The right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
Concept of the Right to be Forgotten
The right to be forgotten is the theory that individuals have the civil right to request that personal information be removed from the Internet. It was established in 2014 in the European Union as the result of a ruling by the European Court of Justice. The Court found that European data protection law gives individuals the right to ask search engines like Google to delist certain results for queries related to a person’s name. In deciding what to delist, search engines must consider if the information in question is “inaccurate, inadequate, irrelevant or excessive,” and whether there is a public interest in the information remaining available in search results.
Referred to as the Right to Erasure
In the European Union, the right to be forgotten is also referred to as the right to erasure. To remove someone’s personal data effectively, there must be a traceable mechanism for making sure that deleted data is also removed from backup storage media. In the United States, however, requests for the removal of personal data under the concept of the right to be forgotten are weighed against the open nature of the Web and the free flow of information.
GDPR and the Right to be Forgotten
Article 17 of the General Data Protection Regulation (GDPR) is formally titled the right to erasure, but it is commonly referred to as the right to be forgotten. According to Article 17, an individual can make a request to a data controller that all of their personal data be erased without “undue delay” and with no charge to the person making the request. This includes files, records in a database, replicated copies, backup copies, and any copies that may have been moved into a record.
Data Controller and Data Processor
The terms data controller and data processor are clearly defined as they apply to GDPR. The data controller is the person or entity who is legally accountable for storing digital personally identifiable information. The data processor is the entity that holds or processes personal data but does not exercise responsibility for or control over the personal data. In this context, a cloud provider is considered to be a data processor. The data processor cannot hold copies of data or make them available for other uses. The data controller, therefore, is responsible for deleting the personal data and ensuring it has been erased, as well as for performing the operations, but not for the decision process.
Right to Erasure Clauses
Presently, the General Data Protection Regulation ruling regarding backups applies only in the European Union, but enterprises doing business in the European Union need to be able to address the General Data Protection Regulation’s right to erasure clauses or face financial penalties. The new regulations expand the definition of personally identifiable information to include IP addresses and photos.