I decided to finally clean up an old account on CivitAI (https://civitai.com/). Nothing unusual - I just wanted to exercise my right to be forgotten, the one I heard about so much on Reddit before, being a regular lurker.
I sent them a polite email citing Article 17 GDPR. Gave them enough info to find me (email, username, first login date, payment history). Didn’t use my real name, didn’t log in - partly because I didn’t want to trigger Cloudflare’s fingerprinting again.
Their reply?
“When users delete their account, this action is permanent, since we delete any and all data associated with that account.”
Maybe? There’s no way to verify their claim without re-engaging. No public deletion policy (https://civitai.com/content/privacy). No confirmation. No alternative. Only if you log in to do it. Which means triggering Cloudflare’s tracking system again.
I shouldn’t have to expose myself to surveillance just to ask to be forgotten.
Honestly, I was taken aback a little. But fair enough, I thought. I still have a shield for myself - let’s escalate.
I filed with the Irish Data Protection Commission (DPC) - mostly because they accept anonymous, English requests.
They closed my case within days with this:
You’re from Ukraine. Not our problem.
No discussion of whether CivitAI targets EU users (they do!). No interest in the fact they process personal data globally. Didn’t even ask if I was in the EU at that time. Just a flat rejection based on my location.
Fine. Maybe NGOs can help?
I contacted:
- Access Now
- EDRi
- Digitalcourage
- epicenter.works
- Even tried the UK ICO (turns out, CivitAI blocks UK users now, so no luck there)
Out of all of them, only epicenter.works replied - twice - telling me to contact noyb.
Which is silly, because I already did. Over a month ago. Still no reply.
So here I am.
I did everything I could - correctly, thoroughly, and in good faith. But all I got in return is silence, deflection, bureaucracy.
Don’t get me wrong - I still believe in the idea of GDPR. I want to believe in it. But the enforcement? It’s a paper tiger. All bark, no bite. And worst of all, it doesn’t even have self-respect - happy to roll over the moment someone shows up without an EU passport.
This wasn’t about being petty or creating drama. I just wanted to get in control of my data, as was promised by the GDPR declaration.
But apparently, even that is too much to ask.
Anyway, vent over. Just wanted to share this so others don’t waste months chasing rainbows like I did.
And maybe - just maybe - someone at noyb, DPC, or CivitAI will finally read it and feel ashamed enough to act.
P.S. Why I’m posting it here:
- I think it fits this community topic
- This post was removed from r/gdpr by moderators
- Some subreddits ignored my request to approve this post on their subreddits
- r/privacy requires karma to post
- I was shadowbanned by Reddit for no apparent reason
- Similar post saw zero reaction on Mastodon instance
- Twitter & Bluesky require solving a captcha that I’m incapable of solving
In addition, since the initial post on Reddit and Mastodon weeks ago, I’ve sent emails to various privacy-oriented news outlets and public organizations, but I was ignored by all but EFF, which replied “we can’t help you”.
EDIT: To clarify a recurring point: GDPR does not require you to be an EU citizen or resident to be protected.
Under Article 3(2), it applies to any company that offers goods/services to people in the EU - even if the user is from Ukraine, the US, or elsewhere. If anyone thinks I’m in the wrong, please provide a source. I don’t see what I’m doing wrong here.
Proof (screenshots)
Thank you.
Because GDPR itself says I can:
https://gdpr-info.eu/art-3-gdpr/
What line from article 3 makes you think that? It sounds to me like it’s only talking about data processors inside and outside the EU that handle data of people in the EU
Yet this same article in paragraph 2 literally says it only covers EU citizens.
“This Regulation applies to the processing of personal data of data subjects who are in the Union”
Why are you surprised when they point this out?
You’re describing how it works in practice - not how it’s written in law. GDPR protects data subjects in the EU, and applies to companies targeting the EU - not just EU passport holders. The real issue isn’t my location - it’s that CivitAI ignores the law, and regulators let them - until an EU citizen complains.
This creates a geographic lottery: if you’re physically in the EU when you complain, you get enforcement. If you’re not - even as an EU citizen abroad - you get dismissed. This is essentially a VIP lane despite claiming otherwise.
Can you confirm you are physically in the EU? If you are not, they do not care because as you pointed out, “it protects data subjects in the EU”. If you are not in the EU, then your location DOES matter. If you are in an EU territory (or territory where international agreements deem it applicable) even as a non-EU citizen, then that would suck. It doesn’t sound like a lottery to me - be physically in a territory where the law applies and get GDPR. Expecting laws to apply outside their jurisdiction is crazy
Maybe I’m just bad with words, so let me try to explain my point better: GDPR isn’t triggered by location - it’s triggered by CivitAI’s targeting of the EU (EUR pricing, no geo-blocking, Cloudflare EU infrastructure, etc.). Article 3(2) + EDPB Guidelines §21 make this clear - and the Irish DPC skipped that analysis entirely.
I’ve already covered this in other comments (and added a clarification to the post itself), so if you’d like to continue the discussion (or anyone else who might be reading this reply), I’d appreciate it if you could ground your points in primary sources - e.g., the GDPR text, EDPB guidance, or official DPC precedent, rather than common misunderstanding.
I’m not trying to win an argument nor asking for more than it’s written in the law itself.