‘Right to be forgotten’ is the claim of an individual to have any data pertaining to him deleted, with no trace. The foundation of this right was laid by the European Court of Justice in its 2014 judgement in Google Spain SL v/s Agencia Española de Protección de Datos & Mario Costeja Gonzalez[1], wherein it held that European citizens have a right to request commercial search firms like Google to remove links to private information when asked, provided the information is no longer relevant[2]. This case set the precedent for the principle of the right to be forgotten under the General Data Protection Regulation (GDPR)[3] in the European Union.
Under the GDPR, the right to be forgotten has its basis in Recitals 65 and 66 as well as Article 15 and Article 17. Recital 65 states the right of a data subject to have his personal data erased when it is no longer necessary for the purpose for which it was collected. Therefore, the right to be forgotten is also known as the right to erasure in the EU[4]. Recital 66, on the other hand, addresses the obligation of the data controller who made the personal data public to take reasonable steps and technical measures to inform the data controllers processing such data about the request for erasure[5].
Furthermore, Article 15 provides for the right to rectification or erasure of personal data or restriction of its processing[6]. This right to erasure is not absolute and can be exercised only under certain conditions. Article 17 obligates the data controller to fulfil the request for erasure without undue delay[7] if one of the following grounds is met[8]–
- The personal data is no longer necessary for the purpose for which it was collected or processed;
- Processing is based on consent and the data subject withdraws the same;
- The data subject objects to the processing, and there is no overriding legitimate interest to continue the processing of data;
- Personal data has been processed unlawfully;
- Erasure is required to comply with a legal obligation; or
- Personal data has been collected to offer information society services to a child.
It is pertinent to note that the data controller can deny the exercise of the right to erasure if the processing of personal data is necessary for[9]–
- Exercising the right of freedom of expression and information;
- Complying with a legal obligation;
- Public interest in the area of public health;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- Establishment, exercise or defence of legal claims.
Furthermore, the data controller can request a reasonable fee from the data subject for fulfilling his request for erasure[10].
[1] Google Spain SL v. Agencia Española de Protección de Datos & Mario Costeja Gonzalez, C‑131/12.
[2] EPIC.ORG, https://epic.org/privacy/right-to-be-forgotten/ (last visited Apr. 26, 2021).
[3] Regulation (EU) 2016/679.
[4] Id., recital 65.
[5] Supra note 46, recital 66.
[6] Supra note 46, art. 15(1)(e).
[7] Supra note 46, recital 59 (a time period of one month).
[8] Supra note 46, art. 17(1).
[9] Supra note 46, art. 17(3).
[10] Supra note 46, art. 12(5)(a).