Published on January 25, 2025
The "Right to be Forgotten" (RTBF) is a legal concept empowering individuals to request the removal of personal data from search engine results when it is outdated, irrelevant, or harmful to their reputation. Originating from a landmark 2014 ruling by the Court of Justice of the European Union (CJEU), the RTBF has become a cornerstone of privacy legislation, particularly under the European Union’s General Data Protection Regulation (GDPR). Discussions on similar protections are emerging globally, reflecting heightened attention to privacy in the digital age.
While RTBF seeks to enhance individual privacy, it has stirred debates about its potential to suppress freedom of expression and access to information. Critics warn of possible censorship risks, while supporters emphasize its role in restoring personal control over digital narratives. For organizations, navigating RTBF compliance is challenging, requiring robust data management and governance frameworks to address legal and operational complexities.
This blog offers a primer on the RTBF, covering its origins, implementation challenges, and the essential steps organizations can take to operationalize it effectively. Key sections include historical context, actionable steps for compliance, and the role of a data catalog in streamlining RTBF implementation.
While the "Right to be Forgotten" and the "Right to Erasure" are closely related, they are not entirely synonymous. The Right to Erasure, as outlined in Article 17 of the GDPR, provides individuals with the ability to request the deletion of their personal data held by an organization under specific circumstances. These circumstances include when the data is no longer necessary for its original purpose, when consent is withdrawn, or when the data has been unlawfully processed.
In contrast, the Right to be Forgotten primarily addresses the removal of links to personal data from search engine results, ensuring that outdated or irrelevant information is not easily accessible online. While the RTBF focuses on mitigating reputational harm in the digital realm, the Right to Erasure takes a broader approach to empower individuals to control their data across all contexts, not just in search engine visibility.
Both rights underscore the importance of individual privacy and data protection. However, organizations must distinguish between the two when responding to requests to ensure compliance with applicable legal requirements. Implementing effective data governance practices, including the use of a data catalog, can help organizations efficiently manage these requests and maintain regulatory compliance.
The RTBF concept arose from growing concerns about the permanence of digital data and its potential impact on individuals’ lives. As the internet expanded, individuals’ personal information became more accessible, raising privacy concerns. In 2014, the CJEU’s ruling established RTBF under specific conditions, allowing EU citizens to request the removal of certain search engine results.
Privacy rights—rooted in legal traditions dating back to the seventeenth century—took a modern turn with this ruling. It required search engines like Google to process removal requests and balance privacy with public interest. While RTBF has since gained traction outside the EU, it remains a polarizing issue. Proponents highlight its necessity in a digital world, while critics question its implications for free speech and historical accountability. Globally, jurisdictions continue to adapt the RTBF concept to local legal and cultural contexts.
Implementing RTBF requires a structured approach that encompasses technical, operational, and legal measures to ensure compliance with regulations such as GDPR and CCPA. Organizations must develop robust data governance practices and clear procedures for handling deletion requests to effectively manage personally identifiable information (PII) and respond to data subject requests.
Data Governance and Management: Organizations must map personal data’s location, purpose, and consent status. A master data management system provides a unified view of customer data, enabling precise identification of data for deletion.
Metadata Collection and Maintenance: Establish processes to maintain metadata, including access logs, data relationships, and consent status. This ensures accurate handling of data deletion requests.
Automation: Use tools like AWS Lake Formation and analytics platforms to automate compliance tasks, reducing manual effort and enhancing accuracy.
Clear Response Procedures: Create protocols for processing deletion requests, including flagging, anonymizing, and auditing data.
Cross-Functional Collaboration: Engage teams across legal, IT, and compliance to address risks and ensure cohesive data management practices.
Audits and Training: Regularly review processes and train employees to maintain compliance.
In territories subject to the GDPR, organizations must designate Data Protection Officers (DPOs) who are responsible for ensuring compliance with data protection regulations. DPOs should inform and advise the organization on its obligations, monitor compliance, and act as the point of contact for regulatory authorities. The responsibilities of DPOs will evolve with the rise of global privacy regulations, necessitating ongoing education and adaptation to new requirements. Today, DPOs are required in organizations where large-scale processing of personal data occurs, especially when it involves sensitive information like health records or financial details.
Developing a structured checklist can help organizations minimize the risk of penalties while safeguarding customer data. This checklist should encompass all aspects of data protection compliance, ensuring that organizations are systematically addressing their obligations under relevant laws.
By fostering a proactive compliance culture, organizations can better navigate the complexities of data protection regulations.
Implementing RTBF poses significant challenges for organizations, particularly in sectors like finance, where data systems are often complex and interrelated. One of the primary hurdles is the lack of robust supporting tools, as many financial institutions did not have ideal solutions in place by the GDPR deadline in May 2018, necessitating reliance on manual processes for data erasure.
This situation complicates compliance efforts, particularly when institutions must compile lists of relevant data items affected by erasure requests, while also accounting for legal exemptions that may apply.
Another challenge lies in the comprehensive collection and maintenance of metadata associated with personal data. Organizations need to establish a thorough understanding of all data pertaining to individuals, including its location and purpose. This requires an extended business glossary and ongoing updates to ensure accuracy, particularly as consent for data processing can be given or revoked by individuals at any time.
Without this foundational knowledge, meeting the GDPR's requirements becomes a daunting task. Moreover, the dynamic nature of legal compliance adds layers of complexity. The GDPR provides a wide scope for interpretation, which means that institutions must navigate their unique compliance levels while ensuring that they do not inadvertently overlook important legal obligations. This necessitates a tailored approach, often resulting from privacy impact assessments that reveal specific compliance gaps within an institution’s data processing activities.
Lastly, there is the risk of compliance fatigue, where organizations may be tempted to view compliance as a mere cost of doing business rather than an integral part of their operations. This perspective could lead to inadequate management of compliance risks, making it essential for institutions to establish dedicated compliance teams and continually reassess their processes to ensure they remain effective and aligned with evolving legal standards.
A modern data catalog is indispensable for organizations striving to operationalize the RTBF or right to erasure. Here’s why:
Centralized Data Visibility: A data catalog provides a unified view of all data assets, enabling organizations to locate personal data quickly.
Metadata Management: By organizing metadata, a catalog ensures that consent status, lineage, and relationships are clear, streamlining RTBF processes.
Automated Workflows: Many data catalogs integrate with governance tools to automate flagging, deletion, and audit trails, reducing compliance risks.
Support for AI and Advanced Analytics: Taxonomies and ontologies within a catalog enhance data understanding, ensuring accuracy in AI-driven RTBF processes.
The Right to be Forgotten represents a pivotal shift in the global approach to digital privacy, emphasizing the need for robust data management and governance practices. To navigate this complex landscape, organizations must embrace structured compliance measures, leverage automation, and adopt tools like data catalogs to enhance efficiency and transparency.
As privacy regulations evolve, the RTBF will remain a critical consideration for organizations worldwide. By aligning their strategies with legal requirements and technological advancements, businesses can safeguard individual privacy, maintain trust, and ensure long-term compliance.