The right to be forgotten allows people to ask for data about them to be removed from the internet. How does it work?
Senior Writer, Forum Agenda
- The EU’s right to be forgotten rule allows individuals to request that organizations remove and delete personal information about them from online platforms.
- People can only ask organizations to erase their personal data if specific criteria are met, such as that it is outdated or offensive.
- Tackling harmful content online is the primary aim of the World Economic Forum’s Global Coalition for Digital Safety, which has developed a set of Global Principles on Digital Safety.
An increasingly digital world has led to digital footprints with surprisingly long trails – and details some people would rather the internet forgot.
This phenomena has led to calls for “the right to be forgotten” – also known as the “the right to erasure” of personal data.
It has both supporters and critics – and some governments have enshrined it as a right.
The concept has recently been back in the headlines after a Canadian court agreed that Canadians have the ‘right to be forgotten’ on Google searches. The Federal Court of Appeal found that the search engine is covered by its federal privacy law. Indeed, the Columbia Journalism Review goes so far as to say, ‘The EU’s right to be forgotten is migrating to other countries‘.
Why do people want the right to be forgotten?
The amount of data we’ve created since 2010 is enormous, with online data growing substantially over that time period.
The 60-fold jump from 2 zettabytes of data generation in 2010 to an estimated 120 zettabytes now is an obvious result of the dawning of the digital age, and some of that data almost certainly relates to you.
If that data is old, outdated or offensive, you may want it to be removed, and that is broadly why “right to be forgotten” rules came into existence.
The regulation stems from a 2010 case brought by a Spanish national after online search results for his name brought up references to legal proceedings from 1998 that had since been resolved. Google was consequently ordered to remove this information from its results page.
What is the right to be forgotten?
The right to be forgotten is a concept that allows people to request that organizations remove and delete specific personal information about them from online platforms.
This right is not recognized everywhere and even where it is, organizations don’t always have to comply with requests.
The EU introduced its right to erasure rule in 2014, and the legislation is part of its General Data Protection Regulation (GDPR). A 2019 ruling declared that Google didn’t have to apply the right globally but as the Canada news shows, it is being looked at and debated beyond Europe’s borders.
For example, in Japan, a 2016 ruling recognized a man’s right to be forgotten on Google.
When does the right to be forgotten apply?
Only people (not organizations) can ask for their personal data to be deleted and only if certain criteria are met. They cannot request that data be deleted for no legitimate reason.
Some of the criteria for the right to be forgotten in the EU include:
- The data is no longer needed in relation to the purpose for which it was collected or processed.
- An individual withdraws consent for the data to be used and there is no lawful basis contradicting this.
- Personal data is being processed for direct marketing purposes and the individual objects to this.
However, requests for personal data to be deleted can be denied. This can often include:
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to perform a task being carried out in the public interest or when exercising an organization’s official authority.
- The data being processed is necessary for public health purposes and serves in the public interest.
For additional examples, this list from the EU details other reasons data may and may not be erased in Europe, though rules might vary elsewhere.
Right to be forgotten cases
Data removal can be complicated. For instance, if a search engine is ordered to remove an individual’s data, this applies only to results that show up in Europe, not globally.
Still, as awareness of this right grows, so do requests. For instance, X – formerly known as Twitter – has seen rising requests for data to be removed. It received an average of over 250 requests per day in the final six months of 2021, the latest period on which it provides information.
Cases across the internet where the right to be forgotten has been enforced include:
- Defamatory social media posts.
- Information about spent legal convictions.
- Allegations from newspaper reports that are later disproven.
- Images of individuals that attract disparaging comments.
- Images or videos of people used without their knowledge for malicious purposes.
Who decides what should and should not be forgotten?
Some critics remind policymakers and leaders that a balance must be struck when determining what should and should not be forgotten.
For instance, tension does exist between the right to be forgotten and the right to freedom of expression. And the legislation makes space for this, with Article 17(3) outlining circumstances where the right to be forgotten doesn’t apply – including exercising the right to freedom of expression and information. Some believe this right could be misapplied to cover up human rights violations and other illegal activity.
Concerns are that the legislation could lead to frequent and widespread removal of content, and it can be used as a mechanism to censor or prevent scrutiny.
And, as technology develops, new challenges emerge. For example, questions have emerged about large language models, typically used to train AI systems, and the right to be forgotten from those. And, more significantly, how you might be forgotten from such datasets, which would be much more complicated than for search engines.
Tackling harmful content online
Where many cases are upheld, the data has posed a threat to an individual’s well-being. Tackling harmful content online is the primary aim of the World Economic Forum’s Global Coalition for Digital Safety, whose members span the public and private sectors and have developed Global Principles on Digital Safety.
“The principles encourage deeper collaboration and cooperation, recognizing that we all have responsibilities to help build a safe, rewarding and innovative digital world,” the Forum says in its Translating International Human Rights for the Digital Context report.
Anyone wishing to have data about themselves removed from the internet can make a request verbally or in writing, depending on their jurisdiction. The EU provides a template for doing so, while organizations, including Google and X, have set up online request forms.