The Right to be Forgotten (RTBF) is the right to have private or personal data removed from searches and other directories under specific circumstances. This has been in place in the EU and Argentina since 2006, but there are concerns about how this in conjunction with the right to freedom of expression and how the RTBF would decrease the quality of content online with people questioning whether this is censorship or a rewriting of history.
The right to be forgotten is often cited when discussing issues surrounding revenge porn sites, or previous petty crimes that can appear in search engines when searching for an individuals name, and what impact that could have on a person’s online reputation.
In 2018 the General Data Protection Regulation (GDPR) came into force and was created to give individuals more control over their own personal data, and how that data was stored by third parties, such as retailers, social networks or publications. The regulation controls the flow of data throughout the EU and was adopted into UK law through the Data Protection Act 2018. Under the legislation, organisations can be fined up to £20 million, or 4% of the company’s annual turnover, whichever is higher.
The Right To Be Forgotten (RTBF) is the concept that people have the civil right to request that personal data or information is removed from the Internet.
If this information – which includes content, images, and videos – is removed, then it means it can not be found online. And it no longer appears in search results.
The Right To Be Forgotten is also known as the right to erasure and became EU law as part of the General Data Protection Regulations (GDPR) legislation introduced in 2018.
Individuals can request the erasure of their personal data and that data about them is removed from an organisation’s database – regardless of the reasons. It’s a concept that came under rapid fire from businesses and censorship advocates.
Companies have a legal obligation to comply with the law without undue delay – they must act upon a valid request as soon as it is made or face financial penalties. Under GDPR this can be as much as 4% of a company’s turnover, or £20 million.
But this predates GDPR. In May 2014, the European Court of Justice ruled in a Spanish case that individuals have The Right To Be Forgotten online. This ruling, within the European Union only, makes Google responsible for removing ‘irrelevant’, ‘no longer relevant‘, or ‘outdated’ information from personal search results.
The ruling only applies to a personal issue. You can’t submit an RTBF request for any business or commercial content, images, or videos.
The cost to remove articles or images can vary depending on the amount and types of content. Companies like Igniyte might be able to help you, and you should expect to pay from £750, plus VAT per removal.
The history of the RTBF has grown out of the concept that after a certain amount of time, a person’s past should not be viewed when they seek employment. After the advent of the Internet, and other search engines like Google and Bing, these types of records are easier to access.
In 2014, the Spanish courts ruled in favour of a right to be forgotten in the case of Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez (2014). This revolved around a newspaper announcement about a forced property sale that was required to settle a debt. In 2009 Costeja contacted the newspapers to remove the record because the information had been found when searching for his name. The newspaper denied the request and he subsequently contacted Google Spain to remove the search result.
Eventually, the courts ruled that Google had to remove the search results but the newspaper didn’t have to remove the original article. This ruling effectively established precedence and validated the RTBF law. Today the RTBF is included in the GDPR’s article 17, and the RTBF has moved across the Atlantic too as the Right to Erasure, which the majority of American’s support. However, a case in 2019 ruled that Google does not have to apply the law outside of the EU.
GDPR, which applies to all EU member states and organisations using EU citizens’ data (since 25 May 2018), updates the definition of the Right To Be Forgotten (based on the EU’s 1995 Data Protection Directive).
Article 17 keeps the 1995 Directive’s intent to allow people to request their data is deleted when it’s no longer relevant. It also increases this right, to give people more control over who can access and use their data.
Under GDPR, an EU citizen can request an organisation to delete their data if:
In all of these cases, the organisation must ensure the personal data erased the data as soon as possible. If the personal data is public, it must take “reasonable steps, including technical measures” to inform any other entity processing the data that the subject wants it to be removed.
However, if the data is deemed to be in the public interest, the requests don’t have to be honoured.
UK law – updated post Brexit
All data protection rules in GDPR still apply to UK data processing. Post-Brexit, some sections of GDPR will be enshrined into UK law as part of the European (Withdrawal) Act. There will be no change in the foreseeable future.
Article 17 of the General Data Protection Regulation (GDPR) is officially called the right to erasure but is often referred to as the right to be forgotten. According to Article 17, any individual can request to a data controller that their own personal data be removed without any delay, and without incurring any costs to the person making the request. This data includes any files in a database, including any backups, or anything that has potentially been moved to an archive.
Companies use the terms data controller and data processor as they are clearly defined as they apply to GDPR.
A data controller is a person or entity that holds or processes personal data but does not exercise responsibility for or control over the personal data. For example, a cloud provider is considered to be a data processor.
A data processor can not hold copies of data, or make them available for other uses. The controller is responsible for deleting personal data and ensuring that it has been erased.
If you are in a jurisdiction where the RTBF or similar laws exist (such as in the EU), then yes! You are the data subject, and you must submit a Data Subject Access Request (DSAR) to remove or request what personal data a company holds about you.
That doesn’t mean that the controller will (or should) complete every removal request and erase personal data as there are legal differences between public, private and erroneous data that would be considered.
Individuals can make a request, but there are specific criteria. You can not request that information is removed just because you do not like what you see.
RTBF requests involve erasing personal data from search engines. This can include press coverage, outdated articles, pictures, or videos. Even social media and directory services that publish your personal information. It will be looked at on a case by case basis.
Google has a long-established procedure for dealing with these requests and removes links. You can use this form to submit a RTBF request.
When you make an application, Google will balance your privacy rights with what’s in the public’s interest to know and the right to distribute information. This is where it helps to have professional advice and consult experts like Igniyte, who can look into the legal aspects for you.
It’s also worth knowing that the Right To Be Forgotten also needs balancing against rights, including freedom of expression. So if the information is considered to be in the public interest is unlikely to be removed.
To submit a request under the RTBF law, you need:
Google will assess requests case by case. The search engine can ask you for more information to inform its decision. But, the main thing to note is that Google will balance your privacy rights with what’s in the public’s interest to know and the right to distribute information. Google can and does refuse applications where there is an alternative solution, technical reason, or duplicate URL.
Many factors are taken into account, e.g., the person’s professional life, a past crime, or whether they are in a political or public position. Or it could be whether the content is self-authored, is in an open document, or is journalistic.
Google received over 1 million requests since the 2014 ruling, asking for 4.3 million links (as of September June 2021) to be removed. It has delisted about 47% of the links requested.
In theory, an individual can make an erasure request verbally or in writing; the law does not require that a specific form is filled or a particular individual is the recipient of requests. But as you can see, it’s not always straightforward.
When deadlines haven’t been met, or your application has been ignored, then it’s good to know that right to be forgotten help is at hand through established reputation management companies. Their experience making requests can be essential when the situation is heading towards the need for legal claims to get action to be taken.
For more information, and to find out how Igniyte can help you with applications, please get in touch. The cost to remove articles or images can vary depending on the amount and types of content. Companies like Igniyte might be able to help you, and you should expect to pay a reasonable fee and our costs start from £750, plus VAT per removal.
Speak with Roz our online reputation management expert, in complete confidence.