A case study on digital footprint removal and data protection solutions for doxxing

If you've searched your name online and discovered that your home address, email, business history or even defamatory accusations are visible through WHOIS data, archived websites or social media posts, you might be facing a situation that could escalate into a privacy breach.

What is doxxing and why publishing public data may breach privacy laws

How a growing YouTube channel exposed a client to doxxing threats

Why doxxing might be unlawful under UK data protection law

Legal methods to delete personal data from the internet

Why combining public data can be illegal: the data protection risks of doxxing

Can GDPR protects UK citizens living abroad from online privacy violations and doxxing

When outdated online information becomes a privacy risk under data protection law

Lawyers’ thoughts about the case

What is doxxing and why publishing public data may breach privacy laws

While each of published data points might seem harmless or legally published in isolation, when they are collected and presented together, they can create a detailed digital profile that poses serious risks. This practice, often used in doxxing, is recognised by law as a form of unlawful data aggregation and profiling, making it a potentially serious breach of data protection regulations.

This case study focuses on a growing legal problem: how outdated but still publicly available data can be stitched together to form a dangerous new profile of an individual. This practice, known as doxxing, is often used to harass, intimidate or discredit someone, and in many cases, it is unlawful.

Even if each individual item such as a Companies House listing or an old domain registration was once lawfully published, their combination can amount to unlawful data processing under the UK GDPR and Data Protection Act 2018.

This case shows how these laws can be used effectively to remove personal data from the internet, delete WHOIS records, erase Wayback Machine content, and challenge social media platforms to protect your identity and safety online.

How a growing YouTube channel exposed a client to doxxing threats

One of our clients, a British entrepreneur living in the United States, faced this exact issue. Years of involvement in online ventures had left him with a significant digital footprint, and not all of it was positive or under his control.

He reached out to us because his YouTube channel had become unexpectedly successful. The sudden spotlight drew new attention to his past ventures, and with it, a risk that users might uncover links between his current online presence and personal information that had once been publicly listed across the internet.

He was worried about doxxing (the malicious gathering and publication of someone’s personal information to cause them harm or distress). His concern was well-founded. Much of his personal data, from addresses and phone numbers to email accounts and business history, was easily accessible online and scattered across outdated directories, WHOIS records, even archived web pages from over a decade ago.

Why doxxing might be unlawful under UK data protection law

The root of the problem was how seemingly harmless bits of information, when pulled together, could form a detailed and potentially dangerous profile. In isolation, an old company listing on Companies House or a long-defunct WHOIS registration might seem innocuous. However, once pieced together- especially when combined with social media references or archived web content- they could expose someone’s current address, business interests, and even family members, making doxxing a breach of data in some cases.

This was exactly the kind of profile that malicious actors use when doxxing individuals. Our client, for example, had old WHOIS entries linking his name to several domain names and websites, some of which still had publicly available snapshots via the Wayback Machine. These entries showed not only his business connections but also linked to addresses and email addresses he no longer used.

Moreover, a disgruntled individual had tweeted content disclosing private information and making defamatory accusations against him. This content wasn’t just inconvenient; it represented, in our client's eyes a real and growing threat to his privacy, safety, and livelihood.

Legal methods to delete personal data from the internet

In cases like this, a multi-pronged legal strategy is essential. We first tackled the most immediate and harmful content: the tweets that disclosed his name and linked him to a previous business in a negative light.

Using the UK Data Protection Act 2018 and the GDPR, we served Twitter with a Notice of Objection to the processing of personal data. Twitter responded by removing the content from its platform, an example of how strong and enforceable data rights can be when properly exercised.

Next, we turned our attention to the WHOIS databases. Although domain registrars are often permitted to publish registrant information, retaining historic data after privacy settings have changed or after a domain has been sold can violate data protection laws.

We contacted multiple registrars and WHOIS platforms, pointing out the breach of data protection rules. These letters resulted in the removal of our client's personal data from several major databases.

Then we addressed archived websites. The Wayback Machine had retained multiple versions of websites our client had once owned. We used copyright claims, as he still held the intellectual property for much of the content, to argue that storing and republishing it was unlawful. The Internet Archive agreed to remove the content.

Each part of the strategy depended on a different legal foundation, but together they achieved the same goal: erasing a harmful digital footprint.

Why combining public data can be illegal: the data protection risks of doxxing

It is important to understand that doxxing is more than just mean-spirited behaviour. In legal terms, it involves the creation of a new kind of data. By aggregating small, seemingly unrelated pieces of public information such as Companies House listings, WHOIS records, LinkedIn pages, and social media comments, a doxxer essentially creates a fresh data set.

This new data set paints a current and potentially damaging picture of an individual, even if each part of the puzzle was legally published at the time. Under data protection law, the creation of this new personal profile is considered a new act of data processing.

Since it is done without the subject's consent and often with the intent to harass, it becomes unlawful. For instance, Companies House may legally publish a company director's service address, but when this address is combined with a WHOIS entry showing a phone number, and a tweet linking those to a YouTube username, the result is a consolidated profile that breaches privacy laws. 

This practice transforms lawful data into unlawful profiling. This legal nuance is one of the reasons why doxxing is increasingly being treated as a serious breach of privacy under UK and EU law and considered so dangerous.

Can GDPR protects UK citizens living abroad from online privacy violations and doxxing

Yes, GDPR does protect UK citizens living outside the UK or EU from privacy breaches, and this case is a strong example of how that protection can be used in practice. Although our client was residing in the United States at the time, his status as a UK citizen meant that the General Data Protection Regulation (GDPR) still applied to his personal data.

GDPR protections are not limited by geography. They apply to any UK or EU citizen when their personal data is processed by companies or platforms that either operate within or target individuals in the UK or EU. This is known as GDPR's extraterritorial scope, and it ensures that people are not left unprotected just because they have moved abroad.

In our client’s case, organisations like Twitter, WHOIS databases, and the Internet Archive either had operations in the UK or EU, or made their services available to users there. As a result, they were bound by GDPR obligations. This gave us a strong legal basis to issue data protection notices, which led to successful content removals despite the client's overseas location.

For UK citizens living abroad, this case demonstrates that GDPR is a powerful legal tool to protect your digital privacy. Whether your information is being mishandled by a global platform or misused on a public directory, you have the right to demand its removal or restrict how it's used under data protection law.

When outdated online information becomes a privacy risk under data protection law

Another key insight from this case is that content doesn't need to be obviously unlawful to be harmful. A photograph, an old business listing, or an archived web page may not breach any laws on its own. When combined and presented in a way that exposes someone to risk or connects past actions with current identities, it can be challenged under data protection principles.

Privacy laws consider the impact of the data's presence, its context, and whether there remains a legitimate public interest in its availability. For example, there may be a case for suppressing a service address listed in Companies House if it is no longer in use and poses a safety risk.

Similarly, WHOIS records, once relevant, may become obsolete and subject to deletion upon request. This understanding empowers individuals to challenge outdated or excessive data collection and demand its removal under the right to be forgotten or legitimate interest assessments. In the digital age, even lawful data can become unlawful when used irresponsibly or out of context.

Lawyers’ thoughts about the case

This case revealed the real-world challenges people face when trying to manage and protect their digital identities. Our client wasn’t dealing with a single slanderous blog or a rogue tweet, it was the cumulative effect of years of online activity.

Each piece of information may have seemed harmless or irrelevant on its own, but together they created a portrait that was deeply invasive and potentially damaging. It brought into focus how modern data protection laws are tailored not just to address direct misuse of data, but also the way context and aggregation can turn lawful content into a privacy violation.

Data is not fixed in meaning; its implications change over time and depending on how it is combined. Resolving this matter required more than technical takedowns. We had to adopt a strategic, layered approach: analysing each source of exposure, identifying the legal grounds for action, and applying persistent pressure on platforms and data controllers.

Importantly, we also had to communicate a credible legal stance, as many tech firms only respond meaningfully when their legal obligations are clearly asserted. In the end, we were able to use the existing legal frameworks not just to remove data, but to reaffirm the principle that individuals deserve to control their narrative in the digital space.