Right to Erasure
GDPR Article 17 - individual's right to have personal data deleted
The right to erasure, also known as the "right to be forgotten," is established under GDPR Article 17. Originating from the landmark 2014 CJEU ruling in Google Spain v. Costeja González, this right enables individuals to request deletion of their personal data when certain conditions apply. The right is conditional, not absolute—it applies only when specific grounds are met and no overriding exceptions exist.
GDPR Article 17(1) specifies six grounds triggering the right: the data is no longer necessary for the purpose collected, consent is withdrawn and no other legal basis applies, the data subject objects to processing and no overriding legitimate grounds exist, data was unlawfully processed, erasure is required for legal compliance, or data was collected from a child in connection with information society services. Exceptions under Article 17(3) include freedom of expression, legal obligations requiring processing, public health purposes, archiving and research where erasure would seriously impair objectives, and establishment or defense of legal claims.
Organizations must respond "without undue delay" and within one month at most, extendable by two months for complex requests. Under Article 19, when data has been disclosed to third parties, controllers must notify recipients of the erasure request unless this proves impossible or involves disproportionate effort. This downstream notification obligation creates significant documentation and tracking requirements.
U.S. state privacy laws provide analogous but distinct rights. CCPA's "right to delete" (Cal. Civ. Code § 1798.105) allows consumers to request deletion without specifying grounds, with a 45-day response window (extendable by 45 days with notice). Effective January 2026, California's Delete Act (SB 362) will establish a Delete Request and Opt-Out Platform (DROP) enabling residents to submit a single verified deletion request applicable to all registered data brokers simultaneously.
Technical implementation presents significant challenges. Personal data often resides across production databases, data warehouses, analytics platforms, CRM systems, email archives, and third-party processors—comprehensive erasure requires accurate data mapping. Immutable backup systems may retain data even after production deletion, requiring either backup restoration and re-creation, or documented retention policies that eventually purge old data. Deletion methods include physical deletion (permanent removal), logical deletion (making data inaccessible but not physically removed—potentially insufficient for GDPR), and cryptographic erasure (destroying encryption keys to render data unrecoverable).
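The cryptographic erasure method described above, as an added example that is not part of the original page: each data subject gets its own data key, so destroying that key makes the copy held in an immutable backup unreadable. SubjectVault, its method names, and the sample record are hypothetical, and an HMAC-SHA256 keystream stands in for a vetted AEAD cipher so the code runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example runs on the
    # standard library alone; this is an assumption, a vetted AEAD belongs here.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class SubjectVault:
    """Hypothetical store: one data key per data subject."""
    def __init__(self):
        self.keys = {}     # key store, mutable, kept out of immutable backups
        self.records = {}  # production rows (ciphertext only)
        self.backup = {}   # write-once backup (ciphertext only)

    def store(self, subject_id, data):
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        blob = seal(key, data)
        self.records[subject_id] = blob
        self.backup[subject_id] = blob  # cannot be altered after the fact

    def read_backup(self, subject_id):
        key = self.keys.get(subject_id)
        if key is None:
            raise LookupError("data key destroyed; backup copy is unreadable")
        return unseal(key, self.backup[subject_id])

    def erase(self, subject_id):
        self.records.pop(subject_id, None)  # physical deletion in production
        self.keys.pop(subject_id, None)     # cryptographic erasure of the backup copy

vault = SubjectVault()
vault.store("subject-001", b"constructed sample record")  # constructed data
vault.erase("subject-001")  # ciphertext stays in vault.backup, key is gone
```

This only works if the key store itself is excluded from the immutable backups; otherwise the destroyed key can be restored along with the data.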
The European Data Protection Board selected the right to erasure as its 2025 Coordinated Enforcement Framework priority, with 30+ Data Protection Authorities conducting simultaneous investigations. This signals intensified regulatory scrutiny of response times, verification procedures, and downstream notification compliance.
In the context of AI/ML, the right to erasure creates particularly complex challenges. Machine learning models can "memorize" training data, with research showing models may retain patterns from deleted source data in their weights. Complete erasure would require retraining from scratch—prohibitively expensive for large models. This tension has led to emerging solutions including machine unlearning techniques and the FTC's use of algorithmic disgorgement as an enforcement remedy, ordering deletion of both data and algorithms trained on illegally collected information.