Close Menu
Privacy

The Right to Be Forgotten: How to Remove Yourself from Search Engines

Jesse William McGrawBy No Comments6 Mins Read26 Views
Stack of search results with some struck through by red erasure beams representing right to be forgotten

"Right to Be Forgotten" is the popular name for what Article 17 of the GDPR calls the "Right to Erasure", the right of EU and EEA residents to require certain processors to delete personal data about them. In its most famous form, it requires search engines to delist links from results returned for searches of a person’s name. It is one of the most invoked GDPR rights, one of the most contested in courts, and one of the most useful tools available to anyone trying to manage their online presence.

It is also frequently misunderstood, both in scope and in mechanics.

The legal foundation

The right traces directly to the 2014 Court of Justice of the European Union ruling in Google Spain v. González (C-131/12). Mario Costeja González, a Spanish national, asked Google to delist links to a 1998 La Vanguardia newspaper notice about an auction of his repossessed property. The court ruled that search engines processing personal data are subject to the Data Protection Directive (now GDPR), and that individuals have the right to require delisting where the indexing of their personal data is "inadequate, irrelevant or no longer relevant, or excessive."

GDPR codified and expanded the right. Article 17 lists six grounds for erasure including: data no longer necessary for the original purpose; consent withdrawn; unlawful processing; legal obligation. The right is not absolute. Article 17(3) carves out exemptions for freedom of expression, public interest, scientific or historical research, and several other public-interest grounds.

The full GDPR text is at eur-lex.europa.eu/eli/reg/2016/679/oj. Google’s official page on RTBF requests for EU residents is support.google.com/legal/answer/10769224.

What it actually does, and does not, do

Delisting is removal from the search-engine index when querying that specific name. Three important caveats:

The underlying source is not removed. The newspaper article, the public record, the social media post, these continue to exist. The right governs the search engine’s role as data processor, not the original publisher.

Delisting is generally limited to EU/EEA versions of the search engine. The 2019 CJEU ruling in Google v. CNIL (C-507/17) confirmed that EU regulators cannot require global delisting, only delisting in EU domains and for users geolocated to the EU.

Searches for the same content using different queries (the document title rather than your name, for example) may still surface the result. Delisting is name-anchored.

The practical effect is real but limited: an HR-screening Google search of your name in Germany returns a different set of results than the same search in the United States.

What Google approves and rejects

Google publishes a detailed Transparency Report at transparencyreport.google.com/eu-privacy/overview showing aggregate decision data. From the inception of the right through 2024, Google has processed over 1.5 million URLs across some 600,000 requests, with an overall delisting rate near 50 percent.

Categories with high approval rates:

Old criminal allegations not resulting in conviction.

Personal information published years ago about long-resolved private matters.

Outdated employment or educational information that is no longer accurate.

Personal contact information (home addresses, phone numbers).

Information about minor children.

Categories with high rejection rates:

Public-figure information related to professional conduct.

Recent news about ongoing matters.

Information that is publicly significant (court records of serious crimes, regulatory enforcement actions).

Content where the requestor is not the subject of the URL.

Information published by the requestor themselves on platforms they control.

Each request is decided on individual facts. Google’s evaluation looks at the nature of the information, the requestor’s role (private individual versus public figure), the source’s role (journalism versus aggregation), the age of the information, and the public interest in its accessibility.

The mechanics of filing

For Google, the form is at reporting.google.com/personal-info/eu_privacy. The process:

Provide your name as it appears in the offending search results.

List specific URLs you want delisted (you must enumerate them; Google does not search on your behalf).

For each URL, briefly explain why the indexing is "inadequate, irrelevant, or excessive", the standard from Google Spain v. González.

Provide identification confirming you are who you claim to be.

Submit and wait. Google’s median response time is reportedly several weeks; complex cases longer.

Bing has its own form at bing.com/webmaster/tools/eu-privacy-request; DuckDuckGo and Brave Search use Google and Bing’s underlying indexes respectively but accept their own requests through their support channels.

If a request is rejected, the requestor can appeal to their national data protection authority. The European Data Protection Board’s Guidelines 5/2019 on the criteria for the Right to Be Forgotten provide the regulatory framework supervisory authorities apply.

US data brokers and the broader removal problem

The US has no equivalent of the Right to Be Forgotten. California’s CCPA/CPRA gives California residents a right to deletion against most businesses processing their personal information, but search-engine delisting specifically is not addressed.

For most US-located individuals concerned about search-result exposure, the practical path is removal at the source where possible:

Contact the publisher directly. Many small-publication editors will remove or redact content on legitimate request, particularly for older articles.

Contact people-search sites individually. Spokeo, BeenVerified, Whitepages, and the rest have opt-out flows.

Use a removal service (DeleteMe, Optery, Privacy Bee) to handle data-broker removals at scale.

For Google in particular, the "Results about you" tool at myactivity.google.com/results-about-you, available in the US and several other countries, lets you request removal of search results containing your contact information regardless of the EU Right to Be Forgotten. This is narrower than RTBF (it covers PII like phone numbers and home addresses, not general reputation) but useful.

What to expect realistically

Delisting works best for older, lower-significance content about private individuals. It works least well for current professional matters and journalistic coverage.

Expect rejections on first attempts and prepare to escalate to data protection authorities for borderline cases.

Recognise that delisting is not deletion: the underlying content survives and can resurface through different queries.

Combine RTBF requests with takedown requests at the source where possible, they are complementary, not redundant.

The Right to Be Forgotten is one of the more user-friendly GDPR provisions. It is also one of the most ethically contested, the tension between privacy and historical record is real and unresolved. As a practical privacy tool for most individuals, it is worth using when the situation warrants. The decade-old story you wish would stop coming up in searches of your name probably can be made to stop coming up in EU-based searches, with some effort and a clear case.

Share.

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.

Related Posts

Comments are closed.