
What is the Right to be forgotten?

The “Right to be forgotten” or “Right to erasure” gives people control over their own personal data. It can prevent a person’s personal information from floating around indefinitely and potentially harming them or their privacy in the future.

Originally, the Right to be forgotten was a European concept. It is usually traced to the 2014 judgment of the Court of Justice of the European Union in Google Spain v AEPD and Mario Costeja González (Case C-131/12), a case referred by a Spanish court. The GDPR, which has applied since 25 May 2018, then formally enshrined it as one of the rights of data subjects. Understanding this right will help you respond properly when someone asks you to erase or remove their personal data from your records.

What exactly does GDPR say about Right to be forgotten? When does it apply? And when might your right to process someone’s data override their request for you to delete it? Let’s talk about when you should delete people’s data in response to a request. We will also see when you may have a right—even an obligation—to keep it.


Origin of the Right to be forgotten

In 2014 the Court of Justice of the European Union, ruling on a referral from a Spanish court, decided that a person’s privacy interest is so important that they could ask Google to remove links to their data from search results for their name, even if the underlying information was accurate, lawfully published and not prejudicial to them.

When deciding whether a data controller must delete someone’s data, the Court considered factors other than explicit harm to the person: was the data “inadequate, irrelevant or no longer relevant, or excessive in relation to [the] purposes [of processing]”? The amount of time that had elapsed since the original publication was also a factor.

Certainly, this set a precedent in Europe that had a strong influence on the GDPR. So what does the European Union’s General Data Protection Regulation (GDPR) say about responding when a person asks you to delete their data? When is deletion mandatory?

Start your GDPR cleanup where it is needed the most

Sensitive data tends to accumulate in employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

GDPR's Right to be forgotten

Article 17 of the GDPR gives data subjects (anyone whose personal data you process within the scope of the GDPR, not only EU citizens) the right to ask you to erase their personal data. Where a search engine processes the data, the same right lets them ask for results about them to be de-listed. You must erase the data without undue delay whenever one of the following grounds applies:

  • You no longer need the data for the purpose for which you originally collected or processed it.
  • You rely on consent as the lawful basis for processing the data, the person withdraws that consent (a request to delete the data counts), and you have no other lawful basis for keeping it.
  • You rely on legitimate interests (or a public-interest task) as the lawful basis for processing a person’s data, the person objects, and you have no overriding legitimate grounds for continuing to process it.
  • You process personal data for direct marketing purposes and the person objects to this. Here there is no balancing test: the objection must be honoured.
  • You processed the personal data unlawfully.
  • A legal obligation in EU or Member State law requires you to erase the data.
  • You collected the personal data of a child in connection with offering information society services (online services) directly to the child.

This last one is important. Pay special attention to any request concerning data about a child, and fulfil it right away. Children’s personal data always gets special protection under GDPR. Where you rely on consent to offer online services to a child under 16, Article 8 requires that a parent or guardian give or authorise the consent; Member States may lower this threshold to no lower than 13. Even if the person is now an adult, consider their age at the time when you got consent: Recital 66 says the right is especially relevant where someone consented as a child and later wants the data removed.


Right to erasure globally

As mentioned, a person’s right to ask companies to delete their data began as a European concept. But since then, other countries and regions have adopted similar laws or principles. And just like the GDPR, the new regulations have quite a broad scope. This gives most of the world some degree of control over their personal information online. It is safe to assume that your company should prepare to comply when people ask you to erase their data.

Argentina
For example, in Argentina, the Personal Data Protection Law gives people the right to request deletion, destruction, or anonymisation of their personal information. However, the limits of this right were highlighted in a prominent court case. It established that removing publicly available information might affect “freedom of expression and deprive society of access to relevant information”. Further, the Court decided that news or information that is part of public debate may remain relevant to the public, regardless of how much time passes. Note that this decision involved a public figure.

Brazil
Similarly, in Brazil, the General Data Protection Law (LGPD) includes ‘Right to Erasure’. This allows Brazilian citizens to ask organisations to remove their personal data from their databases. As in Argentina, this has already been subject to litigation. The Supreme Court of Brazil confirmed in 2021 that people cannot use the right to erasure to “prohibit the publication of facts…lawfully obtained, including historical facts related to crimes”.

United States
In the United States, there is no comprehensive federal law that specifically addresses the right to erasure. However, some states have adopted laws that require the removal of specific types of sensitive information, or all personal information in some cases. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), for example, both provide consumers with the right to request the deletion of their personal information. Conditions and exceptions apply.

China
China’s Personal Information Protection Law (PIPL) protects individuals in China. It requires organisations to respond to a variety of data requests, including requests to delete personal information. Article 47 lists the circumstances in which a handler must delete data, for example when the processing purpose has been achieved or is no longer necessary, when the retention period has expired, when the individual withdraws consent, or when the processing violates the law or the agreement with the individual. If you reject a request, Article 50 gives the individual the right to bring a lawsuit against you.


What should a request for erasure look like?

A request to be deleted, also known as a request for erasure or a right to be forgotten request, is a formal request someone makes to an organisation or data controller to delete their personal information.

However, the request does not have to be particularly formal or arrive in a special way to be legally binding. A request for erasure could even come in the form of an email or a DM on social media. In fact, it may simply say, “Hi, please delete all my personal information from your records.” Make sure you acknowledge the request, log the date it arrived, and get any further information you need so you can fulfil it properly.

Giving people clear guidance on how to make requests will make it much easier to respond to them. Ideally, requests for erasure should:

  1. Clearly state that the request is for deletion or erasure of personal information.
  2. Identify the personal information the person wants you to delete.
  3. Provide proof of identity/verification.
  4. State the ground for the request (for example, withdrawal of consent).
  5. Provide any additional information relevant to the request. For example, the reason for the request, any specific concerns the person has, and so on.

Keep in mind that this is guidance for the requester, not a set of conditions you may impose. Under GDPR the person does not have to give a reason or cite an article, and you may ask for extra identification only where you have reasonable doubts about who is asking (Article 12(6)); asking for more than you need to verify identity is itself excessive processing. Whatever form the request takes, you must respond within one month of receiving it, extendable by a further two months for complex or numerous requests provided you tell the person within the first month (Article 12(3)).

You can give people direction on how to make their requests in your privacy policy. You might also include a link to a secure request portal. Of course, make sure you explain that asking for deletion may limit your ability to provide them with services.


Erasure when data was shared or made public

But what if you have already shared someone’s personal data, or made it public online? Article 17(2), elaborated in Recital 66, says that where you have made the data public and are obliged to erase it, you must “take reasonable steps, taking into account available technology and the means available” to inform other controllers processing the data that the data subject has requested erasure of any links to, copies of, or replications of it. Separately, Article 19 requires you to tell each recipient to whom you disclosed the data about the erasure unless this proves impossible or involves disproportionate effort, and to tell the data subject who those recipients are if they ask. Processors acting on your behalf must delete the data on your instruction in any case, so keep a current record of which processors and recipients hold each category of data; you cannot propagate an erasure you cannot trace.

When the Right to be forgotten does not apply

In most cases, when you receive a request to delete someone’s data, you should comply promptly. However, there are times when your right or obligation to process someone’s data will override their right to be forgotten.

The Right to be forgotten is therefore not absolute. Article 17(3) says you do not have to delete a person’s data if you need it for one of the following reasons:

  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation in EU or Member State law, for the public interest, or to exercise official authority.
  • For reasons of public interest in the area of public health.
  • For archiving purposes in the public interest, such as scientific or historical research purposes or statistical purposes.
  • For the establishment, exercise or defence of legal claims.

Of course, this means you must evaluate requests for erasure on a case-by-case basis, and document the outcome. Consider the other fundamental rights involved. Does the information concern a public figure? Would deleting it endanger public safety, or conceal a crime or other misconduct? Does your company, the public or someone else need the data in case of a legal claim? Are you legally required to keep it? And is it technically feasible to delete all of the data? Personal data rarely lives only in the primary database: it also sits in backups, log files, caches, analytics copies, ticketing systems and mailboxes. Map those locations before you confirm erasure, and where a copy (such as an encrypted backup) cannot be purged immediately, record when it will expire and make sure the data is not restored into live systems in the meantime. If you refuse a request in whole or in part, tell the person which ground you relied on and that they can complain to the supervisory authority.


Right to be forgotten examples

Here are two “Right to be forgotten” examples of requests you might receive, but you do NOT have to erase the data:

  1. Somebody who used to work for you asks you to erase all their personal data. However, you need some of their personal data to comply with your legal obligation to disclose employee salary details to the authorities. You can refuse the request to erase the person’s data, explaining that you have a legal obligation to process it.
  2. You are a healthcare provider. You receive a request from a former patient to erase all of their personal data. However, your insurance requires you to keep patient records in case of complaints or legal claims. You refuse the request to erase the individual’s data, explaining that you must keep the data in case of complaints or legal claims.

Here are two examples of requests you might receive, but you SHOULD delete the data:

  1. A former customer asks you to delete their credit card numbers, ID numbers, and other personal information since they have switched providers. You search for and delete all the data you no longer have a lawful basis to keep, and respond to them with confirmation that you completed their request. Note that invoices and transaction records are often subject to statutory retention periods under accounting or tax law; if that applies, delete everything else, keep only the records the law requires, and tell the person what you retained and why.
  2. Someone signs up for your newsletter. At the time, they checked a box giving you consent to use their email to send them promotional content. Now, they ask you to take them off your list and delete any other personal information you have about them. So, you remove them from your list of leads. Afterwards, you search for and delete all their data, including any copies held by the email service provider acting as your processor. Finally, you respond with confirmation that you completed their request.

Why comply with the Right to be forgotten

By and large, most of us are not dealing with public figures. We process our customers’ data simply to provide them with goods and services. It is in our interest and theirs to respect their privacy rights. Responding promptly to any data request, especially requests for deletion, can be a headache. But it is a great way to build our brand value and show we are trustworthy.

If you need help responding to data requests, please take a look at our RequestManager.

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →
