Ask an Attorney: The GDPR’s ‘right to be forgotten’ and its applicability to Texas newspapers

The European Union’s (EU) General Data Protection Regulation (GDPR) is a comprehensive data privacy and security law that imposes an array of obligations onto organizations that target the European market and collect personal data related to people residing in the EU. Article 17 of the GDPR, also known as the “right to be forgotten,” is one of its key provisions, allowing EU individuals to request that organizations delete their personal data if they no longer want it to be held and processed.

By MALLIKA DARGAN and GAVIN GEORGE, Haynes and Boone, LLP

For organizations with locations in the EU, application of the GDPR is straightforward. However, questions frequently arise when U.S.-based businesses consider if and how the GDPR’s “right to be forgotten” applies outside of the EU. This article explores the nuances of the “right to be forgotten” and its specific implications for Texas-based newspapers.

Geographic Scope of the GDPR

While the GDPR is a European regulation passed into the laws of the EU member states and the United Kingdom, its reach purports to extend beyond the borders of the EU, impacting any organization that processes the personal data of EU residents. In the context of Texas-based newspapers, this means that, regardless of the location of their offices, such newspapers could fall into the scope of the GDPR’s regulatory language if they collect, store, or process the personal information of EU residents in a “targeted” manner. 

“Targeting” can be established, for example, if a newspaper derives substantial revenue from digital subscriptions in Europe, offers content in European languages, or hosts targeted advertisements aimed at EU readers on its website. 

On the other hand, “targeting” is unlikely to be established solely if a newspaper in Texas that focuses only on serving domestic readers but happens to receive occasional website views from EU visitors. In short, until a newspaper has “targeted” EU residents to expand its distribution or readership, it shouldn’t need to concern itself with compliance with the GDPR until then. In the absence of a physical presence in the EU market or any efforts to cater to EU residents, Texas-based newspapers shouldn’t fall within the scope of GDPR’s “right to be forgotten.” 

Freedom of Expression

If a Texas newspaper finds itself swept up into the GDPR, once an EU resident requests to exercise their “right to be forgotten,” the organization must erase it “without undue delay” unless continued retention is necessary for exercising freedom of expression. Thankfully, the GDPR recognizes this exemption, which permits publishing personal data for “journalistic purposes of academic, artistic, or literary expression.” 

As such, Texas-based newspapers subject to the GDPR may find a good argument for exemption from any erasure requests based on the “right to be forgotten” if the removal of the information in question would compromise freedom of expression. Of course, determining what constitutes a compromise of freedom of expression can be subjective and would require case-by-case analysis with the assistance of experienced privacy counsel. 

Key Takeaways

Texas-based newspapers can position themselves to navigate the “right to be forgotten” under the GDPR by understanding the nuances of the GDPR’s reach and impact, preparing beforehand for any “right to be forgotten” requests, and understanding the delicate balance between privacy and permitted freedom of expression. The following is a list of steps Texas-based newspapers can take to ensure they are operating outside the scope of or in compliance with the GDPR: 

• Understand GDPR’s Applicability. Newspapers can assess whether they process personal data of any EU residents. Newspapers that both “target” and collect data from EU readers or customers should take steps to comply with the GDPR, such as providing “right to be forgotten” request mechanisms on the newspapers’ website. 

• Implement Data Protection Measures. To safeguard personal data and minimize risk of GDPR regulatory actions stemming from a data breach, newspapers should invest in data protection measures, such as encryption and regular auditing.

Stay Informed on Legal Developments. The data privacy landscape is constantly evolving, and new laws inspired by the GDPR continue to proliferate globally, including with the passage of Texas’ own general consumer privacy law last year, the Texas Data Privacy and Security Act (TDPSA). Newspapers can take proactive efforts to stay informed about any updates or changes to the GDPR, the TDPSA, and other relevant privacy laws.