The European Data Protection Board has launched coordinated enforcement actions targeting systemic failures in GDPR right-to-erasure compliance, revealing widespread shortcomings in data controllers' processes and exposing millions of users to privacy risks.
The European Data Protection Board (EDPB) has initiated a sweeping coordinated enforcement action targeting how organizations implement the right to erasure under the General Data Protection Regulation (GDPR). This landmark operation, involving data protection authorities across 22 EU/EEA member states, represents one of the largest examinations of Article 17 compliance since GDPR took effect in 2018. The coordinated action comes in response to mounting evidence that individuals face significant barriers when attempting to exercise their fundamental right to have personal data deleted.
Under GDPR Article 17, individuals possess the legal right to request deletion of their personal data when it's no longer necessary for its original purpose, when consent is withdrawn, or when data has been unlawfully processed. Despite this clear mandate, the EDPB's preliminary findings reveal alarming compliance gaps. Many controllers lack standardized procedures for receiving and processing erasure requests, routinely exceed the mandatory one-month response window, and fail to properly verify requestor identities—creating both security risks and accessibility barriers.
For users, these systemic failures translate into tangible privacy harms. Individuals seeking to remove sensitive information—such as outdated financial records, compromising social media content, or health data—often encounter opaque processes requiring complex verification steps. Some controllers force users to submit physical copies of identification documents via postal mail, while others provide no confirmation of data deletion. These obstacles disproportionately affect vulnerable populations, including domestic abuse survivors seeking to erase location data and minors requesting removal of childhood digital footprints.
Organizations face severe consequences for non-compliance. The EDPB has signaled intentions to leverage GDPR's tiered penalty system, where violations of erasure rights can trigger fines up to €20 million or 4% of global annual revenue—whichever is higher. Beyond financial penalties, controllers risk mandatory audits, operational shutdowns of non-compliant processing activities, and lasting reputational damage. The enforcement action has already prompted several multinational tech firms to overhaul their data deletion infrastructures.
Technical implementation challenges lie at the heart of many compliance failures. Legacy systems with fragmented data storage, inadequate data mapping, and uncoordinated backup protocols make complete erasure technically difficult. The EDPB clarified that controllers cannot cite technical complexity as justification for non-compliance, emphasizing that GDPR requires implementation of "appropriate technical and organisational measures" (Article 25) to facilitate erasure. Controllers must now implement data inventory systems with deletion cascades across all storage locations, including backups and third-party processors.
Key compliance changes emerging from the enforcement action include:
- Mandatory web-based erasure request portals with automated tracking
- Standardized identity verification using secure digital methods
- Data mapping audits to identify all storage locations
- Revised retention schedules aligned with erasure obligations
- Staff training programs focused on erasure procedures
The EDPB has published detailed implementation guidelines reinforcing that erasure rights apply regardless of data storage format, requiring controllers to delete information across structured databases, unstructured data lakes, and even machine learning training sets where feasible. This interpretation significantly expands technical obligations for AI-driven organizations.
For individuals seeking to exercise erasure rights, the EDPB recommends:
- Documenting all deletion requests
- Filing simultaneous complaints with local data protection authorities when facing resistance
- Utilizing template requests from digital rights organizations like Access Now's GDPR guides
Organizations can reference the official EDPB Guidelines on Data Subject Rights and the Article 17 Implementation Checklist to align with enforcement expectations. The coordinated action marks a pivotal shift toward rigorous enforcement of fundamental privacy rights, signaling that superficial compliance will no longer suffice in Europe's evolving data protection landscape.