The General Data Protection Regulation (GDPR), which applies across the EU from 25 May 2018, codifies the 'right to erasure', often known as the 'right to be forgotten'.
The GDPR builds on and expands a 'right to be forgotten' that was first recognised by the European Court of Justice (ECJ) in its 2014 ruling in a case brought against Google Spain by a Spanish citizen, Mario Costeja González.
The ECJ ruled that Google and other search engines are responsible, as data controllers, for personal information appearing on web pages published by third parties, and that a search engine must remove links to such pages from the results of a search on a person's name when the person requests it and the information is inadequate, irrelevant or no longer relevant.
While much of the argument in the case was both protracted and abstract, the ruling stated that an individual's data rights, in general, override "not only the economic interest of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject's name".
Extension of rights
The GDPR expands and develops this 'right to erasure' to cover all personal data held by any organisation, whether or not the information is publicly available. Under the GDPR a data subject has the right to have their personal data deleted by an organisation:
* where the data is no longer necessary in relation to the purpose for which it was originally collected
* where the data subject withdraws consent and there is no other legal ground for continuing to hold the data
* where the data subject objects to the processing and there are no overriding legitimate grounds for continuing it
* where the data was unlawfully processed
* where the personal data was collected in relation to the offer of information society services to a child
Burden of proof
The GDPR also shifts the burden of proof from the 'data subject' (the individual) to the 'data controller' (the organisation). Previously the data subject had to show that they were entitled to have their data destroyed; now the organisation has to show that it has a legal basis for retaining control of, or access to, the data subject's data.
What this means
The GDPR states that data controllers must communicate with data subjects "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". Where a data subject wants to exercise one of their rights, the data controller has to act on the request "without undue delay" and in any event within one month of receiving it.
Where necessary, taking into account the complexity and number of requests, the data controller may extend that period by up to two further months, but it must tell the data subject about the extension, and the reasons for it, within the first month. If the data controller decides not to act on the request, it must likewise inform the data subject within one month, giving its reasons and pointing out the right to lodge a complaint with the supervisory authority.
Crucially, all of this must be done free of charge (a reasonable fee, or a refusal, is permitted only where a request is manifestly unfounded or excessive, and it is for the controller to demonstrate that). Any organisation which has not already started to put in place procedures for handling requests from the people whose data it holds could face significant difficulty in providing these services on time.
When you can refuse
As noted above, data controllers (businesses and other organisations) must comply with a data subject's request to be forgotten "without undue delay" and in any event within one month of receiving it.
The right to erasure is not absolute, however, and there are some very important exceptions that organisations need to be aware of, from both an operational and a legal perspective.
An organisation can refuse to comply with a request for erasure where continued processing of the personal data is necessary:
* to exercise the right of freedom of expression and information
* to comply with a legal obligation, or to perform a task carried out in the public interest or in the exercise of official authority (for instance, where the Revenue Commissioners require records to be retained)
* for reasons of public interest in the area of public health
* for archiving purposes in the public interest, or for scientific or historical research or statistical purposes, where erasure would make those aims impossible or seriously impair them
* for the establishment, exercise or defence of legal claims
It is important to remember that, under the GDPR, it is the organisation and not the individual that must show a legal basis for retaining control of, or access to, the data subject's data, and it must tell the person who made the request why it is refusing to erase it.
The DataSec 2017 conference takes place on May 3 in the RDS in Dublin.
The event will provide expert speakers, information and insight to help your business comply with GDPR and get the most out of the new legislation.