Whenever personal information is shared online, it creates a lasting digital footprint. However, under the “right to be forgotten” (RTBF), an individual can, in certain circumstances, request an organization remove their personal data. Here is a look at the essential aspects of the RTBF, including the countries in which it is recognized and how a person can exercise the right.
What is the RTBF?
Also called the “right to erasure”, the RTBF allows an individual to ask an organization to delete the personal information it holds on them. In the EU, the right is enshrined in the General Data Protection Regulation (GDPR), which was adopted in 2016. However, the RTBF was first recognized in a 2014 case which considered the right of an individual to ask a search engine to delist certain results relating to their name.
The GDPR provides that an organization must comply with a data removal request under specific circumstances. These include where the organization no longer needs to hold the data or where the individual withdraws their consent for the data to be used. Additionally, if the data was collected from an individual when they were a child or it was used unlawfully, the organization should comply with the removal request.
However, the right is not absolute. This means there are instances when an organization can legitimately refuse to comply. These mainly relate to when the organization needs to hold on to the data for a specific reason, such as for regulatory compliance.
Is the RTBF recognized globally?
The RTBF is not an international concept, although it has been recognized in a few other jurisdictions and the GDPR requirements apply in the UK, post-Brexit. In addition, there is case law in several countries addressing issues relating to the right to have personal data removed for reasons including reputational damage and the right to control one’s image.
In the US, the right is not recognized by the courts. However, there are laws in place, such as the California Consumer Privacy Act of 2018, which gives individuals similar control over their personal data, including the right to request to have their data deleted. Again, there are legitimate reasons why an organization can refuse to comply.
How can an individual exercise their RTBF?
To exercise the right, an individual should contact the organization(s) and ask for specific personal data to be removed. For example, if a membership or subscription has elapsed, an individual can contact the company to ask for their personal details to be deleted.
Of course, personal data shared online can spread beyond just the company or organization with which it was shared. It can also end up in the databases of multiple data brokers. So, if an individual also wants their data removed from these brokers, using a data removal company like Incogni can streamline the process.
After receiving a removal request, the organization should respond, either to indicate it plans to comply or to state the reasons why it will not or cannot comply. Again, using a data removal service can help you to stay on top of the requests and ensure companies meet their obligations under the GDPR and other relevant laws.