Un Web ouvert peut-il s’affranchir des libertés individuelles ?

Publié le

dans

.
do not block exit panel

Nearly one year after I exercised my right to have my personal data erased from WordPress.org, my account was finally deleted. This story isn’t just about WordPress® or the GDPR. It’s about a more fundamental question: how do we measure a project’s commitment to individual freedom?

A few weeks ago, Matt Mullenweg published a post celebrating WordPress®‘ 23rd anniversary. In it, he reflected on a difficult year for the project and reaffirmed WordPress®‘ long-standing commitment to an open, independent Web that empowers its users.

I’ve believed in that vision for many years.

For more than fifteen years, I used WordPress®, contributed to its community, organized and spoke at WordCamps®, and participated in several community initiatives. I still consider WordPress® one of the most important open-source projects in the history of the Web.

But reading that anniversary post left me with a simple question.

When an organization claims to defend the Open Web and the people who use it, does it also respect those users’ fundamental rights when they choose to leave?

imath

I didn’t find the answer in a manifesto. I found it through personal experience.

A simple request

On June 20, 2025, I exercised my right to erasure under Article 17 of the GDPR by asking WordPress.org to delete my personal data.

There was nothing unusual about my request. I wasn’t asking for my past contributions to disappear. I wasn’t trying to rewrite the history of my involvement in the WordPress® community. I simply wanted my user account, my public profile, and the personal data associated with them to be deleted — or anonymized whenever preserving historical content made more sense.

The following day, the WordPress.org Data Protection Officer replied. The automated erasure process could not be completed because my account was linked to various WordCamp® and community contributions. The DPO asked me to confirm that I agreed to removing those related records so that my account could be fully erased.

I replied immediately. My answer was simple: Yes, I confirm. At that point, I assumed the process would move forward.

Then… Nothing

Weeks passed. Then months. No confirmation. No follow-up questions. No notification that the legal deadline had been extended. No reasoned refusal.

My public profile remained online.

After more than eight months, I contacted the DPO again. No reply. I then sent a formal notice reminding WordPress.org of its obligations under the GDPR. Still no reply.

Eventually, I filed a complaint with the French Data Protection Authority, the CNIL.

Rights exist only when they can be exercised

People often say that organizations must respond to GDPR requests within a « reasonable time. »

The GDPR is actually much more specific. Article 12 requires controllers to inform data subjects of the action taken on their request within one month. That deadline may be extended by up to two additional months if the request is particularly complex, but the individual must be informed of that extension.

In my case, it wasn’t one month. It wasn’t three months. It was almost a full year.

On June 2, 2026, my WordPress.org account was finally deleted. Shortly afterward, the CNIL informed me that it had issued a formal reminder to WordPress® because of the excessive delay in handling my request.

I’m genuinely pleased that my request was ultimately fulfilled. That was always my only objective.

What this experience taught me

This experience hasn’t changed how I feel about WordPress® as software. I still admire what the project has contributed to the Web over the past two decades. But it reminded me of something important.

Digital freedom is about much more than open-source licenses, interoperability, or decentralized infrastructure. It is also about an individual’s ability to regain control over their own personal data.

The freedom to leave is every bit as important as the freedom to participate.

An open Web isn’t defined solely by the freedom to join. It is also defined by the freedom to leave.

Beyond my own story

My story has a positive ending. My account was deleted. The CNIL fulfilled its role as an independent supervisory authority. The law ultimately prevailed.

But it took nearly a year, multiple follow-up emails, a formal notice, and regulatory intervention to achieve something that should, in principle, have been straightforward.

I am not sharing this experience to reopen old controversies. I’m sharing it because I believe the values that underpin the Open Web deserve more than inspiring speeches. They are measured:

  • in everyday practice;
  • when people choose to contribute;
  • and just as much when people choose to leave.

Ultimately, the question that remains is not about WordPress® alone. It is one that every digital platform should ask itself:

Can an Open Web truly call itself open if users cannot easily exercise their fundamental right to leave?

imath

Featured photo credits Thomas Le on Unsplash

Note: The WordPress® & WordCamp® trademarks are intellectual properties of the WordPress Foundation. The use of the WordPress® & WordCamp® names in this article is for identification purposes only and does not imply endorsement by the WordPress Foundation.