Our experience in advising clients about GDPR and assisting them in the compliance process is that there are often misconceptions about the so-called “right to be forgotten”. The purpose of this post is to address some of these misconceptions.
- The “right to be forgotten” was not created by the GDPR
The GDPR replaced the EU’s 1995 Directive which provided in Article 12(b) that “Member States must guarantee every data subject the right to obtain from the controller: (…), as appropriate, the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data.” In the famous Google Spain decision rendered on 13 May 2014, the European Court of Justice referred to that Article and to the two articles of the European Charter of Fundamental Rights which deal with data protection, and held that the operator of a search engine is obliged, in certain circumstances, to remove links to web pages containing information relating to a person. The right to be forgotten, also called right to erasure, had therefore existed in European law (via the 1995 Directive) for more than 20 years when the GDPR came into force in May 2018. What the GDPR does, essentially, is to define in its Article 17 when and how the right to erasure may be exercised.
- The right to be forgotten is not absolute
Article 17 of the GDPR on the right to be forgotten actually provides a list of circumstances where data subjects have grounds to request the erasure of their personal data. The common misconception that the right to be forgotten is absolute probably comes from another misconception on consent.
The fundamental rules set out in the GDPR are essentially the same as those in the 1995 Directive. One of the basic principles is that any data processing must be based on one of the legal grounds listed in the GDPR, which include the consent of the data subject. While consent often appears to be an attractive avenue to data use, in particular in the internet world where it is fairly easy to get people to click, it has a major drawback: that consent can be withdrawn at any time (Article 7.3 of the GDPR). This is probably why people sometimes believe that a data subject can always request the deletion of his/her data. But that is not the case: withdrawal of consent is only one of the particular circumstances in which data subjects can have their personal data erased. The other circumstances are when:
- the personal data is no longer necessary for the purpose for it was originally collected or processed;
- the processor relies on legitimate interests, the individual objects and there is no overriding legitimate interest to continue this processing;
- the personal data is processed for direct marketing purposes and the individual objects;
- the personal data has been processed unlawfully;
- erasure is required to comply with a legal obligation; or
- the personal data is processed to offer internet services to a child.
One can see from this list that, in most cases, this right to be forgotten is not so much a brand new right as a new enforcement tool: it enables the data subject to correct a form of non-compliance. For example, it is a rule that data should not be kept or used longer than what is strictly necessary. If the data has, in fact, been kept longer, the data subject can request and obtain its deletion.
- The right to be forgotten is not unrestricted
Contrary to what a lot of people think, there are certain limitations on the right to erasure. Under the GDPR, the right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
Here again, this is not totally new and two of the above limitations were discussed in the Google Spain case. The plaintiff complained about the publication of a forced sale of his house that had taken place more than 10 years before. He asked the newspaper to remove the information and Google to remove the link to that publication. The newspaper argued before the Spanish Data Protection Authority that the information was originally published in compliance with Spanish law, upon a request from the Spanish Ministry of Labour and Social Affairs and the Authority agreed that in that case, the information did not have to be deleted. Google argued that the right of erasure was contrary to the right of information but the Spanish Authority disagreed and the European Court held that that the interest of the general public in having access to information could vary depending on factors such as the role played by the data subject in public life. Since Mr. Gonzalez was, prior to that judgement, totally unknown from the public, that public did not have a right to get information about the forced sale of his house. One should also keep in mind that specific restrictions apply in the health sector.
The right to be forgotten is a complex right and in the context of search engines, its exercise can give rise to complex issues. After the Google Spain judgement was rendered, the French Data Protection Authority (CNIL) enquired about how Google was implementing the right and found out that when requests were received from individuals residing in France, Google deleted the links from its “French” search engine, i.e., the one that was accessed on google.fr. The CNIL ordered Google to delete the links from all its search engines worldwide, Google refused and the CNIL imposed a fine of 100,000 euros. Google filed an appeal before the Conseil d’Etat who referred questions to the European Court of Justice about the territorial scope of the right. Although the answers to those questions will be in relation to the 1995 Directive and not in relation to the GDPR which has a much broader territorial scope, it will be interesting to see what the Court will decide in a few months.
 The right to erasure does not apply:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g., a health professional).