'The right to be forgotten' explained for website owners
The 'right to be forgotten' (formerly known as 'the right to erasure') is an EU law stating that 'data controllers' - which in the context of the web would refer to website owners that collect data from their users - must erase any data of a personal nature upon request by the user when the circumstances satisfy the necessary criteria. This law has been in place since 2014; however, the General Data Protection Regulation (GDPR) added some further stipulations when it came into force in 2018.
The story of the 'right to be forgotten' ruling begins in 2014 when a Spaniard by the name of Mario Costeja González requested that Google Spain remove references in the search engine results to stories regarding the auction of his repossessed home, which Mario explained were now irrelevant and had been resolved for a number of years. Mario believed there was no need to have this historic information available to the public any more, and subsequently battled with the American search giant for six years. Mario won his fight, and the European Court of Justice approved the 'right to be forgotten' to be passed into law, adding that in this particular case the right to privacy was greater than the financial interest of the company. Importantly, however, the court made it clear that the 'right to be forgotten' is not an absolute rule, but a principle that will be weighed on a case-by-case basis.
In the words of the Information Commissioner's Office (ICO):
“Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.”
Once an individual has informed a data controller (e.g. a website owner), verbally or in writing, that they would like their data to be removed, the data controller has one month to respond to the request. The individual requesting the data removal only has the right to do so if:
- Their personal data is no longer necessary for the original purpose it was collected for.
- The individual’s original consent for their data to be collected has now been withdrawn.
- The individual decided to opt out of their data being held for marketing purposes.
- The data has been processed unlawfully.
- The data has been processed to offer information society services to a child.
- There is no overriding legitimate interest from the individual to continue to allow their data to be processed, which is the primary reason for holding the data initially.
If an individual fails to meet these criteria then their data may not be removed. There are also some additional reasons you may not be able to have your personal data removed, such as:
- The data is being used to exercise the right of freedom of expression and information.
- The information is being used to comply with a legal obligation or ruling.
- The data is used for the performance of a task carried out in the public interest or in the exercise of official authority.
- The personal data is used for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
- The data is being used for the establishment, exercise or defence of legal claims.
A recent dispute between a French privacy regulator and Google was brought to court to determine whether the search engine should apply the ruling globally or just to searches within the EU. The ruling concluded that Google would only need to remove the data from inside the EU and had no obligation to 'de-reference' all versions of its search engine. Google subsequently deployed geoblocking features that stop certain countries from accessing listings in other parts of the world. The court also made a second ruling that some results should be pushed down the listings over time instead of being removed.
Since the law came into place in May 2014, over 845,000 requests to be forgotten have been made, which equated to 3.3 million links; however, only around 45% of these were subsequently delisted.
If you are a 'data controller' or a 'data subject' looking for more information on 'the right to be forgotten' law, we recommend the ICO website.