Wherever there exists a conversation about the GDPR (General Data Protection Regulation), you can guarantee a handful of infamous topics are covered: the scaremonger-worthy administrative penalties, the notion of consent being the lawfulness to rule all others and the Lord Lucan of rights, the right to be forgotten.
The most curious thing about the right to be forgotten is the poor understanding that most have of it, choosing a literal interpretation of the name whilst ironically forgetting that it is officially known as "the right to erasure". You may have been told that the right to be forgotten means that a data subject can request that all personal data and references to their existence be removed; a fitting end to the plague that is the abuse of personal data and a blow to any unwanted communication, continent-wide.
There is no absolute "right" to be removed
Not quite, this blog post retorts, for three reasons. One, because this blog post would end too early to justify writing; two, the right to erasure and the right to be forgotten semantically have different outcomes; and three, because the right to erasure is not an absolute right. In fact, the right to erasure is one which can very rarely be requested in its own right. In a broad sense, this right only requires data controllers to remove personal data which they have no compelling reason to retain.
To understand this better we can refer to Article 17, which gives us two sets of conditions: conditions for when the right to erasure must be enacted, and scenarios where the data controller is exempt from those conditions.
When to erase data
Data controllers are obliged to erase personal data in the following cases:
- When data is no longer necessary for the purpose for which it was collected. Put simply, if someone agrees to give you their email address for the purpose of an email-based newsletter, once that newsletter ceases, this personal data must be removed.
- When a data subject withdraws consent or objects to processing and there are no overriding reasons or other lawful basis for continuing to process their personal data.
- When personal data has been processed unlawfully.
- Where a legal obligation exists to enforce the removal of a data subject’s personal data.
As you may have noticed from the above, the right to erasure is more often than not a consequence of having no lawful basis for processing or continuing to process, as opposed to something which is directly requested.
Whose data right is it anyway?
Despite the opinions of many, the GDPR is not intended to be a paddle board used to beat data controllers and processors out of business. In the spirit of sensibleness, there are some cases where the data controller is not compelled to erase, such as:
- Where processing is an act of freedom of expression.
- Where processing is required to comply with a legal obligation - I was recently reminded of this clause regarding the retention of background checks when working with vulnerable members of society.
- Where processing relates to public health interests.
- Where processing is used for the purpose of archiving in the public interest - think censuses or land registries.
- Where processing may be necessary for the exercise or defence of legal claims.
What about the data subjects?
For marketers, channel partners and vendors wishing to advertise their wares, the refusal clauses probably do not suit. However, take some comfort in the limited list of conditions where erasure is required. In essence, if you are complying with the rest of the regulation by ensuring lawfulness of processing, the right to erasure may never cross your processing path.
It is not an absolute right, and any notion of mass deletion of personal data due to data subjects requesting to be forgotten is pure fabrication. Data subjects may, under ill advice or understanding, still request erasure. However, this may not be the ultimate outcome, because the GDPR is not about awarding one party over the other; it is about sensible control and data protection for the modern age.