It has long been discussed whether individuals should have a “right to be forgotten” online to suppress old information that could seriously interfere with their privacy and data protection rights. In the landmark case of Google Spain v AEPD, the Court of Justice of the European Union addressed the particular question of whether, under EU Data Protection Law, individuals have a right to have links delisted from the list of search results, in searches made on the basis of their name. It found that they do have this right – which can be best described as a “right to be delisted” – when some conditions are met.
The ruling, which imposes on search engines the duty to assess and accommodate delisting requests, has proven to be highly controversial. Strong feelings have been expressed either in favor or against it, in what may be seen as a clash between the values of personal data protection and freedom of expression.
This article does not delve into this underlying debate. Instead, it aims to explore the solidness of the ground on which the right is based. It begins by providing an overview of the relevant elements of EU data protection law so as to allow readers not familiar with its nuances to properly follow the discussion. After presenting the facts of Google Spain, both at national and EU level, the article discusses how the ‘right to be delisted’ was crafted by the CJEU. It argues that it is based on shaky ground, as it is premised on the characterization of search engines as “data controllers,” which is arguably at odds with their intermediary role and – in the absence of specific safeguards – makes their activity largely incompatible with the data protection legal framework. Moreover, the article discusses how the Court failed to devise a proper balance of the different rights at stake, particularly that of freedom of expression and information. It suggests that the intermediary role of generalist search engines should be adequately protected, both under the data protection legal framework as well as under the liability limitation scheme established by the E-Commerce Directive. This, however, is not likely to be achieved in the near future. A careful approach by national courts and data protection authorities is thus suggested as a way to fix some of the shortcomings identified in the ruling.