top of page

GDPR

The right to be forgotten - removing negative information about you from Google?

The right to be forgotten under EU's GDPR is more important than ever as it is also applicable on search engines - and many people have information out there that they may find harmful, incorrect and or private in its nature. For many persons, the information can make it hard for them to find a job, rent an appartment or even to find a partner.

So here we will look at how the right to be forgotten works, how to use it, what requirements that need to be met in order for google or another search engine to be required to adhere to a request for the right to be forgotten.

Legal Foundation

The legal ground for the right to be forgotten is found in article 17 of the GDPR. Fundamentally, under GDPR the processing of personal data is only permitted if there is a legal ground for it - the extension of this principle is that if a data subject (that is you or me - the person whose data is processed) finds data that should not be processed or made available for others, there should be a way for such an individual to demand that it is erased. In other words, the individual data subject has a right to be forgotten.


However, such a right can of course lead to a mind field. Should you be able to re-write history? Should a politican running for election have a right to have information about his or her criminal records removed from the web? Let's look closer at the concept of the right to be forgotten, when you can use it, and how it works.


When Does It Apply?

An individual can request erasure of their personal data in particular if one or more of the following conditions are met:


  1. Data is no longer necessary: The data is no longer required for the purpose it was originally collected.

  2. Data subject withdraws consent: You withdraw the consent that formed the legal ground for processing the data in the first place, and there is no other legal basis for processing the same data that would warrant it being kept.

  3. Data subject objects to the processing: You object to the processing of the personal data concerning you, and there are no overriding legitimate grounds for the data to be retained.

  4. Unlawful processing: The data was processed unlawfully (e.g. the controller had no legal basis to begin with).

  5. Legal obligation: Erasure is required to comply with a legal obligation in EU law or the law of a member state (note that legal obligations under other jurisdictions' laws do not matter).


When Does It Not Apply?

Sometimes, a legitimate request to be forgotten may still be rejected by the search engine. When making the decision of whether to remove the information, the search engine will only do so unless the data is necessary for:

  1. Exercising the right of freedom of expression and information.

  2. Compliance with a legal obligation.

  3. Performing a task carried out in the public interest or in the exercise of official authority.

  4. Public health interests, such as many matters that came up with Covid that concerened protecting against serious cross-border health threats.

  5. Archiving in the public interest, scientific or historical research, or statistical purposes.

  6. Establishing, exercising, or defending legal claims.


How It Works in Practice

1. Submitting a Request

a) You as the individual that is directly concered need to contact the search engine and explicitly request erasure. Technically, you are making a request to the data controller, which in this case is the search engine that creates and delivers the search results. (Any time you want to use your rights under GDPR it should be done towards the controller - the organisation that is deciding what data about you that it processes, why it does so and how it does so.)


b) Most companies will want you to use their specific forms or submission platforms for requests to be forgotten. But this is not required - your request will be just as valid even if you make it through another form of communication - including verbally.


c) The request should as clearly as possible identify the data you want erased and, just as importantly, you need to be able to provide proof of your identity when making the request. (Imagine if anybody could make a claim that they were you and request information about you to be removed!)


2. Verification - you must be able to show the information is about YOU

The relevant search engine must, after receiving your request:

a) Verify your identity to ensure that no unauthorized access or deletion is granted.

b) Make a careful test as regards the merits of the request you have made for the data to be removed, weighed against the reasons outlined above that would warrant the data to be retained by the search engine.


3. Decision and response about your request

The search engine must respond to your request "without undue delay", which usually means within one month. However, if your request is complex or involves large volumes of data, this period can be extended by an additional two months, but then they need to inform you of the delay.


4. Deleting the information?

If your request is deemed to be valid and no counter arguments are to be prioritized (as listed above), then the relevant search engine has a legal obligation to erase the personal data about you that is in question.


However, if the search engine comes to the conclusion that it should refuse to erase the data about you, it must first and foremost provide a clear explanation for the refusal so you can assess their decision, and inform you of your right to submit a complaint with the relevant data protection authority or seek judicial remedies.


Challenges with the practical use of the right to be forgotten - to think of for you as a business owner


It may be hard to identify all data

The personal data can be scattered across systems, backups, and third-party processors so it can be hard to a) accomplish full erasure and b) to verify that is has been done. Remember - if you are the considered as the controller this will be your responsiblity.


Even if you get you right to deletion

A) the search engine does not delete the underlying data, only its own search results.

Note that the seach engine only deletes the search results. As such, the website with the actual data will still remain intact (unless you successfully get them to delete it as well), meaning that the data can still be available.


B) only search results within the EU will be adjusted

Generally speaking, the search engine will only delete the results when it comes to searches made in the EU where it must comply with the GDPR. This means that if a person searches with the same keywords from the US, they may still be linked to the information that you wanted to be erased.


Conclusion

The right to be forgotten is often invoked in cases involving search engines like Google. The right to be forgotten empowers you to, to some extent, control your digital footprint by requesting the deletion of your personal data when deemed reasonable in relation to e.g. the public's right to information and the freedom of expression. While it offers fairly robust protections, practical challenges and conflicting obligations can complicate its usability.


London, 18 December 2024

Author: Kat Strandberg Email: kat@stgcommerciallaw.com

Legal Foundation

The legal ground for the right to be forgotten is found in article 17 of the GDPR. Fundamentally, under GDPR the processing of personal data is only permitted if there is a legal ground for it - the extension of this principle is that if a data subject (that is you or me - the person whose data is processed) finds data that should not be processed or made available for others, there should be a way for such an individual to demand that it is erased. In other words, the individual data subject has a right to be forgotten.


However, such a right can of course lead to a mind field. Should you be able to re-write history? Should a politican running for election have a right to have information about his or her criminal records removed from the web? Let's look closer at the concept of the right to be forgotten, when you can use it, and how it works.


When Does It Apply?

An individual can request erasure of their personal data in particular if one or more of the following conditions are met:


  1. Data is no longer necessary: The data is no longer required for the purpose it was originally collected.

  2. Data subject withdraws consent: You withdraw the consent that formed the legal ground for processing the data in the first place, and there is no other legal basis for processing the same data that would warrant it being kept.

  3. Data subject objects to the processing: You object to the processing of the personal data concerning you, and there are no overriding legitimate grounds for the data to be retained.

  4. Unlawful processing: The data was processed unlawfully (e.g. the controller had no legal basis to begin with).

  5. Legal obligation: Erasure is required to comply with a legal obligation in EU law or the law of a member state (note that legal obligations under other jurisdictions' laws do not matter).


When Does It Not Apply?

Sometimes, a legitimate request to be forgotten may still be rejected by the search engine. When making the decision of whether to remove the information, the search engine will only do so unless the data is necessary for:

  1. Exercising the right of freedom of expression and information.

  2. Compliance with a legal obligation.

  3. Performing a task carried out in the public interest or in the exercise of official authority.

  4. Public health interests, such as many matters that came up with Covid that concerened protecting against serious cross-border health threats.

  5. Archiving in the public interest, scientific or historical research, or statistical purposes.

  6. Establishing, exercising, or defending legal claims.


How It Works in Practice

1. Submitting a Request

a) You as the individual that is directly concered need to contact the search engine and explicitly request erasure. Technically, you are making a request to the data controller, which in this case is the search engine that creates and delivers the search results. (Any time you want to use your rights under GDPR it should be done towards the controller - the organisation that is deciding what data about you that it processes, why it does so and how it does so.)


b) Most companies will want you to use their specific forms or submission platforms for requests to be forgotten. But this is not required - your request will be just as valid even if you make it through another form of communication - including verbally.


c) The request should as clearly as possible identify the data you want erased and, just as importantly, you need to be able to provide proof of your identity when making the request. (Imagine if anybody could make a claim that they were you and request information about you to be removed!)


2. Verification - you must be able to show the information is about YOU

The relevant search engine must, after receiving your request:

a) Verify your identity to ensure that no unauthorized access or deletion is granted.

b) Make a careful test as regards the merits of the request you have made for the data to be removed, weighed against the reasons outlined above that would warrant the data to be retained by the search engine.


3. Decision and response about your request

The search engine must respond to your request "without undue delay", which usually means within one month. However, if your request is complex or involves large volumes of data, this period can be extended by an additional two months, but then they need to inform you of the delay.


4. Deleting the information?

If your request is deemed to be valid and no counter arguments are to be prioritized (as listed above), then the relevant search engine has a legal obligation to erase the personal data about you that is in question.


However, if the search engine comes to the conclusion that it should refuse to erase the data about you, it must first and foremost provide a clear explanation for the refusal so you can assess their decision, and inform you of your right to submit a complaint with the relevant data protection authority or seek judicial remedies.


Challenges with the practical use of the right to be forgotten - to think of for you as a business owner


It may be hard to identify all data

The personal data can be scattered across systems, backups, and third-party processors so it can be hard to a) accomplish full erasure and b) to verify that is has been done. Remember - if you are the considered as the controller this will be your responsiblity.


Even if you get you right to deletion

A) the search engine does not delete the underlying data, only its own search results.

Note that the seach engine only deletes the search results. As such, the website with the actual data will still remain intact (unless you successfully get them to delete it as well), meaning that the data can still be available.


B) only search results within the EU will be adjusted

Generally speaking, the search engine will only delete the results when it comes to searches made in the EU where it must comply with the GDPR. This means that if a person searches with the same keywords from the US, they may still be linked to the information that you wanted to be erased.


Conclusion

The right to be forgotten is often invoked in cases involving search engines like Google. The right to be forgotten empowers you to, to some extent, control your digital footprint by requesting the deletion of your personal data when deemed reasonable in relation to e.g. the public's right to information and the freedom of expression. While it offers fairly robust protections, practical challenges and conflicting obligations can complicate its usability.


London, 18 December 2024

Author: Kat Strandberg Email: kat@stgcommerciallaw.com

bottom of page