Right to be Forgotten: What Does it Mean for Your Business?
The internet, like an elephant, never forgets. Every action or piece of content – a post, an image, a tweet, a share, a video and many, many others – can (potentially) be copied, replicated, linked to, referenced and archived. Our information is profiled, cross-referenced, micro-targeted and uploaded to the cloud. With freedom of information, freedom of expression, freedom of speech, right to privacy, and right to be forgotten, which freedoms or rights trump the other?
If you’re a citizen of the EU, you do have the right to remove and delete specific information that is deemed irrelevant, outdated or otherwise inappropriate – you have a right to be digitally forgotten. As part of the General Data Protection Regulation (GDPR), people “should have the right to have personal data concerning him or her rectified” and “personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed.”
If you withdraw consent for your information to be processed, or if the processing of personal data doesn’t comply with GDPR, you can request your information be altered or erased. This is especially relevant if the information was gathered when the individual was a child.
There are limitations to the right to be forgotten:
- For exercising the right of freedom of expression and information
- For compliance with a legal obligation
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- On the grounds of public interest in the area of public health
- For archiving purposes in the public interest
- Scientific or historical research purposes or statistical purposes
- For the establishment, exercise or defense of legal claims
Privacy vs. Freedom of Speech
While at first glance, the right to be forgotten seems like a reasonable measure to protect privacy, there are complex philosophical questions with significant real-world impacts at play.
Consider the first limitation: how do we balance the right to be forgotten with the right of freedom of expression? As Ben Rose, co-founder and partner at UK legal firm Hickman & Rose, quoted in The Guardian states “there is an inherent tension between an individual’s right to privacy and what information the public interest requires be available.“
EU Courts have already made rulings on the matter, based on the 1995 Data Protection Directive which preceded GDPR. In 2014, the Court of Justice of the European Union (CJEU) ruled in Google v. González
“inclusion in the list of results displayed following a search made on the basis of his name” … “is, at this point in time, incompatible with Article 6(1)(c) to (e) of the directive because that information appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant.”
The question is, at what point is information inadequate, irrelevant or no longer relevant? The ruling did state “protection of those data and to privacy — which encompass the ‘right to be forgotten’ — override the legitimate interests of the operator of the search engine and the general interest in freedom of information.” Unfortunately, it offered no guidance on how to determine relevancy.
Recently, there were two rulings by the UK High Court. Both concerned business professionals who had previous criminal records appearing in search results and were looking to get those removed. The judge ruled in the favor of one of the claims but rejected the other. The convictions against the two men in these cases had a different level of severity and had differing reactions to their convictions. As such, the public interest in each case was determined to be different.
According to Jim Killock, executive director of The Open Rights Group, “the Court will have to balance the public’s right to access the historical record, the precise impacts on the person, and the public interest.” As a result, Google released this follow-up statement: “we work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest.”
Removing Data in Practice
Google was a common link in both cases. As a search engine, they are used to easily find information, yet they are not a news site. They have been particularly affected by the right to be forgotten. According to a transparency report, Google has had over 677,000 requests to remove certain websites from its search results since May 29, 2014. These requests involved 2.52 million URLs and Google removed about 43.8 percent of those URLs.
Removal requests are done through a web form and each request is handled on a case-by-case basis. Reasons for not delisting include technical considerations and the public interest including “whether the content relates to the requester’s professional life, a past crime, political office, position in public life, or whether the content is self-authored content, consists of government documents, or is journalistic in nature.”
One criteria in the form submission is that the requester must identify themselves:
“To prevent fraudulent removal requests from people impersonating others, trying to harm competitors, or improperly seeking to suppress legal information, we need to verify the identity of the person on whose behalf the request is made (the relevant individual). A passport or other government-issued ID is not required. You may obscure parts of the document (e.g. ID number) as long as the remaining information identifies the relevant individual. You may also obscure any photograph in the identification document, unless you are asking for removal of pages that include photographs of the relevant individual. Google LLC will use this information solely to help us assess and document the authenticity of your request and will delete the copy within a month of closing your removal request except as otherwise required by law.”
Privacy vs. Data Inclusion
Keep in mind that many systems that we use to improve our lives use data to enable and optimize their processes. Consider cookies placed by a website, which helps the website remember the user and provides customization features. It provides tracking and profiling when combined with submitted user data, but it also enables the site operators to learn more about what their visitors want in order to provide a better user experience.
Another use case for data inclusion is fraud prediction. Data analysis enables systems to enhance fraud detection capabilities to help prevent and manage losses, while strengthening trust frameworks. The more data that is included in the analysis, the better the models are and the safer the system is for everyone.
Trust is a foundation of economic activity and without reliable data, online trust is difficult, if not impossible to build. If consumers request their data to be erased or forgotten, they may also inadvertently create barriers for accessing online services and participating in the modern economy. With less data, the advantages of micro-targeting — more customized messaging, deeper customer insight, improved customer experience — becomes more difficult and expensive and the entire new economy becomes immersed in a cloud of doubt.
With the introduction of GDPR, companies and compliance teams have to make sure the demands for effective procedures to comply with the right to be forgotten need are carefully considered. Communicating your data deletion policy and having your systems in place to handle any such request will help ensure the individuals you collect data from have the right to be forgotten — and it’s an important step towards your overall GDPR compliance. More than compliance, it’s about ensuring individuals trust the data practices of organizations and willingly participate to create a better future for all.