What is the Right to be Forgotten? 

5 min to read

The right to be forgotten is a law where users can ask a business or website to delete their personal data. It appears in Article 17 of the General Data Protection Regulation (GDPR), which applies to everyone operating in the European Union (EU) and the European Economic Area (EEA).

The right to be forgotten was initially confirmed in May 2014. Users can ask to have all of their personal data deleted if they wish, and the aim of the rule was for personal autonomy. Even if someone previously wanted their information in a database, they can remove it if they change their mind.

Deep Dive:
The right to be forgotten can differ slightly depending on why someone wants their data to be deleted. Moreover, you may see small differences in terms of how this rule is implemented across the EEA.
Key Takeaways:
  • The right to be forgotten is part of the EU’s General Data Protection Regulation (GDPR)
  • All businesses in the EU must comply with the right to be forgotten, which allows users to delete personal data
  • The right to be forgotten is important for user privacy and also applies to countries outside the EU but in the EEA
Hocoos small logo Answers Legal and Ethical Considerations

What legal basis does the right to be forgotten have? 

The right to be forgotten’s legal bases is within these two areas: 

  • GDPR Article 17: The right to request data deletion if it’s no longer required, consent no longer exists, or the data was obtained without a user’s permission. 

  • Directive 95/46/EC: This regulation was designed as a foundational part of EU internet protection. 

If the user’s request falls within either of these legal bases, the data collector must delete the user’s personal information. This can be used if information is no longer relevant (e.g. someone has unsubscribed), or if it’s not accurate anymore (e.g. a user’s address or name has changed).

Outlining when users can and cannot delete data should form a key part of your privacy policy. 

Deep Dive: 
While the right to be forgotten is a valuable principle, implementation may vary across different legal systems. It depends on the context, as data processing might be necessary in certain scenarios. These include for legal reasons, to conduct scientific research, and for public interest circumstances.

How does the right to be forgotten differ from the right to privacy? 

Another important regulatory framework is the right to privacy; since this differs from the right to be forgotten, understanding them both is crucial. 

The primary difference is that the right to privacy is about not making personal information publicly available. On the other hand, the right to be forgotten involves publicly available information and allows the user to request its deletion. 

The right to be forgotten is one part of the EU/EEA’s broader privacy framework, which each member state also builds upon itself. The right to be forgotten is essentially a specific subcategory within the larger framework of the right to be forgotten. 

Pro Tip:
Give users options to control their data on your website.

In what situations can the right to be forgotten be invoked? 

The right to be forgotten can be invoked when users want their information removed from the public domain. This is particularly important in search engines, for example, when data (e.g. home addresses) might appear without the person realizing. 

A user can also invoke the right to be forgotten on different online platforms, such as websites and social media networks. They may wish to exercise their rights in these situations: 

  • The information is no longer required (e.g. they’ve deactivated their account). 

  • The data is outdated (e.g. they’ve changed their name). 

  • The information might harm someone’s reputation (e.g. impersonation attempts). 

Other examples in which the right to be forgotten can be invoked include: 

  • Data has not been legally processed (e.g. the user did not give consent). 

  • There are no genuine reasons to process the data. 

  • Erasing irrelevant/outdated press coverage, particularly if it’s negative. 

To ensure that you comply with the right to be forgotten, you should consider hiring a legal expert.  

Who can request the removal of information under the right to be forgotten?

The right to be forgotten is available for any resident in the EU, EEA, and UK. This includes people living in the EU/EEA/UK while having a different citizenship (e.g. an American citizen living in the UK). 

Residents in these areas may request correction or removal of personally identifiable information if it’s demonstrably erroneous or irrelevant. To do this, a user can contact the website administrator or owner.

One important thing to note is that a user does not need to specifically mention Article 17, the right to be forgotten, or anything along those lines. Instead, they just need to reach out and ask for their information to be deleted.

After removing a person’s information, you should contact the individual to confirm that you’ve accepted their request. 

What are the limitations of the right to be forgotten? 

There are several other factors to take into account when exercising the right to be forgotten. It’s important to also consider the right to freedom of expression, for example. Moreover, you’ll need to consider whether this information needs to be publicly available. 

It’s also vital to understand that the right to be forgotten doesn’t cross boundaries with legal requirements. Rather than being a way to censor people, the right to be forgotten is about ensuring that entities do not sell personal information without a user’s consent. 

What are the implications of the right to be forgotten for online platforms and search engines? 

Implementing the right to be forgotten presents challenges, necessitating careful consideration and appropriate execution. Doing so, however, will require nuance; many decisions will be subjective. 

Understanding all of the associated legal frameworks, and including the right to be forgotten within this ecosystem, will be particularly important. On top of that, you will also need to think about how users can enforce their rights; for example, you might include elements on your website that work within this. 

Make sure that anything you implement falls within the GDPR’s official guidelines. Working with legal advisors and experts will also be essential for enforcing everything. 

Conclusion 

The right to be forgotten is a crucial consideration for all businesses and websites operating in the EU, EEA, and UK. Users have the right to request that their information is removed, as long as it falls within legitimate reasons. Knowing when to delete this data, and when it must stay up, is imperative. 

Balancing privacy and public interest is a key consideration, and you should also consider the possibilities of similar rules being implemented elsewhere. Only collect information that is an absolute necessity, and cooperate with users to get rid of information that shouldn’t be public.

Table of Contents

READY TO KICK-START YOUR SMALL BUSINESS JOURNEY?

Important Consideration: The information provided by our expert team is designed to give you a general understanding of the website creation process and the features available to you. It's important to note that this information is not a substitute for professional advice tailored to your specific needs and goals.
Read our editorial standards for Answers content.
Our goal is to empower you to create an amazing website. If you have questions or need guidance during the building process, don’t hesitate to Contact us. We're happy to provide assistance and point you in the right direction.