What is the right to be forgotten?
What is the right to be forgotten? The “right to be forgotten” or “right to erasure” gives people control over their own personal data. It can prevent a person’s personal information from floating around indefinitely and potentially harming them or their privacy in the future.
Originally, the right to be forgotten was a European concept. We can attribute it to the ruling of a Spanish court against Google. Later, in 2018, the GDPR formally enshrined it as one of the rights of data subjects. Understanding this right will help you respond properly when someone asks you to erase or remove their personal data from your records.
What exactly does GDPR say about right to erasure? When does it apply? And when might your right to process someone’s data override their request for you to delete it? Let’s talk about when you should delete people’s data in response to a request. We will also see when you may have a right—even an obligation—to keep it.
Origen of the right to be forgotten
In 2014 a Spanish court decided that a person’s privacy interest is so important that they could ask for data about them to be removed from Google search results, even if the data was in no way prejudicial.
When deciding whether a data controller must delete someone’s data, they considered other factors besides explicit harm to the person. Was the data “inadequate, irrelevant or no longer relevant, or excessive in relation to [the] purposes [of processing]? The amount of time that elapsed would also be a factor.
This set a precedent in Europe that had a strong influence on the GDPR. So what does the European Union’s General Data Protection Regulation (GDPR) say about responding when a person asks you to delete their data? When is deletion mandatory?
GDPR's Right to be forgotten
According to Article 17 of the GDPR, EU citizens and residents have the right to ask you to erase their personal data. They can also request their information be de-indexed from search results. You must do so without undue delay whenever one of the following grounds applies:
- You no longer need the data for the purpose for which you originally collected it.
- You rely on consent as the lawful basis for processing the data. The person has withdrawn consent by asking you to delete their data.
- You rely on legitimate interests as the lawful basis for processing a person’s data. Now, the person has asked you to delete it and there is no overriding legitimate interest for you to continue processing it.
- You process personal data for direct marketing purposes and the person objects to this.
- You processed the personal data unlawfully.
- A legal ruling or obligation in the EU or member states requires you to erase the data.
- You have processed a child’s personal data to offer their information society services.
This last one is important. Pay special attention to any request concerning data about a child, and fulfill it right away. Children’s personal data always gets special protection under GDPR. If a child is under 16, GDPR requires the parent’s consent for you to process their personal information. Even if the person is now an adult, consider their age at the time when you got consent.
Right to erasure globally
As mentioned, a person’s right to ask companies to delete their data began as a European concept. But since then, other countries and regions have adopted similar laws or principles. And just like the GDPR, the new regulations have quite a broad scope. This gives most of the world some degree of control over their personal information online. It is safe to assume that your company should prepare to comply when people ask you to erase their data.
For example, in Argentina, the Personal Data Protection Law gives people the right to request deletion, destruction, or anonymization of their personal information. However, the limits of this right have already been highlighted in a prominent court case. It was established that removing publicly available information might affect “freedom of expression and deprive society of access to relevant information”. The Court decided that news or information that is part of public debate may remain relevant to the public, regardless of how much time passes. Note that this decision involved a public figure.
Similarly, in Brazil, the General Data Protection Law (LGPD) includes ‘Right to Erasure’. This allows Brazilian citizens to ask organizations to remove their personal data from their databases. As in Argentina, this has already been subject to litigation. The Supreme Court of Brazil confirmed in 2021 that people cannot use the right to erasure to “prohibit the publication of facts…lawfully obtained, including historical facts related to crimes”.
In the United States, there is no comprehensive federal law that specifically addresses the right to erasure. However, some states have adopted laws that require the removal of specific types of sensitive information, or all personal information in some cases. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), for example, both provide consumers with the right to request the deletion of their personal information. Conditions and exceptions apply.
China’s PIPL protects Chinese consumers. It requires organizations to respond to a variety of data requests, including requests to delete personal information. It does not specify the criteria for such requests and the limits on them. However, citizens of China may have the right to bring lawsuits against you if you reject their requests.
What should a request for erasure look like?
A request to be deleted, also known as a request for erasure or a right to be forgotten request, is a formal request someone makes to an organization or data controller to delete their personal information.
However, the request does not have to be particularly formal or arrive in special way to be legally binding. A request for erasure could even come in the form of an email or DM on social media. It may simply say, “Hi, please delete all my personal information from your records.” This still deserves your attention. Make you acknowledge the request and get more information so you can fulfill it properly.
Giving people clear guidance on how to make requests will make it much easier to respond to them. Ideally, requests for erasure should:
- Clearly state that the request is for deletion or erasure of personal information.
- Identify the personal information the person wants you to delete.
- Provide proof of identity/verification.
- State the legal basis for the request.
- Provide any additional information relevant to the request. For example, the reason for the request, any specific concerns the person has, and so on.
Erasure when data was shared or made public
What if you already shared or made someone’s personal data public online? According to GDPR Recital 66, you should “take reasonable steps, taking into account available technology and the means available” to inform anyone you’ve authorized to process the data that the data subject has requested erasure. Let them know that they should erase any links to, copies, or replications of the data.
When the right to erasure does not apply
In most cases, when you receive a request to delete someone’s data, you should comply promptly. However, there are times when your right or obligation to process someone’s data will override their right to erasure.
Therefore, the right to erasure is not absolute. GDPR says you will not have to delete a person’s data if you need it for one of the following reasons:
- To exercise the right of freedom of expression and information.
- To comply with a legal obligation in EU or Member State law, for the public interest, or to exercise official authority.
- For reasons of public interest in the area of public health.
- For archiving purposes in the public interest, such as scientific or historical research purposes or statistical purposes.
- For the establishment, exercise or defense of legal claims.
This means you must evaluate requests for erasure on a case-by-case basis. Consider other fundamental rights involved. Does the information involve a public figure? Would deleting the information endanger public safety, conceal a crime or other misconduct? Does my company, the public or someone else need the data in case of a legal claim? Am I legally required to keep the data? Is it even possible/technically feasible to delete all the data?
Right to be forgotten examples
Here are two “Right to be forgotten” examples of requests you might receive, but you do NOT have to erase the data:
- Somebody who used to work for you asks you to erase all their personal data. However, you need some of their personal data to comply with your legal obligation to disclose employee salary details to the authorities. You can refuse the request to erase the person’s data, explaining that you have a legal obligation to process it.
- You are a healthcare provider. You receive a request from a former patient to erase all of their personal data. However, your insurance requires you to keep patient records in case of complaints or legal claims. You refuse the request to erase the individual’s data, explaining that you must keep the data in case of complaints or legal claims.
Here are two examples of requests you might receive, when you SHOULD delete the data:
- A former customer asks you to delete their credit card numbers, ID numbers, and other personal information since they have switched providers. You search and delete all the data and respond to them with confirmation that you fulfilled their request.
- Someone signs up for your newsletter. At the time, they checked a box giving you consent to use their email to send them promotional content. Now, they ask you to take them off their list and delete any other personal information you have about them. You remove them from your list of leads. Then you search and delete all their data. Then you respond with confirmation that you fulfilled their request.
Why comply with the right to erasure
Most of us are not dealing with public figures. We process our customers’ data simply to provide them with goods and services. It is in our interest and theirs to respect their privacy rights. Responding promptly to any data request, especially requests for deletion, can be a headache. But it is a great way to build our brand value and show we are trustworthy.
If you need help responding to data requests, please take a look at our RequestManager.