Back in 2012, EU, in an attempt to respond to the challenges posed
by digital remembering and having as ultimate goal to give control
of personal data back to individuals, proposed the RtbF in its recently adopted regulation.Google's
chief privacy counsellor remonstrated that the RtbF represents
the biggest threat to the free speech and expression on the Internet
[142] because it is not limited just to personal data that people provided themselves through an unambiguous consent agreement, but
instead, it applies to all possible cases of personal data may be found
online36 [19].Admittedly, this right as introduced in the Article 17 of the
GDPR is a breakthrough on the EU legislation domain because does
not only encompasses the right to erase (or "to forget") but it also
embraces the right "to be forgotten". While the first specifies the
need for a controller to delete data, the latter implies the need for
data to be deleted "from all possible sources" in which they reside.According to some legal experts, the RtbF enshrined
in the GDPR has more a symbolic importance than a substantive effect as it does not actually represent a revolutionary change to the
existing data protection regime but its roots lie within the DPD and
in particular within the right to erasure and the right to object, although the GDPR is more analytical in defining the right and the
conditions under which it shall be invoked [6, 137-138].Inevitably, the right provoked plenty heated debates and fierce
discussions within law, philosophy, social, humanitarian and computing disciplines and has been lengthy explored in surveys, proposals and academic writings.The fact
that the regulation does not provide a clear and unambiguous definition of the RtbF regarding its non-trivial practicalities of enforcing such a deletion when secondary uses apply, i.e. personal data
have been disseminated to third parties or they have been anonymized or pseudoanonymized, led many to argue that its future enforcement is reasonably doubted [139-140].Yet, the RtbF has been met with intense
resistance from both businesses and free speech advocates due to its
collision with other rights and protected interests
They questioned the regulation's incentives and emphasized the difficulty on achieving a delicate balance between the involved rights,
namely the right to privacy and the right to freedom of expression
which, along with the right to privacy, is also contained in the
European Convention on Human Rights (Article 10) .Even in the case where controllers do have knowledge
of the third parties processing some data that they collected, it places upon them the additional obligation to inform those third parties about the erasure request, given that Article 17(2) states that
"... the controller shall take reasonable steps, including technical
measures, to inform controllers which are processing the personal
data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal
data." Nevertheless, the
GDPR provides a convenient exemption from the obligation to inform all recipients of any rectification or erasure when this
"proves impossible or involves a disproportionate effort" (Article
19).