Europe’s Privacy Watchdog Targets the ‘Right to Be Forgotten’ in 2025 Crackdown

On Wednesday in Brussels, the European Data Protection Board, the continent’s top authority on privacy, unveiled an ambitious plan to scrutinize how companies and governments honor one of the most cherished—and contested—rights under Europe’s stringent data laws: the right to erasure, better known as the “right to be forgotten.” The initiative, part of the board’s 2025 Coordinated Enforcement Framework, signals a new chapter in the European Union’s ongoing battle to ensure that individuals can reclaim control over their privacy rights. Europe has been the leader in personal data protection, and the GDPR has led the way for numerous privacy laws throughout the world.

Announced on March 5, this year-long effort will see 32 data protection authorities across Europe join forces to investigate whether organizations are complying with Article 17 of the General Data Protection Regulation, the landmark 2018 law that underpins the region’s privacy regime. The right to erasure allows people to demand that their personal information—be it old social media posts, outdated news articles, or corporate records—be wiped from databases when it’s no longer relevant or necessary. It’s a right that has empowered citizens but frustrated businesses and regulators alike with its practical complexities.

A Shift in Focus After Years of Access Battles

The EDPB’s decision to zero in on erasure follows a 2024 campaign that tackled another GDPR cornerstone: the right of access, which lets individuals peek into the troves of data companies hold about them. That effort exposed gaps in compliance, with many organizations struggling to respond promptly or fully to access requests. Now, the board is pivoting to erasure, a right that’s just as fundamental but trickier to enforce, given the exceptions and conditions baked into the law.

During its October 2024 plenary session, the EDPB chose this focus not on a whim but because of its prominence. “It’s one of the most frequently exercised rights under GDPR, and it’s a frequent source of complaints to national regulators,” a board spokesperson said in a statement. From forgotten profiles lingering on defunct websites to personal details stubbornly cached by search engines, the grievances pile up, reflecting a public increasingly aware of its digital shadow—and eager to erase it.

The Enforcement Plan: A Continent-Wide Audit

Starting this month, the 32 participating data protection authorities—spanning countries from Ireland to Italy—will fan out to examine a cross-section of “controllers,” the legal term for entities that manage personal data. These could include tech giants, small businesses, government agencies, or even nonprofits, though the EDPB has yet to name specific targets. The approach will vary: some regulators will launch formal investigations, while others will conduct fact-finding missions, sending questionnaires or requesting records to assess compliance.

What’s under the microscope? How these controllers handle erasure requests—from the moment a citizen submits one to the final deletion (or refusal). The GDPR lays out clear grounds for erasure, like when data is no longer needed for its original purpose or when consent is withdrawn, but it also carves out exceptions: public interest, legal obligations, or free expression can trump a deletion demand. Regulators will scrutinize how controllers navigate this tightrope, checking whether they’re honoring legitimate requests or leaning too heavily on loopholes.

Throughout 2025, these national watchdogs will huddle regularly, sharing notes and dissecting findings. By year’s end, the EDPB plans to pool the results into a comprehensive report, aiming to uncover patterns of compliance or neglect. That analysis won’t just sit on a shelf—it’s expected to guide follow-up actions, from targeted fines to EU-wide policy tweaks.

Why Erasure Matters Now More Than Ever

The timing couldn’t be more poignant. As artificial intelligence and data harvesting accelerate, the digital past feels more indelible than ever. A decade ago, the right to be forgotten gained fame when a Spanish man won a landmark case against Google, forcing the search engine to delink outdated articles about his financial woes. Today, the stakes are higher: personal data fuels algorithms that shape everything from job prospects to political ads, making erasure a frontline defense against an overexposed life.

Yet the right remains a lightning rod. Tech firms argue it’s a logistical nightmare—data often scatters across servers worldwide, defying easy deletion. Journalists and archivists warn it could erode history or free speech, a tension the GDPR acknowledges with its exceptions. For regulators, the challenge is consistency: a Greek authority might greenlight a deletion that a German one denies, leaving citizens and companies in a patchwork of outcomes.

What’s Next for Europe’s Privacy Rulings

The EDPB’s 2025 campaign isn’t a one-off—it’s part of a broader strategy launched in 2020 to harmonize GDPR enforcement across Europe’s fragmented landscape. Past efforts tackled cloud services, data protection officers, and access rights, each yielding reports that sharpened the board’s focus. This time, the right to erasure could set a precedent for how seriously Europe takes its promise of digital autonomy.

For now, the controllers under scrutiny—unnamed but undoubtedly on edge—face a year of reckoning. Citizens, meanwhile, may find their pleas to vanish from the internet finally heard, or at least better understood. As the EDPB’s 32 authorities dig in, one thing is clear: in 2025, Europe isn’t just asking to be forgotten—it’s demanding to know why it hasn’t been.
