On March 5, 2025, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) action for 2025, shifting its focus to the implementation of the right to erasure, commonly referred to as the “right to be forgotten,” under Article 17 of the General Data Protection Regulation (GDPR). This initiative, involving 32 Data Protection Authorities (DPAs) across Europe, marks the fourth iteration of the EDPB’s annual coordinated enforcement efforts. Following the 2024 focus on the right of access, the 2025 CEF targets a right that is both frequently exercised by individuals and a common source of complaints to DPAs. This paper examines the significance of this enforcement action, its operational framework, and its broader implications for data protection in the European Union (EU), situating it within the evolving landscape of privacy governance.
Context and Rationale
The right to erasure, enshrined in Article 17 of the GDPR, empowers individuals to request the deletion of their personal data under specific conditions, such as when the data is no longer necessary for its original purpose, consent is withdrawn, or processing lacks a legal basis. Unlike an absolute right, it is subject to exceptions, including legal obligations, public interest, or freedom of expression. The EDPB’s decision to prioritize this right in 2025, made during its October 2024 plenary, reflects its prominence in GDPR practice. As one of the most invoked data subject rights, the right to erasure underscores the tension between individual autonomy and organizational data management, often exposing compliance gaps when controllers fail to act promptly or misapply exceptions.
The selection of this topic aligns with the EDPB’s 2024-2027 strategy, which emphasizes streamlined enforcement and enhanced DPA cooperation. Previous CEF actions on cloud-based services (2022), Data Protection Officers (2023), and the right of access (2024) demonstrate a pattern of targeting high-impact areas where compliance challenges persist. The right to erasure’s visibility, coupled with frequent DPA complaints, positions it as a critical test case for assessing the GDPR’s practical efficacy nearly a decade after its implementation in 2018.
Operational Framework of the 2025 CEF
The 2025 CEF will unfold over the course of the year, with 32 DPAs engaging controllers across various sectors. This multi-jurisdictional approach ensures a comprehensive evaluation of erasure practices, leveraging both formal investigations and fact-finding exercises. DPAs will scrutinize how controllers process erasure requests, focusing on the application of Article 17’s conditions (e.g., necessity, consent withdrawal) and exceptions (e.g., legal retention requirements). This dual methodology—combining proactive audits with reactive follow-ups allows for flexibility, enabling DPAs to escalate efforts where significant non-compliance is detected.
A key feature of the CEF is its collaborative structure. DPAs will maintain close communication, sharing findings throughout 2025 to build a cohesive dataset. These national efforts will be aggregated and analyzed collectively, providing deeper insights into systemic issues and informing targeted enforcement actions at both national and EU levels. This process not only amplifies the reach of individual DPAs but also fosters consistency in GDPR interpretation, a core mandate of the EDPB under Article 70. The anticipated outcome, likely a report in early 2026, will synthesize these findings, offering guidance for controllers and potentially shaping future regulatory priorities.
Implications for Data Controllers
For organizations subject to GDPR, the 2025 CEF signals heightened scrutiny of erasure processes. Controllers must ensure timely responses typically within one month, per Article 12(3) and robust mechanisms for data deletion across all systems, including backups. The focus on exceptions adds complexity, as organizations must justify retention decisions with clear legal grounding, balancing compliance with operational needs. This enforcement action may prompt a wave of internal audits, particularly among sectors like housing (noted by Brandenburg’s DPA) or technology, where data retention practices vary widely.
The initiative also underscores the importance of transparency and documentation. Controllers will likely face DPA inquiries ranging from simple questionnaires to formal investigations, requiring evidence of compliant procedures. Non-compliance risks fines up to €20 million or 4% of annual global turnover (Article 83), alongside reputational damage. As the EDPB’s coordinated approach amplifies visibility, organizations operating across multiple EU jurisdictions must prepare for consistent enforcement, reducing the likelihood of exploiting regulatory fragmentation.
Broader Significance in Privacy Governance
The 2025 CEF reflects broader trends in EU privacy governance, particularly the shift toward proactive, collective enforcement. By targeting a fundamental right like erasure, the EDPB reinforces the GDPR’s role as a dynamic tool for empowering individuals in an increasingly data-driven world. This action builds on the 2024 CEF’s focus on access rights, suggesting a strategic emphasis on strengthening data subject control—erasure and access being two sides of the same coin in asserting ownership over personal information.
Moreover, the initiative highlights the GDPR’s adaptability to contemporary challenges. The “right to be forgotten,” first crystallized in the 2014 Google Spain v. AEPD case (CJEU C-131/12), has evolved from a judicial concept to a statutory right under GDPR, yet its implementation remains contentious. Issues such as incomplete deletions, delays, or over-reliance on exceptions persist, as evidenced by DPA complaint volumes. The CEF’s findings could clarify these gray areas, potentially influencing EDPB guidelines or even prompting legislative refinements.
Critical Perspectives
While the CEF’s ambitions are laudable, its success hinges on execution. The involvement of 32 DPAs risks inconsistency in approach, given differing national resources and priorities Berlin’s DPA, for instance, may prioritize urban tech firms, while Finland’s might focus on broader consumer sectors. Aggregation of results may smooth these disparities, but the lack of a standardized methodology could weaken comparative insights. Additionally, the focus on controllers places less emphasis on processors, despite their role in data handling, potentially leaving a gap in the enforcement chain.
Another critique lies in the CEF’s reactive nature. By targeting a right already known for compliance issues, the EDPB may miss opportunities to address emerging risks, such as those posed by artificial intelligence or cross-border data flows (e.g., Transfer Impact Assessments). A forward-looking approach might complement this retrospective focus, ensuring the GDPR remains ahead of technological curves rather than perpetually catching up.
CEF Actions in Europe
The EDPB’s 2025 CEF action on the right to erasure represents a pivotal moment in GDPR enforcement, blending operational rigor with strategic intent. By mobilizing 32 DPAs to scrutinize erasure practices, the initiative promises to enhance compliance, clarify legal nuances, and reinforce data subject rights across the EU. For controllers, it serves as both a challenge and an opportunity to refine processes under a watchful regulatory eye. Academically, it offers a lens into the evolving interplay of law, technology, and governance, with implications that may resonate beyond 2025. As the EDPB aggregates its findings, the resulting insights will likely shape the next chapter of EU privacy policy, affirming the GDPR’s enduring relevance in safeguarding personal data.
