An Individual's Right To Be Forgotten

• Author: David Zetoony
• Profession: Is a partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
• Pages: 39-54

39

An InDIVIDUAL’s

RIGHt to Be

foRGotten

Q.44 WHAt Is tHe “RIGHt to Be foRGotten”?

The right to be forgotten refers to the ability of a person to request that

a company erase all of the personal data that it keeps about the person.

Q.45 DID tHe GDpR cReAte tHe RIGHt to Be

foRGotten?

No.

The right to be forgotten is often cited as a “new” right that was cre-

ated by the GDPR. In actuality the right to be forgotten was includ-

ed within the Privacy Directive—the predecessor to the GDPR—and,

therefore, existed for over twenty years before the GDPR was conceived.

The following compares the right as presented under the Directive and

under the GDPR:9293

PRIVACY DIRECTIVE

ARTICLE 12

GDPR

ARTICLE 17

Member States sha ll guarantee

every data subject the right to

obtain from the c ontroller . . .

as appropriate the . . . er asure or

blocking of data the processing of

which does not comply with the

provisions of thi s Directive.92

The data subject sh all have the

right to obtai n from the control-

ler the erasure of personal data

concernin g him or her without

undue delay and the cont roller

shall have the obligation to erase

personal dat a without undue

delay where one of the following

grounds applies .93

92. Privacy Directive, Article 12 (b).

93. GDPR, Article 17(1).

40 TH E EU GEnEral DaTa PrOTECTIOn rEGUlaTIOn (GDP r)

What the GDPR did do was provide greater clarity about when com-

panies were and were not required to honor a request to be forgotten.

See Q 49 for a discussion of when an erasure request must be honored.

Q.46 ARe tHeRe Any AnALoGs to

tHe RIGHt to Be foRGotten WItHIn

UnIteD stAtes LAW?

Yes.

While the majority of United States data privacy laws do not include

a right to be forgotten, the Children’s Online Privacy Protection Act

(“COPPA”) has an analogous provision. COPPA regulates the online

collection of information from children under the age of 13. Pursuant to

the rules implementing COPPA, parents have a right to review “or have

deleted the child’s personal information.”94

Q.47 ARe ALL coMpAnIes ReQUIReD to

cReAte A poLIcy oR pRoceDURe foR

pRocessInG RIGHt to Be foRGotten

ReQUests?

No.

Some companies may decide to create a written policy or procedure for

processing right to be forgotten requests, whereas other companies may

decide that such a policy is unneeded.

The GDPR requires that controllers “be able to demonstrate compliance”

with the core principles espoused by the regulation.95 The obligation to dem-

onstrate compliance is sometimes referred to as the “accountability principle.”

Several of the core principles tangentially relate to the right to be for-

gotten. For example, one of the core principles is that a controller must

not keep personal data for “longer than is necessary for the purposes for

which the personal data [is] processed.”96 The principle relates closely to

an individual’s right to request that personal data be erased if it is “no lon-

ger necessary in relation to the purposes for which [it was] collected.”97

94. 16 C.F.R. § 312.4(d)(3).

95. GDPR, Article 5(2).

96. GDPR, Article 5(1)(e).

97. GDPR, Article 17(1)(a).