The new General Data Protection Regulation (“GDPR”) introduces “the right to be forgotten”. The right will in certain circumstances enable the individual to control which of the individual’s personal data is publicly available.
What does the right to be forgotten mean?
The right is a clarification and elaboration of the right to erasure, rectification or blocking that existed in the Data Protection Directive. Basically, it means that you can require a company to delete, rectify or block personal data that you no longer want published, stored or processed. In short, a useful tool to obtain better control of your personal data.
The Google case
The right was recently applied in a ruling from the European Court regarding Google where it was deemed that Google had to process enquiries from individuals regarding removal of links from freely accessible websites which appeared when the individuals searched their names. The right was not explicitly mentioned in the ruling as it was not drawn up yet at the time, but the ruling is a cornerstone of the adoption of the right.
As a consequence of the ruling, Google has been forced to employ a complete staff of employees just to handle requests regarding the right to be forgotten!
Whom to contact to be forgotten
In the above mentioned Google ruling, Google was obliged to process all requests. But the new GDPR does not inform us who other than search engines such as Google will be obliged to comply with the right to be forgotten.
It is not clear if hosting platforms, such as Facebook, LinkedIn, Twitter or other service providers on the internet must comply. In many ways it would be strange, if Google has to comply with the rules, if Twitter does not. This would mean that Google would have to remove search results that show information regarding a person on Twitter, but Twitter would not have to remove the post from their own platform.
However, one thing is certain. If a company does not comply with the right to be forgotten, it can result in sky-high fines.
What about third parties using personal data?
According to the GDPR, companies that publish personal data are required to take all reasonable steps, including technical, to secure that third parties that process the data are informed of his/her request to erase the data.
Among other things, this means that Google must take all reasonable steps to secure that everyone who has had access to the information from the Google service is informed of the request to erase the data. This is a time consuming obligation which will be a burden for many companies, but at the same time it will ensure the individuals a more effective right to be forgotten.
The exception
Requests regarding the right to be forgotten can be rejected due the interest in protection of freedom of expression and information.
However, it is a problematic way out because the GDPR has no guidelines for interpretation of the freedom of expression and information. Experience has taught us that member states have rather different interpretations of the balance between the freedom of expression and information compared to the right to privacy. Therefore, it is not likely that the GDPR will provide a harmonised approach to the exception based on the freedom of expression.
The future prospects
In short, the right to be forgotten provides some useful tools for the individual to feel that it is more secure to share personal data.
It will be interesting to see if the other hosting platforms, such as Facebook, LinkedIn and Twitter, also have to comply with the obligation. In that case, individuals are given quite a significant control of their personal data in the future.
(I would like to thank my Bird & Bird colleagues, student assistant Mathias Bartholdy, junior associate Amalie Langebæk and associate Kamilla Pierdola Mondrup, for assisting with this blog entry.)