Facts vs Fiction: What’s the ‘Right to be Forgotten’ Really About?

There’s still a vigorous debate going on about the ‘right to erasure’, also referred to by some as ‘the right to be forgotten.’ Its detractors strongly argue that it is tantamount to censoring lawful and factual information, and is dubious on principle. They also believe it to be deeply flawed as a method of protecting privacy.

I believe those to be simple-minded positions. The ‘right to erasure’ allows for data subjects to have their data scrubbed when it is no longer necessary for the purpose an organization originally collected it. It is also key when there is no overriding legitimate interest for an organization to continue with the processing. It also protects an individual when their data is being processed unlawfully or when an organization has to adhere to a court ruling.

To be more specific, Article 17 of the GDPR outlines the conditions under which the right to be forgotten takes precedence. An individual has the right to have their personal data erased when:

  • The personal data is no longer required for the original purpose an organization collected or processed it;
  • An organization is relying on an individual’s consent as the lawful basis for processing the data and that consent is withdrawn;
  • An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing;
  • An organization is processing personal data for direct marketing purposes and the individual objects to this processing;
  • An organization processed an individual’s personal data unlawfully;
  • An organization must erase personal data in order to comply with a legal ruling or obligation; and
  • An organization has processed a child’s personal data to provide them with specific information services.

However, there are several instances that override the right to erasure:

  • The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to comply with a legal ruling or obligation.
  • The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
  • The data being processed is necessary for public health purposes and serves in the public interest.
  • The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
  • The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would be likely to impair or halt progress towards the achievement that was the goal of the processing.
  • The data is being used for the establishment of a legal defense or in the exercise of other legal claims.
  • Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive.

As is evident from a deeper look at the GDPR, a number of factors contribute to successfully having your data erased. Each request has to be assessed individually, the request must not interfere with other fundamental rights, it shouldn’t take precedence over the public interest, or countermand law enforcement requirements, etc. It is NOT a lawful reason to erase history or hide data about yourself that is embarrassing, and it doesn’t generally allow you to obscure your criminal past.

That being said, the issue of outdated and irrelevant information remaining indefinitely online is one that the law has not effectively addressed (especially in the Internet Age). And it’s a dilemma that is predominantly more harmful for those who aren’t public figures — the folks who are in greater need of privacy protections from the law.

The Impact of the GDPR on the Hospitality Sector

Today I held a General Data Protection Regulation (GDPR) awareness seminar for members of the Barbados Hotel and Tourism Association (BHTA).

With regard to data security, there are few sectors more vulnerable to data-related threats than the hospitality sector. The volume of processed personal and credit card information being handed over to hotels, restaurants, etc. on a daily basis makes the sector extremely vulnerable. With the enforcement deadline having passed on 25 May, several companies in the sector have not updated their data protection processes, and are at risk of large financial penalties.

The seminar touched on key areas such as the following:

  1. Major differences between the Data Protection Directive 95/46/EC and the GDPR
  2. Overall readiness across the hospitality sector
  3. Capturing and using personal data going forward
  4. Consent and contextual use of personal data
  5. How the GDPR affects repeat business and email marketing
  6. How the GDPR affects third-party data processors
  7. The rights of data subjects under the GDPR
  8. The difference between ‘personal data’ and ‘sensitive data’, and how they should be treated
  9. Other key aspects of the GDPR such as the Data Protection Officer (DPO), Data Protection Impact Assessments (DPIA) and ‘privacy by design’
  10. How to update strategies for websites, data governance, and marketing to become GDPR compliant

My takeaway from this session was that many businesses — small to large — have not taken any steps to align their operations and processes with the requirements of the GDPR. Several others are defiantly refusing to address privacy and data protection within their organizations. However, what was gratifying is that I received a torrent of emails in the hours and days after from hoteliers, many of them eager to engage subject matter experts (SMEs) to assist in improving their control framework to meet the rigorous demands of the GDPR. Hopefully, this interest and willingness to improve is sustainable. There’s a lot of work to be done!