GDPR Newsletter

The PwC DPO voice - Right to be forgotten

N°8 - August 2017 edition

The right to be digitally forgotten: personal data

How many of us haven’t dreamed of creditors forgetting about us so that we don’t have to pay back the mortgage on our impulse-bought property that is so special and hugely overpriced? How many candidates for a top position wouldn’t give everything to have a few unflattering posts removed from social networks or for the Luxembourg criminal record database to forget their past mistakes? What public figure wouldn’t want certain embarrassing associates or acquaintances to disappear from photographs, removed from reality in Marty McFly fashion, like in the first Back to the Future film?

Even legal proceedings are subject to the statute of limitations; so why isn’t there also a time after which certain information can no longer be processed - a kind of data expiry date?

The right to be digitally forgotten: a unique concept in an interconnected world

The right to be forgotten was created in 2014 by case law from the Court of Justice of the European Union, following requests by Internet users for certain pages concerning them to be removed from Google search results. This concept is written into law by Article 17 of the EU General Data Protection Regulation (GDPR) and extends to all data-processing methods.

While directive 95/46/EC, which is currently applicable, already provides that, for personal data to be processed legally, they must only be processed if they are necessary (and therefore they should no longer be processed if they stop being necessary), the GDPR must basically go further by allowing data subjects to have some of their personal data erased as soon as possible provided that certain requirements are met. This is in addition to the right to object to the processing of personal data.

While deceptively simple, the right to be forgotten immediately raises a tricky philosophical issue: how can the right to freedom of communication and freedom of information be reconciled with the right to privacy? On the one hand, you have the data controller’s legitimate interests and on the other, the data subject’s fundamental rights. You have scientific truth vs fact manipulation.

From a technical standpoint, the digital right to be forgotten is a genuine challenge. Granted, it is objectively easier to erase a computer’s memory than human memory; however, given the complexity of interactions between systems, the data back-ups as well as the variety of people involved and data recipients, it would be unrealistic to believe that data can be totally erased.

The right to be digitally forgotten and the legitimacy of data processing: reversing the burden of proof

The right to have one's data erased is not absolute and is inevitably faced with the very legitimacy of the processing. As long as the data are processed legitimately (and lawfully), erasing the data is out of the question (you will have to think of another way to make your creditors forget about you!).

However, data subjects are entitled to demand that their personal data be erased when the processing is no longer legitimate, i.e., when:

  • the data are no longer necessary in relation to the purposes for which they were collected;
  • the data subject withdraws consent on which the processing was based (editor’s note: this is another weak point as far as consent is concerned);
  • the data have been unlawfully processed;
  • the data subject exercises his/her right to object at any time in the cases of direct marketing and profiling relating to those data;
  • the data relate to a minor; or
  • the personal data must be erased to comply with a legal obligation (a new law or court ruling for instance).

In certain circumstances, things may not be as clear cut as described above. As soon as the data subject objects to the processing (and asks that his/her personal data be erased) “on grounds relating to his/her particular situation”, it will be up to the data controller to demonstrate that there are compelling legitimate grounds for the processing to continue.

Obviously, each situation will need to be assessed based on the data subject's status (e.g. fame, sphere of influence, reporting relationship with the data controller), the background (e.g. history, domestic data), the data's sensitivity as well as the consequences of the data being retained or erased.

Will the right to be forgotten necessarily mean that personal data will be destroyed?

What does the right to be forgotten actually mean? Are we saying that the data are destroyed, pure and simple? Or are they simply removed from the production system? Or are they archived with controlled access or are they pseudonymised?

Current practice is pragmatic and does not require that the data be systematically destroyed as long as relevant security measures are implemented carefully. Let us hope that this spirit is maintained with the GDPR and its article 17; indeed, no one can be expected to do the impossible, as provided in the spirit of articles 24 and 32 of the same regulation.

To date, the EU has not published any position on the practical terms governing the right to be digitally forgotten. A recommendation from the Article 29 Data Protection Working Party (which will change its name to the European Data Protection Committee) will need to be issued to shed light on a grey area, full of legal uncertainty.

Implementing the right to be forgotten is complicated

In any event, it would seem that the data controller must already do the following:

  • determine a data classification which includes retention aspects (e.g. statutory period, ongoing disputes, legitimacy of the processing);
  • outline the very concept of "erasure" in his/her policies;
  • provide in his/her governance that the data whose processing is no longer necessary be "erased" systematically in order to anticipate the data subjects' requests;
  • map all data recipients and require that they implement a similar governance;
  • implement an interface with the data subjects to enable them to exercise their right to be digitally forgotten;
  • ensure that the person exercising this right is indeed the data subject and justify any action taken following such requests;
  • if the "erasure" is valid, erase the data within no more than one month of the request being made;
  • ensure that no other data that need to be retained are destroyed or altered when those data are being erased.

As the right to be digitally forgotten is such a complex topic, one needs - once again - to analyse circumstances on a case-by-case basis. To do so, you need to be thoroughly familiar with your processes and you need to carefully organise metadata in order to respond adequately to the data subjects' requests.

Cédric Nédélec
Data Protection Officer

Contact us

Frédéric Vonner
Tel: +352 49 48 48 4173

Cédric Nédélec
Data Protection Officer
Tel: +352 49 48 48 2186

Ludovic Raymond
Tel: +352 49 48 48 4304

Follow us