freshidea - stock.adobe.com

GDPR and the right to erasure: hiding in the shadows or welcome shade?

The European Union's new data protection laws introduce a right to be forgotten – but what does it means for corporate IT?

Anyone visiting the UK for the first time might easily be convinced we were obsessed with celebrity. From Love Island to the sadly defunct Bromans. From the trials and tribulations of Danniella Westbrook to the happy news about the Royal baby. From the folk on Jeremy Kyle and Gogglebox to... well, you get the picture.

But for every person desperate for exposure and attention, there are many more who would rather disappear from view entirely.

In a High Court ruling on 13 April 2018, two men convicted of dishonesty offences sued Google to remove search results showing newspaper reports about their convictions.

The case was heard under the current Data Protection Act 1998 with the men arguing, among other things, that the reports were no longer “relevant”. If they were no longer relevant, Google was breaching the third Data Protection Principle by continuing to display links to them.

Google’s argument that, like newspapers, it was entitled to the journalism exemption was quickly dismissed. Even so, the two men had two very different outcomes.

Right to be forgotten

The first man, codenamed NT1, had been convicted of false accounting in the late 1980s, and was keen that his current and potential clients should not be able to access news reports about his conviction. The court decided his clients might well think his previous conviction relevant and dismissed his application. The fact that he also misled the court didn’t help him at all.

The second man, NT2, did however succeed as the court decided the report about him was “out of date, irrelevant and of no sufficient legitimate interest to users of Google Search to justify its continued availability’. The court also noted that “NT2 has frankly acknowledged his guilt and expressed genuine remorse. There is no evidence of any risk of repetition”.

So happy days for reformed criminals? Maybe not career criminals, but perhaps some hope to stop that one terrible mistake decades ago being the top search engine result should anyone make a casual enquiry.

The European Court of Justice, followed by the British courts, has been slowly developing the so-called “right to be forgotten” for a few years. At the same time, the European Commission (EC) and Parliament have been working to completely overhaul data privacy law across the European Union (EU).

The result is the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018 with a brand new statutory right for all citizens: the right to erasure.

The right to erasure is intended to protect every one of us from companies and organisations holding onto our personal data well passed its use-by date, when it ceases to be relevant or where its continued use breaches our right to privacy. The technical grounds on which you will be entitled to require your personal data be erased are as follows:

  • It is no longer necessary for the purpose for which it was originally collected or processed.
  • The business processing the data relies on your consent and you then withdraw that consent.
  • The business processing the data does so relying on its own “legitimate interests”, but these are not sufficient to override your objection.
  • The business processes the data for marketing purposes and you object.
  • The business processed the data unlawfully.
  • The business has a legal obligation to erase the data.
  • The data being processed relates to having offered “information society services” to you as a child (even if you are now an adult).

Stinging punishment

Where a company receives a notice to erase personal data, it must do so “without undue delay” and within 30 days. It must also notify any other business or organisation to which it transferred the personal data that the right to erasure has been exercised and they must then take similar steps.

GDPR has real teeth when it comes to a business not complying with the right to erasure, with a fine of up to 4% of global turnover or €20,000,000. It may be unlikely that the top fine would ever be issued for a single, inadvertent failure to comply, but egregious or negligent failures may well attract a stinging punishment.

There are still exemptions to the right to erasure. These include where it would unfairly restrict someone else’s right of freedom of expression and information, prevent archiving of information in the public interest or for historical or scientific research, or where it would interfere with someone else’s ability to establish, exercise or defend legal claims.

A good example is the use of personal data by credit reference agencies (CRAs). Equifax, for one, has publicly set out its view that “it will be very rare that the CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection”.

Unlike the fee for providing a copy of personal data held about someone (abolished by GDPR), if the exercise of the right to erasure is manifestly unfounded or excessive, a business may charge a “reasonable fee” for complying with it.

So, where will we really be after 25 May?

Any business or organisation which processes personal data should expect a flurry of test requests. Not just on the right to erasure, but also the right to have a copy of all personal data provided in a portable format (without a fee being charged), various previous consents being withdrawn, and specific types of processing being objected to.

Businesses and organisations which have already completed their data mapping, updated and stress-checked their internal procedures and IT systems and established clear contractual arrangements with their own sub-processors will manage. The rest will struggle and may find themselves in the sights of the Information Commissioner’s Office.

As for citizens? For some, it’s a good time to think about all those inappropriate comments on social media, accounts with ill-advised platforms and local media reports on youthful indiscretions which don’t reflect who you are today but everyone keeps dredging up, particularly employers.

For others, who just feel too much of their private lives is glaringly open to all and sundry, it’s a good opportunity to seek some shade.

Read more about GDPR

  • We look at the options for tools to help organisations comply with the EU’s General Data Protection Regulation.
  • If you approach GDPR as if compliance is all that matters, then you're bound to fail – data protection should be at the heart of business strategy.
  • Data protection continues to be a key focus for IT security investment for European firms in 2018 as GDPR approaches.

Read more on Privacy and data protection