Can You Actually Be Forgotten?

Yesterday I talked about the different privacy laws that currently exist around the world. I casually mentioned the concept of "The Right To Be Forgotten", as if that was something so simple and didn't require any more explanation. The truth is, the concept itself is a big deal. We've all heard the fact that once something is on the Internet, it's there forever. I'm sure plenty of people wish there were some things that could be erased from everyone's memory. Alas, the reality is they never will be. Unless you're the Star Wars Christmas Special.

Today, I'm going to dive deeper into the concept of "The Right To Be Forgotten" (RTBF). What it actually means, how it is executed, the drawbacks, the flaws, and everything else you'll need to become familiar with it. Let's dive in.


What Is the Right to Be Forgotten?

RTBF is a legal concept that allows individuals to request the deletion of their personal data from online platforms, databases, or search engines. It originated in the EU under the General Data Protection Regulation (GDPR) in 2018, but other privacy laws in different regions have since followed suit, such as California’s California Consumer Privacy Act (CCPA).

The idea is simple: if your personal data is no longer necessary, relevant, or accurate, or you no longer consent to its collection, you should have the right to have it removed. This is important in cases where outdated or harmful information could negatively impact your reputation, privacy, or safety.

“The Right to Be Forgotten is a fundamental shift in how we think about data ownership. It empowers individuals to take control of their digital identities, but it also places a significant burden on companies to manage data responsibly.” – Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario and creator of the concept of Privacy by Design.

How Does It Actually Work?

  1. Make a Request: Individuals can submit a formal request to a company or search engine (e.g., Google) to delete their personal data. The request must specify what data should be removed and why it meets the criteria for deletion (e.g. it’s outdated, irrelevant, or unlawfully processed).
  2. Evaluation: The company or platform evaluates the request to determine if it falls under the legal grounds for deletion. They must balance the individual’s right to privacy against the public’s right to information (e.g. in cases involving public figures or criminal activity).
  3. Action: If the request is approved, the data is deleted from the company’s systems, and links to the data are removed from search engine results. If the request is denied, the individual can appeal to a data protection authority (DPA) in their region.

Some Statistics:

  • Since GDPR came into effect in 2018, Google has received over 1.7 million RTBF requests, resulting in the removal of 48% of requested URLs from search results. (Source: Google Transparency Report)
  • In 2022, 72% of RTBF requests were made by private individuals, while 28% came from public figures or organizations. (Source: European Data Protection Board)


Does My Data Actually Get Deleted?

This is where things get a little fuzzy. While companies are legally required to delete your data upon request, the reality isn’t as straightforward:

  1. Technical Challenges: Data is often stored in multiple locations, including backups, archives, and third-party systems. Deleting it everywhere can be technically challenging. Some companies may anonymize the data instead of deleting it, claiming it no longer qualifies as “personal data.”
  2. Legal Loopholes: Companies could argue that the data is still necessary for legal, regulatory, or business purposes (e.g., fraud prevention, tax compliance). In some cases, they may hold onto the data but restrict access to it, making it “invisible” without fully deleting it.
  3. Global Variations: The RTBF applies primarily in the EU. If a company operates globally, it may only delete the data for EU users, leaving it accessible elsewhere. Search engines like Google may remove links from EU versions of their site (e.g. google.fr) but keep them on non-EU versions (e.g. google.com).

Some Technical Clarifications:

  • Data Deletion vs. Data Anonymization: When you request data deletion, companies often anonymize the data instead of fully deleting it. Anonymization removes personally identifiable information (PII), but the data can still be used for analytics or AI training. For example, if your purchase history is anonymized, it might still be used to train a recommendation algorithm, even though it’s no longer tied to your name.
  • Backups and Archives: Data stored in backups or archives may not be immediately deleted due to technical constraints. GDPR allows companies to retain such data until the next backup cycle, which could take months or even years.
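
To make the backup problem above concrete, here is an added example (not from the original article, and not any company's actual code): an erasure ledger that is re-applied whenever an old backup is restored, next to a naive restore that brings the "deleted" person back. The names `ErasureLedger`, `token` and `naive_restore`, the key and the sample rows are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: a secret held outside the data stores

def token(email):
    """Keyed hash, so the ledger can match a subject without storing the address."""
    return hmac.new(KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

class ErasureLedger:
    """Hypothetical suppression list consulted by every store and every restore."""

    def __init__(self):
        self.erased = set()

    def erase(self, email, live_rows, legal_hold=frozenset()):
        """Handle one request against the live store."""
        if email in legal_hold:
            # Retained for a legal purpose: access is restricted, nothing is deleted.
            for row in live_rows:
                if row["email"] == email:
                    row["restricted"] = True
            return "restricted"
        self.erased.add(token(email))
        live_rows[:] = [r for r in live_rows if r["email"] != email]
        return "erased"

    def restore(self, snapshot):
        """Restore a backup while re-applying erasures made after it was taken."""
        return [dict(r) for r in snapshot if token(r["email"]) not in self.erased]

def naive_restore(snapshot):
    """Restore with no ledger: erased subjects come back with the backup."""
    return [dict(r) for r in snapshot]

def demo():
    # Constructed sample rows; the backup predates the erasure request.
    live = [{"email": "ana@example.com", "order": 17},
            {"email": "bo@example.com", "order": 18},
            {"email": "cy@example.com", "order": 19}]
    backup = [dict(r) for r in live]
    ledger = ErasureLedger()
    outcomes = [ledger.erase("ana@example.com", live),
                ledger.erase("cy@example.com", live, legal_hold={"cy@example.com"})]
    emails = lambda rows: sorted(r["email"] for r in rows)
    return outcomes, emails(live), emails(naive_restore(backup)), emails(ledger.restore(backup))

if __name__ == "__main__":
    print(demo())
```

The "restricted" outcome mirrors the legal-hold case from the previous list: the row stays in the store and is only flagged, which is exactly the "invisible but not deleted" state described there.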

“The Right to Be Forgotten is a step in the right direction, but it’s not a panacea. Companies often use technicalities like anonymization or backups to sidestep full deletion, leaving individuals with a false sense of security.” – Dr. Andrea Jelinek, Chair of the European Data Protection Board (EDPB).

Key Challenges and Controversies

  1. Freedom of Information vs. Privacy: Critics argue that the RTBF can be used to erase legitimate public information, such as news articles or criminal records, undermining freedom of speech and the public’s right to know. For example, should a politician be able to delete unflattering news articles from their past?
  2. Enforcement and Compliance: Smaller companies may struggle to comply with RTBF requests due to limited resources or technical capabilities. Some companies may simply ignore requests, especially if they operate outside jurisdictions with strong privacy laws.
  3. AI and Machine Learning: Even if your data is deleted from a company’s database, it may still influence AI models that were trained on it. For example, if your data was used to train a facial recognition system, removing it won’t “un-train” the model. This raises questions about whether the RTBF can ever be fully effective in an AI-driven world.

Statistics:

  • A 2023 study by MIT Technology Review found that 60% of AI models trained on personal data retained biases or patterns from deleted datasets, highlighting the limitations of the RTBF in AI systems.
  • In 2022, only 34% of RTBF requests to smaller companies were fully complied with, compared to 78% for large corporations. (Source: European Commission)

“The Right to Be Forgotten is fundamentally at odds with how AI systems are built. Once your data is used to train a model, it becomes part of the system’s ‘DNA.’ Deleting the original data doesn’t undo its impact.” – Dr. Kate Crawford, Senior Principal Researcher at Microsoft Research and author of Atlas of AI.

Real-World Examples

  1. Google Spain v. AEPD (2014): The landmark case that established the RTBF in the EU. A Spanish man successfully requested Google to remove links to outdated information about his financial history.
  2. Celebrity Requests: Public figures have used the RTBF to remove unflattering or outdated information, sparking debates about fairness and transparency.
  3. Data Breaches: Victims of data breaches often invoke the RTBF to have their stolen data removed from the internet, but this is rarely effective.

In 2021, over 1,000 data breaches were reported in the EU, exposing the personal data of millions of individuals. Despite RTBF requests, less than 10% of breached data was fully removed from the internet. (Source: European Union Agency for Cybersecurity)


What Can Readers Do?

  1. Know Your Rights: Familiarize yourself with the privacy laws in your region (e.g., GDPR, CCPA) and how to exercise your RTBF.
  2. Be Proactive: Regularly review your online presence and request the deletion of outdated or unnecessary data.
  3. Advocate for Stronger Protections: Support initiatives that push for stronger data privacy laws and better enforcement mechanisms.

“The Right to Be Forgotten is only as strong as the systems that enforce it. Individuals need to be vigilant, but we also need stronger regulations and better tools to ensure compliance.” – Max Schrems, privacy advocate and founder of NOYB (None of Your Business).

Is the Right to Be Forgotten Enough?

A 2023 survey by Pew Research Center found that 67% of individuals feel they have little to no control over how their personal data is collected and used, underscoring the need for stronger privacy rights like the RTBF. While the RTBF is a powerful tool for reclaiming control over personal data, it’s not the be-all and end-all. Technical limitations, legal loopholes, and the pervasive nature of AI mean that your data may never be fully “forgotten.” As we navigate this complex landscape, it’s crucial to advocate for stronger privacy protections and hold companies accountable for how they handle our data.
