The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Can a company refuse a right to be forgotten request based upon technical feasibility?
Answer: While the GDPR recognizes in the context of other individual rights an exemption where compliance would involve “disproportionate effort” or “impossib[ility],”1 the section of the GDPR that confers upon data subjects a right to have their information deleted contains no such exception.
Some European supervisory authorities are likely to argue that the absence of a “disproportionate effort” or “impossibility” exception should be interpreted as meaning that companies are not excused from their obligation to delete information (if such deletion is required by the GDPR) due to a lack of technical feasibility. Indeed, in the context of other data subject rights – such as the right to data portability – the Working Party made clear that “the overall cost of the processes created to answer data portability requests should not be taken into account to determine the excessiveness of a request” and that “overall system implementation costs should . . . [not] be used to justify a refusal to answer portability requests.”2 There is a reasonable probability that the European Data Protection Board would take a similar outlook and find that the cost of designing (or redesigning) a system so that it has the technological capability of deleting data should not be asserted as a rationale for not honoring a deletion request.