The right to be forgotten is the concept that individuals have the civil right to request that personal information be removed from the Internet. In the European Union, the right to be forgotten is also referred to as the right to erasure. In order to effectively remove someone's personal data, there must be a traceable mechanism for making sure that deleted data is also removed from backup storage media.
While the right to be forgotten has become law in the European Union, the concern in the United States is that removing information from the Internet conflicts with the open nature of the Web and the free flow of information.
GDPR and the right to be forgotten
Article 17 of the General Data Protection Regulation (GDPR) is technically called the right to erasure, but it is commonly referred to as the right to be forgotten. According to Article 17, an individual can make a request to a data controller that all of their personal data be erased without "undue delay" and at no cost to the person making the request. This includes files, records in a database, replicated copies, backup copies and any copies that may have been moved into an archive.
The terms data controller and data processor are clearly defined as they apply to GDPR. The data controller is the person or entity who is legally responsible for storing digital personally identifiable information. The data processor is the entity that holds or processes personal data, but does not exercise responsibility for or control over the personal data. In this context, a cloud provider is considered to be a data processor. The data processor cannot hold copies of data or make them available for other uses. The data controller, therefore, is responsible for deleting the personal data and ensuring it has been erased, as well as executing the operations but not for the decision process.
Currently the General Data Protection Regulation ruling regarding backups applies only in the European Union, but enterprises doing business in the European Union need to be able to address the General Data Protection Regulation's right to erasure clauses or face financial penalties. The new regulations expand the definition of personally identifiable information (PII) to include IP addresses and photos.
History of the right to be forgotten
In May 2014, a man from Spain asked Google to remove links to an old newspaper article about his previous bankruptcy, claiming there was no legitimate reason for the outdated information to remain accessible online. The European Court of Justice ruled that under European law, search engines are data controllers, so they must consider all requests to stop returning irrelevant or outdated information in search queries. According to the ruling, the Web pages to which the query results in question pointed could remain online, and any link omissions from query returns would occur only when searches were made in Europe. In the wake of the 2014 ruling, Google began receiving thousands of requests to take down links.