Reality of exposure

The right to be forgotten: why it almost never works

An honest anatomy of the GDPR right to erasure — what it covers, what it doesn't, and the pragmatic alternatives when deletion is out of reach.


This version was translated with AI assistance and reviewed by a human.


An executive asks me to make a 2017 news article disappear. Three months later, the article is de-indexed on Google.fr. It is still visible on Google.com, in four archives, and in a press dump that any OSINT tool spits back in thirty seconds. The client was convinced he had “won”. Mostly, he had paid to move the problem a few centimetres.


The common trap

You were sold the right to be forgotten (GDPR Article 17: the right to erasure of personal data, under conditions) as a red button. You press it, the data disappears, your past is erased. That is the story told by reputation-management firms, by mainstream press articles, and by a large part of the bar-counter conversations about the GDPR (EU Regulation 2016/679 on personal data protection, in force since May 2018). “You have rights, exercise your rights.” The sentence is legally true and operationally hollow.

The problem is not that the right doesn’t exist. It exists, it is codified, the CNIL and its peer authorities enforce it, and it has already produced real removals. The problem is the gap between what people think they bought — a definitive, universal, clean deletion — and what the law actually delivers: a conditional removal, geographically bounded, that acts only on the actors the law can reach. And the real sources of your exposure are almost never the ones the law reaches.

I’ll be blunt, because no one in this trade says it to you clearly: in the overwhelming majority of cases I handle, the right to erasure does not delete the data. It moves a search result. That’s useful, sometimes sufficient, but it is not what you were promised. And believing otherwise leads you to make bad decisions — some of which actively make your situation worse. This article describes what works, what doesn’t, and what to do when deletion is simply out of reach.

What Article 17 actually says

GDPR Article 17 is called the “right to erasure”, and the first thing to understand is that it is not an absolute right. It is a conditional right bundled with exceptions broad enough, in many cases, to swallow the rule. To obtain erasure, you must fall into one of the six situations it lists: the data is no longer necessary in relation to its original purpose; you withdraw your consent and no other legal basis holds; the processing is unlawful; a legal obligation requires it; the data concerns a minor; or you exercise your right to object and no overriding legitimate ground prevails.

So far it reads like a solid right. Then come the exceptions in paragraph 3, and that is where everything plays out. Erasure does not apply when processing is necessary for exercising the right of freedom of expression and information — in other words, the moment a journalist, a media outlet, or a publisher invokes the public interest, your request becomes a negotiation, not an enforceable right. It also does not apply for compliance with a legal obligation, for reasons of public interest, for archiving, research or statistical purposes, nor for the establishment, exercise or defence of legal claims. These exceptions are not edge cases: they cover the press, legal registries, public archives, and any ongoing or potential litigation.

A second structural limit, quieter but decisive: Article 17 only addresses an identified data controller subject to the GDPR. The whole mechanism rests on the existence of a legally reachable counterparty — someone who decides the purposes and means of a processing operation, and whom European law can compel. When that counterparty does not exist, is not identifiable, or sits beyond the reach of European law, Article 17 simply has no object. It’s not that it fails: it does not apply. This nuance changes everything, because a huge share of your exposure lives precisely in these blind spots — actors with no European establishment, anonymous platforms, or orphaned copies with no owner.

A third limit, geographic: the territorial scope of de-indexing was settled by the CJEU in 2019 in Google v. CNIL. The search engine is not required to de-index across all its worldwide versions — the obligation is limited to the versions corresponding to the member states. Concretely, a de-indexing you obtain applies to Google.fr and the other European variants, with partial geo-blocking, but not to Google.com consulted from elsewhere. The CNIL had argued for worldwide scope; it lost. Hold on to the operational consequence: even a complete success in law remains a regional success in practice.

The result on the ground is brutal. Of the de-indexing requests Google has received since the 2014 Google Spain ruling, the engine has refused a substantial share — roughly half of the URLs globally, and far more in some sensitive categories such as content tied to professional activity, a criminal conviction of public interest, or a role in public life. The CNIL, when the matter is referred to it on appeal, confirms a good portion of those refusals. Understand what this means: the right to be forgotten is not a right to erase what bothers you. It is a right to ask, to argue, and to accept being told no more often than you imagine. And even when you are told yes, the “yes” is narrower than you think.

What actually works

Let’s be concrete about the half-full glass, because it exists and you need to know how to use it before considering the heavy approaches. Three levers genuinely work, to varying degrees.

The first, and by far the most cost-effective, is Google de-indexing across the European space via the official form. It is the direct consequence of the Google Spain ruling: a search engine is a data controller, and it must examine your request to remove a result associated with your name. The success rate is reasonable for old content, with no public interest, that does not concern your current professional life — an old closed private dispute, a mention in a matter where you were never implicated, a piece of data gone stale. The delay runs from a few weeks to three months. Cost: zero. It’s free, it’s official, and it should always be your first move. Beware the major trap: de-indexing never removes the source page. It pulls the link out of the search results on your name, on the European versions of the engine. The page still exists, directly accessible, and stays indexed outside the EU.

The second lever is direct deletion from an active GDPR operator that wants to avoid a penalty. A European site, an operator holding an account in your name, a platform managing a customer file: these actors have a rational interest in handling your request cleanly, because an unjustified refusal exposes them to a complaint and a fine. When the counterparty is identified, subject to the GDPR, and has no compelling reason to keep the data, real erasure — not de-indexing, deletion — is entirely achievable. Cite Article 17, be precise about the targeted data, keep a written trail.

The third lever, more partial, is opt-out at European data brokers: Bisnode, the EU branch of Intelius, Schober and a few others. It’s thankless work, never complete and never definitive, because these data brokers (companies that collect, aggregate, and resell personal data at scale) continuously re-inject from public sources. But within the European perimeter, it’s a notable reduction in exposure. With US brokers that have no EU establishment, on the other hand, you enter the grey zone — I’ll come back to that.

What doesn’t work

Here is the part the deletion vendors keep quiet about. The majority of your real exposure lives in zones where the right to be forgotten has no grip at all.

US brokers with no European establishment simply ignore most GDPR requests. No establishment in the EU, no active targeting of the European market within the meaning of Article 3: no practical obligation to respond. On my own files, I estimate that roughly four out of five requests sent to this kind of actor produce no real effect — an empty automated reply, an opt-out that empties itself again after a few months, or total silence. You can write, but don’t build your strategy on it.

Mirror archives are the other wall. The Wayback Machine (the Internet Archive’s web archive, capturing pages since 1996) offers at least one exclusion procedure, albeit an incomplete one. But archive.today (an on-demand web archiving service with permanent snapshots) offers no official erasure mechanism, by design — that’s the whole point of the service for its users. A page archived there is, in practice, beyond your reach. Same goes for the various caches and the copies of copies.

The closed forum that migrated to a new domain is a case I keep seeing. The data was posted on a platform that changed hands, jurisdiction, sometimes legal existence. There is no longer a clearly identifiable data controller to address a request to, and the content keeps circulating under a new address. The law presumes a counterparty; when there is none left, the law does not bite.

Public legal registries form a category apart, where the refusal is not a malfunction but the law itself. A mention in an official gazette, a corporate-registry filing, a court decision published by statute: these data are made public in execution of a legal obligation, and Article 17 explicitly provides that erasure does not apply when the processing answers such an obligation. You may find the mention humiliating; it is nonetheless legally untouchable as long as its legal basis holds. Requesting their erasure is asking the administration to violate the very law that obliges it to publish.

Finally, and this is the most structural point: copies already downloaded by third parties. Data that has leaked in a dump, that has been scraped by an aggregator, that sits on someone’s drive, escapes by nature any erasure. You cannot delete what you cannot reach. The leak databases — see the data brokers article — illustrate this to the point of absurdity: asking a leak database (a service indexing data from public or semi-public breaches) like HIBP (a free public service by Troy Hunt indexing emails in public breaches) for erasure is as effective as asking the rain to climb back into the cloud. These services index breaches by the millions of records; they have neither the mandate nor the technical ability to pull a line on request, and most refuse on principle in the name of the alerting function they serve. The data left once; it left for good.

The Streisand effect

There is a category of requests that not only fail, but make your situation worse. It’s the Streisand effect, named after the singer whose attempt to have a photo of her home taken down turned an image seen six times into a phenomenon seen hundreds of thousands of times. The process is mechanical: the act of requesting removal creates an event, the event creates attention, and the attention reproduces exactly what you wanted to make disappear.

On the ground, it takes precise forms. A GDPR request sent to a journalist wakes their institutional memory and, sometimes, their appetite to write a follow-up on “pressure to erase”. A Google de-indexing request frequently triggers a notification to the editor of the source page, who thereby learns you want it gone — information they did not have, and can exploit. A public cease-and-desist turns obscure content into a topic of debate.

The discipline here is counter-intuitive for people used to “exercising their rights”. Not every right is worth exercising. A discreet Google de-indexing, which notifies only minimally, carries a low amplification risk. A thunderous cease-and-desist sent to a media outlet carries an enormous one. Weigh the targeted content: its current audience, the interest the other party would have in talking about it, and what you lose if it climbs back up. Sometimes the best action is the absence of action.

Pragmatic alternatives

When deletion is impossible — and it usually is — three strategies remain that do work, provided you abandon the idea of erasing.

The first is dilution. You cannot remove the negative content, but you can produce enough neutral, controlled content to push it to page two, three, or beyond in the results on your name. Clean, active professional profiles, presence in serious directories, bylined publications on quality platforms, a coherent profile on the spaces you control. The goal is not to lie, it’s to saturate the visible space with truth that you control. Almost no one ever goes past the first page of results. Pushing the bothersome content down to page three is, in terms of real exposure, almost as effective as deleting it — and it’s durable, where a deletion can be worked around.

The second is proactive compartmentation, covered in detail in the dedicated article. The past data has left; you won’t bring it back in. But you can decide that your future identities and activities will not be linked to that exposure. Separate email addresses, dedicated numbers, a clean separation between contexts: it’s a hygiene discipline that keeps the past from contaminating the present. Compartmentation (separating identities by usage: civil, public pro, sensitive pro, operational) doesn’t repair, it isolates.

The third, the least glamorous and the most mature, is to accept and prepare the response. If an unfavourable piece of content is non-removable, work on the assumption that someone will eventually stumble on it, and prepare a factual narrative brief: context, what really happened, what has changed since. A piece of awkward data to which you have a calm, prepared answer holds far less power than a piece of data you are desperately trying to hide. Concealment creates the impression of guilt; controlled transparency defuses it.

A word on tools, because I always get the question. There are automated opt-out services for brokers — Incogni, DeleteMe, Optery and a few others. Be clear-eyed about what they do: they regularly sweep a few dozen to a few hundred brokers and file removal requests in your name. Within the perimeter of cooperative brokers, they genuinely reduce incremental exposure, and they spare you a painful manual effort. But they touch neither the leak databases, nor the archives, nor the legal registries, nor third-party copies — that is, the bulk of the problem. They are maintenance tools, not a cure. Paying for them while believing the matter is settled repeats, at subscription scale, the original illusion: confusing “less visible at a few actors” with “gone”. Use them for what they are, and keep dilution as your real durable line of defence.

What this means concretely

For you, as a person

The Google form is your first tool, free and effective on .fr results. For the rest, realism pays: most of your past data won’t disappear, and the right strategy is neither erasure at all costs nor denial, but dilution and future compartmentation.

  1. Take inventory before acting — type your name into Google, on both Google.fr and Google.com, and list the three most problematic results. You cannot deal with what you haven’t mapped. Cost: zero, one hour of your time.
  2. File the eligible de-indexing requests — for old content, with no public interest, use Google’s official de-indexing form. Discreetly, no noise, no threat. It’s free and it’s your best effort-to-result ratio.
  3. Launch dilution if the negative is non-removable — create or clean up two or three professional profiles you control, and feed them regularly. Pushing content down to page three costs less than €200 and protects you better than an ignored GDPR letter.

For you, CISO / CIO / executive

The GDPR right to erasure is a best-efforts obligation, not a results obligation. Your responsibility bears on the processing YOU carry out, not on what leaked at your vendors or circulates outside your perimeter. Confusing the two in your DPO processes produces either paralysis or false promises to data subjects.

1. Distinguish real erasure from de-indexing in your procedures. Many teams answer “it’s deleted” when they have only masked a display or asked a third party for de-indexing. Direct consequence: an imprecise response to a rights request is a non-compliance in itself, sanctionable independently of the data.

2. Map your processors and their real erasure capacity. An erasure on your side that leaves live copies at a processor is not an erasure. Direct consequence: your processing contracts must provide for a verifiable cascading erasure obligation, otherwise you carry a risk you don’t control.

3. Keep a register of requests and their outcomes, refusals included. A reasoned refusal under the Article 17 exceptions is legitimate, but must be documented. Direct consequence: facing a supervisory-authority audit, it is the traceability of your reasoning — not the result — that demonstrates your compliance.
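One way to encode these three rules in a request register, as an added example that is not part of the original article. The class, status names, Article 17(3) ground labels and sample entries are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    PENDING = "pending"
    ERASED = "erased"        # record physically deleted
    MASKED = "masked"        # hidden from display, still stored
    DEINDEXED = "deindexed"  # a third party was asked to drop a search result


# Article 17(3) exceptions as summarised in this article (labels are hypothetical).
ART17_3_GROUNDS = {
    "freedom_of_expression", "legal_obligation", "public_interest",
    "archiving_research_statistics", "legal_claims",
}


@dataclass
class ErasureRequest:
    request_id: str
    own_action: Action = Action.PENDING
    processors: Dict[str, Action] = field(default_factory=dict)
    refusal_ground: Optional[str] = None
    refusal_reasoning: str = ""

    def lagging_processors(self) -> List[str]:
        """Processors that have not confirmed real erasure."""
        return sorted(p for p, a in self.processors.items() if a is not Action.ERASED)

    def outcome(self) -> str:
        if self.refusal_ground is not None:
            documented = (self.refusal_ground in ART17_3_GROUNDS
                          and bool(self.refusal_reasoning.strip()))
            return "REFUSED_DOCUMENTED" if documented else "REFUSED_UNDOCUMENTED"
        if self.own_action is Action.PENDING:
            return "OPEN"
        if self.own_action is not Action.ERASED:
            return "NOT_ERASED"  # masking or de-indexing is not deletion
        return "PARTIAL" if self.lagging_processors() else "ERASED"


def may_answer_deleted(req: ErasureRequest) -> bool:
    """Only a fully cascaded erasure justifies answering 'it's deleted'."""
    return req.outcome() == "ERASED"


# Constructed sample register (all identifiers and vendor names are fictional).
REGISTER = [
    ErasureRequest("R-001", Action.ERASED, {"crm-vendor": Action.ERASED}),
    ErasureRequest("R-002", Action.MASKED),
    ErasureRequest("R-003", Action.ERASED,
                   {"crm-vendor": Action.ERASED, "mail-vendor": Action.PENDING}),
    ErasureRequest("R-004", refusal_ground="legal_claims",
                   refusal_reasoning="Data needed for an ongoing dispute."),
    ErasureRequest("R-005", refusal_ground="legal_claims"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.request_id, r.outcome(), r.lagging_processors())
```
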

Mistakes we see all the time

  • Asking a leak database like HIBP or a dump for erasure: systematic refusal — it’s a breach archive, not a cooperative data controller.
  • Sending an unreasoned GDPR letter without citing the Article 17 condition invoked: refusal for failure to meet the conditions, and time wasted.
  • Confusing European de-indexing with worldwide deletion: the source page stays online and indexed outside the EU.
  • Launching a public cease-and-desist without assessing the Streisand effect: a real risk of amplifying exactly what you wanted to bury.
  • Trying to purge archive.today: no official mechanism, effort down the drain.
  • Believing a legal registry — an official gazette, a corporate registry — is erasable: this data is a legal obligation, outside the scope of erasure.
  • Measuring success as “nothing left on Google” while the data still circulates in direct access and at the brokers.

Actionable checklist

  • N1 Identify the 3 most problematic results on your name in Google search (.fr and .com)
  • N1 Submit a Google de-indexing request for eligible cases, quietly
  • N2 For content on active GDPR sites: send a formal erasure request citing Article 17
  • N2 Assess the risk/amplification ratio (Streisand effect) before any public legal step
  • N3 Launch a dilution strategy (controlled positive content) if the negative is non-removable

Further reading

The reference text is GDPR Article 17 itself, whose paragraph 3 on exceptions deserves a close read — that’s where the essentials play out. The CJEU Google Spain ruling sets the framework for de-indexing and explains why removing a result is not the deletion of a page. For the practical procedure on the French side, the CNIL page on de-indexing describes the steps and the available appeals. And to understand why erasure structurally fails on already-disseminated data, read the neighbouring articles on data that is already public and on data brokers.
