Expansive Public Data Removal Obligations

Subsection (3) requires data controllers to remove personal data "available to the public through links, copies, websites, replications" to the "greatest extent possible" following erasure requests. This extends obligations beyond the controller's direct systems to tracking and removing data across external platforms and websites. For digital platforms, aggregators, search engines, and data-sharing services, this creates substantial compliance burdens requiring sophisticated monitoring systems to identify and remove replicated data. The requirement goes beyond GDPR's approach and could discourage business models relying on data aggregation or republication. Meanwhile, subsection (9)'s vague language about data subjects "bearing consequences" of erasure (including "denial of service") creates uncertainty about when platforms can refuse requests, potentially leading to disputes without clear implementation guidance.