By Katherine Whitlock
The General Data Protection Regulation (GDPR) is a new European Union (EU) law that regulates data protection and privacy laws. The law regulates any company that collects or monitors personal information from EU citizens. Although this is an EU law and only protects EU citizens, it applies to any company in the world that deals with EU citizens.
GDPR’s intention is to “give EU citizens more control over their own personal data, improving their security both online and offline” and make it more beneficial for businesses as well. Under GDPR, companies must expressly ask for a consumer’s consent before they collect/monitor information.
The law’s main purpose of protecting a citizen’s privacy includes a “right to be forgotten,” and is given to anyone who allows companies to collect their personal information. A citizen can request that their information be deleted from a company’s database, or even that their information be transferred to another source.
One of the main draws for ‘the right to be forgotten’ is that EU citizens theoretically have more control over their privacy rights and what personal data they want circulating. However, with a growing technological world, is it even possible for individuals to be truly forgotten? Hypothetically, an individual will submit personal information to a multitude of companies during their lifetime. If an individual actually attempts to erase everything about himself or herself that he or she puts online, the effort would likely be impractical or perhaps even impossible.
One major problem with the right to be forgotten is that it can be overridden in situations such as: freedom of expression, compliance with a legal obligation, reason of public interest, and archiving purposes for scientific or historical research.
The freedom of expression exemption could harm an individual’s right to be forgotten. The law does not clearly explain what constitutes this exception. The EU has given discretion to the member states and their courts to determine when a company should prevail in keeping content to properly express themselves. It is possible that freedom of expression will be greatly harmed if companies err on the side of caution and choose to remove content in excess rather than face the potential consequences. If a court allows a corporation to keep content based on freedom of expression, this inherently limits an individual’s right to be forgotten and they cannot be truly removed from any company’s system.
GDPR is still very new with many unanswered questions. As this law continues to unfold, it will be interesting to see whether or not individuals will be successful in requesting erasure of their information and if they can be truly “forgotten.”
Full article (PDF) with citations coming soon.
(Coming soon with full article.)
About the Author
Katherine Whitlock is a 2020 candidate for Juris Doctor from SMU Dedman School of Law. She received her Bachelor of Business Administration from Texas A&M University in 2017.