Among a number of compliance challenges for organizations subject to the European Union’s data privacy regulation is the right to be forgotten, which is also referred to, perhaps misleadingly, as the right to erasure. Article 17 of the EU’s General Data Protection Regulation (GDPR) specifies that an individual — or, in GDPR parlance, a “data subject” — has the right to have personal data erased in certain circumstances.
But does an individual’s right to be forgotten mean that their personal data must be deleted upon request? Or is something less than deletion or erasure acceptable? As with so much in the legal and regulatory world, it depends.
A Right to Be Forgotten and Other Rights
The right to be forgotten is just one of a number of rights addressed in the GDPR, which went into effect in 2018. Under GDPR, people have the right to access the personal information collected about them and to correct any errors in it. Individuals also have the right to be informed about the use of their personal data and the length of time it will be stored. They can even ask that the processing of their data be stopped in certain situations.
Also under GDPR, individuals have a right to data portability; they can ask that their personal information be provided to another entity. In sum, the GDPR fosters transparency, integrity, confidentiality, fairness and data minimization.
The Right to Be Forgotten Is Not Absolute
At the same time, the right to be forgotten pursuant to the GDPR is not an absolute one. For instance, organizations might face certain legal obligations that require them to maintain personal information about a person.
Other scenarios might allow an organization to retain an individual’s personal information as well, such as when the data is for archiving purposes in the public interest or for certain scientific, historical or statistical purposes.
Under the GDPR, organizations might also retain personal data when they are exercising “the right of freedom of expression and information.” Indeed, countries that are EU members are allowed to reconcile the right to protection of personal data with the right to freedom of expression and information, such as data processing for journalistic purposes or for academic, artistic or literary expression.
It’s a little complicated.
Erasure vs. Anonymization
Of course, organizations subject to the GDPR should have a compliance procedure in place for handling requests to be forgotten. What entities and their lawyers may want to consider is whether that right to be forgotten requires data to be deleted.
Interestingly, while the term “personal data” is defined in the GDPR, “erasure” is not. Some have argued that if personal data is anonymized, it’s no longer personal information since it cannot be associated with a particular person. Following that line of reasoning, a request to be forgotten might be satisfied either by deleting personal information or by de-identifying it. It’s an idea that has also surfaced with respect to another law a continent away — the proposed regulations for the California Consumer Privacy Act allow businesses subject to that law to comply with a consumer’s request to delete personal information by erasing, de-identifying or aggregating it.