Citizens will soon be given more control over their personal information when the EU's General Data Protection Regulation (GDPR) and the UK's new Data Protection Bill will enshrine the right to be forgotten into law.
The right to be forgotten is also known as the right to erasure. It gives individuals the power to request the removal of their personal data when there is no compelling justification for its continued processing by a company.
The right to be forgotten is, however, an elusive privilege. It more easily captures an idea than it does a policy. An act of disremembering is impossible to enforce, but the principle has been invoked to support personal privacy by expunging outdated, inaccurate or irrelevant information.
History of the right to be forgotten
The right to be forgotten has an ancestor that emerged in the pre-internet era, known as “practical obscurity”. It refers to physical data that is so difficult to access it is "practically obscure".
Practical obscurity first came to public attention in 1979, when reporters sought the FBI rap sheet of a man called Charles Medico, whose family business allegedly had ties to organised crime.
Their suit was taken all the way to the US Supreme Court, which ruled that that the rap sheets weren't subject to disclosure under a Freedom of Information request.
Although such records were publicly available in court houses and government offices, the effort needed to retrieve them was so onerous it was considered to be impracticable. They were thereby deemed "practically obscure", and should be withheld as their release could constitute "an unwarranted invasion of personal privacy".
Much has changed since that decision. The conversion of such records into electronic formats makes finding them more realistic and we now record our lives online, leaving our indelible tracks wherever we may tread.
In 2014, a case heard in the European Court of Justice (ECJ) set a contemporary precedent on the issue. A Spanish national named Mario Costeja González had complained about two newspaper pages that had been published in 1998 but were still available online. They announced the forced sale of a property he owned, which was being repossessed to pay off his social security debts.
Google searches of his name would bring up links to the two pages. He wanted them to be removed as his debts had long since been resolved but would remain a stain on his reputation as they retained a prominent position in the results of searches for his name.
The ECJ ruled that Google had to withdraw the data from its indexes. Ironically, the case brought more attention to Costeja's past than it had ever had before. His victory would be more accurately described as a right not to be indexed than a right to be forgotten.
The information could remain on the newspaper’s website as it had been lawfully published. The newspaper was protected under data protection laws as it was a media company, which Google claims not to be.
The search giant accepted the decision. It then established a system to help others request erasure by submitting a request online that then undergoes a manual review. The search engine can still reject a request, which the subject can then appeal to a supervisory authority or the judicial authority.
Since the ECJ ruling, Google has removed more than 800,000 URLs after receiving a request for erasure, but has kept more than a million others in its index.
They include requests pending additional information or review, as well as those pages Google chose not to delist. Reasons for these decisions include the existence of alternative solutions, technical reasons, duplicate URLs, or the information being strongly in the public interest.
Privacy advocates hailed the decision as a major victory in their battle to protect personal information. Other organisations raised concerns that it could lead to organisations censoring truthful information about people if they don’t like it.
Each request for erasure must assess the public interest against the individual's right to privacy, but the comparative weight of such nebulous rights can be equivocal and mutable.
What is the effect of the upcoming regulations?
A digital presence is now an integral part of most of our personal and professional lives and the information posted online is hard to remove, whether it's embarrassing Facebook photos or spent criminal convictions. The past we thought we left behind is just a click away from the present.
The ECJ ruling only enforced the right to erasure on search engines operating in Europe. The proliferation of personal data that is available online extends far beyond their indexes. It's often exploited for the benefit of others, and their motivations may be contrary to the wishes of the data subjects. It will now be extended to all data processors.
How GDPR includes the right to be forgotten
These concerns led the EU to extend the right to be forgotten to all data processing. The GDPR will give any individual the right to request the erasure of their personal data from anywhere in the union when there is no compelling reason for its processing.
Article 17 of the regulation outlines the different circumstances under which they can exercise the right to erase their personal data. It should be granted if the data is no longer necessary to serve the purposes for which it was originally processed; if the subject withdraws consent or has a rightful objection to the processing and there are no overriding legitimate grounds for it to continue; if it has been unlawfully processed; if it needs to be erased for compliance with a legal obligation; or if it was collected in relation to the offer of certain information society services.
It also includes additional requirements for the personal data of children. They will have the right to erase data that they previously consented to provide, as they may not have fully understood the risks at the time they gave consent. This is particularly relevant to information posted on social networks and internet forums.
If the data controller has made personal data public and is obliged to erase it, they must take reasonable steps to inform anyone else processing the data that the erasure has been requested.
They don't apply if the processing is necessary for exercising the right of freedom of expression and information, for use in legal claims, for complying with legal obligations, is in the public interest, or for some archiving that is part of scientific or historical research or statistical purposes.
If businesses fail to meet their obligations, they face a maximum fine of €20 million or up to four per cent of worldwide revenue, whichever one is higher.
The British government will also enshrine the GDPR regulations into domestic law when the UK leaves the European Union.
In August the government announced that it will introduce a new Data Protection Bill, with specific reference made to the right to be forgotten. It promised to give the public the power to ask social media companies to delete information that they posted in their childhood, a measure dubbed the "right to innocence".
The plan was first proposed in the Queen's Speech in June 2017 and will soon move through the UK Parliament.
The current Data Protection Act limits the right to erasure to processing data that causes unwarranted and substantial damage or distress