GDPR: Strengthening the right to be forgotten
Today, personal data is already protected. Indeed, there is a dereferencing right in Europe. The General Data Protection Regulation (GDPR) provides another right to be forgotten, which is the right to erasure. This Regulation will come into effect on May 25th, 2018 in the European Union. The idea behind the law is that specific data cannot be found in the database anymore. However, this right, which is granted by Article 17 of the GDPR, will be applied with conditions and limits.
The application of the right to erasure
The right to erasure will be a new protection for personal data. Unlike with the right of dereferencing, data won’t stay in the database. Dereferencing does not allow an individual to personally remove the data; instead, a request can be made to the search engine so that one is no longer associated with a certain search.
For the application of the right to erasure, many reasons will be valid. Essentially, the data will be erased if there is no legitimate reason to retain it. Also, the data can be erased if consent is withdrawn, which can happen for several reasons.
If the data subject is not processing information, and there aren’t any legitimate grounds, the controller must respect the application to withdraw. This could occur if there has been unlawful processing of the data. Furthermore, there could be an erasure if the controller of the data has a legal obligation. Lastly, data can be erased if it was collected in accordance with information society services.
If the personal data has been transferred to somebody else, the controller must inform all concerned persons that the subject of the data has requested the erasure of the data. This right may seem like major progress, but it is still restricted in many situations.
In what situations can’t this right be applied?
Firstly, the right of freedom of expression and information will always be prioritised when confronted with the right to erasure. The right also cannot be invoked when information processing is necessary for compliance with a legal requirement. A task of public interest or the exercise of official authority justifies data retention. Also, the right to erasure shall not be applied when it comes to public health. The controller has the right not to erase the personal data if he needs it for archiving, scientific or historical research or for statistical purposes. Finally, erasure is not possible if the data is intended to establish or defend against a legal claim.
This means that the data subject can’t be sure that her information will be erased because there are many limitations to this right. If somebody doesn’t want to leave a trace, the best solution is to stay far from new technologies.
For more information:
Les Big Data à découvert, Mokrane BOUZEGHOUB and Rémi MOSSERI, p. 307