Implications of the EU ‘Right to be Forgotten’ on U.S. Higher Education Institutions
On May 25, 2018, the much-hyped General Data Protection Regulation (GDPR) came into effect in all the European Union Member States. Some of its most talked about features, alongside the potential for a €20 million (US$23.5 million) fine or 4 percent of annual turnover (whichever is higher), include the bolstered ‘user rights,’ chief among them, the new ‘right to be forgotten.’ The idea that individuals can demand the erasure of their personal data has caused consternation among data controllers in the U.S. whose activities may fall under the expanded territorial ambition of the new legal regime. So with many questions hanging in the air, this blog post attempts to shed some light on how the right to be forgotten may apply to academia in the United States.
Officially named the right to erasure, ‘the right to be forgotten’ is enshrined in Article 17 of the GDPR. This article states that an individual shall have the right to have his or her personal data erased ‘without undue delay’ if (a) the data is no longer necessary for the purpose ‘for which they were collected or otherwise processed, (b) the processing on the data is based on consent which is withdrawn, (c) the individual demands erasure from an exercise of the right to object to automated processing under Article 21 and ‘there are no overriding legitimate grounds for the processing,’ (d) the data has been ‘unlawfully processed,’ (e) it has to be erased to comply with law, or (f) has been collected in relation to information society services (Article 8(1) concerning consent by children).
However, the right is not absolute. Article 17(3) lists five exemptions when processing is necessary for (a) the exercise of the right of freedom of expression and information, (b) compliance with law or task in public interest or carried out by public official, (c) public health interests, or (d) for archiving purposes in ‘the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)…, (e) or ‘for the establishment, exercise or defence of legal claims’.
So what does this mean for a U.S. higher education institution?
There is no clear answer, partly because the law is widely drawn and untested and partly because the objectives behind the right are not straightforward. Indeed, a potted summary of its legislative history reveals that the right may not be as broad as may be assumed at a first cursory glance. The introduction of ‘the right to be forgotten’ into European jurisprudence is regularly attributed to the famous Google Spain case from 2014, but its first mention appears as early as 1966. Over time, the concept of a right to be forgotten has steadily grown in European jurisprudential thought, merging the originally German concept of informational self-determination with a Southern and Central European emphasis on the right to reputation (and to some extent honor).
The watershed moment came in 2014 when the Court of Justice of the European Court (‘CJEU’) ordered the U.S. search engine giant Google to delist links to a 2009 Spanish newspaper article that chronicled the (long-settled) bankruptcy of a Mr. Costeja Gonzales. At the time, the legal and academic communities saw the right as only about search engine listings, and that any conflict of interest would arise from the journalistic right to access to information. The CJEU judgment was not about blanket erasure, but about making otherwise legally processed information more obscure in the reputational interest of the individual. The ‘right to be forgotten,’ despite its strong appeal, was thus often seen as a misnomer of the actual legal right. It was not exactly what it ‘said on the tin.’
(You can learn more about what led to the Google Spain case and the case law justification by watching this lecture from Orla Lynskey at the University of Cambridge.)
However, unlike in Google Spain, Article 17 of the GDPR is not confined to search engines. It applies to all data controllers, including higher education institutions. It is, therefore, possible that U.S. higher education institutions, as data controllers, may very well be subject to a data erasure demand by EU students or even U.S. faculty visiting Europe. This situation may arise if the EU student or U.S. faculty data has been processed by the institutions while they were physically on European soil. As such, two general points about the GDPR should be noted: first, its broad territorial scope, and second, its broad definition of personal data, which is far wider than the U.S. use of the term ‘personally identified/identifiable information (often abbreviated to PII).
Under Article 3(2)(a) on Territorial Scope, the GDPR applies to the processing of personal data whether or not it happens inside the EU when it relates to “the offering of goods or services, irrespective of whether a payment […] is required” to individuals in the EU. A broad interpretation of Article 3 suggests that a U.S. higher education institution that collects or processes any personal data taken from individuals inside the EU, such as from prospective students or even visiting scholars, would be required to process that data in accordance with the GDPR. This data processing, therefore, requires complying with the right to erasure under Article 17. This requirement would apply to all personal data sent from the EU to a U.S. higher education institution or its subsidiary data repository (such as a cloud service) connected with its operations. The institution would be classified as a commercial establishment for the purposes of the law.
The picture becomes even more daunting when taking into account the extremely broad definition of personal data in Article 4(1). Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to any identifiers such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” As such, it should be noted that the CJEU clarified that exam papers fell under the heading of personal data in Nowak in 2016.
Article 4 must further be read in conjunction with the non-binding, but persuasive, Recital 26 which stipulates that in order to ascertain the likelihood of information being identifiable, ‘reasonably likely’ technical means should be taken into account. ‘Reasonably likely” technical means include “available technology at the time of the processing and technological developments [my emphasis].” In other words, the data controller is asked to determine whether information can be linked or ‘identified’ to a specific individual at some point in the future by reasonably foreseeing what technical means may be available at such date. The ‘bullet proof’ comprehensive nature of Article 4, therefore, leaves no doubt that the legislators intend for all data that can be linked or connected to a specific person to be considered personal, and thus fall under the GDPR.
Regarding personal data sent to a U.S. higher education institution, this may, therefore, include name, email addresses, the content of correspondence, metadata concerning frequency and time of contact, website browsing history (and by correlation possibly IP addresses), comments on social media, and so on. It will of course also cover any personal data requested by the institution such as proof of educational or health records, references, or samples of academic work. The question is therefore not whether or not the right to be forgotten pertains to the personal data, but whether the individual has the right to demand that the U.S. higher education institution has it erased.
The short answer is, as always in the case of the law, that it depends.
The first ground for erasure, i.e., that it is no longer necessary for its purpose (Article 17(1)(a)) appears to replicate the obligatory (and unwaivable) requirements of purpose limitation under Article 5(1)(b), and thus is uncontroversial. If you no longer need the data, you can’t keep it. The second ground under Article 17(1)(b) is slightly more complicated as it demands that the legal ground for processing, as required under Article 6, is consent (Article 6(1)(a)). However, consent is only one of six, equally weighted, grounds for processing and if the specific legal ground is, for example, ‘legitimate interest’ under Article 6(1)(f), Article 17(1)(b) would not apply. If the legal ground for processing, however, is based on consent under Article 17(1)(a), it can still be vitiated by another legal ground for processing (suggesting that the legal ground had switched from consent to something else which the GDPR technically does not allow for). Another legal grounds may assumedly be a domestic legal requirement for record-keeping or similar statutory obligations. In such case, the individual could not demand that their personal data be erased. The grounds for the right to erasure under Article 17(1)(c), (d), (e), and (f) do not seem likely to apply.
Thus, in summary, it appears to be that an individual can compel a U.S. higher education institution to erase his or her personal data if it is no longer needed for the specific purpose for which it was collected and processed, or if it was collected and processed based on consent which has been withdrawn. The UK Information Commissioner’s Office considers that erasure demands can be made verbally or in writing, and that data controllers have one month to respond. It is, however, not clear, if the erasure demand can be satisfied by part erasure of only applicable data, or if all data related to the individual will need to either be kept or erased.
There may still be further normatively informed mitigating factors. The history of the right to be forgotten has been intimately intertwined with the right to reputation against publication of adverse or embarrassing information, as evidenced in part by the wording of Article 17(2). The right has therefore not been conceived as a measure for individuals to take against the collection, processing, and storage of personal data by data controllers that is not made available to a wider audience. It is believed that the safeguards under Articles 5 and 6 in conjunction with the already established user rights (access, rectification, and restriction) and the new data portability right adequately covers these areas. It is also unlikely that U.S. higher education institutions will be high on the list of priorities in the first wave of enforcement of the Regulation. But as the law is brand new, it is far to soon to tell where the enforcement efforts by the national supervisory authorities and courts will lie.
So despite these caveats, it would be prudent for any U.S. higher education institution which processes personal data for Europe to set up a mechanism to handle any ‘right to be forgotten’ demands. This would include publishing contact details by which the data controller can be contacted, a system for securely maintaining records of requests and information regarding outcome (bearing in mind that these records will also form part of the individual’s personal data), and prepare robust technical methods for the actual erasure. It is important to be mindful of the fact that the data must be erased from all relevant systems and departments, which may include third parties with whom it has been shared.
The right to be forgotten is an evolving European jurisprudential concept. It is therefore difficult to predict its path alongside data flows from Europe to the U.S. shores. What is certain, is that the European legislators in Brussels intended to strengthen the control individuals have over their data, and to that effect, the right to be forgotten or erased may play a vital role in the future.
In addition to this blog, The Tambellini Group offers its members many resources on GDPR. Members have access to Tambellini’s guidebook on GDPR for higher education institutions, which I wrote in conjunction with Katelyn Ilkani. You may read more about the guidebook here. Two member-only webinars accompany the report. Members can also schedule time with Katelyn or me to discuss specific GDPR needs or inquire about a comprehensive GDPR project through Tambellini’s CISO Advisory Services.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Tambellini Group. To express your views in this forum, please contact Katelyn Ilkani, Vice President, Client Services and Cybersecurity Research, The Tambellini Group.
 See also Recitals 65 and 66 of the GDPR.
 C-131/12 Google Spain SL and Google Inc. v AEPD and Mario Costeja Gonzales, May 13, 2014.
 George Brock, The Right to be Forgotten: Privacy and the Media in the Digital Age (The Reuters Institute for the Study of Journalism, University of Oxford, 2016) p. 24.
 German Constitutional Court in 1983. See also the Organization for Economic Co-operation and Development (‘OECD’)’s Individual Participation Principle in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).
 George Brock, The Right to be Forgotten: Privacy and the Media in the Digital Age (The Reuters Institute for the Study of Journalism, University of Oxford, 2016) p. 12. For a discussion of how the right merges the concept of oblivion and erasure, see Meg Leta Ambrose and Jef Ausloos, “The Right to Be Forgotten Across the Pond”, Journal of Information Policy, Vol. 3 (2013) pp. 1-13.
 Sometimes also referred to as de-indexing.
 C-131/12 Google Spain SL and Google Inc. v AEPD and Mario Costeja Gonzales, May 13, 2014. It should be noted that although the case law was made in reference to the now repealed Data Protection Directive, the wording of personal data under both the Directive and the GDPR are so close that there is no reason to believe that the Court would depart from its earlier rulings.
 Article 3 of the GDPR.
 Article 4(1) of the GDPR.
 C+434/16 Peter Nowak v. Data Protection Commissioner (Ireland), December 20, 2017.
 See the CJEU ruling in C 582/14 Patrick Breyer v. Germany, October 19, 2016.
 Meg Leta Ambrose and Jef Ausloos, “The Right to Be Forgotten Across the Pond”, Journal of Information Policy, Vol. 3 (2013) p. 12.
 Note further that processing of special categories (previously sensitive) data imposes stricter legal ground requirements (Article 9 of the GDPR), e.g. medical records, information concerning religious or political affiliations.
 It should also be noted that there is a further buffer for the legal responsibility to process an erasure demand if the request is “manifestly unfounded or excessive”. In such case, the data controller can request “a reasonable fee” to deal with the request or refuse to deal with the request. If you refuse a demand you must provide an explanation within one month of the demand being made.
 George Brock, The Right to be Forgotten: Privacy and the Media in the Digital Age (The Reuters Institute for the Study of Journalism, University of Oxford, 2016) p. 34.
 Principles relating to the processing of personal data (Article 5 of the GDPR) and Lawfulness of processing (Article 6 of the GDPR).
 Articles 15, 16 and 18 of the GDPR.
 Article 20 of the GDPR.