Data Erasure & The Right to be Forgotten
The ‘right to be forgotten’ is a legal concept that is fast evolving in the European Union (EU) that could eventually find its way to the US federal law according to data privacy experts. With the amount of personal information flowing around the internet, and the misuse of it, it has led to people to consider completely disappearing from the world-wide web, via a few clicks.
What Right to be Forgotten is:
The right to be forgotten allows people to ask for internet search results that are based on names and other personal information such as home addresses or recent criminal convictions to be removed. This concept has been a part of the European Union’s data protection laws since 1995, however it was not until 2014 that it became acknowledged by the Court of Justice for the European Union (CJEU) in a landmark hearing involving Google Spain, and a Spanish citizen – Mario Costeja González.
In the case of Google Spain, the court looked at the EU’s data protection directive as a qualified right to be forgotten and ruled that search engines were required to balance someone’s request for data removal with that of the public interest in keeping the data. The court’s view was that people had the right to request de-listing of information of their data from search engines. Since that ruling, 3 million European citizens have made similar requests for their data to be removed from search engines.
In certain circumstances data may not have to be erased, these can include:
- If data supports legal claims
- For purposes of Historic and Scientific research
- The right for freedom of expression
- If the information is necessary for public health purposes
The wider impact:
Whilst states in the US have recently implemented a similar legal concept such as California with its Consumer Privacy Act, it doesn’t protect an individual’s data privacy rights to the same extent as seen in Europe.
With the introduction of GDPR it acted as a standard of law that other countries in Asia and the US would follow, a lot of the concepts in those legislations such as the right to opt out, and the right to access an individual’s stored data, originated from GDPR.
In the end data controllers would in some respects end up being the judge and jury in handling data erasure requests with those of other competing rights and interests.
With the introduction of GDPR and how it has strengthened the right to erasure, organisations must prove that there is a legal basis in retaining control or access to data of their customers.
With the right tools brands can honour the rights of individual’s who trust their privacy will be respected, find out more from Protegrity’s GDPR -Act 17 webinar which looks at how the act is a GDPR requirement which allows EU citizens to have their online data corrected or removed if deemed to be inaccurate.
*** This is a Security Bloggers Network syndicated blog from Blog – Protegrity authored by Raajveer Loyal. Read the original post at: https://www.protegrity.com/data-erasure-the-right-to-be-forgotten/