The right to be forgotten allows people to ask for data about them to be removed from the internet. How does it work?

This article was originally published in October 2023 and updated in November 2023.

An increasingly digital world has led to digital footprints with surprisingly long trails - and details some people would rather the internet forgot.

This phenomenon has led to calls for “the right to be forgotten” – also known as the “the right to erasure” of personal data.

It has both supporters and critics - and some governments have enshrined it as a right.

The concept has recently been back in the headlines after a Canadian court agreed that Canadians have the 'right to be forgotten' on Google searches. The Federal Court of Appeal found that the search engine is covered by its federal privacy law. Indeed, the Columbia Journalism Review goes so far as to say, "The EU's right to be forgotten is migrating to other countries".

The amount of data we've created since 2010 is enormous, with online data growing substantially over that time period.

The 60-fold jump from 2 zettabytes of data generation in 2010 to an estimated 120 zettabytes now is an obvious result of the dawning of the digital age, and some of that data almost certainly relates to you.

If that data is old, outdated or offensive, you may want it to be removed, and that is broadly why “right to be forgotten” rules came into existence.

The regulation stems from a 2010 case brought by a Spanish national after online search results for his name brought up references to legal proceedings from 1998 that had since been resolved. Google was consequently ordered to remove this information from its results page.

The right to be forgotten is a concept that allows people to request that organizations remove and delete specific personal information about them from online platforms.

This right is not recognized everywhere and even where it is, organizations don’t always have to comply with requests.

The EU introduced its right to erasure rule in 2014, and the legislation is part of its General Data Protection Regulation (GDPR). A 2019 ruling declared that Google didn't have to apply the right globally but as the Canada news shows, it is being looked at and debated beyond Europe's borders.

For example, in Japan, a 2016 ruling recognized a man's right to be forgotten on Google.

And in a sign that people and policy-makers are becoming ever more aware of sensitivities around privacy and personal data, the Dutch city of Amsterdam has recently developed software that can blur out people who appear in images collected by its Mobile Mapping team.

"It is of great importance that we develop new applications and initiatives that further safeguard the privacy of residents and visitors," a spokesperson for the city told Cities Today. "This right to privacy applies to the online and offline world.”

Only people (not organizations) can ask for their personal data to be deleted and only if certain criteria are met. They cannot request that data be deleted for no legitimate reason.

Some of the criteria for the right to be forgotten in the EU include:

However, requests for personal data to be deleted can be denied. This can often include:

For additional examples, this list from the EU details other reasons data may and may not be erased in Europe, though rules might vary elsewhere.

Data removal can be complicated. For instance, if a search engine is ordered to remove an individual’s data, this applies only to results that show up in Europe, not globally.

Still, as awareness of this right grows, so do requests. For instance, X – formerly known as Twitter – has seen rising requests for data to be removed. It received an average of over 250 requests per day in the final six months of 2021, the latest period on which it provides information.

Cases across the internet where the right to be forgotten has been enforced include:

Some critics remind policymakers and leaders that a balance must be struck when determining what should and should not be forgotten.

For instance, tension does exist between the right to be forgotten and the right to freedom of expression. And the legislation makes space for this, with Article 17(3) outlining circumstances where the right to be forgotten doesn't apply - including exercising the right to freedom of expression and information. Some believe this right could be misapplied to cover up human rights violations and other illegal activity.

Concerns are that the legislation could lead to frequent and widespread removal of content, and it can be used as a mechanism to censor or prevent scrutiny.

And, as technology develops, new challenges emerge. For example, questions have emerged about large language models, typically used to train AI systems, and the right to be forgotten from those. And, more significantly, how you might be forgotten from such datasets, which would be much more complicated than for search engines.

Where many cases are upheld, the data has posed a threat to an individual’s well-being. Tackling harmful content online is the primary aim of the World Economic Forum’s Global Coalition for Digital Safety, whose members span the public and private sectors and have developed Global Principles on Digital Safety.

“The principles encourage deeper collaboration and cooperation, recognizing that we all have responsibilities to help build a safe, rewarding and innovative digital world,” the Forum says in its Translating International Human Rights for the Digital Context report.

Anyone wishing to have data about themselves removed from the internet can make a request verbally or in writing, depending on their jurisdiction. The EU provides a template for doing so, while organizations, including Google and X, have set up online request forms.