Cybersecurity

The right to be forgotten allows people to ask for data about them to be removed from the internet. How does it work?

New "right to be forgotten rules" allows individuals to request that organizations remove and delete personal information about them. Here's what to know.

New "right to be forgotten rules" allow individuals to request that organizations remove and delete personal information about them. Here's what to know. Image: Unsplash/Ales Nesetril

Ian Shine
Senior Writer, Forum Agenda
Share:
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Data Policy is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

Data Policy

This article was originally published in October 2023 and updated in November 2023.

  • The EU’s right to be forgotten rule allows individuals to request that organizations remove and delete personal information about them from online platforms.
  • People can only ask organizations to erase their personal data if specific criteria are met, such as that it is outdated or offensive.
  • Tackling harmful content online is the primary aim of the World Economic Forum’s Global Coalition for Digital Safety, which has developed a set of Global Principles on Digital Safety.

An increasingly digital world has led to digital footprints with surprisingly long trails - and details some people would rather the internet forgot.

This phenomenon has led to calls for “the right to be forgotten” – also known as the “the right to erasure” of personal data.

It has both supporters and critics - and some governments have enshrined it as a right.

The concept has recently been back in the headlines after a Canadian court agreed that Canadians have the 'right to be forgotten' on Google searches. The Federal Court of Appeal found that the search engine is covered by its federal privacy law. Indeed, the Columbia Journalism Review goes so far as to say, "The EU's right to be forgotten is migrating to other countries".

Why do people want the right to be forgotten?

The amount of data we've created since 2010 is enormous, with online data growing substantially over that time period.

Graph illustrating the data growth worldwide, 2010-2025.
Levels of data generated have soared in the digital age, and will keep on rising. Image: Statista

The 60-fold jump from 2 zettabytes of data generation in 2010 to an estimated 120 zettabytes now is an obvious result of the dawning of the digital age, and some of that data almost certainly relates to you.

If that data is old, outdated or offensive, you may want it to be removed, and that is broadly why “right to be forgotten” rules came into existence.

The regulation stems from a 2010 case brought by a Spanish national after online search results for his name brought up references to legal proceedings from 1998 that had since been resolved. Google was consequently ordered to remove this information from its results page.

What is the right to be forgotten?

The right to be forgotten is a concept that allows people to request that organizations remove and delete specific personal information about them from online platforms.

This right is not recognized everywhere and even where it is, organizations don’t always have to comply with requests.

The EU introduced its right to erasure rule in 2014, and the legislation is part of its General Data Protection Regulation (GDPR). A 2019 ruling declared that Google didn't have to apply the right globally but as the Canada news shows, it is being looked at and debated beyond Europe's borders.

For example, in Japan, a 2016 ruling recognized a man's right to be forgotten on Google.

And in a sign that people and policy-makers are becoming ever more aware of sensitivities around privacy and personal data, the Dutch city of Amsterdam has recently developed software that can blur out people who appear in images collected by its Mobile Mapping team.

"It is of great importance that we develop new applications and initiatives that further safeguard the privacy of residents and visitors," a spokesperson for the city told Cities Today. "This right to privacy applies to the online and offline world.”

When does the right to be forgotten apply?

Only people (not organizations) can ask for their personal data to be deleted and only if certain criteria are met. They cannot request that data be deleted for no legitimate reason.

Some of the criteria for the right to be forgotten in the EU include:

  • The data is no longer needed in relation to the purpose for which it was collected or processed.
  • An individual withdraws consent for the data to be used and there is no lawful basis contradicting this.
  • Personal data is being processed for direct marketing purposes and the individual objects to this.
Discover

What is the Forum doing to close the gap between technology and policy?

However, requests for personal data to be deleted can be denied. This can often include:

  • The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to perform a task being carried out in the public interest or when exercising an organization’s official authority.
  • The data being processed is necessary for public health purposes and serves in the public interest.

For additional examples, this list from the EU details other reasons data may and may not be erased in Europe, though rules might vary elsewhere.

Right to be forgotten cases

Data removal can be complicated. For instance, if a search engine is ordered to remove an individual’s data, this applies only to results that show up in Europe, not globally.

Still, as awareness of this right grows, so do requests. For instance, X – formerly known as Twitter – has seen rising requests for data to be removed. It received an average of over 250 requests per day in the final six months of 2021, the latest period on which it provides information.

Graph illustrating the demands of latest data on X.
X – formerly known as Twitter – has seen rising numbers of requests for data to be removed. Image: X

Cases across the internet where the right to be forgotten has been enforced include:

Who decides what should and should not be forgotten?

Some critics remind policymakers and leaders that a balance must be struck when determining what should and should not be forgotten.

For instance, tension does exist between the right to be forgotten and the right to freedom of expression. And the legislation makes space for this, with Article 17(3) outlining circumstances where the right to be forgotten doesn't apply - including exercising the right to freedom of expression and information. Some believe this right could be misapplied to cover up human rights violations and other illegal activity.

Concerns are that the legislation could lead to frequent and widespread removal of content, and it can be used as a mechanism to censor or prevent scrutiny.

And, as technology develops, new challenges emerge. For example, questions have emerged about large language models, typically used to train AI systems, and the right to be forgotten from those. And, more significantly, how you might be forgotten from such datasets, which would be much more complicated than for search engines.

Tackling harmful content online

Where many cases are upheld, the data has posed a threat to an individual’s well-being. Tackling harmful content online is the primary aim of the World Economic Forum’s Global Coalition for Digital Safety, whose members span the public and private sectors and have developed Global Principles on Digital Safety.

“The principles encourage deeper collaboration and cooperation, recognizing that we all have responsibilities to help build a safe, rewarding and innovative digital world,” the Forum says in its Translating International Human Rights for the Digital Context report.

Anyone wishing to have data about themselves removed from the internet can make a request verbally or in writing, depending on their jurisdiction. The EU provides a template for doing so, while organizations, including Google and X, have set up online request forms.

Have you read?
Loading...
Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
CybersecurityGeographies in Depth
Share:
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Quantum computing could threaten cybersecurity measures. Here’s why – and how tech firms are responding

Simon Torkington

April 23, 2024

About Us

Events

Media

Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum