Right to Be Forgotten: GDPR Article 17 and Google's Delisting Decisions

7 Million URLs Requested for Removal—Google Approves About Half

Since the European Court of Justice's 2014 Google Spain ruling established that individuals could request search engines to delist links to personal information, Google has received over 7 million delisting requests covering more than 17 million URLs. Google approves approximately 48% of individual URLs, declining the rest on grounds including public interest, journalistic significance, or because the information is not outdated or irrelevant. That 48% figure masks enormous variation by category: criminal history requests are approved at higher rates than requests involving business conduct or public figures. The right to be forgotten is real, consequential, and contested—simultaneously a privacy protection and a potential mechanism for suppressing legitimate public information.

The Google Spain Ruling: Where It Started

In Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González (C-131/12), the Court of Justice of the EU ruled in May 2014 that individuals could require search engines to remove links to information about them when the information was inadequate, irrelevant, no longer relevant, or excessive in relation to the purposes for which it was processed. Mario Costeja González had sought removal of links to 1998 newspaper notices about a property repossession he had long since resolved—arguing that the links were outdated and damaged his reputation without serving any current public interest. The CJEU agreed, establishing the principle over Google's objection that it was merely an intermediary transmitting information it did not create.

The ruling distinguished between the source publication (which the newspaper could continue to host) and the search engine aggregation (which created a searchable profile of the individual that the original newspaper notice never intended to create). This distinction—between original publication and amplified searchability—is the conceptual core of the right as applied to search engines.

GDPR Article 17: Codifying and Expanding the Right

GDPR Article 17 moved the right from case law into statute. It provides six grounds for requesting erasure:

Exceptions: When Erasure Can Be Refused

Article 17(3) lists situations where controllers may refuse erasure despite a valid request. These exceptions are interpreted strictly and the burden of justification falls on the controller.

• Freedom of expression and information: Journalistic content, academic research, artistic and literary expression protected under national press freedom laws.
• Legal compliance: Data that must be retained to comply with a legal obligation (e.g., tax records, employment records under specific statutory periods).
• Public interest in public health: Applies primarily to health research and pharmacovigilance databases.
• Archiving, research, and statistics: Data necessary for historical archives, scientific research, or official statistics in the public interest.
• Legal claims: Data needed to establish, exercise, or defend legal claims—the broadest exception, often invoked by companies in litigation contexts.

How Google Evaluates Delisting Requests

Google's delisting process involves human review teams assessing multiple factors. The company's own transparency report and public guidance describe the balancing test applied:

• Is the requester a public figure? Politicians, executives, celebrities, and others who have voluntarily entered public life have reduced erasure rights regarding their public roles.
• Is the information current and accurate? Outdated or factually incorrect content is more likely delisted than accurate, current information.
• Is there a compelling public interest? Fraud convictions, professional misconduct, ongoing safety concerns, and matters of public record receive higher public interest weight.
• Does the requester have a particular vulnerability? Victims of sexual offences, minors, and individuals whose past appearances created disproportionate harm receive more favorable treatment.

Google applies delisting only to EU-version search domains (google.fr, google.de, etc.) when requested. The CJEU ruled in 2019 (Google LLC v. CNIL, C-507/17) that GDPR does not require global delisting—a significant limitation on the right's reach that distinguishes it from a true "erasure" of information.

Enforcement Actions Under Article 17

Beyond search engines, Article 17 has been enforced against controllers who refused to delete data from their own systems. The UK ICO, France's CNIL, Germany's BfDI, and other authorities have issued findings against companies that:

• Retained customer data after account deletion despite no legitimate retention ground.
• Claimed "legitimate interest" as a blanket justification for indefinite retention without conducting the required balancing test.
• Deleted data from live systems but maintained it in backup archives without anonymization.
• Failed to propagate erasure requests to processors and sub-processors, leaving data in downstream systems.

The backup archive issue is particularly common: many companies interpret erasure as deleting from production databases but do not implement processes to purge backups when they are restored. Regulators have held that data retained in restorable backups is not erased for GDPR purposes.

The Balance Between Privacy and History

The right to be forgotten sits at a genuine tension between two legitimate interests: the individual's right to move beyond past events and the public's interest in accurate historical information. Most enforcement history suggests regulators and courts resolve this by asking whether the search engine aggregation creates a harm disproportionate to any current public interest—not by asking whether the underlying information should exist. The right is not to rewrite history; it is to reduce the searchable amplification of personal information whose continued prominence serves no legitimate purpose.

Legal Disclaimer: This article is for general informational purposes only and does not constitute legal advice. The right to erasure and delisting involves case-by-case analysis. Individuals seeking to exercise this right should consult their national data protection authority or qualified legal counsel.