What is the right to be forgotten?
The right to be forgotten is the EU-originated right to demand erasure of personal data, codified in GDPR Article 17. It was popularized by the 2014 European Court of Justice ruling in Google Spain v. AEPD, which established that EU residents can require search engines to de-index outdated search results about them. The phrase now refers to both the GDPR erasure right itself and, more loosely, to any deletion right anywhere.
The 2014 origin: Google Spain v. AEPD
In 2010, a Spanish lawyer named Mario Costeja González asked Google to de-index a 1998 newspaper notice about an old auction of his repossessed property. Google refused. Spain's data-protection authority sided with Costeja González and ordered Google to remove the listing. Google appealed to the European Court of Justice.
In May 2014, the ECJ ruled that search engines are "data controllers" under EU data-protection law and that EU residents have the right to require the removal of outdated, irrelevant, or excessive personal information from search-engine results. The case became the foundational precedent for the right to be forgotten as a practical, enforceable right.
GDPR Article 17, codified
The 2014 case was decided under the EU's older Data Protection Directive. The 2016 GDPR (effective May 2018) codified the right to be forgotten as Article 17 ("Right to erasure"). The right applies when:
- The personal data is no longer necessary for the purpose for which it was collected.
- The data subject withdraws consent and there's no other legal ground for processing.
- The data subject objects to the processing and there are no overriding legitimate grounds.
- The personal data was unlawfully processed.
- Erasure is required to comply with a legal obligation.
- The data was collected in relation to information-society services offered to a child.
The right is not absolute. Article 17(3) carves out exceptions for free expression, legal obligations, public interest, scientific research, and legal-claim defenses.
What about US residents?
There is no federal US "right to be forgotten." Functional partial equivalents exist:
- CCPA §1798.105 — California's deletion right. Covers personal data held by California-doing-business companies. See the CCPA glossary entry.
- Google's "Results about you" tool — voluntary, covers specific categories of personal data appearing in search results. Functionally similar to the EU search-engine de-indexing right.
- State-level deletion rights — Texas (TDPSA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA), and ~15 more states have deletion rights modeled on CCPA.
None are as broad as GDPR Article 17. The US version of "the right to be forgotten" is a patchwork of state laws plus voluntary search-engine de-indexing.
The mechanical limits
Even GDPR Article 17 has structural limits:
- Erasure applies to the controller you ask. Other copies of the data, other controllers, and downstream syndication aren't automatically erased.
- "Erasure" doesn't always mean physical deletion. Sometimes it's anonymization, sometimes it's access restriction.
- News archives, official records, and academic citations are typically protected by the public-interest exception.
- Search-engine de-indexing removes the result from search; it doesn't delete the underlying webpage.
The right is meaningful but more limited in practice than the dramatic framing of "forgotten" suggests. The realistic mental model: it's the right to demand controllers stop using your data, not a magical erasure of all knowledge.