I decided to finally clean up an old account on CivitAI (https://civitai.com/). Nothing unusual - I just wanted to exercise my right to be forgotten, the one I heard about so much on Reddit before, being a regular lurker.
I sent them a polite email citing Article 17 GDPR. Gave them enough info to find me (email, username, first login date, payment history). Didnât use my real name, didnât log in - partly because I didnât want to trigger Cloudflareâs fingerprinting again.
Their reply?
âWhen users delete their account, this action is permanent, since we delete any and all data associated with that account.â
Maybe? Thereâs no way to verify their claim without re-engaging. No public deletion policy (https://civitai.com/content/privacy). No confirmation. No alternative. Only if you log in to do it. Which means triggering Cloudflareâs tracking system again.
I shouldnât have to expose myself to surveillance just to ask to be forgotten.
Honestly, I was taken aback a little. But fair enough, I thought. I still have a shield for myself - letâs escalate.
I filed with the Irish Data Protection Commission (DPC) - mostly because they accept anonymous, English requests.
They closed my case within days with this:
Youâre from Ukraine. Not our problem.
No discussion of whether CivitAI targets EU users (they do!). No interest in the fact they process personal data globally. Didnât even ask if I was in the EU at that time. Just a flat rejection based on my location.
Fine. Maybe NGOs can help?
I contacted:
- Access Now
- EDRi
- Digitalcourage
- epicenter.works
- Even tried the UK ICO (turns out, CivitAI blocks UK users now, so no luck there)
Out of all of them, only epicenter.works replied - twice - telling me to contact noyb.
Which is silly, because I already did. Over a month ago. Still no reply.
So here I am.
I did everything I could - correctly, thoroughly, and in good faith. But all I got in return is silence, deflection, bureaucracy.
Donât get me wrong - I still believe in the idea of GDPR. I want to believe in it. But the enforcement? Itâs a paper tiger. All bark, no bite. And worst of all, it doesnât even have self-respect - happy to roll over the moment someone shows up without an EU passport.
This wasnât about being petty or creating drama. I just wanted to get in control of my data, as was promised by the GDPR declaration.
But apparently, even that is too much to ask.
Anyway, vent over. Just wanted to share this so others donât waste months chasing rainbows like I did.
And maybe - just maybe - someone at noyb, DPC, or CivitAI will finally read it and feel ashamed enough to act.
P.S. Why Iâm posting it here:
- I think it fits this community topic
- This post was removed from r/gdpr by moderators
- Some subreddits ignored my request to approve this post on their subreddits
- r/privacy requires karma to post
- I was shadowbanned by Reddit for no apparent reason
- Similar post saw zero reaction on Mastodon instance
- Twitter & Bluesky requires solving a captcha that Iâm incapable of solving
In addition, since the initial post on Reddit and Mastodon weeks ago, Iâve sent emails to various privacy oriented news outlets and public organizations, but I was ignored by all, but EFF which replied âwe canât help youâ.
EDIT: To clarify a recurring point: GDPR does not require you to be an EU citizen or resident to be protected.
Under Article 3(2), it applies to any company that offers goods/services to people in the EU - even if the user is from Ukraine, the US, or elsewhere. if anyone think Iâm in wrong, please provide source. I donât see what Iâm doing wrong here.
Proof (screenshots)
My GDPR request sent to support@.
Reasserting rights after their first refusal.
âUse the button.â No erasure guarantee.
Irish DPC closes case based on nationality.
The EU isnât the world police. Expecting them to enforce their laws in a case where none of the involved parties are in the EU is odd.
And the GDPR isnât a universal right, itâs a right of EU citizens. Similarly, the USâ First Amendment right to free speech wonât save you from hate speech charges in Germany. Heck, it wonât do that even if youâre a US citizen, so long as the offense is on German soil.
Fair point, and I get why it might look that way.
But hereâs the thing. CivitAI doesnât block EU users. It used EUR pricing, English (the EUâs lingua franca), their current pop-up says theyâre privacy and GDPR compliant (somehow), and infrastructure that logs EU traffic (Cloudflare EU nodes). The Irish DPC is their de facto lead authority - thatâs why Meta, Google, and TikTok all get fined by them.
So when they dismiss my complaint with âyouâre from Ukraineâ - without even asking if I was in the EU when I used the site, or whether CivitAI targets EU users - itâs not legal analysis. Itâs triage. And in that triage, non-EU users get deprioritized - no matter what the law says.
Iâm not arguing theory. Iâm reporting what happened:
Correct, it is not a universal right. They are not engaging with you because your complaint is outside their jurisdiction. And the company isnât either.
Itâs like expecting Saudi Arabia to apprehend a Dutchman in Riyadh because you showed them a photograph of him drinking alcohol in Amsterdam. Sure, heâs in their country, so they could do it. And he did something thatâs illegal in their country. But he didnât do it in their country.