the “data subject” – the person making the request – has a strong legal framework to demand that data controllers must erase their personal data in many instances. For example, blatantly false or abusive data has a good case for erasure. There are, of course, exceptions.

Are There Exceptions to the Right to Be Forgotten?

There are several exceptions to RTBF:

  1. The data should be available because of freedom of information or expression.
  2. The data is part of an active or recent legal proceeding.
  3. The data is of importance to public health.
  4. The data should be archived for public interest because it is significant to scientific or historical research.

For the most part, exceptions to the RTBF revolve around public interest, freedom of speech, and freedom of information.

Controversy Regarding the Right to Be Forgotten

Not surprisingly, RTBF is controversial with compelling arguments on both sides of the issue. On one hand, you have an individual’s right to privacy, and on the other, you have freedom of speech and freedom of information.

The controversy boils down to where does one draw the line between the two? In the previously mentioned Costeja case, that line was the search result. The factual information that Costeja sold the property to settle debt is a matter of public record, and should not be deleted from the internet. However, the courts ordered Google to delete and suppress the search result that linked to the public information that Costeja sold the property. The ruling says that since Costeja repaid the debt  long ago, the search results are “inadequate, irrelevant, or excessive.” The court granted Costeja RTBF based on those grounds but stopped short of saying any data deletion request must be granted.

Recently, France brought a case to the European Court of Justice that requests the GDPR’s RTBF extend universally to people outside the EU. Critics, including Google, argue that ruling in favor to extend RTBF might result in global censorship and infringement of freedom of information rights.

On the other side, France says that if RTBF isn’t universal then the Google search result will still show up in other countries – rendering the protection of RTBF effectively useless. If Google deletes the result from Google.fr, anyone could just use the U.S version of Google to see the same result.

The question of where to draw that line between Right to Privacy and Freedom of Information is not going away. Stay tuned as lawmakers, lawyers, and judges make new rules and verdicts – it’s a fascinating discussion.

Right to Be Forgotten in The News

The Recent News is All About Google v France

Canada’s Privacy Commissioner Asked the Courts to Rule on Right to be Forgotten

A UK Charity Asks Courts to Grant RTBF to Childhood Cancer Survivors

The Right to be Forgotten is going to prove to be a tricky rule for organizations to navigate as more guidelines are developed and evolved. Each organization needs a strategy in place to manage an RTBF request based on the data that you save and the applicable RTBF laws.

how to manage an RTBF request

Companies need to:

Varonis DatAnswers creates an index of your data and helps identify files that contain data subject identifiers, enabling companies to process each DSAR appropriately. Unstructured data can contain millions of dollars’ worth of potential fines if a data controller mishandles a DSAR and the customer’s data gets shared or reused again. The Varonis Data Transport Engine can then help move, collect, and secure all of those files into one single location, so that you can easily quarantine or delete the data – and more easily comply with RTBF.

Want to talk to one of our GDPR experts about how Varonis helps you manage DSARs and Right to be Forgotten? Get a free 1:1 demo and ask about GDPR.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

gdpr:-the-right-to-be-forgotten-and-ai
GDPR: The Right to Be Forgotten and AI
One (of the many) confusing aspects of the EU General Data Protection Regulation (GDPR) is its “right to be forgotten”. It’s related to the right to erasure but takes in far...
gdpr-data-breach-guidelines
GDPR Data Breach Guidelines
Index Personal Data Breach vs. Reportable Breach Notifying the Regulators Breach Notification and Ransomware Individual Reporting Breach Notification in Phases Notification Details This Is Not Legal Advice The General Data...
understanding-canada:-ontario’s-new-medical-breach-notification-provision-(and-other-canadian-data-privacy-facts)
Understanding Canada: Ontario’s New Medical Breach Notification Provision (and Other Canadian Data Privacy Facts)
Remember Canada’s profusion of data privacy laws? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the law that covers all commercial organizations across Canada. Canadian federal government agencies,...
gdpr-by-any-other-name:-the-uk’s-new-data-protection-bill
GDPR By Any Other Name: The UK’s New Data Protection Bill
Last month, the UK published the final version of a law to replace its current data security and privacy rules. For those who haven’t been following the Brexit drama now...