If you have ever entered your name into Google or any other internet search engine, then you may have been surprised at the results returned. Social media posts, information about legal proceedings (even if subsequently rejected in the courts), and comments on discussion boards might all be there, even if the information is very old and no longer represents who you now are.
The right to be forgotten provides a civil right to data privacy. It means that requests can be submitted for personal information to be removed not only from internet webpages but also from search tools such as Google. This means that the information can no longer be found online, even if it was originally posted on social media. The request for removal also includes its deletion from data processing, such as that used in customer profiling or marketing, even if the person originally gave their permission.
While this sounds like a simple concept, the process for an individual to achieve results is not always straightforward. Then there are legitimate exceptions to the requirement for removal, such as those whose life is of public interest. With this in mind, you may want to consider getting right to be forgotten help, which often requires a combination of assistance from professionals within the field of online reputation management and legal advice.
What is the General Data Protection Regulation (GDPR)?
When the European Union presented the GDPR, it was considered to be a huge step forward for individuals’ rights. While Europe has had laws covering data protection for over forty years, the rules were not considered to meet the needs of an internet age. They were very limited in their ability to be applied to how we now carry out day-to-day tasks when using a search engine such as Google or communicating on social media.
Then there were issues with weak penalties, which failed to discourage the inappropriate use of personal information, and it was challenging to request that personal data be removed or not utilized for processing purposes. As a result, EU countries had their own interpretations of the directive, which only added to the confusion around its application.
Replacing the ineffective data protection law, the GDPR passed by the European Court imposed obligations onto organizations anywhere in the world if they collected data from EU citizens and those living within the EU. Since the law came into effect in May 2018, the GDPR has resulted in legal cases where significant fines, reaching tens of millions, have been levied against those who violate its standards.
The overall aim of the GDPR is to make it easier for EU citizens to understand how their data is being used, to request its removal, and to have a process through which to make a complaint should its use fail to meet the regulation’s requirement.
What is The Right to Erasure?
The Right to be Forgotten, also known as the Right to Erasure, sits within Article 17 of the GDPR. This new right states that when there is no compelling reason for the processing of their personal data, an individual can request:
- The deletion/removal of their personal data.
- That there is no further distribution of their personal data.
Article 17 clearly states that data controllers have an obligation within the law to respond within one month of requests being made. However, it is clear that this is a request to erase rather than an automatic right to data deletion. Complexity is added to the situation through the requirement to ‘take reasonable steps’ to advise other controllers of the erasure request in circumstances where the personal data has been shared.
Can I Be Charged a Fee For a Data Erasure Request?
In most cases, organizations are not allowed to charge a fee to comply with the right to be forgotten request. However, if they believe that a request is ‘unfounded or excessive,’ then they are allowed to charge a reasonable fee for the time it takes to meet the request.
Which Personal Data is Covered by the Right to be Forgotten?
The right to erasure covers seven circumstances in which an individual has the right to have their personal information removed:
- Where the data is no longer needed for the reason it was originally collected;
- When the data was held due to consent being given and the individual then rescinds that consent;
- When the legitimate reason for processing no longer applies;
- When the processing of the data is for direct marketing and a person no longer wishes their information to be used for that purpose;
- When the data has been processed unlawfully;
- When there is a legal obligation requiring the data to be erased; or
- When information society services are offered to a data subject who is a child.
When Is Personal Information Not Covered by the Right to be Forgotten?
It’s important to know that the right to be forgotten does not apply in all situations. Where an organization has the right to use someone’s data, then that might override the individual’s right to be forgotten. The cases where this might happen include:
Freedom of expression and information
When this right is being exercised, then the data is being used within the remit of the GDPR. However, the implementation of this freedom does seem to vary within the EU, with different countries offering journalists, for example, differing levels of protection.
Data processed by a healthcare professional who is subject to professional secrecy by law
If a patient were to ask to have their medical records deleted, there are times when a doctor, for example, would not need to comply with the request. This includes circumstances when the data is used for a medical diagnosis, for the provision of health or social care, and when needed for the management of health care systems and services.
The retention of personal information for scientific or historical research is allowed, though there do have to be safeguards in place through data minimization, which might mean anonymization of data through name removal. Information used should be limited to what is directly relevant and necessary and must only be kept for as long as needed to meet that requirement.
When a request is manifestly unfounded or manifestly excessive
The GDPR defines a manifestly unfounded request as one where there may be malicious intent. This might be through being disruptive, the use of unsubstantiated accusations, or requesting benefit in exchange for withdrawing the request to erase data.
‘Manifestly excessive’ requires an assessment of whether the request is clearly or obviously unreasonable. This might involve the consideration of resources available to meet the request and whether there is substantive damage to the individual if the data is not removed.
How Do I Make An Application Under the Right to be Forgotten?
There are no prescribed methods of making a request under the right to erasure. Despite some organizations insisting that the request must be sent to one specific person, the GDPR is very clear in stating that it can be made to any part of the operation and be requested both verbally and in writing.
Once the request has been made, the organization is under a legal obligation to take no longer than one calendar month to reply, though, in complex situations, the time period can be extended by a further two months. However, they must take less than a month to make contact with the data subject to advise of the reason for the time delay.
In some situations, the organization may request confirmation of ID, but this does need to be in proportion to the type of personal data held. For example, a request for name and address erasure from a marketing database is unlikely to require any validation prior to deletion being undertaken, whereas a request to erase that same name and address held by a government department may.
How Does The Right to Be Forgotten Affect Search Engine Results?
Even before GDPR came into force in 2018, there had already been landmark legal cases laying the groundwork with regard to an individual’s right to erasure. In May 2014, the European Court of Justice decided that Google would need to amend some search results when requested under the ‘right to be forgotten.’ Despite Google stating that it did not control the information and only provided links to it, the courts still stated that search engines have a responsibility to remove links on request if they point to irrelevant and outdated information.
While the search engine stated that being forced to have its links removed was tantamount to censorship, the courts declared that it was a victory and in the public interest to protect personal data. At the time of the ruling, it was felt that it had resulted in huge consequences for anyone who published online material about individuals. However, the courts stayed strong and insisted that individuals’ rights towards their personal data should be the top priority, though they did state that there can be a public interest defence with regard to people in public life.
Despite the 2014 case and the subsequent enactment of the GDPR, Google has still found itself in deep water with Information Commissioners in various EU member states. In 2000, for example, the Belgian Data Protection Authority fined Google Belgium 600,000 Euro for failing to comply with an individual’s request to be forgotten. Despite the individual being in public life, he stated that when a search was carried out on him via Google, it presented out-of-date political labelling and a harassment complaint, which was later declared unfounded.
The decision by Google not to delete the search results resulted in the highest fine ever sanctioned by the Belgian Data Protection Authority.
How Can a Reputation Management Company Offer Right to be Forgotten Help?
In theory, an individual can make an erasure request verbally or in writing; the law does not require that a specific form is filled in or that a particular individual is the recipient of requests. But as you can see, it’s not always straightforward.
When deadlines haven’t been met, or your application has been ignored, then it’s good to know that right to be forgotten help is at hand through established reputation management companies. Their experience making requests can be essential when the situation is heading towards the need for legal claims to get action taken.