What Is the Right to Be Forgotten? A Complete Guide

Understanding the Right to Be Forgotten

Imagine searching your name online and finding embarrassing content from years ago—outdated information that no longer represents who you are today. This is precisely why the "right to be forgotten" exists. Also known as the right to erasure, the GDPR gives individuals the right to ask organizations to delete their personal data, providing a critical tool for managing your digital footprint in an increasingly connected world.

The right to be forgotten (RTBF) is the right to have private information about a person be removed from Internet searches and other directories in some circumstances. While this sounds straightforward, the reality involves a delicate balance between privacy rights and freedom of information—a tension that affects millions of people worldwide.

The Legal Foundation: GDPR Article 17

A right to be forgotten was replaced by a more limited right of erasure in Article 17 of the GDPR, which came into force in May 2018. This legislation transformed how organizations handle personal data across Europe and beyond, establishing clear guidelines for when and how data must be deleted.

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if specific conditions are met. Understanding these conditions is essential for both individuals exercising their rights and organizations ensuring compliance.

When Does the Right Apply?

Organizations must honor erasure requests under several specific circumstances. An individual has the right to have their personal data erased if the personal data is no longer necessary for the purpose an organization originally collected or processed it, an organization is relying on an individual's consent as the lawful basis for processing the data and that individual withdraws their consent, or an organization is relying on legitimate interests as its justification for processing an individual's data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.

Additional grounds include situations where data has been processed unlawfully or when legal obligations require erasure. These provisions ensure individuals maintain meaningful control over their personal information throughout its lifecycle.

The Numbers Tell the Story

The right to be forgotten isn't just theoretical—millions of people actively use it. From 2015 to 2021, 1,066,274 "right to be forgotten" or "right to erasure" requests were submitted to Google and Bing, demonstrating widespread awareness and utilization of these privacy protections.

Most notably, French requests accounted for nearly a fourth of all the submitted requests, highlighting significant regional variations in how citizens exercise their data protection rights. By 2018, Google said it had received more than 650,000 requests to remove certain websites from its search results since a European court ordered the company to allow Europeans the "right to be forgotten" in 2014.

Exceptions: When Organizations Can Say No

The right to be forgotten isn't absolute—and for good reason. The reasons cited in the GDPR that trump the right to erasure include: The data is being used to exercise the right of freedom of expression and information, the data is being used to comply with a legal ruling or obligation, and the data is being used to perform a task that is being carried out in the public interest or when exercising an organization's official authority.

Additional exceptions include archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and establishment, exercise or defence of legal claims. These safeguards prevent the right from being misused to rewrite history or obstruct legitimate public interests.

Global Adoption and Territorial Limits

While originating in Europe, the concept has spread globally. Several other countries have implemented RTBF principles including Argentina and the Philippines under their data protection frameworks, Canada with strengthened privacy laws through the Consumer Privacy Protection Act (CPPA) incorporating erasure rights, South Korea with enhanced Personal Information Protection Act (PIPA), and India through the Digital Personal Data Protection Act (2023) which includes data erasure provisions.

However, territorial scope matters. In 2019, in a landmark ruling, the CJEU decided as part of the Google v CNIL case that the territorial scope of the right to be forgotten and the obligation to delist under EU law (GDPR) only applies to the territory of the EU. This means search engines don't need to apply delisting globally—only within European domains.

Interestingly, American courts do not recognize this concept, largely due to First Amendment protections. The contrasting approaches between Europe and the United States highlight fundamental differences in how societies balance privacy against free expression.

Practical Implementation Challenges

Complying with erasure requests involves significant technical and organizational challenges. Personal data is often spread across multiple systems, including employee devices, cloud storage, backups and legacy databases, making it difficult to track down all instances of an individual's data.

To comply with the GDPR's Right to Erasure, the main priority is to delete active records from live systems, such as personal data stored in databases, files and customer records. Backups, on the other hand, may remain until they are overwritten according to the organization's retention schedule. However, they must be put "beyond use", meaning they cannot be accessed or processed for any other purpose.

How to Exercise Your Right

To exercise the right to be forgotten and request removal from a search engine, one must complete a form through the search engine's website. Google's removal request process requires the applicant to identify their country of residence, personal information, a list of the URLs to be removed along with a short description, and – in some cases – attachment of legal identification. The applicant receives an email from Google confirming the request but the request must be assessed before it is approved for removal.

"Undue delay" is considered to be about a month, giving organizations a reasonable timeframe to verify requests and take appropriate action. Organizations must balance efficiency with thoroughness to ensure legitimate requests are honored while protecting against fraudulent claims.

Emerging Challenges: AI and Data Erasure

The rise of artificial intelligence presents new complications. AI models, however, do not store information in discrete entries. Once personal data is integrated into a model's parameters, removal becomes nearly infeasible without costly retraining or experimental machine unlearning methods.

AI is significantly influencing the right to be forgotten. AI technologies are being used to speed up and automate responses to these requests. AI helps platforms efficiently process removal requests by analysing large amounts of data, making it easier to identify and remove specific information. While AI creates challenges, it also offers potential solutions for managing the growing volume of erasure requests.

Compliance Best Practices for Organizations

Organizations handling personal data should implement systematic approaches to manage erasure requests effectively. Facilitating easy and transparent erasure requests is crucial for compliance. Organizations should offer straightforward and accessible methods for data subjects to submit their requests. This might include online forms, dedicated email addresses, or customer service hotlines specifically for handling data protection queries.

Organizations should prioritize understanding and documenting all data processing activities to ensure compliance with Article 17. This entails creating an exhaustive inventory of all collected data and identifying the reasons for its collection and the legal basis for its processing. Without clear documentation, responding to erasure requests becomes unnecessarily complex and time-consuming.

Regular audits are essential. Organizations should conduct periodic reviews of their data protection policies and practices. This includes checking that erasure requests are handled within the stipulated time frames and that all data subject rights are respected.

Looking Ahead

The right to be forgotten continues evolving alongside technology and societal expectations. In January 2025, it was reported that The Oregonian, The Plain Dealer, Bangor Daily News, The Atlanta Journal-Constitution and NJ.com offered similar services allowing subjects of stories to request contextualization, removal from searches, or anonymization—demonstrating how media organizations are adapting to privacy expectations.

Understanding the right to be forgotten is essential for navigating today's digital landscape. Whether you're an individual seeking to manage your online presence or an organization handling personal data, this fundamental privacy right shapes how information flows across the internet. For more detailed information about GDPR provisions, visit the Wikipedia Right to Be Forgotten page or consult GDPR.eu's comprehensive guide.

The balance between privacy and transparency remains delicate, requiring ongoing dialogue between individuals, organizations, regulators, and courts. As technology advances and data practices evolve, the right to be forgotten will continue adapting to protect individual privacy while preserving legitimate public interests in accessing information.