The Right to be Forgotten is a new concept introduced by the European Parliament and Council of the European Union in the General Data Protection Regulation (hereinafter “GDPR”), implemented on 25 May 2018. Under the United Kingdom’s Data Privacy Act [1], a court first had to be satisfied, on the request of a data subject, that personal data held by an organisation was inaccurate before it could order the data controller to rectify, block, erase or destroy that data, or even an expression of opinion which appeared to the court to be based on the inaccurate data. That requirement no longer applies.
Now, Article 17 of the GDPR, the right to erasure, enshrines the concept of the “right to be forgotten” as an individual right or Subject Access Right (hereinafter “SAR”).
The data subject may request that the data controller erase their personal data without unjustifiable delay. In addition, where the controller has made that data public and is obliged to erase it, the controller must (taking account of available technology and implementation costs) take reasonable steps to inform other controllers processing the data of the request for erasure of their links to, or copies of, the data. This right applies where:
the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for its processing;
the data subject has exercised their right to object to the processing for direct marketing or there are overriding legitimate grounds for the processing;
the personal data has been unlawfully processed;
the data must be erased for compliance with a legal obligation in an EU/Member State law to which the controller is subject;
the data was collected in relation to the offering of information society services to a child. [2]
This author proposes that rights sometimes come with risks and, in this case, specifically the risk of inundation. The nefarious “Joe Bloggs” of this world suddenly raising right to be forgotten requests may prove to be costly to even the largest business. There is almost no defence against this, save for the fact that the organisation is not in possession of that individual’s data, meaning that the organisation must entertain each individual request prima facie, leading to significant time and cost expenditure. In addition, the higher-tier fine prescribed by the GDPR is applicable in relation to a breach of Article 17, i.e. a fine of €20 million (about £18 million) or 4% of annual global turnover. The risk of non-compliance, or even partial compliance, may prove to be quite costly. Therefore, the implications of this principle are not to be dismissed as trivial but should be strongly considered by organisations that process the personal data of EU citizens.
“Well, if the data subject wants their data deleted, just delete it” is an insufficient stance for organisations to take, given the legal and technological implications. An in-depth review of policy, systems, procedures and processes to verify the organisation’s alignment with Article 17 is essential. The result of implementing a right to be forgotten request on behalf of a data subject must be the same each time, in order to align with the GDPR principle of Lawfulness, Fairness and Transparency. In the author’s experience, this requires a major investment in time, manpower and financing at the outset to ensure consistent results in operation. Let us dive into each of these aspects of the policy, systems, procedures and processes review to determine what is involved.
System: This is in regard to the particular technology that is used to process personal data. An investigation needs to be made into the system(s) of data collection, analysis/manipulation, transference/sharing, publication, storage, and deletion. It is not uncommon to find that these systems are operated by disparate applications. The role of the BAO and an Operating Landscape Manager (hereinafter “OLM”) is invaluable here. The DPO must query them at every stage of the system’s usage of personal data to ensure that, if the right to be forgotten were to be implemented on behalf of a data subject, it would lead to a total erasure of the data. At this stage the BAO, OLM and DPO ought to consider any third-party data transfers. Data processors who have signed up to implement the instructions of the data controller via a Data Processing Agreement (DPA) will need to comply with the right to be forgotten request. Recall what was posited above regarding the requirement to inform other data controllers of the right to be forgotten request. Therefore, organisations must be completely aware of the extent and reach of their personal data processing systems. This is where cost and resource impact need to be reined in to align with such requests, especially if the organisation considers itself vulnerable to the aforementioned risk of inundation. It cannot be ignored that some applications are vast and broad in their interfaces, staging platforms and storage, such as HR applications utilised by multi-nationals. However, keeping system reach and the operating landscape as clean and concise as possible has proven to be invaluable in mitigating this risk in the author’s experience.
While it is strongly postulated that, where an organisation determines that part or all of a data subject’s personal data is no longer required to perform a business task, it should dispose of said data in a controlled manner in compliance with the GDPR’s principles of Data Minimisation and Fairness, there is a challenge that the data controller may levy against the right to be forgotten. The controller is not obligated to erase the data or inform other controllers of the right to be forgotten request to the extent that processing is necessary for freedom of expression/information; compliance with applicable EU/Member State law; public interest/official tasks or public interest in public health; archiving purposes in the public interest or statistical purposes, insofar as the right to erasure is “likely to render impossible or seriously impair the achievement of the objectives of that processing”; or legal claims. [3] This may also prove to be a relief from the risk of inundation, but it also reinforces the importance of organisations considering provisions such as this in achieving awareness and clarity about their personal data processing activities and compliance with the GDPR.
[1] Section 14, UK DPA.
[2] Pinsent Masons, “Guide to the EU General Data Protection Regulation, post Brexit”, p. 24.
[3] Pinsent Masons, op. cit.