Right to Be Forgotten: Evolving Jurisprudence in Digital Contexts
The right to be forgotten has emerged as a pivotal issue in digital privacy law, sparking global debates on its application and limits. This article explores the evolving jurisprudence surrounding this right, analyzing landmark cases and their implications for individuals and platforms.
The “Right to Be Forgotten” (RTBF) has become one of the most high-profile and debated aspects of EU data protection law, particularly in the context of search engines, online reputation, and freedom of expression. Rooted in the General Data Protection Regulation (GDPR) and first articulated by the Court of Justice of the European Union (CJEU) in 2014, the right has since evolved through both landmark jurisprudence and national court enforcement.
/wp:paragraph wp:paragraphThis article focuses on the CJEU’s decision in Google v CNIL (C-507/17)—a pivotal case that defined the geographic scope of RTBF—and explores how national courts and regulators are interpreting and applying the right in digital and cross-border contexts.
/wp:paragraph wp:paragraphOrigins: Google Spain (C-131/12)
/wp:paragraph wp:paragraphThe modern RTBF emerged from the Google Spain case, where the CJEU ruled that search engines are data controllers under EU law and must consider requests from individuals to de-index links to outdated, irrelevant, or excessive personal information, even if the original content remains online.
/wp:paragraph wp:paragraphThis case established that:
/wp:paragraph wp:list- Individuals have a right to request de-referencing of search results under certain conditions.
- Search engines must balance the right to privacy with freedom of information and public interest.
Google v CNIL (C-507/17): Territorial Limits of De-Referencing
/wp:heading wp:paragraphIn Google v Commission nationale de l’informatique et des libertés (CNIL), the CJEU considered whether Google was required to remove links globally, or only within the EU/EEA when responding to RTBF requests.
/wp:paragraph wp:paragraphFacts:
/wp:paragraph wp:list- The French data protection authority (CNIL) fined Google for failing to remove links from all domain versions (e.g., google.com) after agreeing to de-index them from EU domains (e.g., google.fr, google.de).
- CNIL argued that limiting delisting to EU domains made the right ineffective.
CJEU Ruling:
/wp:paragraph wp:list- The Court held that global de-referencing is not required under EU law.
- However, EU law does allow Member States’ authorities to require broader de-referencing, depending on the circumstances and local legal balancing tests.
Implications:
/wp:paragraph wp:list- The RTBF is territorially limited to the EU/EEA—but must be effective within that scope, including through geo-blocking measures to prevent circumvention.
- National regulators retain the power to demand more expansive de-referencing, subject to proportionality and international law.
National Follow-Up and Judicial Trends
/wp:heading wp:heading {"level":3}France
/wp:heading wp:paragraphFollowing the CJEU ruling, CNIL revised its enforcement practices:
/wp:paragraph wp:list- Google and other platforms now use geo-fencing techniques to limit visibility of de-referenced content to EU users.
- French courts have continued to enforce RTBF requests with an emphasis on balancing with press freedom, particularly when dealing with public figures or judicial records.
Germany
/wp:heading wp:paragraphGerman courts and the Federal Commissioner for Data Protection (BfDI) have supported de-referencing for outdated media reports that disproportionately harm individuals’ reputations.
/wp:paragraph wp:list- In one high-profile case, a businessperson succeeded in having search results about a long-ago conviction de-indexed under Article 17 GDPR.
- German courts often weigh freedom of expression heavily, but lean toward de-referencing where rehabilitation or personal reintegration is at stake.
Spain
/wp:heading wp:paragraphSpain, the birthplace of RTBF jurisprudence, continues to see high volumes of requests.
/wp:paragraph wp:list- The Spanish Data Protection Agency (AEPD) regularly orders search engines to de-reference content that is not of public interest, especially in the case of private individuals or minor offenses.
- Courts support AEPD’s discretion, but stress the need for case-by-case balancing with the media’s right to report.
Current Legal Considerations for ISS Providers
/wp:heading wp:list {"ordered":true}- Scope of Obligations
Search engines and platforms must be able to implement de-referencing across all EU domains and apply geo-blocking where technically feasible. - Balancing Rights
Decisions must weigh privacy rights against public interest, the nature of the content, the role of the individual, and the passage of time. - Accountability
Controllers must document their legal reasoning for accepting or rejecting RTBF requests and be prepared to justify decisions to regulators. - Transparency and Appeal Rights
Data subjects must be informed of the outcomes of their requests and have access to appeal mechanisms before national courts or data protection authorities.
Looking Ahead: The Role of the Digital Services Act (DSA)
/wp:heading wp:paragraphWhile the GDPR remains the cornerstone for RTBF, the Digital Services Act (DSA) introduces complementary obligations for platforms around content moderation, transparency, and user rights, including appeal mechanisms and clearer procedures for the removal of illegal content. Though not a substitute for GDPR-based RTBF rights, the DSA strengthens the framework for handling and documenting takedown decisions.
/wp:paragraph wp:headingConclusion
/wp:heading wp:paragraphThe Right to Be Forgotten continues to evolve in digital contexts, especially as courts refine its scope and applicability. The Google v CNIL ruling brought important clarity on the territorial limits of de-referencing, but also affirmed that Member States may impose broader obligations where justified.
/wp:paragraph wp:paragraphFor digital platforms, search engines, and ISS providers, the challenge lies in navigating a complex patchwork of national approaches—balancing privacy, legal compliance, and freedom of information in every jurisdiction where they operate.
/wp:paragraph wp:paragraphNeed advice on how to handle RTBF requests, balance competing rights, or prepare your compliance strategy?
/wp:paragraph wp:paragraphOur data protection and digital services team can help you build policies, train your moderation teams, and respond to regulator inquiries with confidence.
/wp:paragraphReady to leverage AI for your business?
Book a free strategy call — no strings attached.
