The General Data Protection Regulation and the “Right to be Forgotten”: A Primer for Information Professionals

CIRI Blog

Published: August 11, 2019 by Dr. Lisa Daulby

The European Union (EU) General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is designed to protect the privacy rights and freedoms of individuals residing in the EU. GDPR is a comprehensive regulation encompassing 99 articles with provisions for data collection, consent, breaches, processing and security. GDPR was developed to reflect changes to personal information governance in an interconnected and virtually borderless world. Organizations that collect personal data about EU residents including customer and employee information must comply with GDPR. Personal data is broadly interpreted as information related to an identified natural person irrespective of where this information is stored. Given that GDPR applies to organizations situated in and outside of the EU, the regulation is impacting organizations globally. GDPR places a strong emphasis on organizational data accountability and transparency as a result, GDPR EU Supervisory Authorities (regulators) can investigate and fine organizations up to 20 million EUR or 4% of global annual revenue for most violations.

Encompassed within the GDPR directive are several individual data subject rights including the right to be informed about what individual personal data is being collected and processed. In order to be GDPR compliant, organizations must also provide individuals with an avenue to access and request the production of their data. EU residents can also exercise the right to restrict the processing and use of their data and withdraw previously given consent. GDPR also strengthens the right to havepersonal data rectified if incorrect and transferred to another organization as required. Finally, GDPR defines the scope of the right of data erasure making it a fundamental liberty for individuals to request the deletion of information pertaining to them. Article 17, the individual subject right to erasure, also known as the “right to be forgotten” details the data retention and destruction requirements for data deletion requests. EU individuals can lawfully request the removal of their personal data from all storage environments and organizations must accommodate the request in a timely manner. As Information Professionals we must ask ourselves – does the individual subject right to erasure challenge the notion of records/information serving as documentary evidence of truth and accountability for organizations and society as a whole?

It is important not to overstate the right to erasure for it is not an absolute or unconditional right. The individual right carries several exceptions and limitations including the right of expression and freedom of information. Data also can not be erased if it conflicts with a competing record-keeping legal obligation to retain or is needed in defense of a legal claim. Additionally, an individual cannot request to delete personal data if it is required to carry out contractual obligations in providing the “goods and services” requested by the consumer. Finally, the removal or deletion of data, and the “right to be forgotten” needs to be balanced against the interest of public health and scientific/historical research.

GDPR was built on existing European data protection laws and principles and embodies a standard benchmark for forthcoming privacy regulations universally. Reflecting on the past year of GDPR regulatory enforcement, the implementation of the data erasure rules is bound by complexity; compounded by the multifaceted and ever evolving data environmental landscape. Enabling the data erasure right needs to be assessed on a case by case granular level, considering the type of information in question, it’s sensitivity for the individual and the interest of the public/corporation in having access to that information. The “right to be forgotten” debate is far from resolved and possess difficult questions about access to, and control of, digital information across national borders. While an individual’s right to privacy is paramount the “right to be forgotten” is not unlimited and will always need to be balanced against other fundamental data rights.

Reference:
On the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016