Right to be Forgotten under the GDPR

The so-called right to be forgotten (RTBF) is probably one of the most actively debated aspects of the original proposal by the EU Commission for the General Data Protection Regulation.

Article 17(1) of the GDPR establishes that data subjects obtain the right to have their personal data erased if:

  • the data is no longer needed for its original purpose and no new lawful purpose exists;
  • the lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists; 
  • the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing; 
  • the data has been processed unlawfully; or
  • erasure is necessary for compliance with EU law or the national law of the relevant member state.

In addition, Article 17(2) of the Regulation requires that, where the controller has made any personal data public (e.g., in a social network) and the data subject exercises the right to erasure, the controller must take reasonable steps (including applying technological solutions but taking costs into account) to inform third parties which are processing this published personal data as controllers that the data subject has exercised this right.

Exemptions to the right of erasure are listed in Article 17(3), which allows organisations to decline data subjects’ requests to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or member state law to which the controller is subject or for the performance of a task carried out in the public interest, like public health, archiving and scientific, historical research or statistical purposes; or
  • for the establishment of, exercise of or defence against legal claims.

The GDPR also entitles data subjects to request information about the identities of recipients to whom the personal data has been disclosed. Consequently, Article 19 requires that where a controller has disclosed personal data to particular third parties, and the data subject has subsequently exercised their right of rectification, erasure or blocking, the controller must notify those third parties of the data subject’s exercise of those rights.

The controller is exempt from this obligation only if complying with it is impossible or would require disproportionate effort, which the controller must prove. As Recital 66 mentions, this extension of the right of erasure is meant to strengthen the right to be forgotten specifically in the online environment, where personal data is notoriously difficult to control once it has been shared and distributed, so online service providers will probably find dealing with this obligation especially difficult.