The Right to be Forgotten

You might remember this video that went viral a few years ago – a woman totally lost it at the Apple store and started screaming at an employee. Certainly not her best moment, and probably a moment she’d like to forget. And yet, a simple google search pulls up countless results for “woman melting down in Apple store,” seven years after the original incident. So what happens if one of your more unflattering moments gets plastered all over the internet? Don’t you have some sort of right to not have your image and information posted? The answer is not so straightforward, but today we will discuss something called the “right to be forgotten.”

The theory behind the right to be forgotten is that you should have the right to control what gets put out on the internet about you to a certain extent, particularly if the information or video could have long term damaging effects on your reputation and wellbeing.

Before we talk about how the United States addresses the right to be forgotten, we look first to the European Union’s General Data Protection Regulation (the “GDPR”), as the prime example of what it looks like to enact legislation codifying that right. Article 17 of the GDPR states that “[t]he data subject shall have the right to obtain from the [data] controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” See GDPR Article 17.

There are six different, fairly broad categories you could fall into to be “forgotten” under the GDPR.

The first situation in which a person can request data to be erased under the GDPR is where the personal data is no longer necessary in relation to the purpose for which it was collected. GDPR Article 17(a). For example, if a company is running a contest online and requires an entrant to provide their name, address, email, and phone number, once that contest is over, that personal data is no longer necessary for the company to retain. In this scenario, under the GDPR, an individual could ask the company to delete their information.

Second, where the data was able to be collected in the first place only because the individual gave consent, that individual has grounds to have the data erased if he or she withdraws consent for its use. GDPR Article 17(b).

Third, where the individual objects to the collecting of particular information or data in the first place, and there is no overriding legitimate ground for collecting it, the individual can have that data erased. GDPR Article 17(c).

Additionally, if the data was collected illegally or if the data must be erased to comply with EU or national law, the individual can request erasure. GDPR Article 17(d)-(e).

Lastly, an individual can request data erasure where data was collected in relation to certain services offered directly to a child. GDPR Article 17(f).

Also notably, under the GDPR, the data controller that receives an erasure request has to take reasonable steps to inform any other controllers of the same data. This allows the individual to submit fewer requests for erasure and puts the onus on the data collectors to act accordingly.

Unlike the EU, the United States has not enacted a federal law codifying the right to be forgotten. However, for California residents, the California Consumer Privacy Act (the “CCPA”) extends similar protections as the GDPR. Even if you are not a California resident, you have likely seen banners and warnings on websites regarding data collection and allowing you to opt-out of some collection practices, such as tracking cookies.

The CCPA came into effect in January 2020 and is generally intended to create more awareness and protection for consumers surrounding data collection and use. Under the CCPA, a consumer has the right to deletion of personal information that a business has collected, subject to certain exceptions. Cal. Civ. Code § 1798.105. The CCPA also requires a business receiving deletion requests to instruct its service providers to also delete the data at issue.

Unlike the GDPR, however, the CCPA does not list specific conditions in order for an individual’s right to be forgotten to kick in. While the CCPA is broad in applying the grounds for deletion, again unlike the GDPR, it is broad in the grounds a business can use to refuse a request for deletion.

It usually takes 10 years or even longer for laws to catch up to technology. The silver lining to this this that the GDPR and CCPA are just the beginning to consumer protections around the right to be forgotten.