"Right to be forgotten"
The Regulation includes a right for data subjects to request from a data controller the erasure of personal data relating to them and will impose on data controllers a broad obligation to have those data deleted “without delay”, including by third parties to which the data may have been disclosed. The provisions are central to concerns that the Regulation will impose disproportionate technical and cost burdens on businesses, in particular small and medium-sized enterprises. The effectiveness of the right in the context of personal data held by online service providers has also been called into question.
Article 12 of the current EU Data Protection Directive 95/46/EC enables data subjects to obtain from data controllers the rectification, erasure or blocking of their personal data if the data are being processed in breach of the Directive, in particular where the accuracy of the data is in issue.
Members States have implemented these rights in different ways. For example, whilst German data subjects already benefit from a strong right to have data erased, individuals in the UK may only force the rectification, blocking, erasure or destruction of their personal data if a court is satisfied that those data are inaccurate. In addition, the existing rights only apply to the data held by the data controller and not data shared with third parties.
The qualified nature of rights under the Directive means that, today, users leaving an online service such as a social media platform have difficulty ensuring that the data they have provided to the relevant service provider is deleted rather than just “disabled” and retained in the provider’s records. In the words of the Information Commissioner’s Office, the UK data protection authority, the Regulation seeks to shift the “balance of power” between data subjects and controllers by granting individuals a specific “right to be forgotten” and the power to prevent data processing unless it can be justified by the data controller.
The European Commission has highlighted social media as a particular target for the new right, advocating that “people who want to delete profiles on social networking sites should be able to rely on the service provider to remove personal data, such as photos, completely”.
Changes in detail
Under Article 17(1) of the Regulation, a data subject would have the right to obtain from the data controller the erasure of personal data relating to them in the following circumstances:
(A) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
(B) the data subject withdraws consent to processing and there is no other legal ground for the processing of data
(C) the data subject objects to the processing of personal data pursuant to Article 19 (which relates primarily to processing in the “legitimate interests” of the data controller or for direct marketing or research purposes)
(D) the processing of the data has been unlawful
(E) the data controller has a legal obligation to erase the data (for example, due to a ruling of a court or EU regulatory authority), or
(F) the data have been collected in relation to the offering of online services.
Under Article 17(1), the data controller would have to erase all data “without delay”. In addition, data controllers have some responsibility in relation to data being held by third parties where the controller has been responsible for making the data public. In these circumstances, the controller must also “take reasonable steps” to inform other data controllers that the individual has requested the erasure of copies of and links to the data (Article 17 (2a)). The data controller may take into account “available technology” and the cost of implementation when deciding what are “reasonable steps”.
The right to be forgotten is not absolute and only applies in the circumstances described above. In addition, it does not apply if it is necessary to process the data to exercise the right to freedom of expression, to comply with a legal obligation or perform a task in the public interest or related to public health, for research purposes, or in connection with legal claims.
Article 17a, ), also introduces a somewhat different, but equally important right – a right to restrict the processing that is being carried out. Under this Article, the data controller would have to “restrict” processing of the data, rather than erase it, if requested by the individual in the following circumstances:
(A) where the data subject contests the accuracy of the data (only for a period providing the data controller an opportunity to verify the accuracy of the data)
(B) where the data controller no longer needs to process the data, but the data subject requires the data to be retained in connection with a legal claim, or
(C) where the data subject argues that the processing is not in the data controller’s legitimate interests, and time is needed to determine whether the interests of the data controller override those of the individual.
If the processing of data is "restricted" under Article 17a, the data must only be processed with data subject's consent or to protect the rights of another natural or legal person, in connection with a legal claim or for reasons of important public interest (Article 17a(2)). The data controller would be required to inform the data subject before lifting any restriction on processing (Article 17a(43)).
Whilst the right to erasure of data already exists in EU data protection law, the Regulation takes individuals’ rights further, particularly in relation to the handling or replication of data by third parties.
Concerns have been raised about practical compliance by data controllers with the obligations in Articles 17 and 17(a). In particular, the “right to be forgotten” is thought to present a significant technological burden for online service providers. Where information has been made public, for example, the ICO has pointed out that third parties are more likely to republish already-published information without the data controller’s knowledge, making the task of informing relevant third party controllers about the data subject’s wishes difficult. The Article 29 Working Party, in its Opinion 01/2012 on the draft Regulation as at 23 March 2012, noted that there may be cases where the data controller has taken all reasonable steps to contact relevant third parties, but is not aware of all existing copies or when new copies appear after the data controller has informed all known third parties.
The ICO, the UK Government and commentators have acknowledged that the “right to be forgotten” is unlikely in practice to guarantee individuals the erasure of all data they have disclosed (including, for example, technical data such as an IP address). Individuals could therefore be given a false impression of the degree of legal protection when seeking to have their data deleted. The European Commission has stressed that the “right to be forgotten” is a qualified right which will only apply if there is no legitimate reason for personal data to be retained and which will not take precedence over freedom of expression or freedom of the media. This is certainly made clear in the text of the Regulation. In addition, the fact that data controllers can have regard to the available technology and cost associated with taking reasonable steps to inform third parties limits the scope of the obligation on data controllers.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.