What is the Right to Erasure (Right to be Forgotten) under GDPR?
Under Article 17 of the GDPR, an individual has the right to have personal data erased. This right to erasure is also referred to as ‘the right to be forgotten’ aka to have the data deleted so no third party can trace them via internet/search engine. Information may be user display name, profile photo, email address, etc. Recitals 65 and 66 in Article 17 state: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is approx. a month and reasonable steps must be taken to verify that the person requesting the erasure is actually the data subject.
As with anything, the right is not absolute and is limited in application but important to examine when the right actually applies. An individual has the right to have their personal data erased if:
- the personal data that was collected is no longer required or necessary for the purpose it was originally collected for or processed;
- the individual previously provided consent to hold his/her data and subsequently withdraws their consent, therefore removing the lawful basis for holding the data;
- the individual objects to the legitimate interests or business purpose for the processing of their data and there is no way to override the legitimate interest to continue holding and processing their data;
- the individual objects to the collection of personal data for direct marketing purposes;
- the personal data is processed in breach of a lawful basis for holding the data, so its collected or processed unlawfully;
- it is required in order to comply with a legal ruling or obligation; or
- an organization has processed a child’s personal data to offer information society services (emphasis placed on the right to have personal data erased if the request relates to data collected from a child/minor).
The right to erasure does not apply in the following instances:
- if the underlying reason is to exercise the freedom of expression;
- to comply with a legal obligation;
- if the processing is required to carry out a public interest task or in the exercise of an official authority;
- if the processing is required to archive public interest, scientific research, statistical research; or
- if the processing is required to establish, exercise, or defend a legal claim.
In addition, the GDPR has outlined two circumstances where the right does not apply to specific categories of data:
- if the processing of personal data is necessary for public health purposes in the public interest; or
- processing is necessary for the purposes of preventative or occupational medicine and the data is being processed under the responsibility of a health processional for example where fiduciary duties exist around patient privacy, etc.
Data controller duties to the right to erasure:
- the data controller must erase the data without undue delay. As mentioned earlier, this is within a month. The controller must also communicate the erasure to the recipient of the personal data unless 1) it is impossible to do so or or 2) requires a disproportionate effort.
- controllers must inform all other controllers in the data chain that are processing the data that it must be deleted of any links to, copies or replications of by taking steps that are reasonable and mindful of technology limitations and cost of implementation.
Removing data isn’t as straightforward as it seems. A valid request means every piece of information about a person must be removed – from every file, register, database, mailing list, back-up server. Gone forever with no chance of being recovered by the data controller, external third parties that the data has been shared with and everyone in the chain. It is unclear whether this is feasible given the fact that most operating systems don’t erase a file completely when it is deleted – it still lurks somewhere in the hard drive. Is that adequate under the GDPR standard? Only time will tell.