Back in 1998, a Spanish gentleman named Mario Costeja González found himself in financial difficulties and a property he owned was put up for auction to settle his debts.
It solved his financial problems, but it also led to one of the most far-reaching data protection rulings in the history of EU law.
The auction notice was published in the Spanish press (and the newspaper’s archive was later put online), and Mr Costeja González found that if he Googled his name, links to the notice would invariably appear. He argued that this damaged his reputation, particularly as the debt had long been settled and he was now a man of good financial standing, and asked that Google Spain remove the links to those pages from its search results.
In May 2014, the Court of Justice of the European Union agreed with him (Case C-131/12, Google Spain v AEPD and Mario Costeja González): a search engine operator is a data controller in its own right and must, on request, delist links to information about a person that is inadequate, irrelevant or no longer relevant. That principle became known as the ‘right to be forgotten’, and the GDPR now codifies it as the ‘right to erasure’ (Article 17). Ironically, of course, Mr Costeja González is now something of a hero for data protection fans: there are pictures of him all over the internet and he is unlikely ever to be forgotten…
Why does GDPR matter to companies, charities and the public sector?
The original formulation of the right to be forgotten pitted European citizens against search engines. The ruling said that search engine operators (Google, Bing and the like) must, when asked to do so, remove links to third party web pages containing information about a person where that information is inadequate, irrelevant, no longer relevant or excessive. Notably, the newspaper that published the original notice was not required to take it down; the obligation fell on the search engine alone.
But the General Data Protection Regulation (GDPR), which applies from 25 May 2018, extends these principles to almost all organisations (including the government and charity sectors) and to all the personal data they hold, whether or not it has been made public. Like the rest of the GDPR, the right to be forgotten will be carried into UK law after Brexit; whether it stays there in the long term is up to Parliament.
Under GDPR, the right to be forgotten (Article 17) says that any individual whose personal data you hold (the ‘data subject’, not only EU citizens) can ask any organisation to delete the data it holds about them if, among other grounds:
- It’s no longer necessary for the purpose for which it was originally collected. If, for example, you collect a name and address to deliver a parcel, then once it’s delivered the customer can ask you to delete the record; you may keep it only if you have another lawful reason to do so, such as a tax or accounting obligation to retain the order.
- The individual withdraws the consent the processing was based on and you have no other legal ground for it. Unless one of the exemptions in Article 17(3) applies, the individual’s decision is final. The exemptions cover a number of public interest cases, such as public health purposes and scientific or historical research, as well as compliance with a legal obligation, but they also include the more contestable ‘exercising the right of freedom of expression and information’.
- The data has been unlawfully processed, i.e. in breach of other GDPR requirements.
There are loose ends to the right to be forgotten, but the GDPR is a law with teeth, and companies should assume that regulators and courts will read it in the individual’s favour. In particular, note that the individual doesn’t have to show that keeping their data puts them at any sort of disadvantage (which was the substance of Mr Costeja González’s original complaint).
They simply have to ask for erasure. Nor does the individual (the ‘data subject’) have to prove that they are entitled to it; rather, the organisation (the ‘data controller’) must be able to show that one of the grounds for refusing applies, for example a legal obligation to retain the record or overriding legitimate grounds, if it wants to keep the data.
What do I have to do?
Most importantly, you need to be responsive and avoid dodgy small print. Article 12 of the GDPR says that you must communicate with individuals about their data and the way you process it “in a concise, transparent, intelligible and easily accessible form, using clear and plain language… in writing, or by other means, including, where appropriate, by electronic means.” You must also act on an erasure request without undue delay and in any event within one month of receiving it; that period can be extended by a further two months for complex or numerous requests, but only if you tell the individual why within the first month.
Second, you should take a long hard look at your IT systems. The GDPR isn’t draconian: where data you have made public has been copied elsewhere, Article 17(2) asks only for ‘reasonable steps’ that take account of available technology and the cost of implementation, and it accepts that there are situations where erasing every copy of a record is simply not possible. But in a survey of 500 IT decision makers, data company Varonis found that 71% felt that the right to be forgotten was the most challenging aspect of the GDPR.
Errors in the management or distribution of data, right down to individuals accidentally taking individual records off site, could leave you non-compliant: you cannot erase a record if you don’t know where every copy of it lives, including backups, exports, spreadsheets and data held by your processors on your behalf. All organisations should at least take GDPR as an opportunity to revisit and refresh their technology approaches, starting with an inventory of where personal data is held.
Finally, organisations that process information about children, public sector bodies in particular, should re-examine the way they handle it. The Information Commissioner’s Office says:
“If you process the personal data of children, you should pay special attention to existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums.
This is because a child may not have been fully aware of the risks involved in the processing at the time of consent”.
What next?
Working with specialist Data Privacy lawyers, Me Learning has launched a suite of tailored e-learning courses especially for GDPR – including a module covering ‘the right to be forgotten.’
For more details and to find the course package that best suits your organisation, click here.