GDPR and the right to erasure: hiding in the shadows or welcome shade?

The European Union's new data protection law introduces a right to be forgotten, but what does it mean for corporate IT?

Anyone visiting the UK for the first time might easily be convinced we were obsessed with celebrity. From Love Island to the sadly defunct Bromans. From the trials and tribulations of Danniella Westbrook to the happy news about the Royal baby. From the folk on Jeremy Kyle and Gogglebox to... well, you get the picture.

But for every person desperate for exposure and attention, there are many more who would rather disappear from view entirely.

In a High Court ruling on 13 April 2018, two men convicted of dishonesty offences sued Google to remove search results showing newspaper reports about their convictions.

The case was heard under the current Data Protection Act 1998 with the men arguing, among other things, that the reports were no longer “relevant”. If they were no longer relevant, Google was breaching the third Data Protection Principle by continuing to display links to them.

Google’s argument that, like newspapers, it was entitled to the journalism exemption was quickly dismissed. Yet the two men had very different outcomes.

Right to be forgotten

The first man, codenamed NT1, had been convicted of false accounting in the late 1980s, and was keen that his current and potential clients should not be able to access news reports about his conviction. The court decided his clients might well think his previous conviction relevant and dismissed his application. The fact that he also misled the court didn’t help him at all.

The second man, NT2, did however succeed, as the court decided the report about him was “out of date, irrelevant and of no sufficient legitimate interest to users of Google Search to justify its continued availability”. The court also noted that “NT2 has frankly acknowledged his guilt and expressed genuine remorse. There is no evidence of any risk of repetition”.

So happy days for reformed criminals? Maybe not career criminals, but perhaps some hope to stop that one terrible mistake decades ago being the top search engine result should anyone make a casual enquiry.

The European Court of Justice, followed by the British courts, has been slowly developing the so-called “right to be forgotten” for a few years. At the same time, the European Commission (EC) and Parliament have been working to completely overhaul data privacy law across the European Union (EU).

The result is the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and gives every data subject a brand new statutory right: the right to erasure (Article 17).

The right to erasure is intended to protect every one of us from companies and organisations holding onto our personal data well past its use-by date, when it ceases to be relevant or where its continued use breaches our right to privacy. The grounds on which you will be entitled to require your personal data to be erased are as follows:

  • It is no longer necessary for the purpose for which it was originally collected or processed.
  • The business processing the data relies on your consent and you then withdraw that consent.
  • The business processing the data does so relying on its own “legitimate interests”, but these are not sufficient to override your objection.
  • The business processes the data for marketing purposes and you object.
  • The business processed the data unlawfully.
  • The business has a legal obligation to erase the data.
  • The data being processed relates to having offered “information society services” to you as a child (even if you are now an adult).

Stinging punishment

Where a company receives a request to erase personal data, it must act on it “without undue delay” and in any event within one month (extendable by up to two further months for complex or numerous requests, provided the individual is told why). It must also tell each recipient to which it has disclosed the personal data that the right to erasure has been exercised, unless that proves impossible or involves disproportionate effort, and where it has made the data public it must take reasonable steps to inform other controllers processing it so that they erase their copies, links and replications too.

GDPR has real teeth when it comes to a business not complying with the right to erasure, with a fine of up to 4% of worldwide annual turnover or €20,000,000, whichever is higher. It may be unlikely that the top fine would ever be issued for a single, inadvertent failure to comply, but egregious or negligent failures may well attract a stinging punishment.

There are still exemptions to the right to erasure. These include where it would unfairly restrict someone else’s right of freedom of expression and information, prevent archiving of information in the public interest or for historical or scientific research, or where it would interfere with someone else’s ability to establish, exercise or defend legal claims.

A good example is the use of personal data by credit reference agencies (CRAs). Equifax, for one, has publicly set out its view that “it will be very rare that the CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection”.

GDPR abolishes the standard fee for providing someone with a copy of the personal data held about them. However, where a request, including a request for erasure, is manifestly unfounded or excessive, a business may either charge a “reasonable fee” for dealing with it or refuse to act on it, and the burden of demonstrating that the request is unfounded or excessive falls on the business.

So, where will we really be after 25 May?

Any business or organisation which processes personal data should expect a flurry of test requests. Not just on the right to erasure, but also the right to have a copy of all personal data provided in a portable format (without a fee being charged), various previous consents being withdrawn, and specific types of processing being objected to.

Businesses and organisations which have already completed their data mapping, updated and stress-checked their internal procedures and IT systems and established clear contractual arrangements with their own sub-processors will manage. The rest will struggle and may find themselves in the sights of the Information Commissioner’s Office.

As for citizens? For some, it’s a good time to think about all those inappropriate comments on social media, accounts with ill-advised platforms and local media reports on youthful indiscretions which don’t reflect who you are today but everyone keeps dredging up, particularly employers.

For others, who just feel too much of their private lives is glaringly open to all and sundry, it’s a good opportunity to seek some shade.
