GDPR Regulators Just Finished Grading Europe on ‘The Right to Be Forgotten.’ Now They’re Grading Honesty.
By Alex
For all of 2025, 32 European data protection authorities quietly investigated the same question: when someone asks a company to delete their personal data, does the company actually do it? The European Data Protection Board published its findings on February 18, 2026 — and a month later, without much pause, launched an entirely new investigation into a different question: do companies even tell people, clearly and honestly, what data they’re collecting and why?
The shift from one to the other isn’t a coincidence or a scheduling accident. It’s the EDPB’s Coordinated Enforcement Framework doing exactly what it’s designed to do — and this year’s pivot, from deletion to disclosure, lands at a moment when AI systems have made both questions harder to answer than they used to be.
What the Erasure Investigation Actually Found

The 2025 Coordinated Enforcement Action targeted Article 17 GDPR — the right to erasure — because it’s one of the rights individuals invoke most often, and one data protection authorities field the most complaints about. Of the 32 participating DPAs, nine opened or continued formal investigations, and 23 ran fact-finding exercises across companies in their jurisdictions.
The report surfaced seven recurring problems, and they’re the kind that suggest structural gaps rather than isolated bad actors. Companies relied on weak anonymization techniques as a substitute for actual deletion — scrubbing a name from a record while leaving enough attached data to re-identify the person. Retention periods were inconsistently defined, so “how long do we keep this” had no clear answer even inside the same company. Backups were a recurring blind spot: front-end systems would delete a record while an untouched copy persisted in backup infrastructure for months. And because the right to erasure isn’t absolute — it has to be balanced against other rights and legal obligations — many controllers simply didn’t have a defined process for making that judgment call consistently.
None of this required malice. It required exactly what you’d expect from data infrastructure that grew organically over years without erasure requests being designed in as a first-class operation from the start.
Why the EDPB Moved to Transparency Next
The 2026 Coordinated Enforcement Framework action, launched March 19, targets Articles 12 through 14 of GDPR — the requirement that companies tell individuals, in clear and accessible language, what data is being collected, why, and what happens to it. Twenty-five DPAs are participating this round.
The logic connecting the two years isn’t obvious at first, but it holds up: you can’t meaningfully exercise a right to erasure, or any other GDPR right, if you were never told in the first place what data existed about you to begin with. Transparency is the precondition every other right depends on. A company can build a technically perfect deletion pipeline and still fail GDPR if the privacy notice describing what it collects is vague, buried, or written to obscure rather than inform. The EDPB running erasure enforcement one year and transparency enforcement the next isn’t a change of subject so much as working backward through the dependency chain — checking the foundation after checking what’s built on top of it.
Why This Lands Differently in an AI Company

Transparency and information obligations were always awkward for any company running complex data pipelines, but AI systems make the awkwardness structural rather than incidental. A conventional web form collects a defined, enumerable set of fields — you can write an accurate privacy notice because you know exactly what you’re collecting. A model trained on scraped web data, user interactions, or third-party datasets often can’t produce that same clean enumeration. What data actually went into training, how a specific inference used a specific input, and what happens to conversation logs afterward are questions that many AI-driven products still answer vaguely, not out of bad faith but because the honest technical answer is genuinely more complicated than a form field.
That’s exactly the gap Articles 12-14 enforcement is built to probe: not just “did you disclose something” but “was the disclosure accurate, specific, and actually understandable to the person reading it.” A privacy notice that says a chatbot “may process your data to improve our services” technically discloses something, and still likely fails the standard the EDPB is now checking for.
What This Means Right Now
Nothing about the 2026 CEF creates new legal obligations — Articles 12-14 have applied since GDPR took effect in 2018. What changes is the odds of getting checked, and the state of the last equivalent audit as a preview of what auditors tend to find. If the erasure investigation is any guide, the coming transparency findings are more likely to surface structural gaps — privacy notices that haven’t kept pace with what a product’s data pipeline actually does — than to uncover companies with no notice at all. For any company running AI-driven features on European users, the practical task isn’t waiting for a fine; it’s the less dramatic work of making sure the privacy notice actually describes, in plain language, what the system does with data today, not what it did when the notice was last written.
- On May 9, 2026
- 0 Comment
