Understanding the Privacy Right to Be Forgotten

Since 2018, the General Data Protection Regulation (GDPR) has wielded a significant impact on privacy practices across the globe. Aside from offering strong protection for the personal data of European Union citizens, GDPR has effected many changes in the way companies conduct business when EU data is part of the equation. Likewise, it has become the gold standard and a model for privacy legislation in many jurisdictions within the United States, as well as around the world.

Among many others, one right afforded to individuals under GDPR is the right to request deletion of one’s personal data held by an organization, or, as it is more colloquially known, the right to be forgotten. As data privacy laws continue to gain a greater foothold in the U.S.[1], the rights of U.S.-based individuals (a/k/a data subjects), including employees in some cases, are now coming into focus, including the right to have personal information deleted[2].

How the Right to Deletion Works
The right to deletion is exercised through the mechanism of a Data Subject Access Request or DSAR. Although each state’s privacy law has its own specific requirements on how to handle DSARs, including mandated response times and verification of the data subject’s identity, a company subject to such laws also should have a set and verifiable method for responding to DSARs. In fact, many privacy vendors offer products which allow for the automation of DSARs. This method should be set out in a company’s privacy policy.

Scope of the Right to Deletion
As in the popular limbo game, the key question for organizations is “how low can you go?”. In other words, when a company receives a DSAR, how far back into its data records and archives must the company search? Does a company need to pass the request on to other companies which may have received the data from them? What is the scope of this right?

The answer is that the right to deletion is not absolute. For example, under GDPR, exceptions to the right to delete include when data is being used for the following purposes:

• To exercise the right of freedom of expression and information


• To comply with a legal ruling or obligation


• To perform a task that is being carried out in the public interest or when exercising an organization’s official authority


• For public health purposes or when serving and the public interest


• To perform preventative or occupational medicine (this exception is applicable only to data being processed by a health professional who is subject to a legal obligation of professional secrecy)


• When the data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and erasure of such data would be likely to impair or halt progress towards achieving the intended goal of the processing


• When the data is being used for the establishment of a legal defense or in the exercise of other legal claims

Likewise, under current U.S. state laws, the right to delete is subject to similar types of exceptions, including, but not limited to, the following:

• The data is needed to comply with federal, state or local laws, rules and regulations


• The data is needed to comply with a civil or criminal inquiry


• The data is needed to investigate, exercise, prepare for or defend legal claims


• The data is needed to provide a product or service specifically requested by a consumer


• The data is needed to otherwise use the consumer’s personal information internally in a lawful manner that is otherwise compatible with the context in which the consumer provided the information


• The deletion effort is impossible or involves disproportionate effort (a decision made on a case by case basis)


• The data has been disassociated with from the individual by means of anonymizing or pseudonymizing


• The data is held in archives or a back-up file and it is difficult or impossible to access the data or it may adversely affect adjacent data records

Shared Data is also Subject to DSAR.
The party collecting the data and receiving the DSAR must also inform any parties with whom it may have shared the data and require them to also delete the data. For instance, if a company has shared data with its affiliates, business partners, ad networks or any number of other third parties, these partners will have similar downstream obligations to delete, subject to the exceptions.

Examples of Data Request Responses
Some requests are easy to respond to, such as requests to delete:

• a criminal conviction (compliance not required)


• an employee’s negative performance review (compliance not required)


• a name from a marketing list (compliance required)

However, other requests are not so straightforward. For example, if data is held in the records of a company’s product and is needed to evidence compliance, must it be deleted upon request? What if the data is part of the product delivered on a SaaS platform? What if the data is located in an email? In these situations, any number of exceptions may apply making deletion unnecessary.

Establishment of a Privacy Program is Crucial
The ability to respond to a DSAR presumes that a company has a data privacy program already in place which enables the tracking or mapping of its data. In fact, the practice of data mapping, or conducting a data inventory, is a critical building block for privacy law compliance. Other key components of an effective privacy program include sound data security practices, frameworks and standards, as well as a transparent privacy policy and data deletion rules. Together, these elements play an important role in a company’s ability to respond to the requests from data subjects and inquiries from regulators.

Conclusion
As digital business practices continue to reshape commerce, it is important to understand applicable privacy laws and the obligations they impose on your business, including the need to respond to requests for deletion. The attorneys at Outside GC have experience in this area and can assist with the establishment or improvement of your company’s privacy program, as well as how you handle DSAR’s and the thorny landscape of the right to be forgotten. For more help, please contact Lori Ross at [email protected].

[1] As of now, California, Virginia, Connecticut, Colorado and Utah have enacted newly enhanced privacy laws: California Consumer Privacy Act of 2018 (CCPA); California Privacy Rights Act of 2020 (CPRA) and Virginia Consumer Data Protection Act (VACDPA) which both go into effect on January 1, 2023; and finally, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (CTPA); Colorado’s Privacy Act (COPA) and Utah’s Consumer Privacy Act (UCPA) are in the queue. Nevada also has similar requirements.

[2] Other rights granted to data subjects include the right to access information, to know how the information was shared, and the right to correct any erroneous information.

Lori Ross is a Partner on Outside GC’s California-based team. Lori has over 25 years of legal experience and focuses her practice on advising new and emerging technology, manufacturing and media companies. She regularly handles a wide range of commercial and privacy related issues, include SaaS and IaaS matters. Lori holds the International Association of Privacy Professionals (IAPP) designations in U.S. and European privacy law – CIPP/US and CIPP/E, and she is also an IAPP Certified Information Privacy Manager (CIPM).