Careful where you point that thing: the right to be forgotten is picky when it comes to targeting


The right to be forgotten is one of the most frequently referenced and misunderstood parts of the GDPR. Like most data subject rights, its actual value is very relative and varies from case to case. A recent decision from the Belgian data protection authority reminds us that, among many other factors, the role of the data controller matters a lot.

The right to be forgotten has a long and storied history. Now enshrined in Article 17 of the GDPR, it has the dubious honour of being the only provision of the Regulation whose credibility is questioned through punctuation: the Article is titled the Right to erasure (‘right to be forgotten’). Even the drafters of the GDPR felt it appropriate to apply quotation marks to this particular right: it may not always do what it says on the box.

The scepticism is not entirely unjustified. For one thing, the GDPR didn’t invent the right to be forgotten. It’s been around in quite a few jurisdictions in Europe, including in the Belgian droit à l’oublie – recht op vergetelheid. At the EU level, it gained significantly more traction through the well known 2014 Google Spain decision from the Court of Justice. In a nutshell, that case related to a businessman with a prior bankruptcy record. Since that record was published on an openly accessible website, it could be easily found through Google, simply by searching for his name. He complained that this continued findability of a long past bankruptcy case was a disproportionate processing of personal data that caused significant harm to his future business prospects. The Court largely agreed, and supported his claim that Google should delete the references to the bankruptcy cases – while, interestingly enough, leaving the actual bankruptcy decisions available online. The crux of the matter was not that the information should disappear, but that it should not be so easily findable.

The Belgian data protection authority was recently called upon to rule on a very similar claim, with an important twist. The facts were quite similar: a businessman with a controversial undertaking had been the subject of a series of online publications by a newspaper, which were originally quite negatively phrased and partially incorrect. The businessman had managed to obtain corrections to the factual errors; but what was left of the articles was still quite damaging to him – and available to subscribers, and within Google’s indexing reach.

The businessmen could have demanded to be ‘forgotten’ by Google – although perhaps de-referenced or de-indexed should be the phrasing of choice for such cases. But he chose not to, and exercised his right to be forgotten directly against the paper.

The paper rejected his complained, arguing that its right to freedom of speech, the freedom of the press, and the public’s right to freedom of information outweighed the right to be forgotten. In doing so, it followed the (self-regulatory) rules of the Belgian media industry’s Charter on the right to be forgotten. Dissatisfied with the outcome, the businessman filed a complaint with the Belgian DPA.

Perhaps unsurprisingly, the DPA sided with the paper and rejected the complaint. In its decision (available in Dutch and in French), the Authority referenced prior Court of Justice cases, but also the EDPB’s Guidance on the right to be forgotten, and a series of related decisions from the European Court of Human Rights (both in favour and against the right, depending on circumstances). It ruled that in this case, the publisher could avail itself of the exceptions of Article 17.3 (a) of the GDPR, allowing a data controller to reject the application of the right to be forgotten to the extent that the processing (i.e. the publication of the articles) was necessary ”for exercising the right of freedom of expression and information”. The controller’s status as a press publisher was important in this assessment, since ensuring the right of freedom of expression and information is at the heart of a publisher’s mission, as well as the conduct of the complainant.

The decision is not legally ground breaking, and is certainly very well argued, referencing precedents and the underlying policy logic. Indeed, even the Google Spain decision considered the distinction between the tasks of a search engine – which does not engage in independent news seeking and publishing – and the public interest role of a news publisher. From a formal perspective, the distinction can feel a bit black-and-white; indeed, one might make the counterpoint that search engines also do a lot to advance the right to freedom of expression and information, as supported by Article 17.3 (a) of the GDPR.

None the less, the distinction has a long history of policy support, and was upheld in this case. The ‘right to be forgotten’ has once again deserved to remain within its quotation marks, due to its strong dependence on context. Meanwhile, newspapers can rejoice: there is at least one point left where their life may be slightly easier than Google’s.


Article provided by INPLP member: Hans Graux (Time.lex, Belgium)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.