The right to be forgotten appears in Article 17 of the General Data Protection Regulation (GDPR), stating that the “data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” In other words, an individual has the ability to request search engines like Google to delist certain results linked to their name and remove sensitive data from public record databases.
To date, the right to be forgotten is only applicable to residents of the European Union and the European Economic Area. However, it is not an absolute right and it is only valid under specific circumstances, including cases where an organisation has unlawfully processed a person’s data, the data has become irrelevant to the organisation or where the collected data belongs to a child.
While the right to be forgotten was not a GDPR’s invention — it had been present in several jurisdictions in Europe — it gained significantly more traction after the 2014 Google vs. Spain case. The case related to a lawyer whose bankruptcy records had been published on a website that was accessible via Google. The Court ruled in favour of the plaintiff, radically changing the way Europe dealt with digital privacy.