How the European Google Decision May Have Nothing To Do With a Right to Be Forgotten

After almost a month since the CJEU decision on Google and (allegedly) a “right to be forgotten” stirred up not only the international privacy community but also all of the digital world, managing to even occupy prominent general press space—among others, in The Economist, The New York Times and The Guardian, and while Google has already published a “search removal request” webpage that already attracted more than 40.000 applications within the first days it became operational, it is perhaps time to calmly assess what the CJEU decision really is and is not about.

What Google Does

With Google accounting for more than 90 percent of Internet searches in Europe, it shall be used from now on as showcase for any (successful) Internet search engine. Although it is obvious, we need to be reminded that Google links information – it does not create content. By scanning interminably, through automatic means, the web in order to create new connections and correlate more information leaves no record unsearched and no information unrelated to another. Given the exponential growth of digitized information and the lack of structure on the web, Google is the non-human, file-keeper of the past. Admittedly, it executes its task brilliantly: Through its successful search engine discovery of personal information on any individual that would otherwise take significant resources to carry out takes only moments and may be performed even by the most inexperienced user. This contribution is neither insubstantial nor without legal consequences. One should always keep in mind that, at least in the EU, data protection legislation emerged during the 1970s as a privacy spin-off only when the first computers entered public administrations in order to do exactly the same thing, for until that time, manual records were kept in cabinets and storage rooms. In other words, the efficiency of the personal data processing matters.

The EU Principle of Proportionality: Even Lawful Behavior May Be Found Infringing, Depending on the Actual Conditions

Such qualitative effect is court assessable. In EU law this is mostly performed by application of the principle of proportionality: All other factors found lawful, measures also need to be proportionate to their aims. This is an ever-present principle that at times had led to unexpected results, as was, for instance, the case in April when the same court annulled (retrospectively!) the EU law on the retention of telecoms and Internet data by their providers for law enforcement purposes. The same principle is embedded in EU data protection legislation as well. The processing needs to be proportionate to its purposes, meaning that if it is not, even if all other circumstances relating to it are lawful, it will be ultimately found unlawful. Perhaps this is the case in U.S. law as well. Although we would generally hesitate to approach U.S. Supreme Court rulings, the case of Grokster (and, we also think, secondary copyright infringement) was similarly based on a qualitative criterion (the volume of illegal downloads and Grokster behavior) and not on the action itself (enabling users to exchange files) that is otherwise lawful.

The CJEU Decision Is, More Than Anything Else, An Exercise of the Principle of Proportionality.

The CJEU expressly used proportionality-related reasoning in order to reach its decision:

processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous”.

Subsequently, the court weighted the above against Google’s legitimate interest to process the information—also acknowledged in EU data protection law—but found an imbalance in the relationship: “In the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing”. Hence, Google processing was found unlawful —see, however Christopher Kuner’s critical approach to the same balancing here.

The CJEU Decision Has Nothing To Do with the Freedom of Expression (And Much Less, with Freedom of the Press)

The CJEU did not order the newspaper on whose webpages the information on the claimant originally appeared to delete them. The newspaper post on the claimant is still online, available for anyone to see. What the CJEU prohibited is automated perpetual linking to this information—when, more particularly, they refer to “anonymous” individuals. Google does not express an opinion—nor may what it does be considered journalism. It only brings up information, perhaps enabling others to express an opinion (See also Solove questions, under 5). Google is an accessory, not required but certainly facilitating, to the freedom of expression—and to a bunch of other freedoms as well. However, to our knowledge at least, there is to-date no such thing as protected secondary exercise of human rights—although there appears to exist secondary copyright infringement. Until that time, enabling tools have nothing to do with the freedom or rights per se.

Even More Surprisingly, the CJEU Decision Has Nothing To Do with a “Right To Be Forgotten”

A “right to be forgotten”, if ever acknowledged to humanity even in digital context—there certainly is none in the offline world context—would essentially include a “right to delete” or “to have deleted.” As already explained, this is not what the CJEU decision under consideration does. It did not ask for deletion of the original information—according to the UK ICO blog, “It is important to keep the implications in proportion and recognise that there is no absolute right to have links removed. Also, the original publication and the search engine are considered separately.” This is also not what the draft EU data protection regulation at least today speaks of. Its Article 17 asks for deletion of the actual data, not third-party links to them. If we ultimately believe that by deleting Google links people forget, then we need to seriously reconsider the mechanics of human memory today and in the foreseeable future.

The Pragmatic Approach: This May Be Only A Mid-term Problem

We often forget that the Internet has a history of only 20 years or so. After a few more years have passed and a few hundred million or even billions of new users have been added to it while several thousands of its first users will have presumably “left” it, and a couple of social networks will have gone bankrupt and several webpages will be discontinued but still online, the qualitative criterion that annoyed the EU court will have been abolished because it will be far more difficult to establish that Mr. González (the claimant), still appearing in that Spanish newspaper, is indeed the same person who had his real estate auctioned back in 1998 and not one of the millions of others carrying the same name. Until that time, however, it is probably true that unsuspecting individuals who once in their lifetime erred or, even worse, allegedly erred, may need protection from super-efficient seemingly perpetual, automated associations of that one time with their name. In essence, this is perhaps an Internet infancy disease brought by the formidable work performed by Google and its competitors. The CJEU decision is trying to balance things, perhaps assisting individuals a bit more than they deserve, until we all—Internet users, the Internet and Internet companies—get to better grips with the, still new, medium.

Written By

Paul de Hert

Written By

Vagelis Papakonstantinou


If you want to comment on this post, you need to login.

  • John Tomaszewski Jun 20, 2014

    I completely agree with the authors. In point of fact, the decision is more of a practical analysis of how to use Article 7(f) - which most recently had an Art. 29 WP opinion passed on it - than anything else. I did a pair of blog posts on this issue a couple of weeks back where I reached much of the same conclusion. For those who are interested it is at www.globalprivacywatch.com
  • Sunghee Chae Jun 22, 2014

    I am a Korean Lawyer working for a Korean IT company. In Korea, personal data protection law will not bring the same result as in the CJEU case. In my opinion, it is highly likely that Korean data protection law and relevant law will not apply in the same fact patterns as in this case. However, Korean civil law does have a tool which I think will lead to the same conclusion as in the CJEU case, which is 'injunction for cease and desist'(in German, 'Unterlassungsanspruch') based on 'a right to determine whether and how his/her peronal data will be used by other person' or 'right to personal data' as a kind of 'right on personality'('allgemeines Persoenlichkeitsrecht' in German). Korean Supreme Court has been applying very similar criteria to determine whether an infringement on the 'right to personal data' as applied in the CJEU case, which is to balance conflicting interests or rights against one another. And I think the author of this colums's logic is very close to what we Korean lawyers would come up with. I am very interested to see this. 
  • Biddy Wyles Jun 24, 2014

    The whole topic is fascinating and the above article gives a welcomed perspective to the debate. Can anyone comment on the  exercise which Google is embarking upon and whether it will attempt to balance the parties'  respective rights?  Will it simply delete links upon request, or is it going to be exercising some sort of judgment as to the public interest and proportionality? 
  • Vagelis Papakonstantinou Jun 24, 2014

    It is perhaps too early to say how Google will react to the CJEU judgement. According to this NYTimes information (http://bits.blogs.nytimes.com/2014/06/18/google-ready-to-comply-with-right-to-be-forgotten-rules-in-europe/?_php=true&_type=blogs&_php=true&_type=blogs&emc=edit_tnt_20140618&nlid=28836431&tntemail0=y&_r=1&) we are only at the beginning of the process. It is also likely that developments with the EU Regulation (ie. its final wording on issues such as territoriality or the right to be forgotten) will affect Google's point of view. At any event, given the volume of applications, we would expect that a streamlined "objection process" will ultimately be adopted.
  • Vagelis Papakonstantinou Jun 24, 2014

    Thank you, interesting point about the "data brokers". Although, as you note, it is difficult to say what a "data broker" is maybe we could use the EU Data Protection Directive definition of "controller" ("the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data") in order to establish whether data brokers are of interest to the data protection purposes. Perhaps too long have "data brokers" hidden behind the same Directive's definition of "data processors" ("a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller"), a person generally bearing very limited obligations (and liabilities) with regard to its processing (please see also the case of cloud computing).
  • Alvaro Aug 28, 2014

    When I read the post title, the word tax popped up in my mind triggering my interest on it, but unfortunately taxes were not even mentioned on the post.
    My guess is that this ruling is putting the avantgarde part of the base for the collection of taxes from US companies that are not currently paying taxes, or are just paying peanuts in European countries using fiscal engineering.
    It is funnny how the ruling forgets about Electronic Commerce Directive, safe harbors it brings in the benefit of, among others, search engines and  even when it declares privacy is applicable to them. Previous General Advocate opinion was mentioning such Directive and argumenting on Personal Data Protection Directive jointly with Electronic Commmerce Directive.
    There are better ways to solve the issue, but CJEU has opted for the one is blaming and making accountable only to Google.
    What about fostering a review of robot.txt protocol that permits both search engines and content providers to jointly manage this issue? Why are search engines supossed to be exclusive accountable organizations to solve the problem?
    Another thing that surprises me is that considerable time has past since the ruling, and yet there is no chance in Google Privacy policy informing on personal data published by content providers or even by people themselves and processed by Google´s crawler and on its index.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»