From 25 May 2018, the ‘right to be forgotten’, which currently exists only ‘digitally’, will be extended by Article 17 of the General Data Protection Regulation (GDPR).
The European Court of Justice first established European citizens’ right to ask search engines to ‘deindex’ certain information concerning them under certain conditions in its judgment on the Google Spain v AEPD case of 13 May 2014. In particular, the Court stated that this right to be forgotten only applied to information concerning a ‘private’ individual (as opposed to a public entity). Although restricted, this newly created right generated much publicity and public interest.
Article 17 of the GDPR extends the right to be forgotten, specifying that the data subject has the right to have personal data concerning him or her erased by the data controller, as soon as possible. In this article we address some practical questions related to this new provision.
In what circumstances does the right to erasure apply?
This right to erasure is not an absolute right. Article 17 of the GDPR provides six cases in which the data subject may request the erasure of his or her personal data:
Although this list is exhaustive, it covers a large number of cases. Moreover, the right to object, where erasure can be requested (described in the third and fourth bullets above), is also extended by the GDPR:
‘The data subject shall have the right to object on grounds relating to his or her particular situation at any time, to processing of personal data concerning him or her based on [the execution of a public interest mission or arising from the exercise of public authority of which the controller is responsible, or legitimate interests pursued by the controller or a third party], including profiling based on these [situations]’ (Article 21 GDPR).
However, it should be emphasised that this right to erasure or to be forgotten will be overridden in a few specific cases where a higher interest is at stake. These are:
What are the controller’s obligations?
When the data subject requests the erasure of his or her personal data in one of the cases above, the data controller must delete the personal data concerned ‘as soon as possible’ and in any case within a maximum of one month after the request.
If the controller has made the personal data involved public and is obliged to erase it, the controller must take ‘reasonable measures, including technical ones’, taking into account the available technologies and the costs of implementation, to inform other controllers processing such personal data that the data subject has requested its erasure, including the erasure of any links to, or copies or reproductions of, that data.
In accordance with Recital 59 of the GDPR, if controllers do not intend to follow up on a data subject’s request for deletion, they must give reasons for their refusal.
Article 13 of the GDPR states that the data controller must indicate to the data subject ‘the retention period of the personal data or, where this is not possible, the criteria used to determine this duration’. This is also likely to reinforce the idea that there is a right to erasure of certain information after the expiry of a certain period.
What penalties apply?
The GDPR allows each supervisory authority to impose administrative fines for non-compliance with its provisions. The amount depends on the provisions violated.
Regarding “rights which can be exercised by the data subjects”, including the right to erasure or to be forgotten, in the event of non-compliance with the rules above the controller may be liable to an administrative fine of up to EUR 20 million or, in the case of a company, an amount corresponding to 4% of its total annual global turnover for the previous year.
Action points
Organisations need to consider how to address the right to erasure, and if necessary to adapt internal processes concerning personal data processing. In particular they should: