Definition
The right to erasure (commonly called the “right to be forgotten”) is codified in GDPR Article 17 and grants individuals the right to request deletion of their personal data from any organization that holds it. The right applies when the data is no longer necessary for its original purpose, when consent is withdrawn, when the data subject objects to processing and no overriding legitimate grounds exist, when data has been unlawfully processed, or when deletion is required to comply with an EU or member state legal obligation.
The concept predates GDPR. In 2014, the Court of Justice of the European Union ruled in Google Spain SL v. AEPD (C-131/12) that individuals could request search engines to delist links containing outdated or irrelevant personal information. GDPR Article 17 expanded this right from search delisting to full data deletion across all controllers and processors, and imposed affirmative obligations on controllers to notify third parties who received the data.
Why It Matters
Google’s transparency reports indicate that the company has received over 2.1 million URL delisting requests under the right to erasure since the 2014 ruling, covering more than 5.5 million URLs. Across the broader GDPR ecosystem, erasure requests represent one of the most frequently exercised data subject rights—and one of the most operationally difficult to fulfill.
The operational challenge is profound. A 2024 study by BigID found that 68% of enterprises cannot locate all copies of a specific individual’s data across their infrastructure within the 30-day response window mandated by GDPR. Data proliferates across production databases, analytics warehouses, backup tapes, machine learning training sets, CDN caches, email archives, log aggregators, and third-party integrations. True erasure requires locating and destroying every copy—an operation that becomes more difficult as data infrastructure grows.
The consequences of failure are both legal and reputational. The Swedish Data Protection Authority fined a bank SEK 35 million in 2024 for failure to adequately respond to erasure requests. Beyond fines, organizations that cannot demonstrate complete data deletion face loss of consumer trust at a time when 79% of consumers say they would stop doing business with a company that mishandled their data, according to Cisco’s 2024 Consumer Privacy Survey.
How It Works
The right to erasure operates through a request-and-verify cycle:
- Request submission: The data subject submits a verifiable erasure request. The controller must verify the requester’s identity without creating new privacy risks.
- Scope assessment: The controller determines whether the request qualifies under Article 17 and whether exceptions apply (freedom of expression, legal claims, public health).
- Deletion execution: The controller deletes all personal data and notifies all processors and third parties. Article 17(2) requires controllers to inform other processors of the erasure request.
- Verification and response: The controller confirms completion within one month (extendable to three months). Documentation must be maintained—creating a tension between proving deletion and retaining data about the deletion.
The fundamental paradox: comprehensive erasure in distributed systems is operationally intractable. Cryptographic shredding addresses this by making deletion a key management operation rather than a data location operation—destroy the encryption key, and all copies become irrecoverable simultaneously.
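The following sketch illustrates the key-destruction idea described above. It is an added example, not code from Stealth Cloud or any product named on this page. The store names, subject IDs, and the `KeyVault` class are hypothetical, and the stdlib HMAC-SHA256 encrypt-then-MAC construction stands in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(enc_key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(enc_key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC from stdlib parts; a stand-in for a real AEAD."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed: wrong or destroyed key")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class KeyVault:
    """Hypothetical key store: the only place per-subject keys exist."""
    def __init__(self):
        self._keys = {}
    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))
    def get(self, subject_id):
        return self._keys.get(subject_id)
    def shred(self, subject_id):
        return self._keys.pop(subject_id, None) is not None

def store_everywhere(vault, stores, subject_id, record):
    for store in stores.values():  # each copy is sealed with a fresh nonce
        store[subject_id] = seal(vault.key_for(subject_id), record)

def readable_copies(vault, stores, subject_id):
    key = vault.get(subject_id)
    if key is None:  # key shredded: every ciphertext copy is now opaque
        return []
    return sorted(n for n, s in stores.items() if subject_id in s and unseal(key, s[subject_id]))

def demo():
    vault = KeyVault()
    stores = {"production": {}, "warehouse": {}, "backup_tape": {}}  # constructed stores
    store_everywhere(vault, stores, "subject-1", b"alice@example.test")  # constructed data
    store_everywhere(vault, stores, "subject-2", b"bob@example.test")
    before = readable_copies(vault, stores, "subject-1")
    vault.shred("subject-1")  # the erasure operation touches no data store
    leftover = sum("subject-1" in s for s in stores.values())
    return before, readable_copies(vault, stores, "subject-1"), leftover, readable_copies(vault, stores, "subject-2")
```

The ciphertext copies remain in all three stores after the shred, yet none can be read, while the other subject's records are unaffected. The guarantee holds only if the key was never copied outside the vault (key backups, replicas, caches) and no plaintext copy of the record exists elsewhere.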
Stealth Cloud Relevance
Stealth Cloud satisfies the right to erasure by making it unnecessary. The zero-persistence architecture ensures that no personal data is stored beyond the active session. PII stripping removes personal identifiers before data enters any processing pipeline. Cryptographic shredding destroys session encryption keys at session end, rendering any residual ciphertext permanently irrecoverable.
There is no erasure request to process because there is nothing to erase. No data inventories to search. No backup tapes to locate. No analytics warehouses to purge. No third-party processors to notify. The architecture achieves continuous, automatic erasure as a property of its design—not as a response to a regulatory request.
This is the operational difference between privacy by design and privacy by compliance. Compliance-driven organizations build deletion pipelines, train staff to handle erasure requests, and maintain audit logs of deletion operations. Stealth Cloud builds architecture where data does not persist long enough to require deletion—where erasure is the default state, not an exception triggered by a subject request.
Related Terms
- GDPR
- Cryptographic Shredding
- Zero-Persistence Architecture
- Data Minimization
- PII (Personally Identifiable Information)
The Stealth Cloud Perspective
The right to erasure is a legal remedy for an architectural failure—data that should not have persisted in the first place. Stealth Cloud eliminates the failure mode. When zero persistence and cryptographic shredding are architectural defaults, the right to erasure is not exercised—it is rendered structurally irrelevant.