Right to Be Forgotten: What It Means and Why It Matters

What It Is

The Right to Be Forgotten — formally known as the "right to erasure" — gives individuals the power to request that organizations delete their personal data under certain circumstances. If a company or website holds information about you that is outdated, irrelevant, or no longer necessary, you can ask them to remove it. And in many jurisdictions, they are legally obligated to comply.

This right became a cornerstone of modern privacy law when the European Union codified it in the General Data Protection Regulation (GDPR) in 2018. It gained global attention after a landmark 2014 ruling by the Court of Justice of the European Union, which found that Google had to remove links to outdated newspaper articles about a Spanish man's past financial difficulties.

How It Works

In practice, exercising the Right to Be Forgotten involves submitting a formal erasure request to the data controller — the organization that holds your data. Under GDPR, companies must respond within 30 days and either comply with the request or provide a legally valid reason for refusing.

Valid grounds for requesting erasure include:

  • The data is no longer needed for its original purpose
  • You withdraw consent that the processing was based on
  • The data was unlawfully processed
  • You object to the processing and there are no overriding legitimate interests

Refusals are permitted when the data is needed for legal compliance, public interest, or freedom of expression reasons. Search engines like Google have built dedicated web portals where users can submit removal requests for specific URLs from search results.

It's worth noting that the right has geographic limits. A search result removed in the EU may still appear in other regions unless local laws require broader action. Courts have debated whether removals should apply globally, with results varying by country.

Why It Matters for VPN Users

Privacy-conscious individuals who use VPNs often care deeply about controlling their digital footprint — and the Right to Be Forgotten is a critical legal tool for doing exactly that.

A VPN masks your IP address and encrypts your traffic, preventing real-time surveillance of your online activity. But it doesn't erase data that has already been collected and stored by websites, data brokers, or platforms you've interacted with. That's where legal rights like erasure requests become essential.

If your personal information appears on data broker websites, old forum posts, or news archives, a VPN alone won't remove it. Submitting an erasure request under applicable laws can. Together, a VPN and the Right to Be Forgotten form complementary layers of a broader privacy strategy — one protects your future data; the other helps you reclaim your past.

Practical Examples and Use Cases

  • Outdated news articles: A person who was mentioned in a minor legal case years ago can request that search engines de-index those articles if the information is no longer relevant.
  • Old social media data: If you deleted a social media account, you can formally request that the platform delete all associated personal data from its servers, not just deactivate the profile.
  • Data broker profiles: Individuals can submit GDPR erasure requests — or use equivalent state laws like California's CCPA — to demand that data brokers remove profiles compiled from public records and browsing behavior.
  • Employment history leaks: If a former employer shared personal details online without consent, you may have grounds to request removal.

The Right to Be Forgotten is not absolute, and it requires navigating legal processes that vary by country. But for anyone serious about online privacy, understanding and using this right is just as important as choosing the right VPN or encryption protocol.