The “Right to be Forgotten” (RTBF) is a key element of the new EU General Data Protection Regulation (GDPR), but the concept pre-dates the latest legislation by at least five years. It encompasses consumers’ right to request that all personal data held by the company (the “controller” in GDPR-speak) be removed. But it goes further: the GDPR rules (see its article 17) say that search engines (like Google) have to delete references to personal data that come up publicly in search results.
In other words, consumers have the right to retain their privacy on the Internet. The notion of RTBF is beginning to become more common all around the world. California recently passed RTBF in the California Consumer Privacy Act. North Carolina is working on RTBF laws, and there are early efforts to bring the issue before the US Congress.
All that to say: RTBF looks to be a new “normal” in the coming years.
Editor’s note: The Right to be Forgotten, Right to Erasure, and Right to Delete are conceptually similar enough that we are going to simply call them all Right to be Forgotten for this blog.
Right to Be Forgotten History
The RTBF as a concept grew out of the long-held belief that after a certain amount of time, a person’s past should not be regarded when they seek employment. With the advent of the internet and indexed search engines (like Google), those types of records became more accessible.
Time for a quick history lesson: In 2014, the Spanish judiciary ruled in favor of a right to be forgotten in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014). The case revolved around a newspaper announcement in La Vanguardia for Costeja’s forced property sale required to settle social security debt in 1998. In 2009, Costeja contacted the newspapers because searching for his name brought up the old announcement. The newspaper denied the request since it was a government ordered publication. Costeja then contacted Google Spain to remove the search result.
Eventually, the EU courts ruled that Google needed to remove the search results, but – and this is important – the newspaper didn’t have to remove the original article. The ruling effectively established precedent and validated RTBF as law, with several caveats.
Today, RTBF is enshrined in the GDPR’s article 17. And the RTBF has reached US shores as the Right to Erasure, which is now law in California.
Can I Ask a Company to Delete My Data?
In general, if you are in a jurisdiction where RTBF or similar laws exist, you can submit a Data Subject Access Request (DSAR) to request, or ask for the removal of, the personal data a company has stored about you. That doesn’t mean the data controller would or should fulfill every DSAR. There are legal differences between public, private, and erroneous data to consider.
When is the Right to Be Forgotten Applicable?
First, you need to make the request directly with the data collector that holds the data that you want deleted. Google has a specific request form for this, Facebook another, and so on.
The “data controller,” the entity that currently has the data you want removed, then must consider your request based on legal precedents. Some valid reasons for an RTBF request include:
- Data exists on the internet that is old and outdated, or otherwise not currently relevant
- The data subject decides that the data controller no longer has the right to access their data, and the data isn’t in the public domain
- Someone stole the data or changed the data
- A judge or other judicial body ruled this data deleted
In short, the “data subject” – the person making the request – has a strong legal framework to demand that data controllers erase their personal data in many instances. For example, blatantly false or abusive data has a good case for erasure. There are, of course, exceptions.
Are There Exceptions to the Right to Be Forgotten?
There are several exceptions to RTBF:
- The data should be available because of freedom of information or expression.
- The data is part of an active or recent legal proceeding.
- The data is of importance to public health.
- The data should be archived for public interest because it is significant to scientific or historical research.
For the most part, exceptions to the RTBF revolve around public interest, freedom of speech, and freedom of information.
Controversy Regarding the Right to Be Forgotten
Not surprisingly, RTBF is controversial with compelling arguments on both sides of the issue. On one hand, you have an individual’s right to privacy, and on the other, you have freedom of speech and freedom of information.
The controversy boils down to where does one draw the line between the two? In the previously mentioned Costeja case, that line was the search result. The factual information that Costeja sold the property to settle debt is a matter of public record, and should not be deleted from the internet. However, the courts ordered Google to delete and suppress the search result that linked to the public information that Costeja sold the property. The ruling says that since Costeja repaid the debt long ago, the search results are “inadequate, irrelevant, or excessive.” The court granted Costeja RTBF based on those grounds but stopped short of saying any data deletion request must be granted.
Recently, France brought a case to the European Court of Justice that requests the GDPR’s RTBF extend universally to people outside the EU. Critics, including Google, argue that a ruling in favor of extending RTBF might result in global censorship and infringement of freedom of information rights.
On the other side, France says that if RTBF isn’t universal then the Google search result will still show up in other countries – rendering the protection of RTBF effectively useless. If Google deletes the result from Google.fr, anyone could just use the U.S. version of Google to see the same result.
The question of where to draw that line between Right to Privacy and Freedom of Information is not going away. Stay tuned as lawmakers, lawyers, and judges make new rules and verdicts – it’s a fascinating discussion.
Right to Be Forgotten in The News
The Recent News is All About Google v France
- ‘Right to be forgotten’ could threaten global free speech, say NGOs
- The ‘Right to Be Forgotten,’ Globally? How Google Is Fighting to Limit the Scope of Europe’s Privacy Law
- Google in legal battle with EU over ‘right to be forgotten’
Canada’s Privacy Commissioner Asked the Courts to Rule on Right to be Forgotten
A UK Charity Asks Courts to Grant RTBF to Childhood Cancer Survivors
The Right to be Forgotten is going to prove to be a tricky rule for organizations to navigate as more guidelines are developed and evolve. Each organization needs a strategy in place to manage an RTBF request based on the data that it saves and the applicable RTBF laws.
Companies need to:
- Identify and classify personally identifiable information (PII) on their network:
  - Government ID numbers
  - First and last name
  - Mother’s maiden name
  - Biometric data
  - And more
- Have a process in place to comply with a DSAR or deletion request
Varonis DatAnswers creates an index of your data and helps identify files that contain data subject identifiers, enabling companies to process each DSAR appropriately. Unstructured data can contain millions of dollars’ worth of potential fines if a data controller mishandles a DSAR and the customer’s data gets shared or reused again. The Varonis Data Transport Engine can then help move, collect, and secure all of those files into one single location, so that you can easily quarantine or delete the data – and more easily comply with RTBF.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.