Protecting Your Digital Footprint: The Right to Be Forgotten Under Data Protection Laws
Introduction
The digital age has brought about a massive shift in the way business is conducted, as well as how individuals socialize and communicate. The widespread adoption of the internet has seen a surge in the collection, processing, and sharing of vast amounts of personal data. While this has brought about many benefits, it has also given rise to significant risks, including data breaches, identity theft, and online harassment. To address these and many other concerns, data protection laws have been introduced to regulate the collection and processing of personal data and to give individuals greater control over their digital footprint. One of the most significant rights granted under these laws is the right to be forgotten, also known as the right to erasure.
In this mini article, we will explore the right to be forgotten under the General Data Protection Regulation (GDPR) and Nigerian Data Protection Regulation (NDPR) and why it is essential for protecting your digital footprint. We will discuss how this right works and what exemptions exist under these regulations. We will also provide practical guidance on how to exercise this right and protect your privacy in the digital world, as well as how controllers need to respond to the exercise of this right. By understanding the right to be forgotten and how it can be used, individuals can take control of their personal data and protect their digital footprint.
What is the Right to Erasure?
The right to be forgotten, also known as the right to erasure, as the name implies, is the right individuals have to obtain from a controller/business/organization the erasure of personal data concerning them, which the controller processes. It is crucial for individuals to understand their right to be forgotten and how it can be enforced, as it is one of the fundamental rights granted to individuals under the European Union’s GDPR and the NDPR (which share similar provisions).
Under the GDPR and NDPR, individuals have the right to request the deletion or removal of their personal data:
- Where their personal data are no longer necessary in relation to the purpose for which they were collected or processed;
- Where they withdraw their consent to the processing, and there is no other lawful basis for processing the data;
- Where they object to the processing, and there are no overriding legitimate grounds for continuing the processing;
- Where they object to the processing and their personal data are being processed for direct marketing purposes;
- Where their personal data have been unlawfully processed;
- Where their personal data have to be erased in order to comply with a legal obligation; or
- Where their personal data have been collected in relation to the offer of information society services (e.g. social media) to a child (only applicable under the GDPR).
This right is not limited to online data as it applies to both online and offline data, and data controllers are obligated to comply with erasure requests that fall within any of the circumstances mentioned above within a reasonable timeframe.
However, it’s important to note that the right to be forgotten is not absolute. There are certain situations where data controllers may be exempt from complying with these requests, such as when the processing of personal data is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or the establishment, exercise, or defense of legal claims. Data controllers must also consider the potential impact of a request for erasure on other individuals’ rights and freedoms. For example, if the personal data in question is necessary for scientific, historical, or statistical purposes, the controller may not be required to erase it.
How to Exercise a Right to Erasure
In order to exercise their right to be forgotten, individuals can submit a written request to the data controller, providing specific details about the personal data they wish to have erased and the reasons for the request. Data controllers must respond to these requests in a timely manner, providing confirmation of the erasure or explaining why the request cannot be fulfilled.
We recommend that individuals take an active role in protecting their personal data and exercising their rights under relevant data protection laws. This includes reviewing privacy policies and consent forms before sharing personal data and being proactive in submitting requests for erasure if and when appropriate.
One of the primary reasons for exercising the right to erasure is to prevent the misuse of personal data. In today’s world, personal data is collected, processed, and shared on a massive scale by organizations and businesses, but not all of these entities have secure data practices in place, which can leave personal data vulnerable to cyberattacks and data breaches. By exercising the right to erasure, individuals can remove their personal data from organizations that may not have adequate security measures, thereby reducing the risk of data breaches and identity theft. Another reason to exercise the right to erasure is to protect personal data. People may want to remove their personal data from online platforms, especially if they have been subject to online harassment. Individuals can remove their personal data from these platforms by exercising the right to erasure, reducing the likelihood of further harassment or abuse.
In addition to protecting personal privacy and personal data, exercising the right to erasure can also help individuals control their online reputation. In today’s digital age, a person’s online presence is often just as important as their offline reputation. By removing personal data that is no longer necessary or accurate, individuals can maintain greater control over their online image and reputation.
How to Respond to the Exercise of the Right to Erasure
Where data subjects have made a request for the deletion of their personal data, which a data controller has made public, on the basis of one of the above grounds, the controller is obliged to erase the data. After erasure, the controller must also:
- Communicate the erasure of the personal data to each recipient to whom the personal data had been disclosed, unless this is impossible or involves a disproportionate effort;
- Inform the data subject(s) about the recipients of their personal data, if they request this information; and
- Take reasonable steps to inform other controllers who are processing the personal data that the data subject has requested that they erase any links to, or copies of, that data.
Conclusion
Overall, the right to erasure is a powerful tool for protecting personal privacy and personal data in the digital age. By understanding how to exercise this right and taking steps to protect personal data, individuals can take greater control over their digital footprint and protect themselves from the risks of data breaches and online harassment. If you still need guidance on how to exercise this right, kindly reach out to us at complaint@pdpainitiative.com