Right to Erasure

GDPR: The Right to Erasure Does Not Always Mean Forgotten

The title should actually be more in question form; Did you know that there’s even a difference between being erased and being forgotten?

Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)“, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.

The right to be forgotten is intended to allow an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” For example; you may have been guilty of a minor criminal offence 30 years ago, which in the UK would likely make that offence “spent” (i.e. it should not be considered in any decisions against you related to insurance, employment, loans and so forth). However, if this criminal record has been posted online then duplicated in numerous forms all over the place, it will never go away. In other words, you’ve paid your ‘debt to society’ but it will haunt you for the rest of your days.

Just ask that poor sod Mario Costeja González how something in your past can perpetually bite you on the arse. He just wanted something fairly benign to be ‘forgotten’ and now he’s one of the most famous names in this whole debate.

On the other hand, the right to erasure is just that; deletion of data that, for whatever reason, is of no further use or shouldn’t be there in the first place (amongst other things). For example; Your previous employer has a BUNCH on information on you, a good chunk of which is simply not relevant. Training schedules, certificates, next of kin and so on. In reality they need only enough to meet certain regulatory and/or legal obligations and a note on whether or not they’d ever hire you back.

So what are you actually trying to achieve when you ask to be erased? I think that > 95 times out of 100 all you want is for an organisation to stop pestering you in some way, but this actually precludes you from being forgotten. If you ask someone to erase everything about you how can they possibly know not to contact you again? They have to keep something, even if it’s just enough to leave you alone.

When asking to be forgotten, you actually don’t have the right in some instances, because doing so would put other people’s rights at risk. Remember, privacy is not an absolute right, it’s only a fundamental right.

For example; Would you want the system to ‘forget’ about someone’s embezzlement background when they are applying for a job in your bank? Or a person’s serious medical condition when applying for a job to drive your kids to school? What about pedophiles?

On the other hand, don’t most of us deserve a chance at retribution for minor mistakes from our past? Should we really have to suffer our whole lives for something we deeply regret and have made amends for a thousand times over?

If you think about it, ‘erasure’ and ‘forgotten’ should really be combined into the ‘Right to the Application of Appropriate Context’ as that’s what you’re looking for from anyone with access to your data.

The above is rambling, enormously oversimplified, and I’m not even sure what my original point was. In the end the implementation of GDPR is going to have an enormous impact on us all, it’s up to you to ensure that impact is positive.

So whether you are data subject trying to invoke your right to erasure, or an organisation trying to understand what your recourse is, you MUST have the right context. You can only achieve that context by doing your homework.

[If you liked this article, please share! Want more like it, subscribe!]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.