What is the Right to be Forgotten?
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

What is the Right to be Forgotten?

With the EU’s GDPR set to take effect in May, the Right to be Forgotten is of major importance.

One of the central tenants of the EU’s incoming GDPR is ‘the right to be forgotten.’ This is a concept that was given precedent by the Luxembourg-based Court of European Justice back in 2014.

In the case in question, a Spaniard named Mario Costeja Gonzalez claimed that news coverage of a 1998 auction continued to damage his reputation. Gonzalez had come under some financial hardship towards the end of the 90’s and was forced to place one of his properties up for auction. This attracted the attention of a local newspaper whose coverage ended up going online.

By the time the court in Luxembourg heard the case, 16 years had passed and Gonzalez had moved beyond his woes, but anybody who searched his name was immediately greeted with this story about his financial hardships. He argued that this tarnished his reputation and as such, the content should be removed from Google’s search results.

The court agreed with him, thus establishing a precedent that would be used in the EU’s GDPR.

What is the Right to be Forgotten?

The Right to be Forgotten is the idea that citizens should have the ability to:

“…determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.”

As it relates to the internet, this means that citizens have certain rights with regard to their personal data, including to have it deleted.

Unfortunately, the application of this concept is messy and surrounded with controversy.

Opponents of the right to be forgotten are quick to point out that it will have a negative impact on freedom of expression, and could have a negative net impact on the internet itself as a result of censorship and people’s ability, to some extent, to rewrite history.

Proponents of the concept point to the need for the right to be forgotten in light of things like revenge porn or instances of petty crimes from someone’s youth—things that can unduly influence one’s reputation indefinitely.

The Right to be Forgotten in the EU’s GDPR

Article 17 of the GDPR deals with: Right to erasure (‘right to be forgotten’). It states that EU citizens have the right to have their personal data erased under certain premises. Here’s the entire article:

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    4. the personal data have been unlawfully processed;
    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    5. for the establishment, exercise or defence of legal claims.

How to Exercise the Right for Erasure

In order to exercise your right to be forgotten in the EU, you must complete a form through the website of the search engine you want to be forgotten from.

Google, which fields the most requests annually, requires you to identify your country of residence, personal information, a list of the URLs you would like removed along with a short description of each and an attachment of legal identification.

The term “erasure” is misleading though. Google (and others) don’t actually delete anything, rather the content is de-indexed so that it will no longer appear in search listings. The content itself still exists, it’s just much harder to find it now.

Do Americans have the right to be forgotten?

Despite the fact that an Adweek survey found 9 in 10 Americans want the right to be forgotten, it doesn’t exist in the United States. Though the debate dates back to 1931, when an ex-prostitute that was charged with, and then acquitted of murder sued the producer of the 1925 film the Red Kimono for revealing her history. At the time the court ruled in favor of the woman, finding that:

“…any person living a life of rectitude has that right to happiness which includes a freedom from unnecessary attacks on his character, social standing or reputation.”

Decades later, the courts went the other way after a former child prodigy attempted to sue The New Yorker for an article he claimed disrupted his ability to live a quiet adulthood, without recognition. In this case the court found there were limits to one’s right to control facts about oneself, holding that there is social value in published facts and that a person cannot ignore their celebrity status simply because one wants to.

The United States’ preoccupation with its right to the freedom of speech is actually one of the biggest obstacles towards a right to be forgotten becoming a reality, as many believe it constitutes censorship and jeopardizes citizens’ freedom of expression.

Is the right to be forgotten a good idea?

Frankly, that’s a matter of opinion. Here’s ours: While the idea behind the right to be forgotten is well-intentioned, overall it’s putting the needs of the individual over the collective good of the internet.

On a completely philosophical level, the ability to control your own personal information is difficult to apply because nothing happens in a vacuum. Censorship of your own information, in turn affects others’ information as well as the ability of others to get information. It also lends itself to abuse, as has already happened. For instance, a pianist named Dejan Lazic attempted to use the right to be forgotten to get a negative review deleted. As we discussed, this directly infringes on someone else’s right to expression.

In a way, the right to be forgotten lends itself to people attempting to censor information solely on the basis that they don’t like what it says. That’s a dangerous precedent to set.

Then there are the technical pitfalls of allowing someone to selectively whitewash their own online history, from the amount of work and strain it places on search engines to the way it impugns on freedom of information. All in all, the right to be forgotten is a nice idea, but bad policy.

Even in instances where “erasure” is warranted, such as with revenge porn, more specific legislation could easily address this without the potential overreach the right to be forgotten entails.

As always, lave any comments or questions below…

Check out the rest of the Hashed Out GDPR Compliance Series

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.