CHAPTER 2: EVOLUTION OF THE RIGHT TO BE FORGOTTEN
Right to be Forgotten (RTBF) comes from the fundamental human need for forgetting, according to
Bannon.1 The need to forget or be forgotten arises as a way to move one's mistakes into the past,
allowing a fresh start. However, with the advent of the digital age, this presumption has been reversed.
Now, forgetting has become the exception rather than the rule.2
The idea of RTBF is driven by the widespread availability and easy access to information on the
internet. The growth of big data and databases has enabled the extraction of valuable personal
information using technologies such as data matching and data mining.3 The control and access to this
data hold considerable influence in both public and private spheres.4 However, regulating this in the
decentralized structure of the Internet is a daunting task. Some argue that it might even be impossible
in the context of Generative AI because a trained Large Language Model (LLM) operates like a
black box, making it challenging to delete specific datasets.5 However, before delving into the
intricacies of Generative AI or how RTBF applies to this technology, it is crucial to understand this
right, how it has evolved and how the Court of Justice of the European Union (CJEU) has
interpreted it so far.
Development of RTBF
Directive 95/46/EC (Data Protection Directive or DPD),6 which came before the GDPR and
was enacted in 1995, governed the processing of personal data within the member states of the EU.
Unlike the GDPR, it did not explicitly grant the RTBF. However, it allowed for the erasure of
inaccurate personal data under Article 6 of the DPD. The DPD emphasized the importance of processing
personal data only for specified purposes, mandating storage only for as long as necessary for the
intended purposes of collection. Article 12 of the DPD granted individuals the right to access their
personal data and seek erasure or rectification in case of inaccuracies or incomplete information from
the data controller. In general, although the DPD did not explicitly mention the RTBF, the deletion of
personal data could occur as a consequence of other rights as stated above.
Then in May 2014, a landmark ruling was delivered by the CJEU in the Google Spain Case.7 This
decision is widely recognized as a pivotal moment, addressing the enforcement of the RTBF within
the framework of the DPD. In this case, the CJEU held that individuals could request the removal of
outdated information from search engine results. The court invoked Articles 12 and 14 of the DPD,
and held that if the data relating to an individual is inaccurate, incomplete, irrelevant, or excessive for
the data processing requirements, the right to erasure of such data may be exercised by the data
subject.8 Interestingly, the CJEU did not instruct the websites hosting information about the
petitioner to remove the content. Instead, it directed Google to just de-index the links leading to those
websites.
1 Liam Bannon, ‘Forgetting as a Feature, Not a Bug: The Duality of Memory and Implications for Ubiquitous Computing’ (2006).
2 Mayer-Schönberger 'Delete: The Virtue of Forgetting in the Digital Age' (2011) Princeton University Press.
3 Dominic McGoldrick, ‘Developments in the Right to Be Forgotten’ (2013) 13 Human Rights Law Review 761.
4 Ibid.
5 Vishal Anand, ‘Machine Unlearning, The Rising RAG’ (Medium, 28 October 2023) <https://er-vishalanand.medium.com/machine-unlearning-the-rising-rag-and-more-479151d3a2ca> accessed 8 February 2024.
6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.
7 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) Case C-131/12.
Therefore, it is crucial to note that the Google Spain case did not establish the RTBF but rather a
limited right to delist or de-index. Following this judgment, the Article 29 Working Party issued
guidelines for the implementation of the Google Spain Case affirming the existence of a "right to be
delisted" under the DPD.9 The guidelines explained that search engines are not compelled to actively
assess all the information they process; rather, they are required to do so only when they have to
respond to data subjects' requests.10 Importantly, the exercise of this right does not impact the source
pages referenced by search engines; the original content remains available online and accessible
through alternative search terms.11 Lastly, the Working Party emphasizes the limited scope of this right
and stresses the importance of achieving a fair balance between the rights and interests at stake.12
In summary, the DPD laid the groundwork for elements resembling the RTBF. The Google Spain Case
interpreted the DPD in the context of delinking; however, before the advent of the GDPR, there
was no explicit provision of the RTBF within the EU legal framework.
Understanding the Right
The General Data Protection Regulation (GDPR),13 enacted in 2018, replaced the DPD and established the
Right to Erasure (‘Right to be forgotten’) under Article 17, along with recitals 65 and 66. The legal
aim of Article 17 of the GDPR includes not only the 'right to erasure,' obliging data controllers to
erase the personal data of individuals, but also the 'right to be forgotten,' instilling the provision
with a retrospective character.14 Under the article, an individual possesses the right to have their
personal data erased on, inter alia, the following grounds: a) when the personal data is no longer necessary
for the original purpose of collection or processing by the organization; b) when the organization
relies on an individual's consent as the legal basis for processing the data, and the individual
withdraws consent; c) when an organization, relying on legitimate interests to justify data processing,
faces an objection from the individual, and there is no overriding legitimate interest for the
organization to persist with the processing.15 While Article 17 of the GDPR grants individuals the
RTBF, instances may arise where this right can be denied if overridden by the
interests of the data controller. Accordingly, an organization can continue processing an individual's
data if it is necessary for freedom of expression, compliance with legal obligations, tasks in the public
interest, public health, archiving for public interest, scientific, historical, or statistical purposes, or for
legal defense and claims.16 It is noteworthy that the concept of the right to be delisted or
de-indexed is not explicitly stated in the GDPR. This right was merely constructed by the CJEU
in the Google Spain case. Within the GDPR framework, it can be conceptualized as a hybrid,
combining elements of RTBF under Article 17 of the GDPR and the right to object under Article 21 of
the GDPR, as it allows individuals to both object to the processing of their personal data and request
the removal or delisting of search results that link to their personal information.17
8 Ibid, para 99.
9 Article 29 Working Party, 'Guidelines on the Implementation of the Court of Justice of the European Union Judgment on "Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González" C-131/12' (WP225, adopted on 26 November, 2014).
10 Ibid, para 7.
11 Ibid, para 21.
12 Ibid, para 23.
13 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.
14 Eugenia Politou et al, ‘Forgetting Personal Data and Revoking Consent under the GDPR: Challenges and Proposed Solutions’ (2018) 4 Journal of Cybersecurity <https://academic.oup.com/cybersecurity/article/doi/10.1093/cybsec/tyy001/4954056> accessed 13 January, 2024.
15 Ibid 13, art 17(1).
16 Ibid 13, art 17(3).
How the EU Courts have interpreted RTBF
Over the span of six years following the enactment of the GDPR, the Court of Justice of the European
Union (CJEU) has provided limited interpretations of the RTBF, with its guidance primarily evolving
from the landmark Google Spain case18 in 2014. As stated above, this case set the precedent under
the DPD for individuals to request the removal of search results linked to their personal information,
introducing the concept of ‘de-indexing’ or ‘de-linking’. This is allowed when the information is
deemed inaccurate, inadequate, irrelevant, no longer relevant or excessive for the purposes of data
processing, but not simply because it is inconvenient to the data subject.19
In 2017, the European Court of Justice (ECJ) expanded the application of Article 17 of the GDPR
through the Manni v. Camera di Commercio Lecce case.20 The court examined whether the entity
overseeing the company register should, upon request from the data subject and after a specified time
since a company ceased operations, either delete or anonymize the relevant personal data, or restrict
its disclosure. The ECJ held, firstly, that the right to erasure (‘RTBF’) under Article 17 of the GDPR
applies to personal data in public registers,21 and secondly, in rejecting Manni’s plea of erasure, it
ruled that member states cannot ensure an automatic right for individuals to have their personal data
erased from the company register after a specific time unless there are overriding and legitimate
reasons specific to the individual.22 Building on the de-linking right, the GC, AF, BH, ED v
Commission nationale de l’informatique et des libertés (CNIL) case23 highlighted the delicate balance
required between RTBF and the potential interests of internet users in the public
information.24 The court emphasized the necessity for search engine operators (Google in this case) to
assess de-referencing requests on a case-by-case basis and to strike a fair balance between privacy
rights and the public’s freedom of information in the context of criminal convictions.25
Following this, in 2019, the CJEU in the Google vs CNIL case26 clarified the territorial scope of the
RTBF and held that the right does not extend globally but only applies to search engines associated
with EU Member States. As stated above, RTBF is not an absolute right and therefore a request for
the enforcement of RTBF must be assessed based on the facts of the case and against the rights and
interests of the data controller or the public at large. Most recently, in RE vs Google LLC (2022),27 the CJEU
reiterated the importance of balancing the right to data protection with the right to freedom of
expression. It also clarified that the burden of proof of establishing the inaccuracy of information rests
with the individual seeking de-referencing.28
17 Ausloos, Jef, 'Foundations of Data Protection Law', The Right to Erasure in EU Data Protection Law (Oxford, 2020; online edn, Oxford Academic, 18 June 2020), https://doi.org/10.1093/oso/9780198847977.003.0002, accessed 12 Feb. 2024.
18 Ibid 7.
19 Ibid 8.
20 C-398/15 Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni, (2017) ECLI:EU:C:2017:197.
21 Ibid, para 34.
22 Ibid, para 60.
23 Case C-136/17, GC, AF, BH, ED v Commission nationale de l’informatique et des libertés (CNIL) (2019) ECLI:EU:C:2019:773.
24 Ibid, para 36.
25 Ibid, para 76.
26 C-507/17 Google LLC v CNIL (2019) ECLI:EU:C:2019:772.
27 Case C-460/20 TU, RE, Google LLC (2022) ECLI:EU:C:2022:123.
Throughout the cases discussed, it is evident that in the past six years, the CJEU has predominantly
focused on de-linking rather than complete erasure. Additionally, the focus of enforcing erasure
requests has primarily centred around search engine operators (such as Google), limiting the court's
exploration into the wider application of this right across new technologies like blockchain or
generative AI. In light of this limitation, the thesis seeks to bridge the gap by providing insights into
the implementation of the RTBF in technologies like generative AI. Notably, the GDPR's
technology-agnostic nature ensures its adaptability to new technologies that were not present during its drafting.29
This highlights the importance of identifying and addressing potential conflicts between technology
and the law, a discussion that will be further explored in the next chapter.
28 Ibid, para 68.
29 Ibid 14.