Privacy is a fundamental human right, and the “right to be forgotten” has been legally recognized as a human rights issue, especially within the framework of European data protection laws. In today’s digital world, maintaining privacy can feel impossible. The “right to be forgotten” represents one of the most important and controversial privacy concepts in modern data protection law. It empowers private individuals, who are the primary beneficiaries of this right, to request the deletion of their personal information from search engines and other data controllers.
Privacy professionals and compliance experts have long observed that the right to be forgotten remains one of the most misunderstood concepts in modern privacy law. Notably, this right allows individuals to request removal of personal information from search engine results, which can significantly impact their online reputation. Understanding how the right works, its limitations, and its legal foundations is essential for both businesses and individuals.
What is the Right to be Forgotten?
The right to be forgotten (RTBF), also known as the right to erasure, gives individuals the power to request the removal of their personal data from online databases, search engine results, and other public sources, including links to news articles. It is intended to give people control over their digital footprint when that information is no longer relevant, accurate, or necessary.
The concept functions like a digital reset button. It is not absolute, but it recognizes that people should not be permanently defined by past actions, especially when those actions continue to appear prominently in search results long after they occurred.
The concept recognizes a simple truth: humans change, circumstances evolve, and information loses relevance over time. The right to be forgotten is often invoked in cases where individuals seek to remove links to outdated or irrelevant information, such as old news articles, that could adversely affect their personal or professional reputation. What might have been appropriate to publish about someone ten years ago may no longer serve any legitimate purpose today.
But this right is not unlimited. It exists in constant tension with other important values:
- Freedom of expression
- Public interest in accessing information
- Historical documentation
- Legal obligations to retain certain records
Critics of the right to be forgotten express concerns that it may infringe on free expression and lead to censorship, as it allows individuals to request the removal of information that is publicly available.
This is what makes the right both important and complicated. The RTBF is not a universal eraser; it is a calibrated tool that weighs competing interests.
Legal Foundations: GDPR Article 17
The most robust legal framework for the right to be forgotten comes from the European Union’s General Data Protection Regulation (GDPR), which is a cornerstone of European data protection law and one of the most influential data protection laws globally, built around seven foundational principles of GDPR compliance. Article 17 specifically outlines the “right to erasure,” establishing the data subject's right to request the deletion of personal data relating to them.
Under GDPR and related data protection laws, individuals can request erasure when:
- The data is no longer necessary for its original purpose
- The individual withdraws consent for data processing
- The individual objects to processing and there are no overriding legitimate grounds
- The data was processed unlawfully
- Erasure is required to comply with a legal obligation
- The data was collected in relation to the offer of information society services to children
In these cases, individuals may request that such information be erased from records or search results.
Article 17(1) states:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay [under specific conditions]...
When making a request for erasure, individuals may need to provide proof of identity and address to verify that they are the data subject making the request, as stipulated by the GDPR.
But one important point is often missed: Article 17 includes built-in limitations. Article 17(3) specifies exceptions where the right does not apply:
- When exercising freedom of expression and information
- When complying with legal obligations
- For reasons of public interest in public health
- For archiving purposes in the public interest, scientific or historical research, or statistical purposes
- For establishing, exercising, or defending legal claims
Organizations can refuse a request to erase personal data if they can demonstrate that the request is manifestly unfounded or excessive, and they may charge a reasonable fee for processing such requests.
In practice, this means an individual can ask Google to remove outdated information from search results, but Google does not have to comply if the information serves a legitimate public interest.
How the Right to be Forgotten Works
Implementing the right to be forgotten involves a multi-step process that balances individual rights against broader societal interests.
The general process usually works as follows:
- Request submission: An individual submits a request to a data controller, such as Google or Facebook, identifying the specific information they want removed. Individuals can also request search engines to remove links to personal data from their search results, and many have asked Google to remove information from Google searches.
- Request evaluation: The controller assesses the request against legal criteria, considering:
  - Is the information inaccurate?
  - Is it irrelevant or excessive?
  - Is there a compelling public interest in keeping it available?
  - Are there legal grounds for retaining the information?
- Decision and action: The controller decides whether to approve or deny the request. If approved, they must delete information “without undue delay.” Under GDPR, businesses must respond to valid erasure requests within 30 days.
- Notification to third parties: Controllers must take “reasonable steps” to inform other controllers processing the same data about the erasure request.
- Appeal process: If a request is denied, individuals can appeal to data protection authorities or seek judicial remedies.
Individuals also have the right to obtain information about their stored data and request its deletion, which makes robust data subject request handling processes essential for organizations.
However, there is a gap between theory and practice. The effectiveness of this process can vary dramatically depending on the data controller, the nature of the information, and the persistence of the individual making the request.
For search engines like Google, the process often looks like this:
| Step | Description | Timeframe |
|---|---|---|
| 1 | Submit removal request via online form to request search engines to delete information from search engine results | Immediate |
| 2 | Receive acknowledgment | 1-3 days |
| 3 | Request review by search engine team | 1-4 weeks |
| 4 | Decision communicated to requester | 2-8 weeks |
| 5 | Implementation of approved removals | Within days of approval |
Search engines must balance individual privacy rights against the public’s right to access legitimate information. They typically evaluate:
- The individual’s role in public life, since public figures have fewer removal rights
- The nature of the information, since sensitive data gets more protection
- The source of the information, since official records are harder to delist
- Time passed, since older information may be less relevant
- Impact on the individual’s life compared with the public interest in access
An important distinction is that even when content is de-listed from search engines, it often remains on the source website. The right to be forgotten primarily addresses how easily information can be found, not necessarily its complete deletion from the internet.
For businesses, complying with deletion requests means developing mechanisms to identify, locate, and delete user data across all systems, including backups and third-party tools, following the GDPR’s detailed erasure rights and right to be forgotten guidance. Implementing technical measures is required to ensure that personal data is properly erased or access is restricted as mandated by data protection regulations.
Limitations of the Right to Erasure
The right to be forgotten is powerful, but it is far from absolute. Its limitations include several important areas.
Technical limitations: Once information spreads online, achieving complete erasure becomes nearly impossible. Data may be cached, archived, or copied to multiple locations beyond the reach of any single data controller. Additionally, some information may remain in the public domain even after de-listing, such as legal cases, court decisions, or archived materials that are legally accessible.
Jurisdictional constraints: The GDPR’s territorial scope has limits. While Google may remove results from European domains like google.fr or google.de, they may remain visible on google.com or through VPNs.
In 2019, the European Court of Justice ruled that search engines do not have to apply the right to be forgotten globally, limiting its application to EU domains.
Override exceptions: Several legitimate interests can override erasure requests in certain circumstances:
- Freedom of expression and information
- Compliance with legal obligations
- Public health interests
- Scientific, historical, or statistical research
- Legal claims
The right to be forgotten also does not apply to data processing necessary for the establishment, exercise, or defense of legal claims, or for archiving purposes in the public interest.
Practical challenges: For individuals, proving that their data no longer serves its purpose or is no longer relevant can be subjective and difficult.
The Streisand Effect: Ironically, attempting to remove information sometimes draws more attention to it. When people learn something is being suppressed, they may become more interested in finding it.
For businesses, the challenge lies in developing systems that can accurately identify, track, and remove personal data across complex data environments while documenting compliance throughout the process.
These limitations highlight why the right to be forgotten represents a balancing act rather than an absolute right. It is about proportionality, weighing individual privacy against other legitimate interests on a case-by-case basis.
Landmark Cases that Shaped the Right
The right to be forgotten did not appear overnight. It evolved through several pivotal judicial decisions that tested and defined its boundaries. Such cases have played a crucial role in shaping the legal framework for personal information rights. Notably, the European Court of Justice ruled in 2014 that search engines are responsible for the content they link to, establishing the legal basis for the right to be forgotten in the EU.
Google Spain v. AEPD and Mario Costeja González (2014)
This landmark European Court of Justice case, referred by the Spanish High Court (Audiencia Nacional) and involving Google Spain SL, effectively created the right to be forgotten. Mario Costeja González wanted Google to remove links to a 1998 newspaper article about his resolved debt issues. The court ruled that:
- Search engines are “data controllers” under EU law
- Individuals can request removal of links to irrelevant or outdated information
- Search engines must evaluate such requests case-by-case
Google LLC, as the parent company, was responsible for implementing the court's decision. Supporters of the right to be forgotten argue that it is necessary to protect individuals from the long-term consequences of past actions, such as being stigmatized by outdated or irrelevant information.
The ruling established that privacy rights can sometimes outweigh the public interest in accessing certain information and the economic interests of search engines.
Google v. CNIL (2019)
This case answered a crucial question: does the right to be forgotten extend globally? The European Court of Justice ruled that search engines do not need to apply the right beyond EU borders. The court found that:
- EU law does not require global de-listing
- Search engines must apply the right across all EU member states
- Search engines should prevent or seriously discourage EU users from accessing de-listed results
Importantly, the right to be forgotten is enforced specifically on European versions of search engines, such as Google’s EU domains, and is subject to local laws within each EU member state.
This decision limited the territorial scope of the right to be forgotten, recognizing the delicate balance between EU privacy rights and other jurisdictions’ legal frameworks.
NT1 & NT2 v. Google (2018)
Known as the “right to be forgotten” case in the UK, this involved two businessmen requesting that Google, as a search engine operator, remove search results linking to recent articles about their criminal convictions. The court created a nuanced approach:
- NT1’s request was denied because his conviction was for serious business fraud and he showed no remorse
- NT2’s request was approved because his conviction was less serious and he showed genuine remorse
This case highlighted how factors such as the severity of past actions, the age of the articles, whether recent or outdated, time elapsed, and relevance to current public life affect de-listing decisions.
These cases demonstrate the evolving nature of the right to be forgotten. Each ruling has refined the concept, creating a framework that attempts to balance individual privacy against legitimate public interests.
Practical Steps for Data Controllers
For information companies processing personal data, the right to be forgotten presents both legal obligations and practical challenges that often require implementing specialized GDPR compliance tools. Data controllers must pay special attention when personal data has been made public, as they are required to take reasonable steps to erase such data and inform other parties involved. Additionally, data controllers should implement appropriate technical measures and consider other protections to ensure comprehensive privacy compliance.
Data controllers should prepare in the following ways:
1. Create Clear Erasure Request Procedures
Organizations should establish transparent, accessible procedures for individuals to submit erasure requests. This should include:
- Multiple submission channels, such as online forms, email, and postal mail
- Verification processes to confirm the requester's identity
- Clear timelines for acknowledging and responding to requests
- Templates for communication throughout the process
A well-defined process helps ensure compliance while managing requesters' expectations.
2. Implement Technical Capabilities
Organizations should build the technical infrastructure needed to execute erasure requests effectively:
- Data mapping to know where personal data resides across all systems
- Search capabilities to locate specific individuals' data
- Deletion mechanisms that can remove data without disrupting system integrity
- Audit trails to document erasure actions, which dedicated GDPR compliance software platforms like ComplyDog can help generate and manage automatically
Partial deletion may be necessary in some cases, such as removing data from active systems while retaining it in backup archives with safeguards against reintroduction.
3. Establish Evaluation Criteria
Organizations should develop clear guidelines for assessing erasure requests:
- Does the request meet legal grounds for erasure?
- Do any exceptions apply?
- Is the data still necessary for its original purpose?
- Does continued processing have a legal basis?
- What legitimate interests might override the erasure request?
Organizations should document the reasoning for approving or denying each request.
4. Third-Party Notification Protocol
When data has been shared with third parties, organizations should:
- Maintain records of where data has been shared
- Create standardized notification methods for informing recipients
- Document all notification efforts
- Implement confirmation processes to verify third-party compliance
5. Staff Training
Privacy compliance is not just a technical issue. It is also a human one. Relevant staff should be trained on:
- The legal basis for the right to erasure
- How to recognize and process erasure requests
- Decision-making criteria and documentation requirements
- Communication guidelines for interacting with requesters
6. Regular Process Review
Privacy law continues to evolve. Organizations should schedule regular reviews of their erasure procedures and monitor them through a structured GDPR compliance dashboard for ongoing reporting to:
- Incorporate lessons from past requests
- Adapt to new regulatory guidance or court decisions
- Improve efficiency and effectiveness
- Ensure continued compliance
By implementing these practical steps, organizations can transform RTBF compliance from a reactive scramble into a structured, manageable process. This not only reduces legal risk but also builds trust with customers and users who see their privacy rights respected.
How to Submit a Removal Request
Individuals who decide to exercise their right to be forgotten can follow a practical process for submitting a removal request.
For Search Engines
Major search engines provide dedicated forms for removal requests:
- Google: Use the "Request to remove information you see in Google Search" form
- Bing: Submit a "Right to be Forgotten" request through the Microsoft Privacy Dashboard
- Yahoo: Complete the "Request to Block Search Results In Yahoo Search" form
When submitting a request, individuals should include:
- Full name and contact information
- The specific URLs they want removed
- Why the content should be removed, citing applicable GDPR grounds where relevant
- Context explaining why the information is irrelevant, outdated, or otherwise problematic
- Any supporting documentation
Requests should be specific and thorough, as vague requests are more likely to be rejected.
For Social Media Platforms
Social media platforms typically offer several options:
- Direct deletion: For content posted by the individual, the simplest approach is usually to delete it directly.
- Account deletion: Most platforms allow full account deletion, which should remove most associated content.
- Data request tools: Major platforms provide tools to request deletion of specific information:
  - Facebook: Privacy Center's "Your Data and Privacy Choices"
  - Twitter: Privacy settings under "Your account"
  - Instagram: Privacy and Security settings
  - LinkedIn: Settings & Privacy section
For Websites and Other Data Controllers
For third-party websites and online services, including those that use tracking technologies, individuals may also want to run a free website cookie compliance check to understand what data is being collected before submitting requests:
- Contact the site directly: Look for privacy policy information with contact details for privacy requests.
- Provide necessary information:
  - Identity details
  - The specific content to be removed
  - The legal basis for the request
  - Why the content no longer serves its purpose or is inappropriate
- Follow up: If no response is received within 30 days, the GDPR time limit, the individual can contact their national data protection authority.
After Submission
Individuals should keep records of all communications, including:
- When and how the request was submitted
- Any reference numbers or acknowledgments
- All responses received
- Dates of follow-up communications
If a request is denied, individuals have several options:
- Appeal directly to the data controller with additional information
- File a complaint with the relevant national data protection authority
- Seek legal advice about court remedies
Persistence can be important. Many initial rejections can be overturned with additional context or by escalating to supervisory authorities.
Global Perspectives on Digital Forgetting
The right to be forgotten has evolved differently across the globe, reflecting varying cultural and legal approaches to privacy. Data protection laws vary significantly by geography, with frameworks such as the GDPR in the EU, CCPA in California, and similar regulations in Canada, Japan, Turkey, and Serbia shaping how the right to be forgotten is implemented and enforced.
European Union: The Gold Standard
The EU leads with the most comprehensive right to be forgotten through the GDPR, which specifically grants EU citizens the right to request removal or delisting of personal information from search engines and online platforms. European privacy philosophy views personal data control as a fundamental right. The EU’s approach:
- Creates enforceable legal rights for individuals
- Imposes clear obligations on data controllers
- Backs enforcement with significant penalties
- Balances privacy against other fundamental rights
United States: A Patchwork Approach
The US lacks comprehensive federal privacy legislation providing a right to be forgotten. Instead:
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) include limited deletion rights
- Other states like Virginia, Colorado, and Utah have enacted similar but varying provisions
- Case law generally favors freedom of expression over privacy when they conflict, as the First Amendment protects freedom of speech and press, making it challenging to reconcile with European data privacy laws that allow for content removal or de-listing
This creates a geographic lottery where erasure rights depend on where an individual lives.
South America: Following Europe's Lead
Several Latin American countries have embraced the right to be forgotten:
- Argentina recognized a right to de-listing in "Rodríguez, María Belén v. Google" (2014)
- Brazil's General Data Protection Law includes erasure rights similar to GDPR
- Colombia's Constitutional Court recognized the right in 2015
Asia-Pacific: Divergent Approaches
Asian countries have taken varied approaches:
- South Korea's Personal Information Protection Act includes robust deletion rights
- Japan's Act on the Protection of Personal Information provides more limited erasure rights
- China's Personal Information Protection Law now includes deletion rights
- India's proposed data protection framework includes a right to be forgotten
Russia: The "Right to be Forgotten" Law
Russia enacted a specific law in 2016 requiring search engines to remove links to information that is inaccurate or irrelevant. However, its implementation differs from the EU approach, with critics noting potential censorship concerns.
Global Challenges
This global diversity creates significant challenges:
- Companies operating internationally must navigate conflicting requirements
- Enforcement across borders remains problematic
- Internet users have vastly different rights based on location
- Technical implementation becomes complex in a borderless digital world
The trend, however, is clear: more countries are recognizing some form of digital erasure rights, even as the specific boundaries and implementations vary widely, prompting organizations to follow a structured GDPR compliance implementation roadmap when adapting to evolving laws. The global conversation around digital forgetting continues to evolve, with the EU model serving as a reference point, whether as an example to follow or a cautionary tale, depending on the jurisdiction.
Balancing Privacy and Information Access
The right to be forgotten exists at the intersection of two fundamental values: personal privacy and public access to information. This right allows individuals to request the deletion of private information from online sources, empowering them to control how their personal data appears on the internet. Finding the proper balance requires careful consideration of several factors:
Individual Factors
Not all information deserves the same protection or exposure:
- Time passed: Information typically becomes less relevant with age
- Accuracy: Inaccurate information has less claim to remain accessible
- Original purpose: Data should not persist beyond its needed lifetime
- Sensitivity: Highly personal information deserves stronger protection
- Public role: Public figures have reduced privacy expectations for information relevant to their public activities
Societal Considerations
Broader social interests must weigh against individual privacy:
- Historical record: Society benefits from preserving accurate historical information
- Freedom of press: Journalism serves vital democratic functions
- Public interest: Information about public safety or corruption deserves protection
- Academic and research access: Knowledge advancement requires data access
- Chilling effects: Over-removal risks suppressing legitimate speech
Practical Examples of Balancing
This balancing act manifests in real-world scenarios:
- A former criminal conviction might be removable after rehabilitation, but not if the person holds public office where character is relevant.
- Medical information generally deserves strong privacy protection, except when public health interests require disclosure.
- Financial information might warrant removal after debts are settled, unless the person seeks positions of financial trust.
- Information about minors typically deserves stronger protection than similar information about adults.
- Public statements by politicians generally remain accessible as part of the historical record.
The key lies in proportionality: does the privacy harm to the individual outweigh the public value of continued access? This question must be answered case by case, considering all relevant factors.
Technology complicates this balance further. Digital information's persistence, searchability, and replicability create unprecedented challenges for applying traditional privacy concepts. What once required physical effort to discover can now appear instantly in search results, dramatically changing the practical impact of public information.
The ongoing dialogue between privacy advocates and free speech defenders continues to shape this evolving area of law and ethics. Neither absolute remembering nor complete forgetting serves society's best interests. The challenge lies in finding the appropriate middle ground.
Implementing Compliance for Your Business
Implementing right to be forgotten compliance requires systematic approaches that balance individual rights, business needs, and legal requirements. Businesses must be able to delete data when a right to be forgotten request is made, ensuring they comply with GDPR regulations. Failure to comply with these requirements can result in GDPR violations, which may trigger fines up to €20 million or 4% of global annual turnover. Official press releases from regulatory authorities often summarize key compliance requirements and enforcement actions, providing authoritative guidance for organizations.
Businesses can build effective compliance programs through the following steps:
1. Conduct Data Mapping
Organizations cannot delete what they cannot find. A strong compliance program should begin by mapping the data landscape:
- Identify all systems containing personal data
- Document data flows between systems
- Classify data by type, sensitivity, and purpose
- Note retention periods and legal bases for processing
This foundation enables swift response when erasure requests arrive.
2. Establish Clear Policies and Procedures
Organizations should create comprehensive documentation covering:
- How individuals can submit erasure requests
- Verification procedures to confirm identity
- Assessment criteria for evaluating requests
- Decision-making responsibility and authority
- Implementation timeframes
- Record-keeping requirements
These policies should be accessible to both customers and employees.
3. Implement Technical Solutions
Organizations should deploy technology that supports efficient erasure:
- Database configurations that enable targeted deletion
- Archiving systems that prevent reintroduction of deleted data
- Audit trails that document erasure actions
- Communication systems for third-party notifications
- Request management tracking
The right tools can transform compliance from a burden into a routine operation.
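The capabilities listed in this section and under "Implement Technical Capabilities" earlier (targeted deletion across mapped systems, an audit trail, and backups that cannot reintroduce erased data) fit together as in the following added example. It is not code from this article or from any product it names; the `ErasureService` class, the in-memory data map, the demo key and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption: a secret held outside the data stores. The keyed hash lets the
# audit log and suppression list match a subject without storing the raw email.
PSEUDONYM_KEY = b"constructed-demo-key"
RESPONSE_WINDOW = timedelta(days=30)  # response time stated in the article
GENESIS = "0" * 64


def pseudonym(subject_id: str) -> str:
    """Keyed hash of the normalised identifier (case and whitespace folded)."""
    normalised = subject_id.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class ErasureService:
    """Hypothetical erasure workflow over an in-memory data map."""

    def __init__(self, data_map: dict):
        self.data_map = data_map   # system name -> list of records with an "email" key
        self.suppressed = set()    # pseudonyms of erased subjects
        self.audit_log = []        # hash-chained, append-only entries

    def _audit(self, action, subject, detail, now):
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else GENESIS
        entry = {"ts": now.isoformat(), "action": action,
                 "subject": subject, "detail": detail, "prev": prev}
        entry["entry_hash"] = _digest(entry)
        self.audit_log.append(entry)

    def erase(self, subject_id, received_at, now):
        """Delete the subject from every mapped system and record the action."""
        p = pseudonym(subject_id)
        removed = {}
        for system, records in self.data_map.items():
            kept = [r for r in records if pseudonym(r["email"]) != p]
            removed[system] = len(records) - len(kept)
            records[:] = kept
        self.suppressed.add(p)
        within_window = (now - received_at) <= RESPONSE_WINDOW
        self._audit("erase", p, {"removed": removed, "within_window": within_window}, now)
        return removed

    def restore_backup(self, system, backup_records, now):
        """Restore a backup, filtering out subjects erased since it was taken."""
        allowed = [r for r in backup_records
                   if pseudonym(r["email"]) not in self.suppressed]
        dropped = len(backup_records) - len(allowed)
        self.data_map.setdefault(system, []).extend(allowed)
        self._audit("restore", None,
                    {"system": system, "restored": len(allowed), "suppressed": dropped}, now)
        return dropped

    def verify_audit_chain(self) -> bool:
        """Recompute every hash; an edited or reordered entry breaks the chain."""
        prev = GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev or _digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    # Constructed sample records; note the differently cased copy in billing.
    crm = [{"email": "alice@example.com", "name": "Alice"},
           {"email": "bob@example.com", "name": "Bob"}]
    billing = [{"email": " Alice@Example.com", "invoice": 17}]
    backup = [dict(r) for r in crm]          # snapshot taken before the request
    svc = ErasureService({"crm": crm, "billing": billing})
    received = datetime(2024, 1, 1, tzinfo=timezone.utc)
    removed = svc.erase("alice@example.com", received, received + timedelta(days=5))
    svc.data_map["crm"].clear()              # simulate losing the live system
    dropped = svc.restore_backup("crm", backup, received + timedelta(days=40))
    return svc, removed, dropped


if __name__ == "__main__":
    svc, removed, dropped = demo()
    print(removed, dropped, svc.verify_audit_chain())
```

The suppression list has to outlive the longest backup retention period, otherwise an old snapshot restored later brings the erased subject back.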
4. Train Your Team
Privacy compliance depends on knowledgeable staff, especially in sensitive areas like HR data collection and employee information management:
- Provide role-specific training for employees handling erasure requests
- Ensure technical teams understand deletion requirements
- Train customer-facing staff to recognize verbal erasure requests
- Establish escalation paths for complex cases
- Conduct regular refresher training
A well-trained team prevents compliance gaps while building customer trust.
5. Document Everything
Comprehensive documentation protects the business:
- Record all requests received
- Document decision rationale
- Maintain evidence of completion
- Log third-party notifications
- Track exceptions and their justification
This documentation provides crucial evidence of compliance during regulatory inquiries.
6. Leverage Compliance Software
Modern privacy compliance tools can dramatically simplify this process, and comparisons of leading GDPR software solutions for SaaS companies highlight how different platforms reduce the operational workload. Specialized compliance software like ComplyDog can:
- Automate data mapping and inventory
- Streamline request intake and processing
- Provide pre-built workflows for common scenarios
- Generate compliance documentation automatically
- Track completion status and deadlines
- Create audit-ready reports
These systems reduce manual effort while improving accuracy and consistency.
7. Regular Compliance Reviews
Privacy requirements evolve, requiring ongoing attention:
- Schedule regular policy reviews
- Conduct compliance audits
- Test the erasure process with simulations
- Incorporate lessons from actual requests
- Update procedures based on regulatory guidance
Regular review cycles ensure that the compliance program remains effective.
The Business Case for Strong Erasure Practices
Beyond avoiding penalties, strong right to be forgotten practices offer tangible business benefits:
- Enhanced customer trust and loyalty
- Reduced data storage costs
- Lower security risk through data minimization
- Competitive advantage in privacy-conscious markets
- Smoother mergers and acquisitions due to clean data practices
These advantages make privacy compliance a business asset rather than merely a regulatory burden.
By implementing comprehensive compliance through specialized tools like ComplyDog, businesses can transform the right to be forgotten from a compliance challenge into an opportunity to demonstrate respect for customer privacy and build stronger relationships based on trust.