The right to be forgotten is a fascinating concept. Who wants to be forgotten when most people are trying to be unforgettable? The question is rhetorical, but you cannot really be forgotten in that sense; only certain data about you may need to be purged, erased or forgotten. In the EU, the right to be forgotten is the law. It is called the Right to Erasure in Article 17 of the General Data Protection Regulation (GDPR). It stems from the right to privacy. Everyone indeed should have the right to privacy, but should people have a right to be forgotten? You may want to be forgotten in certain instances. When can you assert your right to be forgotten? Let’s look at some examples:
You might want to be forgotten if certain data about you is wrong, is widely spread on the Internet, and comes up in searches when people type in your name.
You might want to be forgotten if a prior conviction that has been expunged still comes up in searches when people type in your name.
You might want to be forgotten if you or someone else has posted compromising or detrimental photos of you on social media.
You have the right to request the erasure of unwanted data, and the controller of the data must comply without undue delay. However, this is not an absolute right. It applies only in these six specific circumstances:
Processing No Longer Necessary – when processing of the data is no longer necessary in relation to the purpose for which the data was initially collected;
You Withdraw Consent – when you, the data subject, withdraw consent and there is no other legal ground for the processing;
No Legitimate Grounds – when you object to processing of the data and there are no legitimate overriding grounds for ongoing processing;
Unlawful Processing – when processing of the data is unlawful;
Retention Period Over – when the personal data has to be erased to comply with a legal obligation, such as when the legal retention period has passed.
When personal data was collected in relation to information society services for a child.
However, an organization may refuse a data subject’s request to erase personal data where the organization needs to comply with a legal obligation to keep the data; for vital interests or tasks that need to be carried out in the public interest; when archiving in relation to the public interest, scientific/historic or statistical research; or when the data is required for the exercise of legal claims. One last wrench in this whole discussion: the right to erasure, or to be forgotten, does not apply where processing is necessary for “exercising the right of freedom of expression and information”.
The right to be forgotten will be one of the most challenging areas of GDPR for organizations to comply with. Compliance may require revamping entire systems and considerable changes to business logic. Organizations may have to rely on out-of-the-box solutions to help purge the data. Solutions may include pseudonymization or anonymization of the data such that the data subject is no longer identifiable. They should also include monitoring of any access to the data if the data is still accessible but has been pseudonymized.