Reality of exposure
The right to be forgotten: why it almost never works
GDPR Article 17 read honestly. What de-indexing protects, what it doesn't touch. Alternative strategy: drown rather than delete.
This version was translated with AI assistance and reviewed by a human.
An executive asked me to “make everything disappear” from a 2015 divorce proceeding. Three months later, after GDPR letters and ICO complaints: Google de-indexed 4 URLs out of the 130 I had mapped. The other 126 are still there. And we woke up two journalists.
The common trap
GDPR gave people the idea that they can delete anything they want from the internet. Fill out a form, cite Article 17, and inconvenient information disappears. This belief is so widespread it’s now a minor industry — lawyers and reputation management firms charge significant fees to file requests that mostly don’t achieve what clients think they’re paying for.
The right to erasure is real. It is also narrow, heavily qualified, jurisdiction-dependent, and entirely ineffective against most of the sources that actually matter when someone is researching you. Understanding exactly what it covers — and what it doesn’t — is the difference between a coherent strategy and expensive wishful thinking.
What Article 17 actually says
GDPR Article 17 gives you the right to request that a data controller erase your personal data without undue delay when certain conditions are met. The conditions: the data is no longer necessary for its original purpose; you withdraw consent and there’s no other legal basis; you object and there’s no overriding legitimate interest; the data was processed unlawfully; or erasure is required to comply with a legal obligation.
But the exceptions are substantial. Controllers can refuse erasure when processing is necessary for exercising freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in public health, for archiving purposes in the public interest, or for establishing, exercising, or defending legal claims.
That last exception alone covers a vast amount of content. Any data involved in litigation — including the proceedings you want to disappear — may be exempt.
Practically: a response is due within 30 days. The controller can extend by two more months for complex requests. They can refuse with a reason. If they refuse, you can complain to a supervisory authority (the ICO in the UK). The ICO will investigate, may take action, may not — and the timeline stretches to months or years.
The UK GDPR largely mirrors GDPR Article 17 post-Brexit, with the ICO as the relevant authority. The scope is still limited to UK and EU-based operators.
What actually works
Let’s be specific about where erasure requests produce real results.
EU/UK de-indexing from Google search. Google processes these requests and does de-index eligible URLs from European search results. This is meaningful — it doesn’t destroy the content, but it removes the direct search discovery path for most users. The case law from Google Spain v. AEPD (2014) established this as a requirement for search engines operating in the EU. Google’s transparency report shows millions of URLs de-indexed over the years.
Deleting an active account. If you have an account with a platform that processes your data under consent (rather than legitimate interest), and you withdraw consent and request deletion, well-run platforms comply. This actually removes your data from their live systems — though not necessarily from backups, derived analytics, or data they’ve already sold.
Erasure requests against GDPR-compliant EU operators. A European newsletter, a European e-commerce site, a European HR platform. These entities have compliance departments and real legal exposure if they ignore a legitimate erasure request. The success rate is meaningfully higher than with non-EU operators.
Requests to European news organizations. Some outlets will de-index or anonymize old articles, particularly for minor stories about private individuals. This is discretionary, not mandatory — but it happens, especially for regional or local publications.
What doesn’t work
This is the longer list.
Jurisdictional asymmetry. EU de-indexing from Google removes URLs from google.co.uk, google.fr, google.de, and other European results. It does nothing about google.com for US users, nothing about Bing globally, nothing about direct URL access, and nothing about any non-European search engine. If your audience is global, or if the person researching you uses a VPN, de-indexing provides minimal protection.
Leak databases. HIBP, DeHashed, Snusbase, and their equivalents operate outside EU jurisdiction, don’t respond to GDPR requests, and have no legal obligation under any framework you can practically enforce. Your leaked credentials from 2018 are not coming down.
Data brokers. Most of the major brokers (Acxiom, Experian, LexisNexis, Oracle Data Cloud) are US-headquartered and process data under US law. They offer opt-out mechanisms — some even mention GDPR compliance — but the opt-out is typically partial, applies to specific uses rather than deletion, and doesn’t reach the dozens of downstream buyers who already hold your data. See the Data brokers article for what opt-out services are actually worth.
Web archives. The Wayback Machine is operated by the Internet Archive, a US non-profit. It processes some removal requests for technical reasons but has no GDPR obligation. archive.today processes no removal requests at all. Content archived before you requested deletion remains archived. This is by design — the archives exist precisely to preserve content that might otherwise be removed.
Public registries. Companies House filings, SEC EDGAR documents, property records, electoral roll data. These are public records, typically mandated by law, and exempt from erasure requests on public interest grounds. Your directorship history is permanent by design. A court filing mentioning your name is a legal record.
The Streisand trap
When it’s useful anyway
Despite the limitations, there are situations where formal erasure requests are the right move.
Creating a legal record. Even if you don’t expect compliance, sending a formal GDPR request to a non-compliant operator creates a documented paper trail. This can be relevant if the matter ends up in litigation.
EU SERP de-indexing for specific private individual content. If you’re a private individual (not a public figure) and the content relates to your private life rather than your professional role, the legal threshold for de-indexing is lower. For someone with no public profile trying to remove an old embarrassing article, this sometimes actually works.
Closing an active account with a compliant operator. If you’re genuinely done with a platform, the formal deletion request ensures a clean exit rather than a dormant profile that continues to aggregate data.
Pressure on an identified, accessible actor. A small EU-based website. A former employer with an outdated staff page. An event organizer who still has your photo on their site. These are people with legal compliance obligations who respond to formal requests.
Alternative strategy: drown rather than delete
For most situations where erasure won’t work, the more effective approach is to saturate the search results with controlled, neutral, or positive content — making the problematic content harder to find without removing it.
This means:
- Creating or refreshing professional profiles (LinkedIn, a personal site, professional association pages) that rank strongly for your name
- Publishing bylined content, interviews, or professional contributions that displace older results
- Ensuring your employer’s website has a current, accurate profile of you that ranks above older mentions
- Using platforms with high domain authority that index quickly and rank well
This approach won’t hide content from a determined researcher who specifically seeks the problematic URLs. But it does change what a casual search returns — which is the relevant threat model for most reputation concerns.
Legitimate opt-out services — Mozilla Monitor Plus, Incogni, DeleteMe, Optery, Privacy Duck — focus primarily on data broker removal rather than search engine de-indexing. They’re worth using for broker suppression specifically; see the Data brokers article for an honest assessment of what they deliver.
Common mistakes
Filing a de-indexing request without mapping what’s actually indexed. You need to know which specific URLs to request removal for. “Remove everything about me” is not a valid request; specific URLs with specific grounds for removal are.
Targeting Google while ignoring the source. De-indexing a URL from search doesn’t remove the content from the original website. If the website is still up, anyone with the direct URL still sees the content. The source matters more than the search index.
Assuming UK GDPR covers non-UK operators. Post-Brexit, UK GDPR applies to UK-based processors and to non-UK processors who specifically target UK residents. It doesn’t give you jurisdiction over a US data broker who incidentally holds data about UK citizens.
Moving too fast. A rushed de-indexing campaign targeting dozens of URLs simultaneously, especially on the same search engine or platform, is more likely to trigger media interest than a methodical, targeted approach.
- N1 Map the 10 most problematic search results for your name — record the exact URLs
- N2 For each URL, identify whether it's eligible for GDPR de-indexing (EU-indexed, private individual, private life content)
- N2 Assess Streisand risk for each candidate URL before filing any request
- N2 Decide for each problematic result: pursue de-indexing, pursue drowning strategy, or accept
- N2 Subscribe to an opt-out service (Incogni, DeleteMe, or Optery) for data broker suppression
- N3 Build a SERP saturation plan: identify which platforms and content types would displace problematic results
- N3 Schedule an annual review of your search result profile
Sources and further reading
- GDPR Article 17 — official text [official]
- ICO — Right to erasure [official]
- CJEU — Google Spain v. AEPD (C-131/12) [official]