Right to be Forgotten

Legal right enabling individuals to request deletion of their personal data from online sources, protected under GDPR and similar regulations worldwide.

Created: March 1, 2025 Updated: April 2, 2026

What is Right to be Forgotten?

The Right to be Forgotten is the legal right of individuals to request that organizations delete their personal data; organizations are obligated to comply unless they have a valid reason not to. First legally protected under GDPR, it has since been adopted by regulations worldwide. Japan’s APPI similarly recognizes a right to request deletion.

In a nutshell: You can ask companies to delete old social media posts and search history simply by saying “I don’t need this anymore.”

Key points:

  • What it is: Individuals request deletion of their personal data; organizations must comply unless they have valid cause to refuse
  • Why it’s needed: It lets individuals regain control of their data in the digital era
  • Who exercises it: EU/GDPR-covered users and users in other countries like Japan

Why it matters

In the digital era, personal actions are captured as data and stored by organizations. Historically, once information was online, it stayed there forever. The Right to be Forgotten challenges this “digital eternal record” concept and returns control to individuals.

People have a right to grow and deserve to be freed from their past. Early photos and blog posts that linger in search results decades later harm job interviews and relationship searches.

The Right to be Forgotten lets people request that unwanted information be deleted, and organizations are required to comply. However, this right isn’t absolute; exceptions include “public interest,” “press freedom,” and “legal retention obligations.”

Scope

Right to be Forgotten applies under specific conditions:

EU/EEA users under GDPR can exercise this right unconditionally. EU companies holding customer data must honor deletion requests.

Japan’s APPI provides equivalent “deletion request rights.” Japanese users can request deletion from both Japanese and foreign companies.

Not all data deletion is permitted. Tax records and legally-retained information cannot be deleted. Publicly-disclosed information (news articles) raises “press freedom” conflicts; deletion isn’t automatic.

Key requirements

Deletion request processes and organization compliance requirements:

Organizations must provide “easy request mechanisms.” Account settings should include a “request data deletion” button that completes the request in 1-2 clicks. Complex forms or requests that can only be made by phone obstruct the exercise of this right.

Organizations receiving deletion requests must respond within 30 days. The data is deleted from databases, and users receive confirmation of the deletion. Data held across multiple systems must be deleted everywhere; partial deletion fails the requirement.

Organizations denying deletion requests must clearly explain their reasons. Valid examples: “legal retention obligation” or “news article status.” Invalid: “too much work” or “no time.” Denial requires legitimate grounds.

Penalties for non-compliance

GDPR non-compliance risks fines of 2% of revenue or 10 million euros, whichever is larger.

APPI non-compliance results in guidance or improvement recommendations from the PPC; refusal risks fines of up to 1 million yen or imprisonment.

Reputational damage is extreme. “Company refusing deletion requests” becomes a label; media coverage destroys social trust.

  • GDPR — Regulation first legally protecting Right to be Forgotten
  • APPI — Equivalent Japanese law
  • Data Minimization — Complementary principle
  • Privacy Policy — Document describing deletion request methods
  • Encryption — Technology ensuring verified data deletion

Frequently asked questions

Q: Must a social networking service (SNS) delete all photos and comments when deletion is requested?

A: Basically no. If other users commented on or shared your posts, their rights need to be considered. Deleting your original post typically auto-deletes the associated comments. Complex cases require legal judgment by the company.

Q: Does deletion remove search engine results?

A: Direct obligations apply to data-holding companies (e.g., Facebook), not search engines (Google). Search engine deletion requests are weighed against “public interest” and “news value.” Google declines about 40% of requests; information about famous people or with news value stays.

Q: Is a three-month delay in responding to a deletion request non-compliance?

A: Yes. GDPR requires a response “without delay,” ideally within 30 days. A three-month delay is likely a breach, unless complex, widespread deletion circumstances justify a documented delay.
