How to Remove Personal Data from the Internet: Why Aggregators Cannot Use It Freely

How to remove personal data from the internet—and why aggregators cannot use it however they want.

Personal data is not “ownerless,” even if it has been online for a long time.

We recently wrote that data has become the new currency of the digital world.

Every click, every acceptance of terms, and every app permission is not just a technical action. It is a legally significant step.

However, there is another side to this reality.

More and more people are asking the same question: why is my personal data published on aggregator websites, and why is it so difficult to remove?

The response users often receive sounds reasonable. Aggregators claim that the data comes from official sources and is publicly available, so its use is lawful.

At first glance, this argument seems logical. If information is published online, does that mean anyone can use it?

In practice, the answer is no.

Personal data is subject to specific legal rules, and those rules are defined by law.

Here is what we will cover:

• what is happening in the market for personal data aggregators
• what counts as personal data under Russian law (152-FZ)
• when collection and publication become unlawful
• why an “official source” does not give a free pass
• how to remove personal data from the internet in practice

What Is Happening in the Personal Data Aggregator Market

In recent years, an entire market has emerged around services that collect and compile information about individuals. These services are commonly referred to as personal data aggregators.

Their operating model is relatively straightforward:

• collect information from multiple sources
• combine it into a single database
• create individual profiles
• display part of the data for free
• offer more detailed reports for a fee

The sources of data may include:

• court publications
• public registries
• open websites
• advertisements
• online profiles
• social networks
• other databases

As a result, a digital profile of a person is created. This profile can be used for employee screening, counterparty verification, reputation analysis, or marketing purposes.

While this may appear to be a simple search service, it raises an important legal question: does such a service have the right to collect, process, and distribute this data?

In practice, the interaction between users and aggregators often follows a familiar pattern.

User: “I found my personal data on your website. Please remove it.”

Aggregator: “The information comes from open or official sources, so publishing it is lawful.”

However, once the situation is examined more closely, the legal picture becomes more complex. If a service collects, organizes, stores, and publishes personal data, it is engaged in data processing. This means it must have a lawful basis for doing so.

Personal Data Law and Aggregators

What Counts as Personal Data Under the Law

Under Russian law, personal data is defined as any information that relates directly or indirectly to an identifiable individual.

This concept is broader than many people assume. It includes not only names, phone numbers, and identification documents, but also IP addresses, geolocation data, purchase history, behavioral patterns, device identifiers, and cookies.

Even if individual data points appear harmless, their combination may be sufficient to identify a person.

This means that data is not an abstract concept. It is a legally regulated category.

When an Aggregator Becomes a Data Operator

The law defines a data operator as an entity that organizes and carries out the processing of personal data, determines the purposes of processing, defines the scope of data, and decides how it is handled.

Processing itself includes a wide range of actions, such as collection, recording, systematization, storage, use, transfer, dissemination, access, blocking, and deletion.

If a service collects, stores, organizes, and publishes personal data, it is processing that data. As a result, it must comply with legal requirements.

Why “We Took It from Open Sources” Is Not Always Lawful

This is one of the most common arguments used by aggregators. However, the legal framework does not support such a simplified approach.

The law distinguishes a specific category of data that is permitted for public distribution by the individual. Such data can only be distributed if the person has given explicit and separate consent.

The law clearly states that:

• consent must be specific and issued separately
• the individual must define which data can be shared
• silence does not constitute consent

Therefore, the assumption that publicly available data can be freely used is incorrect.

Why Court Publications Do Not Give Aggregators Unlimited Rights

Court decisions are indeed published in accordance with laws that ensure transparency of the judicial system. However, this publication has a specific purpose and is subject to certain limitations, including the anonymization of some personal data.

Aggregators operate differently:

• they collect data at scale
• combine it from multiple sources
• create structured profiles
• distribute the information

In doing so, they create a new system of personal data processing. This means they must comply with personal data protection laws, including requirements related to registration as data operators and lawful processing. You can check Russia’s register of personal data operators here: https://pd.rkn.gov.ru/operators-registry/operators-list/

Why Personal Data Spreads So Easily

Another reason why data quickly appears in aggregator databases is user behavior.

People often agree to terms without reading them carefully. This leads to broad consent being given across multiple services, which can later result in data appearing in unexpected places.

This is not always obvious at the moment of consent, but it has long-term consequences. We explored the “data as currency” idea in this article: https://contentguard.pro/en/blog/dannye-novaya-valyuta-soglasie-obrabotka

How to Remove Personal Data from the Internet

If you discover your personal data on an aggregator website, it is important to act systematically.

Step 1. Find every place your data appears

The first step is to identify all instances where your data appears. Search using, for example:

• full name + city
• full name + employer or company
• phone number
• email address
• username or handle

Step 2. Preserve evidence

Next, document what you found. Keep screenshots of the webpage, the URL, the date, and the specific data being displayed.

Step 3. Send a request to the data operator

Under Russian law, you have the right to request:

• confirmation that your data is being processed
• the legal basis for processing
• the source of the data
• the purpose of processing
• the storage period

Step 4. Demand deletion if processing is unlawful

If the processing is unlawful, you have the right to demand deletion or destruction of your data. This is reflected in Article 21 of Federal Law No. 152-FZ on personal data.

Step 5. Escalate to the regulator

If the operator ignores your request, you may file a complaint with Roskomnadzor, Russia’s data protection authority.

When Data Protection Becomes Critical

The issue becomes especially important in situations involving business negotiations, confidential information, public activity, or reputational risks.

In such cases, control over personal data becomes a key element of risk management.

How ContentGuard Can Help

Working with personal data requires not only knowledge of the law but also practical experience in dealing with platforms and aggregators.

ContentGuard assists individuals and companies in:

• finding and removing unlawfully published personal data from the internet
• communicating with aggregators and services that publish user information
• preparing formal legal requests to data operators
• supporting complaints to Roskomnadzor
• auditing websites for compliance with 152-FZ
• auditing personal data processing processes
• drafting privacy policies and related documentation
• preparing businesses for regulator inspections

We also help organizations build compliant end-to-end data processing systems—from audit to a full documentation package. Ensuring compliance before issues arise is the most effective way to reduce risk.