The 'derecho al olvido digital' (Right to be Forgotten) allows individuals to request the removal of personal data from search engine results that are inaccurate, inadequate, irrelevant, or excessive.
The "Right to be Forgotten," more formally known as the right to erasure, is a complex and evolving principle within data protection law. It empowers individuals to request the removal of personal information from online platforms, search engines, and other data controllers under specific circumstances.
Origins and Legal Basis
The concept originated in the European Union, primarily through the landmark 2014 ruling by the Court of Justice of the European Union (CJEU) in the Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González case. This ruling established that search engine operators, like Google, are data controllers and have a responsibility to process requests from individuals seeking to delist search results containing their personal data.
The legal basis for the right to erasure is primarily found in Article 17 of the General Data Protection Regulation (GDPR), which outlines the conditions under which an individual can request the deletion of their personal data. These conditions include:
- The data is no longer necessary for the purpose for which it was initially collected or processed.
- The individual withdraws consent on which the processing is based (and there is no other legal ground for processing).
- The individual objects to the processing and there are no overriding legitimate grounds for the processing.
- The personal data has been unlawfully processed.
- The personal data has to be erased to comply with a legal obligation in Union or Member State law.
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR (i.e., services offered directly to a child).
Scope and Limitations
It's crucial to understand that the Right to be Forgotten is not absolute. Data controllers can refuse erasure requests under certain circumstances, including when processing is necessary:
- For exercising the right of freedom of expression and information.
- For compliance with a legal obligation.
- For reasons of public interest in the area of public health.
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
- For the establishment, exercise, or defense of legal claims.
Furthermore, search engines are typically only required to delist URLs from search results displayed in the EU member states, not globally. This jurisdictional limitation has been a subject of ongoing debate and legal challenges.
Practical Implications for Businesses
Organizations that collect and process personal data must establish procedures for handling erasure requests. This includes:
- Implementing mechanisms for individuals to submit erasure requests.
- Conducting a thorough assessment of each request to determine its validity.
- Documenting the decision-making process.
- Implementing technical measures to ensure data is effectively deleted or anonymized.
- Having a clearly defined policy regarding the Right to be Forgotten, easily accessible to data subjects.
Failure to comply with erasure requests can result in significant penalties under data protection laws like the GDPR.
Global Perspectives
While the Right to be Forgotten originated in the EU, similar concepts are emerging in other jurisdictions. Some countries, like South Korea and Argentina, have data protection laws that incorporate elements of the right to erasure. However, the scope and implementation of these rights vary significantly. In the United States, while there isn't a federal law explicitly granting a "Right to be Forgotten," various state laws, such as the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), provide consumers with rights to deletion of personal information. These state laws are influencing data privacy practices nationwide.
Legal Perspective 2026
Looking ahead to 2026, the Right to be Forgotten will likely face increasing scrutiny and refinement. We anticipate the following developments:
- Increased Harmonization Efforts: We may see further efforts to harmonize data protection laws across different jurisdictions, potentially leading to a more globally consistent approach to the right to erasure.
- Technological Challenges: The increasing volume and complexity of online data, including data stored in decentralized networks (blockchain), will present ongoing challenges for implementing and enforcing the Right to be Forgotten.
- AI and Automated Decision-Making: The use of artificial intelligence (AI) in data processing will raise new questions about the scope and application of the Right to be Forgotten, particularly regarding data used to train AI algorithms.
- Balancing Freedom of Expression: The tension between the Right to be Forgotten and freedom of expression will continue to be a central issue. Courts and regulators will need to strike a careful balance between these competing rights.
- Evolving Case Law: Further legal challenges and court rulings will continue to shape the interpretation and application of the Right to be Forgotten, providing greater clarity for businesses and individuals.
In conclusion, businesses must stay informed about the evolving legal landscape and proactively implement robust data protection measures to ensure compliance with the Right to be Forgotten and other data privacy regulations. Continuous monitoring of legal developments and adaptation of internal policies and procedures are crucial for navigating the complexities of this rapidly changing field.