Lakhasly

Back in 2012, EU, in an attempt to respond to the challenges posed
by digital remembering and having as ultimate goal to give control
of personal data back to individuals, proposed the RtbF in its recently adopted regulation. The right evolves from the national law
in many European countries like France where the Right to Oblivion
is anticipated. According to some legal experts, the RtbF enshrined
in the GDPR has more a symbolic importance than a substantive effect as it does not actually represent a revolutionary change to the
existing data protection regime but its roots lie within the DPD and
in particular within the right to erasure and the right to object, although the GDPR is more analytical in defining the right and the
conditions under which it shall be invoked [6, 137–138]. For instance, the condition of withdrawing consent in order the RtbF to be
triggered has not been encompassed in any national or European
data protection law so far [137].
Admittedly, this right as introduced in the Article 17 of the
GDPR is a breakthrough on the EU legislation domain because does
not only encompasses the right to erase (or “to forget”) but it also
embraces the right “to be forgotten”. While the first specifies the
need for a controller to delete data, the latter implies the need for
data to be deleted “from all possible sources” in which they reside.
According to extended legal analysis [52, 92], the right is a novelty
and has a broader scope than any of the existing rights whereas its
unique feature, which makes it different from the rights granted by
the existing legislation, is its retro-activity. Article 17(1) provides
several situations where a person has the right to ask personal
data to be erased by the data controller. Of particular interest is
sub-paragraph b, which allows the person to withdraw his or her
consent. In other words, based on the GDPR, withdrawal of a previously given consent is sufficient to have personal data erased by the
controller. Under the regulation, an individual can request erasure
of his personal data “from every data controller” who is processing
the data and not only from the one who processed the data in the
first place (Article 17(2)). The fact that the consent was provided
only to the original controller does not appear to be relevant since
the obligation for erasure arises when the person withdraws consent,
without any specification on the controller who received it.
From the above, it is evident that the enforcement of this right
would pose major technical issues due to the practicalities involved
in knowing all the controllers who are processing the personal data
in question. Even in the case where controllers do have knowledge
of the third parties processing some data that they collected, it places upon them the additional obligation to inform those third parties about the erasure request, given that Article 17(2) states that
“... the controller shall take reasonable steps, including technical
measures, to inform controllers which are processing the personal
data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal
data.” Hence, controllers are required to implement technical solutions to allow the tracking of personal information and to prove its
efficient removal in the case of request for erasure under the RtbF.
And although the first may not be considered a difficult task, since
many controllers keep links of their copied information, the burden
to prove that the erasure has been implemented successfully from
all available sources is still technologically questionable. The fact
that the regulation does not provide a clear and unambiguous definition of the RtbF regarding its non-trivial practicalities of enforcing such a deletion when secondary uses apply, i.e. personal data
have been disseminated to third parties or they have been anonymized or pseudoanonymized, led many to argue that its future enforcement is reasonably doubted [139–140]. Nevertheless, the
GDPR provides a convenient exemption from the obligation to inform all recipients of any rectification or erasure when this
“proves impossible or involves a disproportionate effort” (Article
19). Yet, this exemption has also raised some concerns regarding
the effectiveness of the RtbF as its scope of applicability is not always obvious [141].
Inevitably, the right provoked plenty heated debates and fierce
discussions within law, philosophy, social, humanitarian and computing disciplines and has been lengthy explored in surveys, proposals and academic writings. Xanthoulis in asserted that the
RtbF should be conceptualized as a human right and more specifically as an expression of the broader right to privacy, whereas de
Andrade in [6] presents the RtbF as a branch of the right to identity,
which is the right to be different, not from others but from oneself,
i.e. from the one(s) we were before. Therefore, the RtbF—as part of
the right to personal identity—is intimately connected to the ability
to reinvent oneself, to have a second chance, to start over and present a renewed identity to the world. Following this line, Burkell
[123] explores the consequences of the digital record of our lives for
identity and argues that the RtbF may be, above all else, a psychological necessity that is core to identity—and therefore a value that
we must ensure is protected. Yet, the RtbF has been met with intense
resistance from both businesses and free speech advocates due to its
collision with other rights and protected interests
They questioned the regulation’s incentives and emphasized the difficulty on achieving a delicate balance between the involved rights,
namely the right to privacy and the right to freedom of expression
which, along with the right to privacy, is also contained in the
European Convention on Human Rights (Article 10) . Google’s
chief privacy counsellor remonstrated that the RtbF represents
the biggest threat to the free speech and expression on the Internet
[142] because it is not limited just to personal data that people provided themselves through an unambiguous consent agreement, but
instead, it applies to all possible cases of personal data may be found
online36 [19]. Furthermore, the RtbF has also been labelled by some
as censorship and disastrous for the freedom of expression