This is part three of a five-week series discussing General Data Protection Regulation (GDPR) and its implications for U.S. businesses and organizations.
In the United States, website operators and owners take for granted the fact that they can collect and analyze information regarding individuals with impunity. As for those availing themselves of the convenience of the internet, we do so knowing that our every move is tracked, stored, analyzed, and then sold to the highest bidder. If, and when, personal information is compromised, we receive a ubiquitous data breach notification letter. Such practices, and the underlying approach to data privacy, stand in stark contrast to entrenched practices in the European Union and the GDPR.
The right to erasure—otherwise known as the right to be forgotten—is a tenet of an EU citizen’s “rights.” An individual’s right to be forgotten is the ability to have once-public data about oneself removed from public access and/or private information erased. The GDPR buttresses this right. Under the GDPR, an individual has the right to demand that a data controller erase all personal data, without undue delay, under the following circumstances:
- When the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- When the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- When the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- When the personal data have been unlawfully processed;
- When the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or
- When the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
If a data controller is obligated to erase public data, after taking into consideration available technology and the cost of implementation, controllers processing data are to be informed of the individual’s request to have such information erased.
The right to be forgotten, however, is not without its limitations. The right to be forgotten does not extend to the following situations:
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- For the establishment, exercise or defence of legal claims.
The right to be forgotten belongs to the individual; a data controller cannot waive or opt out of compliance. Absent one of the above exceptions, compliance with the right to be forgotten is mandatory; moreover, the GDPR places the burden of establishing one of the above-mentioned exceptions on the data controller.
For U.S.-based internet operators or businesses subject to the GDPR, the right to be forgotten may seem to be a novel idea; however, it is a quickly approaching reality that must be addressed. Due to its mandates and burden shifting, compliance with the right to be forgotten has the potential to be very onerous for many. As with other provisions of the GDPR, the right to be forgotten will require that new policies and everyday practices be adopted and implemented. The right to be forgotten may also necessitate the implementation of new software or technology investments to ensure that, if individuals exercise their right to be forgotten, the data controller can ensure that such information is, indeed, forgotten.