In today’s digital landscape, where every action and piece of data is on public display, internet privacy is sought by many—but achieved by few.
The right to be forgotten, also known as the “right to erasure,” is a legal right established under Article 17 of the General Data Protection Regulation (GDPR) to give European Union citizens and residents the right to request the removal of their personal online data. Individuals may request data to be removed if it is no longer relevant or necessary, or if it falls into another category specified by law.
At Minc Law, we have litigated hundreds of content removal cases across not only the United States but the world. We have seen the damaging effects published private information can have on its subjects—especially if left unremedied. While the right to be forgotten has not yet (and may never) come to the US, it is still an important element in the worldwide internet privacy debate.
In the following article, we explain the right to be forgotten and how it can be applied in various situations. We also cover common exceptions to the rule, and the benefits and drawbacks of bringing the rule to the US. Then, we explore eight privacy laws in the United States that protect rights similar to the right to be forgotten.
What is The Right to be Forgotten?
The European Union (EU) enacted the General Data Protection Regulation (GDPR) in May 2018. This law regulates the availability and transferability of personal data in digital form. One of the most notable provisions is the “right to erasure” or, more commonly, the “right to be forgotten.” In this article, we use the two terms interchangeably.
The GDPR defines the right to be forgotten as the right of an individual to have their personal data erased by a “data controller.” In this case, a data controller is a website administrator or owner.
Individuals living within the jurisdiction of the European Union, i.e., in an EU member state, can invoke the right to be forgotten. Additionally, any organization or business that conducts business in the EU can fall under GDPR regulations, even if the organization itself is not located there.
What Does The Right to Be Forgotten Mean?
The internet comprises networks that transfer data from one portal to another. Whenever an individual publishes content online or even views a website, a transfer of data takes place. The GDPR strives to regulate internet services available within the EU by regulating the transfer of data between networks.
The right to erasure applies to any personal data that:
- Is no longer necessary for its collection or processing purposes;
- Must be erased to follow another legal obligation in the EU or the EU member state law to which the controller is subject;
- Has been collected in relation to the offer of information society services to children; or
- Has been illegally processed.
The right to be forgotten also applies if the data subject has withdrawn their original consent for the data processing or objects to it. Also, there must be no other legal grounds for its processing.
For example, Google can be subject to the GDPR even though its headquarters are in the US. This is because Google’s platform and services are available in EU member countries. But an individual must live in the EU to invoke the GDPR to compel Google to follow the right to erasure.
Why Was The Right to Be Forgotten Created?
The right to be forgotten originated with the idea that criminal convictions should be “dropped” or “forgotten” when those individuals seek employment, insurance, or other opportunities. The rationale for this idea is that once a person has served their sentence, the importance of that conviction’s record is diminished.
European countries—such as the United Kingdom and France—have historically favored this approach to free speech. The United States favors a stricter approach to freedom of speech and transparency. In the U.S., the public’s right to know information is of value regardless of how much time has passed.
Background of The Right to Be Forgotten
The right to erasure (and right to be forgotten) is not a new concept invented by the GDPR. In fact, several legal cases recognized the importance of the right to be forgotten before the GDPR was implemented.
In 2008, a Belgian newspaper, Le Soir, digitized its news archives. It republished a 1994 article reporting on a doctor’s drunk driving accident that killed two people. The doctor had already served out his sentence and paid his dues to society for the crime. He requested that Le Soir’s editor remove the doctor’s name from the article. The editor refused, and the doctor sued in a Belgian court.
The trial court granted the doctor’s request to redact his name from the article. The court of appeals upheld the ruling, noting the importance of balancing the right to freedom of expression with the right to privacy.
Because the article concerning the car accident no longer had news value, removing the doctor’s name did not change the article’s substance. Anonymizing the electronic version of the article also meant that the original paper archives would stay intact. The balancing test favored the doctor’s right to privacy.
The Belgian Court of Cassation (the highest Belgian court) affirmed the decision. They held that the damage caused by an article describing long-ago events outweighed the benefits of freedom of the press.
In the 2014 landmark case that led to the right to be forgotten decision, the respondent was a Spanish resident who lodged a complaint with Google. An internet search of his name returned results from the local newspaper describing his social security debts.
The plaintiff posited that the articles referenced events that had been resolved for several years. So, the search results were irrelevant and harmful to his reputation in the present. The court ordered Google to remove Mr. Costeja González’s personal information from its index. See Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C‑131/12, ECLI:EU:C:2014:317, Judgment of the Court (Grand Chamber), 13 May 2014.
In the years following these cases, the right to erasure has become codified in EU law. The right to be forgotten is now a comprehensive, catch-all concept. It protects a person’s right to make autonomous decisions about their digital footprint.
What Countries Recognize The Right to Be Forgotten?
More courts across the globe now recognize the need to balance an individual’s right to privacy with the public’s interest in freedom of information. The European Union, India, South Korea, and some South American countries recognize the right to erasure in various forms.
Minc Law Defamation Tip: Keep in mind that the “right to be forgotten” is different from the “right to privacy,” since the “right to privacy” addresses personal information that is not publicly known, while the “right to be forgotten” addresses information that was made publicly available.
When The Right to Be Forgotten is Applicable
Right to be forgotten legislation enables the removal of personal data and text posted online that is outdated, private, or unnecessary. Personal data, as defined in the GDPR, includes “any information relating to an identified or identifiable natural person.” This data also includes photographs, videos, and other forms of media.
Under the ruling in Google v. AEPD and Mario Costeja Gonzalez, the right to erasure is applicable if the personal data at issue is:
- Irrelevant; or
- Inaccurate for the purposes of data processing and access.
As emphasized above, the right to be forgotten strives to balance an individual’s right to privacy with the public’s interest in accessing such information.
When is The Right to Be Forgotten Applicable to Individuals?
The right to be forgotten applies to individuals living in the EU, referred to in the law as “data subjects.” Individuals living in the jurisdiction of the EU can claim the protections defined by the GDPR if a breach of their privacy rights occurred there.
An individual does not need to be a citizen of an EU member state to invoke GDPR protections. However, the individual must be living in the EU, and the publication or other breach of their data privacy rights must have occurred inside the EU.
When Does The Right to Be Forgotten Apply to Your Organization/Company?
The GDPR can apply to organizations (“data controllers”), both inside and outside the European Union. The right to be forgotten applies to data controllers that process EU residents’ data and either:
- Offer goods or services to these EU “data subjects”; or
- Track EU data subjects’ behavior.
It does not matter if the controller is outside of the European Union—what matters is if the controller conducts business in the EU and processes the data of EU data subjects. As long as the company collects data from EU data subjects, it is subject to the GDPR and must comply with the right to erasure.
But in 2019, the Court of Justice of the European Union (“CJEU”) determined an important caveat. An EU member state cannot order data controllers located outside the U.S. to monitor or assess the content.
While a court can order a data controller to remove or block information that it stores, it cannot require the data controller to actively monitor for that illegal information or penalize the controller for failing to remove it in other instances.
For example, if someone published a defamatory statement about you saying that you were convicted of armed robbery, the data controller can be compelled to remove that exact statement wherever it is known to exist. However, they cannot be compelled to monitor for new publications or publications that materially change the information used.
A Complex Right to Be Forgotten Example
Often, EU residents (or former EU residents) wish to assert their right to be forgotten, but the situation is more complex than it appears.
For example, say Camille is a French citizen. She has been living in the United States for several years and has no immediate plans to move back to France. A Facebook user in France recently published Camille’s 15-year-old conviction for theft on their page. Camille wants to assert her right to be forgotten and have the information removed from Facebook.
Based on the standard GDPR enforcement process, Camille likely would not be able to claim the protections of the GDPR immediately, including the right to be forgotten. Because Camille is no longer a French resident, she would first need to file a lawsuit in France to try to claim her right before it could be referred to the CJEU for enforcement. The CJEU would then need to determine whether the GDPR applies to Camille’s situation.
What Happens When The Right to Be Forgotten Comes Into Conflict With Countries That Do Not Recognize It As a Legal Right?
In many cases, the right to be forgotten becomes a complex issue because one country involved in a multi-jurisdictional matter does not recognize the right to be forgotten as a legal right. The outcome depends on which country’s law applies: the country that does not recognize the right to be forgotten, or the law of the GDPR state. This question does not always have a straightforward answer and will depend on the circumstances at hand.
For example, if an individual tries to enforce GDPR protections in the US, the governing U.S. court will likely not enforce the GDPR because the U.S. does not currently recognize the right to be forgotten. The exception may be if the U.S. court determines that, under conflicts of laws rules, the law of the state recognizing the GDPR applies.
Minc Law Free Speech Fact: Although the right to be forgotten is gaining traction in other parts of the world, it has not caught on in the United States. This difference is largely due to the deeply entrenched free speech protections of the First Amendment of the U.S. Constitution. These protections are stronger and broader than in other legal theories of free speech found in other nations.
Exceptions to The Right to Be Forgotten
The right to erasure as defined in the GDPR is not absolute. While data controllers are obligated to erase personal data upon request of the data subject, they are not obligated to erase data where processing is necessary for:
- Exercising the human right to freedom of expression and information as defined by the European Convention on Human Rights;
- Compliance with a legal obligation, requiring processing by the EU or member state law to which the controller is subject. It may also be for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;
- Reasons of public interest in the area of public health;
- Achieving purposes in the public interest, scientific or historical research purposes, or statistical purposes. In this case, the right to erasure may make it difficult or impossible for that processing to achieve its objectives; or
- The establishment, exercise, or defense of legal claims.
When Does the Right to Be Forgotten NOT Apply to Public Information?
The GDPR applies both to businesses and to public agencies that collect information. Under the GDPR, data processing is authorized if it is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.
Items that would be considered public records, such as licenses, would be specifically authorized by law and, therefore, not considered unlawful under the GDPR. Something like a telephone directory, on the other hand, would likely not be authorized by law or subject to any legal obligations, so it would be covered under the GDPR.
In the end, it depends on the data that the public agency is processing—and why they are processing that data. Publicly available information will be evaluated depending on the specific type of information at issue.
What Does “Manifestly Unfounded” Mean in the Context of the Right to Be Forgotten?
Data processors may refuse to comply with data removal requests where those requests are “manifestly unfounded or excessive.” The GDPR does not define what constitutes manifestly unfounded or excessive requests and, so far, the CJEU has not entertained any case to define that test.
However, the Information Commissioner’s Office (ICO) of the United Kingdom—the UK authority charged with overseeing GDPR compliance—recently released several guidelines to aid data processors in determining when a request is manifestly unfounded or excessive.
The ICO recommends evaluating each instance on a case-by-case basis rather than enforcing a blanket policy relating to manifestly unfounded takedown requests. Per ICO’s guidelines, requests may be manifestly unfounded or excessive if:
- The requestor has no intention to access the information or is using the request to harass the data processor;
- The request repeats the substance of previous requests in a short period of time; or
- The request overlaps with other requests.
The data processor bears the burden of proving whether a request was manifestly excessive or unfounded. If a data processor refuses a request, they must inform the requester why the request was denied. They must also inform the requester that they have a right to submit a complaint to the relevant legislative authority (such as the ICO in the UK) and that they may enforce their right through the court system.
What Other Exceptions to the Right to Be Forgotten Exist?
Under certain circumstances, European Union member states can restrict individual rights under the GDPR. These restrictions must “respect the essence of the fundamental rights and freedoms” intended to be protected by the law.
The restrictions must also be “necessary and proportionate” measures to safeguard:
- The country’s national security, defense, and public security;
- The prevention, investigation, detection, or prosecution of criminal offenses;
- The execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- Other important objectives of general public interest (particularly economic or financial) of the EU or a member state. These interests may include monetary, budgetary, and taxation matters, public health, and social security;
- The protection of judicial independence and judicial proceedings;
- The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
- A monitoring, inspection, or regulatory function connected—even occasionally—to the exercise of official authority;
- The protection of the data subject or the rights and freedoms of others; and
- The enforcement of civil law claims.
Continuing Right to Be Forgotten Hypothetical
If Camille, the French citizen in the above hypothetical, did manage to qualify for GDPR protections, she would still need to show that none of the above exceptions apply in her case. The court would have to balance her right to be forgotten with the public’s interest in knowing her criminal record and the publisher’s rights of freedom of expression.
This is much the same balancing test as applied by the courts in Oliver G v. Le Soir and Google v. AEPD and Mario Costeja Gonzalez prior to the enactment of the GDPR.
This situation has also been echoed in G.C. et al. v. CNIL. In this case, the CJEU held that when determining whether to remove or alter personal information in response to a GDPR erasure request, a controller must consider all the circumstances of the case. See Case C-136/17, G.C. et al. v. CNIL, Judgment, ECLI:EU:C:2019:773, ¶ 77 (24 Sept. 2019).
The Right to be Forgotten Pros and Cons
The right to be forgotten carries numerous benefits for persons seeking to remove past information from the internet, including:
Pro: Self-Determination of Your Online Presence
With legal protection of your personal data, you have some say in which facts about your life and history are readily available to the general public.
Pro: The Ability to Remove Libelous, Embarrassing, & Stigmatizing Information From a Past Post or Upload
If harmful content has been posted about you in the past, the right to be forgotten can give you recourse in having that damaging or defamatory content removed.
Pro: The Removal of Illegally Uploaded Content By a Third Party
Similarly, if a malicious actor has posted illegal content about you (such as intimate photographs on a revenge porn site), the right to be forgotten is a powerful ally in your efforts to remove that content from the internet.
Pro: Removing Personal Details That Compromise Your Personal and Financial Safety
You likely wish to block access to personally identifying information that would give strangers too much access to your location or financial accounts.
Pro: Peace of Mind When Applying For Jobs
If you have been convicted of a crime and have already paid your dues to society, you may not want potential employers to be able to see your past convictions that are no longer relevant to the person you are today.
Pro: An Opportunity For a Fresh Start
With the right to be forgotten, you can ask for some records of your past to remain in the past, giving you the freedom to move forward with your life.
However, the right to be forgotten raises just as many concerns about the practicality of its implementation in the US, such as:
Con: Interference With the Public Interest
Your need for removal may be outweighed by the general public’s interest in accessing and viewing such information. Instituting the right to be forgotten may cause a lack of transparency surrounding important information about businesses or persons.
Con: First Amendment Issues
Since the right to be forgotten is based on European laws and circumstances, it carries a potential restraint on the freedoms afforded to U.S. media, journalists, and other parties under the First Amendment.
Con: Difficulty Instituting & Lacking U.S. Precedent
The right to be forgotten is relatively broad and undeveloped, and it may be difficult to enforce in the US since American free speech values are relatively unique.
Con: Request Overload & Backlogs Can Cause Long Wait Times
Google and other search engines may be backed up with requests to remove information.
What Do Critics Say About the Right to Be Forgotten?
Numerous critics of the right to be forgotten worry that implementing the law in the United States would be an infringement on the First Amendment, specifically the rights to freedom of speech and expression, potentially curbing the integrity of news agencies and other media.
Google was one of the first critics of the right to be forgotten. After the ruling in Google v. AEPD and Mario Costeja Gonzalez, Google resisted the efforts to globalize the GDPR, predicting that it would give authoritarian regimes a precedent for limiting free speech.
And AccessNow, an international organization that defends digital rights, also took a cautious stance on the right to be forgotten. In their 2016 position paper, analysts warned legislators that the sole purpose of the right to be forgotten should be to “enhance users’ control over their personal information,” and that the right should never be “misinterpreted or misapplied to enable the removal of online content.”
Defamation Law Fact: Although Google has been hesitant to embrace the legal provision, it took important steps towards aligning itself with the right to be forgotten in June 2015 by announcing it would now remove non-consensual pornography posts, also known as “revenge porn.”
Will The Right to Be Forgotten Come to the United States?
Although it does carry many benefits, it seems highly unlikely that the U.S. will ever implement the right to be forgotten. The U.S. legal system has a strong preference for freedom of speech and for allowing speech that would directly conflict with rights like those enacted under the GDPR.
However, the U.S. has enacted other laws that attempt to protect private information in certain circumstances. We explore several of these laws in the next section below.
Similar Privacy Rights to The Right to Be Forgotten in the United States
Although the right to be forgotten has not been formally drafted as one comprehensive law or regulation in the United States, the U.S. does have laws in place that cumulatively strive to protect the privacy and information of certain parties, including:
- The California Consumer Privacy Act (CCPA),
- The Federal Trade Commission (FTC) Act,
- The Gramm-Leach-Bliley Act,
- The Fair Credit Reporting Act,
- The Health Insurance Portability and Accountability Act (HIPAA),
- The Family Educational Rights and Privacy Act (FERPA), and
- Civil privacy torts.
We examine each piece of legislation in greater detail below.
1. California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act gives California residents increased rights over their information, similar to other rights enacted in the GDPR, including the rights to:
- Request businesses to delete their personal information,
- Opt-out of the sale of their personal information, and
- Know how and why their information is being collected and used.
The CCPA attempts to provide consumers increased control over how businesses use, collect, and transfer personal information.
2. Federal Trade Commission (FTC) Act
The Federal Trade Commission Act prohibits deceptive and unfair practices with company privacy policies and disclosures of personal data.
The FTC Act is the central enforcement mechanism behind the Children’s Online Privacy Protection Act (COPPA), a law regulating the online collection of information from minors.
3. Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act regulates financial institutions and their collection, use, and disclosure of private personal information. Regulated institutions include:
- Securities brokers and dealers,
- Insurance underwriters and agents,
- Finance companies,
- Mortgage bankers, and
- Travel agents.
In some instances, this act provides individuals with the ability to opt-out of having their information distributed and shared.
4. Electronic Communications Privacy Act & Computer Fraud and Abuse Act
These laws regulate interference with and interception of electronic communications, and any subsequent tampering with them.
The Electronic Communications Privacy Act helps protect communications from being accessed in an unauthorized manner by the government. The Computer Fraud and Abuse Act (CFAA) limits federal jurisdiction to cases with a compelling federal interest. Also, the CFAA criminalizes trafficking in passwords and similar data.
5. Fair Credit Reporting Act
The Fair Credit Reporting Act applies to consumer reporting agencies and persons who provide and use consumer reports. It seeks to protect consumers from negligent or intentional reporting of credit information.
6. Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act regulates how healthcare providers, pharmacies, and data processors handle medical information. Specifically, it oversees the collection, use, and disclosure of certain protected health information.
HIPAA also requires the holding entity to correct any inaccurate information and notify individuals on how the information is being used.
7. Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act regulates the privacy of student educational records and applies to all schools that receive federal funding through the U.S. Department of Education. Relevant records include:
- Disciplinary records,
- Contact information, and
- Biometric records.
8. Civil Privacy Torts
In addition to these federal and state laws, most states still recognize claims for certain types of privacy breaches, including false light, publication of private facts, misappropriation, and intrusion upon seclusion.
Can I Request My Data to Be Deleted?
If you live in an EU member state, you can assert your right to be forgotten under the GDPR by submitting an erasure request directly to the website or company that published or collected your data. If the request is denied, you can challenge the company by following the legislative guidelines adopted by your country.
You may ultimately need to assert your rights in court. The process varies between countries, so it is important to consult an attorney who understands the legal remedies available in your country.
If you live in the US, while you are not entitled to rights under the GDPR, you may still be able to assert similar removal requests under one of the above privacy laws (or others). We recommend consulting an attorney who is familiar with state and federal privacy law.
Work With Experienced Content Removal Attorneys to Remove Personal Information From the Internet
While the internet makes connection, news, and communication more readily available than ever, this interconnectivity is both a blessing and a curse. Personal data online can be a tool used by malicious actors to commit various forms of harassment, theft, and identity fraud.
“I want to sincerely thank Dorrian for getting two articles about me removed from the internet. I went through a traumatizing incident of police brutality while being arrested for being drunk in public – the cops badly hurt me, then overcharged me. Most charges were dismissed, but I was convicted of one, and assumed I’d never be able to get the articles removed. After years living in constant fear of the articles being found by old friends or family, and thinking I’d never be able to get a decent job, I called Minc. Dorrian was able to show the editors of both newspapers how the articles didn’t at all reflect what really happened, and even with my conviction on one charge, she was still persuasive enough to get both articles deleted. I am incredibly grateful for this new liberating feeling I have, and the weight off my shoulders from no longer having those awful articles out there. Dorrian has given me back the ability to control the first impression I make in life. Thank you so much!!”
MW, Mar 17, 2021
If you are an EU resident, you may be able to invoke the right to be forgotten to remove potentially harmful content about yourself online. But even if you are not a resident of the EU, you may have options to protect your online reputation and remove sensitive content from the internet.
The internet defamation attorneys at Minc Law can help you remove personal information from the internet—and fight to remove internet defamation and other unwanted content that may already be published. To schedule a free, no-obligation initial consultation, call (216) 373-7706, or schedule a meeting online by filling out our online contact form.