As our biggest change in data protection law in 20 years (the General Data Protection Regulation) comes ever closer, it is interesting to read the judgments of two recent cases concerning the ‘right to be forgotten‘.
The right to be forgotten is one of the rights that we, as data subjects, have to request that our personal data is removed once the original purpose for which it was collected has expired. Crucial to the enforcement of this right is the obligation to show that on balance, the right of the data subject to the removal or deletion of that data outweighs the rights of the public (reasons of public interest or national security are often taken into consideration) to retain the data.
This right comes about following a case in 2014 brought by Spaniard Mario Costeja Gonzalez who had asked Google to remove information about his financial history. The right is enshrined in Article 17 of the GDPR which comes into force on 25th May this year.
In the first of these two recent cases, the individual concerned wanted search results about a spent conviction removed from the Google search engine. He had been convicted 10 years ago of conspiring to intercept communications and had spent six months in prison.
The Judge, Mr Justice Mark Warby, ruled in his favour recently (13th April 2018). In the second case, the individual had been convicted more than 10 years ago of conspiracy to account fraudulently and had spent over four years in prison.
His legal action under the right to be forgotten failed on the grounds that his case had been more serious and when balancing his right to be forgotten against the public interest to retain the information, the judge held that there was a greater argument for retaining the information in the public interest.
You may be interest to know that Google says that it has removed over 800,000 pages from its search results following requests for removal under the right to be forgotten. It will be interesting to watch these cases develop so that we have some guidance on what the judges are considering when looking at the public interest counter argument.
It is worth stating that if, as an organisation, you receive a request from an employee or other data subject under the right to be forgotten and, having assessed their right to be forgotten against the business’s right to retain the information, you decide to agree to the request and you delete the data concerned, GDPR requires you to track that deletion through your systems including to any third party who might have a copy of that data from you.
We haven’t yet seen this within our own business, but anticipate that as is the case in responding to all data subject rights, it will be an interesting (and probably time consuming!) exercise.
If you have any questions on the right to be forgotten or on your GDPR compliance then please contact me.
Due to demand we are continuing to run more workshops on GDPR compliance – for businesses, charities and for HR teams. If you would like to attend, please book through our website.