The Right to Be Forgotten: GDPR Erasure Explained (2026)
The right to be forgotten lets people in the EU and UK ask search engines to de list certain results about them. Here is what GDPR Article 17 actually covers, who qualifies and where, how to file a Google request, and why the United States has no equivalent general right.
Key takeaways
- The right to be forgotten is a European and UK right to erasure grounded in GDPR Article 17, applied to search engines mainly as a de-listing right after the 2014 Google Spain ruling.
- Article 17 lists six grounds a person can invoke and five exceptions (led by freedom of expression) that let an organisation refuse, so it is a balancing test rather than an automatic delete button.
- Google runs a dedicated EU and UK removal form: you supply exact URLs, the name queries, proof of identity, and a specific reason for each link, and Google must respond within roughly one month.
- De-listing is scoped to EU versions of the search engine (Google v CNIL, 2019), not worldwide, and it never deletes the source page.
- The United States has no general right to be forgotten because of the First Amendment; Americans instead rely on narrower state deletion laws like the CCPA and CPRA plus Google's own personal-information removal tools.
- Because the right reaches search results and not source content, it works best as one lever inside a coordinated plan rather than a standalone fix.
In this guide
The phrase right to be forgotten sounds absolute, as if you could point at anything unflattering online and make it vanish. The reality is narrower and far more jurisdictional. In the European Union and the United Kingdom it is a genuine legal right to have qualifying personal data erased, and when applied to search engines it usually means having a specific result de-listed from name searches, not deleted from the web. In the United States no equivalent general right exists at all. Understanding that real shape is the difference between filing a request that works and being frustrated by one that never could. This guide explains exactly what the right is, the precise grounds and exceptions under GDPR Article 17, the case that created it, how to file a Google request, the territorial limits, and what Americans can actually use instead.
What the right to be forgotten actually is
In legal terms the right to be forgotten is a right to erasure. In the European Union it is grounded in Article 17 of the General Data Protection Regulation (GDPR), which gives individuals the ability, in defined circumstances, to have personal data about them erased. The popular version most people mean grew out of a 2014 decision of the Court of Justice of the European Union (CJEU) known as the Google Spain case, which established that search engines act as data controllers and can, in appropriate cases, be required to remove certain results from searches made against a person's name.
It is important to be precise about the mechanism. As applied to search engines the right is primarily a de-listing (or de-referencing) right. It targets the search result that surfaces information about you, not the original web page. The underlying article, record, or post can continue to exist at its source. What changes is whether that page appears in the search engine's results for your name in the relevant region. That distinction governs almost everything else about how the right behaves in practice.
GDPR Article 17: the six grounds for erasure
Article 17(1) sets out six situations in which an individual can require a controller to erase their personal data without undue delay. The data must be erased where the data is no longer necessary for the purpose it was collected; where the person withdraws consent and there is no other legal basis for processing; where the person objects to the processing and there are no overriding legitimate grounds; where the data has been unlawfully processed; where erasure is needed to comply with a legal obligation; or where the data was collected in relation to online services offered to a child. According to the UK regulator, the Information Commissioner's Office, a controller generally has one month to respond to a valid erasure request.
The takeaway is that erasure is not a free-floating entitlement to remove anything you dislike. You have to fit your situation to one of these defined grounds. A page that is simply embarrassing but was lawfully published, is still accurate, and remains relevant may not clear any of them, whereas stale data kept long past its purpose often does.
Want help exercising your erasure rights?
Senior-led and confidential. You pay only for results.
The five exceptions that can defeat a request
Article 17(3) is where many requests actually turn. Even when a ground applies, a controller can refuse erasure where continued processing is necessary for one of five reasons. The first and most consequential is freedom of expression and information, which protects journalism and the public's access to lawful reporting. The others are compliance with a legal obligation or a task carried out in the public interest or official authority; reasons of public health; archiving in the public interest, scientific or historical research, or statistical purposes; and the establishment, exercise, or defence of legal claims. You can read the operative text at GDPR Article 17.
This is why the right is best understood as a balancing exercise rather than an on-or-off switch. Your privacy interest is weighed against the public's interest in continued access to the information. Two people with superficially similar results can get different outcomes: a stale, low-relevance page about a private individual's long-past minor matter is a very different case from recent reporting about a company director's professional conduct.
The Google Spain case that created the modern right
The modern right traces to Google Spain SL v AEPD and Mario Costeja Gonzalez, decided by the CJEU Grand Chamber on 13 May 2014 (Case C-131/12). Mario Costeja Gonzalez, a Spanish national, objected that a Google search of his name returned links to a 1998 newspaper notice about a repossession auction over a debt that had long since been resolved. The court held that a search engine operator is responsible for the processing of personal data appearing on third-party pages, and that individuals may in appropriate cases require the operator to remove links returned for a search on their name where the results appear inadequate, irrelevant, no longer relevant, or excessive in light of the time elapsed.
The ruling was interpreted through Articles 7 and 8 of the EU Charter of Fundamental Rights (respect for private life and protection of personal data). Its practical impact was immediate: Google reported receiving more than 12,000 removal requests on the first day it opened its form. That case, later carried into the codified language of GDPR Article 17, is why de-listing exists as an everyday remedy in Europe today.
Who qualifies and where it applies
The right to be forgotten is a feature of European law. It applies to individuals in the European Union, and a closely comparable right exists in the United Kingdom under the UK GDPR and Data Protection Act 2018, which carried the framework forward after Brexit. In practice Google asks whether the requester has a connection to a European country, such as residency or citizenship, as a threshold question. If you are located in the EU or the UK, or your data is processed in a way that falls under those regimes, you are in scope.
If you are elsewhere, most importantly in the United States, the general right simply does not reach you, a point we return to below. Matching your jurisdiction to the right tool is the whole game, and it is the first thing a reputation audit should establish before any request is filed.
How to file a Google delisting request step by step
In practice most people exercise this right through the search engine's own process. Google publishes a dedicated EU and UK privacy removal request form and explains the process in its Right to be Forgotten overview. A workable request has a few consistent elements. First, identify yourself and, where asked, provide proof of identity so Google can confirm the request relates to you. Second, list the exact result URLs you want de-listed rather than a general complaint about a site. Third, name the search queries, typically your name and close variants, under which those results appear. Fourth, give a specific reason for each URL, for example that it is outdated, inaccurate, no longer relevant, or intrudes on your private life without a public-interest justification.
After you submit, Google reviews the request against the balancing test and may ask for clarification. It can approve, in which case the URL is de-listed for name-based searches in the applicable region, or it can decline. If it declines, you can escalate to your national data protection authority (in the UK, the ICO) or ultimately to the courts. As of a 2025 process update, Google generally aims to decide within roughly 30 to 45 days and no longer routinely notifies the publisher of the underlying page when content is de-listed. A specific, well-documented request is far harder to refuse than a vague blanket one, which is where professional content removal support often makes the practical difference.
What Google weighs when deciding
Google has built its criteria to track the guidance of European data protection authorities and courts, and it publishes aggregate outcomes in its Transparency Report. The core questions are whether you have a genuine connection to a European country; whether the page actually appears for your name; whether the information is inadequate, irrelevant, no longer relevant, or excessive; and whether there is a countervailing public interest in the information remaining findable.
Certain factors weigh heavily against de-listing. Information tied to your current professional role, to matters of genuine public record with ongoing relevance, to serious criminal matters, or to the conduct of public figures acting in their public capacity is more likely to stay. Conversely, requests about private individuals, stale content, sensitive personal data, or material relating to your private life with no strong public-interest hook succeed more often. Because the assessment is contextual, outcomes vary case by case, and no honest service can promise a specific result in advance.
The territorial limit: EU-wide, not worldwide
A crucial and often misunderstood limit is geographic. In Google v CNIL (Case C-507/17, 2019) the CJEU held that EU law does not require a search engine to de-list a result across all versions of its search engine worldwide. Instead, an operator must apply the de-listing across its EU versions and take measures, including geo-blocking, that effectively prevent or seriously discourage users within the EU from reaching the de-listed link.
The practical consequence is that an approved de-listing removes the result for name-based searches within Europe, but the same query run from outside the EU may still surface the page. De-listing narrows discovery in the region where the right applies; it does not create a global disappearance. Anyone promising that a right-to-be-forgotten filing will scrub a page everywhere on Earth is overstating what the law delivers.
The United States has no general right to be forgotten
This is the sharpest contrast. The United States has no equivalent general right to be forgotten. There is no federal statute that lets an ordinary American demand that Google de-list truthful, lawful information about them the way an EU resident can. The reason is constitutional: the First Amendment protects the publication and continued availability of lawful, truthful speech, and US law has long favoured access to public-record and press information over a broad personal interest in obscurity. If you are in the United States and someone tells you to just invoke your right to be forgotten, they are describing a right that, in that general form, does not exist where you are.
That does not mean Americans are without options. It means the options are narrower, more targeted, and rooted in specific statutes, platform policies, and, where content is genuinely unlawful, defamation or privacy claims against the source. The mistake is expecting a single European-style lever; the reality is a toolkit assembled case by case.
What Americans can actually use instead
Two practical routes matter most. The first is state privacy law. California's Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), gives California residents a right to ask a business to delete personal information the business collected about them, generally within 45 days. As the California Attorney General explains, this is narrower than GDPR erasure: it reaches data a business holds about you, not third-party search results or journalism, and it carries an explicit exemption protecting free speech and other legal rights. A growing list of other states (Virginia, Colorado, Connecticut, and more) have enacted comparable deletion rights. These laws are powerful against data brokers and companies holding your records, but they are not a route to suppress a news article or a review.
The second route is Google's own personal-information removal tools. Independent of any right to be forgotten, Google will remove certain results globally when they expose sensitive data, and its consumer-facing Results about you tool and personal-info removal policy let anyone request removal of results that show contact details, government ID numbers, bank or card numbers, login credentials, medical records, images of signatures, or doxxing content shared with intent to harm. As with de-listing, removing a result from Google does not delete the underlying page; to remove the source you must contact the site owner or host. For a full walkthrough of these tools, see our companion guide on how to remove personal information from Google.
Realistic outcomes and how this fits a broader strategy
Used correctly, in the right jurisdiction, against qualifying results, the right to be forgotten can quietly remove painful pages from European name searches. Used with the wrong expectations, it disappoints. Three limits define what is realistic: it de-lists rather than deletes, so the source page survives; it is regional, so discovery outside Europe is unaffected; and it is a balancing test, so success is never guaranteed and public-interest content usually stays.
Because of that, de-listing is one lever inside a larger effort rather than a complete solution. Where a page qualifies under European law, that route can be pursued. Where it does not, the answer may lie in content removal at the source, in pursuing a platform-policy or legal takedown against genuinely unlawful material, or, when a lawful page simply cannot be removed, in pushing it down with stronger, more relevant content so it falls off page one. That suppression approach is covered in our guide on how to suppress negative search results. The right approach depends on where you are, what the content is, and why it is visible in the first place, which is exactly what a proper assessment sorts out first.
The honest bottom line
The right to be forgotten is real, meaningful, and genuinely useful, but it is a European and UK de-listing right, not a global delete button, and it does not exist in general form in the United States. GDPR Article 17 gives you six grounds and five exceptions, the Google Spain case turned that into an everyday search remedy, Google v CNIL confined it to EU versions of the search engine, and Americans instead rely on narrower state deletion laws and Google's own removal tools. Understand those boundaries first, match the tool to your jurisdiction and your specific content, and treat de-listing as one coordinated part of a plan rather than the whole of it.
Frequently asked questions
Is the right to be forgotten the same as GDPR Article 17?+
Effectively yes. In EU law the right to be forgotten is the right to erasure codified in GDPR Article 17. The popular meaning, having search results de-listed, comes from the 2014 Google Spain case, which applied that erasure principle to search engines. Article 17 also covers erasure of data held directly by companies, not just search links.
Does the right to be forgotten delete the web page itself?+
No. As applied to search engines it de-lists the result so the page no longer appears for name-based searches in the relevant region. The original page stays live at its address, reachable directly and still findable through other routes. Removing the source itself requires contacting the site owner or host, or a separate legal or policy takedown.
Can Americans use the right to be forgotten?+
Not in its general European form. The United States has no broad right to be forgotten because the First Amendment protects lawful, truthful speech. Americans can instead use state privacy laws like California's CCPA and CPRA to delete data a business holds about them, and Google's personal-information removal tools for sensitive data such as contact details, financial numbers, or doxxing content.
Does a Google de-listing apply worldwide?+
No. In Google v CNIL (2019) the CJEU held that EU law requires de-listing only across the EU versions of the search engine, backed by geo-blocking for users in the EU. The same search run from outside Europe may still return the result, which is why de-listing narrows regional discovery rather than erasing a page globally.
How do I file a right-to-be-forgotten request with Google?+
Use Google's dedicated EU and UK privacy removal form. Verify your identity, list the exact result URLs, name the search queries (typically your name) they appear under, and give a specific reason for each URL, such as that it is outdated, inaccurate, or intrudes on your private life without public interest. Google generally responds within about a month.
What kinds of requests usually get refused?+
Requests tend to fail where there is a genuine public interest in the information: content tied to your current professional role, serious criminal matters, matters of public record with ongoing relevance, or the conduct of public figures. The Article 17(3) exception for freedom of expression and journalism is the most common reason a request about news reporting is declined.
What can I do if Google refuses my request?+
You can escalate to your national data protection authority, which in the UK is the Information Commissioner's Office, and ultimately to the courts. It also helps to strengthen the request itself with clearer, URL-specific reasoning and evidence, since vague blanket requests are easy to decline. Where de-listing is not available, removal at the source or suppression may be better routes.
How long does the process take?+
Under GDPR a controller generally must respond to an erasure request within one month. For search de-listing, Google typically aims to decide within roughly 30 to 45 days, and may pause the clock if it needs clarification. Escalations to a regulator or court add further time on top of the initial review.
Sources & references
Prefer we handle it?
Want help exercising your erasure rights?
We handle the removal requests, de-indexing, and follow-through for content you want gone.
See content removalReady to See What AI Finds About Your Reputation?
Schedule your free, confidential consultation and we'll show you exactly where you stand across search engines, review sites, and AI platforms.
