What is the Right to be Forgotten?
The Right to be Forgotten is the right of the individual to request information be removed from Internet search engines and other online directories under certain, specific circumstances.
There has been a form of the right to be forgotten present in the EU Law since 2014, with long-standing discussions surrounding the careful balance necessary between the right to freedom of expression and free speech and people's rights to their own data and data protection.

Right to be Forgotten - What you need to know
Pretty much everyone has heard of the EU’s GDPR (General Data Protection Regulation), as it was high up in the headlines as a proposed regulation prior to it coming into force in 2018.
The GDPR applies to all European Union member states and lays out the regulations regarding data collection, data protection and the rights of data controllers and individuals.
The Right to be Forgotten is Article 17 of the GDPR and it gives people the right to control their own data under certain circumstances.
Individuals can make a valid verbal request for data erasure under the GDPR, emphasizing the importance of having a clear process for handling such requests.
Let’s have a closer look at the right to be forgotten, how it works, and why this European Data Protection law impacts everyone in one way or another.


Speak with Roz our online reputation management expert, in complete confidence.
History of the Right to be Forgotten
As a concept, the Right to be Forgotten has been under discussion and put into practice in various jurisdictions, including the Philippines, Argentina and the European Union, for many years.
The whole idea of a right to be forgotten derives from people wanting autonomy over their data, without it being used to stigmatise them in the future. In other words, people want the right for their past actions - or simply incorrect historical information about them - to be scrubbed from the Internet so that third parties can't use it against the.
Criminal convictions are the obvious example of the kind of data use that could adversely impact the data subject.

Common arguments against the right to be forgotten
Controversy surrounds the very concept of an individual's right to be forgotten and ability to remove data from search engines.
Those arguing against the right to be forgotten in terms of data protection question the practicalities of treating such a right as an actionable, international human right.
Vague and differing regulations and differing rulings regarding its implementation contribute towards the ambiguity of applying this as a human right in practical terms.
The potential impact of such a right on other rights also causes controversy. For example, how is it possible to square the right to be forgotten with the right to freedom of expression? Furthermore, how does it work with the right to privacy and is it possible that the implementation of the right to be forgotten would lead to a less high-quality search function?
However, those who argue for the right to be forgotten citing circumstances such as revenge porn and the damage it does to people as a clear reason for it to exist. The same argument in favour includes instances of search results picking up someone's past criminal convictions or personally identifiable information.

Personal Reputation Management
|
Read more
From concept to implementation - the right to erase personal data
It all comes down to and its vital importance in the lives of individuals and the functionality of businesses.
Previous data protection laws in the European Union also intended to ensure that information about people shouldn't be used to damage them. However, this was largely predicated on the basis of a right to erasure, which was less all encompassing.
In the UK, there has been a long-held understanding that certain information (including a criminal conviction) about an individual should be 'spent' after a specified period of time. This can be seen with the Rehabilitation of Offenders Act, which was put in place in 1974.
The French Government also recognises, in law, 'le droit a l'oubli', which was first implemented in 2010.
So, while the 'right to be forgotten' as a term is relatively new, the ideas behind it are not.

European Court ruling in favour of the data subject over search engines
In 2014, the right to be forgotten was first officially recognised as a human right by the European Court of Justice. This was due to the ruling made in the case of Google Spain v Agencia Espanola de Proteccion de Datos, Mario Costeka Gonzalez.
The decision was that the search engine operator (in this case, Google) must consider legal claims from people to remove their data from Google search results according to certain circumstances.
These are:
- That the search results are inadequate.
- That the search results are irrelevant or no longer relevant.
- That the search results are excessive given the length of time since publication.
The seeds of the current General Data Protection Regulation can be found in the EU's implementation of the Data Protection Directive in 1995. This directive was brought in to provide regulation for the processing of personal data. Today, this is part of human rights law.

We Can Remove Your Personal Information Online
|
Read more
Protecting the rights of individuals pertaining to data
As we've seen, the history of the RTBF has grown out of the concept that after a certain amount of time, a person's past should not be considered when they seek employment.
The advent and development of the Internet, along with sophisticated search engines such as Google and Bing, made this kind of information very easy to find. Any employer can simply enter the applicant's name into a search engine and find out about their background in detail.
Should this adversely impact to applicant's chances of being employed due to old content or personal information that is no longer relevant, then it would fall under the right to be forgotten.
The Spanish case mentioned earlier revolved around a newspaper announcement about a forced property sale that was required to settle a debt. In 2009 Costeja (the data subject) contacted the newspapers to remove the record because the information had been found when searching for his name.
When the newspaper denied the request, Costeja contacted Google Spain to remove the search result. Google refused and eventually the courts ruled that Google had to remove the search results as it was a valid request, but the newspaper didn't have to remove the original article.
And this is the ruling that effectively established precedence and validated the right to be forgotten law. However, a case in 2019 ruled that Google does not have to apply the law outside of the European Union and the UK.

Is any company exempt from compliance with GDPR?
In May 2018, the General Data Protection Regulation (GDPR) came into force. Created, as we've seen, to give individuals more control over their own personal data, the GDPR also governs and how that data is stored by third parties such as retailers, social networks or publications.
While the GDPR does make provisions for exemption for media companies, Google chose not to opt in to this. Therefore, as Google isn't categorised as a media company, it is not protected from the GDPR or the right to be forgotten.
The EU categorises Google as a data controller for the purposes of the data protection directive. All data controllers are legally required, in every EU member state, to delete data that is "inadequate, irrelevant or no longer relevant".
This is why the GDPR and the right to be forgotten have international and global implications. However, this ruling only applies to personal data. You cannot use the right to be forgotten to request that any business or commercial content, images or video are removed from Google's search results.

Criteria for Erasure
The General Data Protection Regulation (GDPR) sets out specific criteria for the erasure of personal data. According to Article 17, the data subject has the right to obtain from the controller the erasure of personal data without undue delay when certain conditions are met. These conditions include:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing.
- The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
- The personal data has been unlawfully processed.
- The personal data must be erased to comply with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data has been collected in relation to the offer of information society services to a child.
Data controllers are required to erase personal data without undue delay, considering the technical feasibility and the cost of the operation. This ensures that individuals can exercise their rights effectively and that their personal data is protected in accordance with the GDPR.

Response and Criticism
The right to be forgotten has sparked a range of responses and criticisms. Some argue that it restricts the right to freedom of expression and information, while others see it as a necessary measure to protect individuals’ personal data. The European Court of Justice has ruled that the right to be forgotten is a fundamental right in the EU, but it must be balanced against the right to freedom of expression and information.
Reputation management firms have leveraged the right to be forgotten to help individuals remove unfavorable information from search engines. However, this practice has faced criticism as a form of censorship. Google, in particular, has been scrutinized for its handling of right to be forgotten requests, including the removal of links to BBC News weblog posts.
Despite these criticisms, the right to be forgotten remains a crucial tool for individuals seeking to protect their personal data and online reputation. It highlights the ongoing debate between privacy rights and the public’s right to access information.

Jurisdiction and International Relations
The right to be forgotten has significant implications for international relations, particularly between the EU and the United States. The two regions have been negotiating trans-Atlantic data privacy regulations, including the International Safe Harbor Privacy Principles agreement. However, the Safe Harbor agreement was invalidated by the European Union Court of Justice in the Schrems case, highlighting the complexities of international data privacy laws.
To address misconceptions about the right to be forgotten, the EU has released a factsheet that provides information about the important court case C-131/12 and frequently asked questions regarding Google, the purpose of the law, and how it works. This effort aims to clarify the law and its application, ensuring that individuals and organizations understand their rights and obligations.

Legal Claims and Disputes
The right to be forgotten has led to various legal claims and disputes, as individuals seek to have their personal data removed from search engines. Notable cases, such as the Costeja case, have set important precedents in this area. In the UK, the Data Protection Act 2018 provides for restrictions on the right to erasure in certain circumstances. Section 60 of the Act outlines restrictions necessary for important objectives of public interest, while Section 43 seeks to balance the right of erasure with the right to freedom of expression and information.
In the US, the California Minor Eraser Law allows residents younger than 18 to request the removal of information they posted online. This law applies to websites, social media sites, mobile apps, and other online services, reflecting the growing recognition of the need to protect personal data.
Overall, the right to be forgotten is a complex issue that raises important questions about the balance between individual privacy rights and the right to freedom of expression and information. As legal claims and disputes continue to arise, courts and lawmakers must navigate these challenges to ensure that both rights are adequately protected.

Your rights under the Right To Be Forgotten
The GDPR applies to every EU member state - and any organisation that uses EU citizens’ data and has done so since 25 May 2018.
Article 17 keeps the 1995 Directive’s intent to allow people to request their data is deleted when it’s no longer relevant. It also increases this right, to give people more control over who can access and use their data.
The RTBF gives individuals the chance to override perceived public interest in information about themselves.
Individuals can make a valid verbal request for data erasure under the GDPR, emphasizing the importance of having a clear process for handling such requests.
If you are an EU citizen, you can ask an organisation to delete information or data they hold about you, without undue delay. This offers an avenue to protect a person’s online reputation from being available to any and all Internet users.

Criteria for data privacy law to be effective
Under GDPR, an EU citizen can request that an organisation deletes the data subject's information if:
- The data originally collected is no longer relevant to the reason it was collected and contains sensitive personal information or if such information is considered to be outdated information.
- The person withdraws their consent for their data to be used (and the organisation has no other legal basis for collecting it).
- The person is objecting to the data being collected for direct marketing purposes. Or where their rights are overriding legitimate interest or legitimate interests in managing their data.
- The individual's data was unlawfully processed or considered sensitive data.
- Deleting the data is legally required.
- The data belongs to a child.
In all of these cases, the organisation must ensure the personal data erased the data as soon as possible.
If the personal data is in the public domain and can be found via Google or any other search engines, the organisation (also known as the data controller) must take “reasonable steps, including technical measures” to inform any other entity processing the data that the subject wants it to be removed.
However, if the data is deemed to be in the public interest, the requests don't have to be honoured by the data controller.

More details on Article 17 of the General Data Protection Regulation
Article 17 of the General Data Protection Regulation (GDPR) is officially called the 'right to erasure' but is often referred to as the right to be forgotten.
According to Article 17, any individual can request to a data controller that their own personal data be removed without any delay, and without incurring any costs to the person making the request.
This data includes any files in a database, including any backups, or anything that has potentially been moved to an archive. For example, data collected for the purposes of preventative or occupational medicine, information society services, statistical purposes, for scientific research or historical research.

GDPR terminology for the right to be forgotten
Companies use the terms data controller and data processor as they are clearly defined under and as they apply to GDPR.
Data controller refers to the person, organisation or entity that holds or processes personal data but does not exercise responsibility for or control over the personal data. For example, a cloud provider is considered to be a data processor.
A data processor can not hold copies of data, or make them available for other uses. The controller is responsible for deleting personal data and ensuring that it has been erased.
The individual whose data is held is the data subject and it is the data subject's right under GDPR to make multiple requests providing they meet the criteria.

Frequently Asked Right to be Forgotten Questions
What about the UK's right to be forgotten following Brexit?
All data protection rules stipulated within the EU's GDPR still apply to UK data processing. Some sections of GDPR were enshrined into UK law as part of the European (Withdrawal) Act.
There will be no change in the foreseeable future. However, it's not impossible that changes could now be made to personal data processing and the data subject's rights by the UK Government now that it is no longer under the jurisdiction of the European Parliament.
When can I ask for my personal data to be deleted from Google or other directories?
Provided you live in a jurisdiction that is covered by the right to be forgotten or similar local laws concerning personal data, then you can make a request for it to be forgotten online.
Under these circumstances, you are the data subject and in order to ensure that a right to be forgotten request is made properly, you'll need to submit a Data Subject Access Request (DSAR) to remove or request what personal data a company holds about you.
That doesn't mean that the controller will (or should) complete every right to be forgotten request to erase personal data. This is due to the legal differences between public, private and erroneous data that would need to be considered regarding personal data.
However, if they do agree to the removal request and erase all the versions of personal data that you want to see removed, then it can no longer show up in an Internet search result for someone else.
Can I remove unwanted content about myself online?
If an individual objects to the use of personal data about them, then they can make the request. However, as we've seen, there are specific criteria.
You can not request that information is removed simply because you do not like what you see. But in many cases, such as a health professional looking for a new job or a celebrity with a high level of visibility in public life, there are urgent reasons to want to make the request.
RTBF requests involve erasing personal data from search engines, such as Google search. This can include press coverage, outdated articles, pictures, or videos - anything that can be seen in public life. Even social media and directory services that publish your personal information will be considered.
There is no 'one size fits all' rule and any request will be looked at on a case-by-case basis.
What do I need to request that Google removes my data?
Google has a long-established procedure for dealing with these requests and removes links in some cases. You can use this form to submit a RTBF request.
When you make an application, Google will balance your privacy rights with what's in the public's interest to know along with the right to distribute information. This is where it helps to have professional advice and consult experts like Igniyte, who can investigate the legal aspects for you.
It's also worth knowing that the Right to Be Forgotten also needs balancing against other rights, including freedom of expression. So, if the information is considered to be in the public interest it's unlikely to be removed.
How do I apply for the right to be forgotten?
To submit a request under the EU RTBF law, you need:
- An EU passport or driving licence to prove your identity.
- Details of the web address or link that you are requesting to be removed.
- The full search term, for example, your name.
- Reasoning as to why you feel the link is ‘irrelevant', ‘not in the public interest' or ‘outdated'.
Be aware, that this reasoning should be aligned to the EU ruling and cite law wherever possible. The reasoning must be persuasive enough that Google will consider it favourably against what's considered to be in the public interest.
Is there any reasons why Google could refuse an application
Google will assess requests case by case. The search engine can ask you for more information to inform its decision. But the main thing to note is that Google will balance your privacy rights with what's in the public interest to know and the right to distribute information.
Google can and does refuse applications where there is an alternative solution, technical reason, or duplicate URL.
Many factors are considered. These include the person's professional life, a past crime, the need for professional secrecy, or whether they are in a political or public position. Or it could be whether the content is self-authored, is in an open document, or is journalistic.
Is every request for removal honoured by Google?
According to Google's transparency report, during the first five years of the implementation of the right to be forgotten, it received around 3.2 million requests to delete links from more than half a million individual requesters.
From these, Google determined that 45% met the criteria sufficiently well to be delisted. This shows just how much supporting evidence you need to make your request and have it adhered to.
Deciding whether the individual's data should be removed comes up against the public interest and it is not always clear which will come out on top. However, it is an absolute fact that an organisation such as Google must look into every single request on a case-by-case basis.
An advisor to the EU Court of Justice reiterated in April 2022 that search engines are legally obligated to look into the accuracy of every delinking request that is made. This advice from Advocate General Giovanni Pitruzzela derived from a German case involving two financial service companies accused of wrongdoing by a blog that the applicant says is extortion.
How can a Reputation Management company help with the Right to be Forgotten?
It’s not always straightforward making a RTBF request yourself. It may be that Google or other search engines will consider the request to be in the public’s interest.
When deadlines haven’t been met, or your application has been ignored, then it’s good to know that help is at hand through established reputation management companies.
Our experience making requests can be essential when the situation is heading towards the need for legal claims to ensure action is taken. Fighting against what is considered to be in the public interest can feel like an uphill battle, but a team of experts and experienced professionals can help move it along.
For more information, and to find out how Igniyte can help you with requests, please get in touch. The cost to remove articles or images can vary depending on the amount and types of content but should always be a reasonable fee.

Speak with Roz our online reputation management expert, in complete confidence.

