The European Data Protection Board (EDPB) is about to shine a spotlight on one of the most complex and challenging aspects of data protection: the right to erasure. Last week they announced a Coordinated Enforcement Action on the right to be forgotten. For organizations operating in or serving European markets, this will probably call for some strategic preparation. Although it’s not clear that the Coordinated Enforcement Action will result in significantly more enforcement actions being launched by DPAs, we should expect that some of the trickier issues out there will be brought to light and tested.

Previous Coordinated Enforcement Actions focused on use of cloud-based services by the public sector, designation and position of data protection officers, and implementation of the right of access by controllers.

Beyond the Basics: The Complexity of Erasing Data

The right to erasure (Article 17 GDPR) sounds straightforward, but it’s anything but simple. Organizations will need to navigate a minefield of technical, legal, and ethical considerations that go far beyond a simple delete button.

Five Critical Fringe Cases to Watch

What happens when a right to erasure request conflicts with other legal requirements? Financial institutions, for example, must balance data protection requests with anti-money laundering regulations that mandate keeping certain records. Healthcare providers face similar challenges with medical record retention laws.

2. Distributed Data Ecosystems

The real challenge lies in data that’s been shared, copied, or integrated across multiple systems. How thoroughly must an organization track and eliminate personal data? This includes:

  • Third-party databases
  • Archived backups
  • Shared cloud services
  • Analytics and reporting systems

3. Partial Erasure and Pseudonymization

The EDPB is likely to scrutinize nuanced approaches to data minimization. When is data truly “erased,” and when is it simply transformed? Organizations will need to demonstrate:

  • Meaningful data reduction
  • Effective pseudonymization techniques
  • Clear documentation of erasure processes

4. Cross-Border and Multi-Platform Challenges

International organizations face complex scenarios. A request from an EU citizen might involve:

  • Data stored on servers in multiple countries
  • Different legal interpretations across jurisdictions
  • Complex platform ecosystems (social media, cloud services, etc.)

5. Automated Systems and AI Training Data

Perhaps the most cutting-edge challenge involves AI and machine learning systems. How do you “erase” someone from a trained algorithm? This raises critical questions about:

  • Retraining machine learning models
  • Removing individual data points from complex datasets
  • Balancing individual rights with technological innovation

Practical Implications for Organizations

The EDPB’s coordinated action isn’t just about finding violations–it’s about establishing best practices. Organizations should prepare by:

  • Conducting comprehensive data mapping exercises
  • Developing clear, transparent erasure procedures
  • Creating cross-functional response teams
  • Implementing robust tracking and verification mechanisms
  • Preparing detailed documentation of erasure processes

The Broader Context

This enforcement action is part of a broader trend of increasing data protection scrutiny. The EDPB has previously investigated cloud services, data protection officers, and access rights. Each investigation has raised the bar for compliance, turning data protection from a legal checkbox into a strategic imperative.

What’s at Stake

Non-compliance isn’t just about potential fines–though those can be substantial. It’s about maintaining trust, protecting individual rights, and demonstrating technological and ethical sophistication in an increasingly complex digital landscape.