right to be forgotten

Contributor(s): Laura Aberle

The right to be forgotten is the concept that individuals have the civil right to request that personal information be removed from the Internet. In May 2014, a man from Spain asked Google to remove links to an old newspaper article about his previous bankruptcy, claiming there was no legitimate reason for the outdated information to remain accessible online. The European Court of Justice ruled that under European law, search engines are data controllers, so they must consider all requests to stop returning irrelevant or outdated information in search queries. According to the ruling, the Web pages that the query results in question point to can remain online, and any link omissions on query returns will only occur when searches are made in Europe. In the wake of the ruling, Google began receiving thousands of requests to take down links.

While the right to be forgotten aims to support personal privacy, the concern in the United States is that it conflicts with the open nature of the Web and the free flow of information. The interests of one individual in removing information from the Web may conflict with the interests of another individual or group. While Google is not required to honor every request for information to be taken down, it seems clear that the popularity of the concept will inspire organizations to have a process in place for reviewing and following through on take-down requests.

It is important that when a person requests that their data be deleted, there is a traceable mechanism for making sure the data is removed in such a way that it cannot be restored from backup storage media. Currently, the General Data Protection Regulation ruling regarding backups applies only in the European Union, but according to some research, Americans might be interested in a similar right in the U.S., in spite of concern from the opposition that removal of legally published and truthful information from the open Web infringes on First Amendment rights and smacks of censorship.

GDPR and the right to be forgotten

Enterprises doing business in the European Union need to be able to address the General Data Protection Regulation's (GDPR's) right to erasure clauses or face financial penalties. The new regulations expand the definition of personally identifiable information (PII) to include IP addresses and photos.

Article 17 is technically called the right to erasure, but it is commonly referred to as the right to be forgotten. According to article 17, an individual can make a request to a data controller that all of their personal data be erased without "undue delay" and with no cost to the person making the request. This includes files, records in a database, replicated copies, backup copies and any copies that may have been moved into an archive.

The terms data controller and data processor are clearly defined as they apply to GDPR. The data controller is the person or entity who is legally responsible for storing digital personally identifiable information. The data processor is the entity that holds or processes personal data, but does not exercise responsibility for or control over the personal data.

In this context, a cloud provider is considered to be a data processor. The data processor cannot hold copies of data or make them available for other uses. The data controller, therefore, is responsible for deleting the personal data and ensuring it has been erased, as well as executing the operations but not for the decision process. 

See also: privacy impact statement, Electronic Privacy Information Center (EPIC), privacy plan, consumer privacy

This was last updated in February 2019
