The Google Spain judgment established a search engine as a sui generis controller and the related ‘right to be forgotten’ (right to delisting) under data protection legislation, despite the controversies surrounding it primarily on account of the logic of the search engine operator’s functioning and its consequent inability to comply with certain basic data protection requirements. Resulting interpretations, ie the contouring of data protection legislation under CJEU case law (the Google Spain and the GC and Others judgment), are examined in this paper in detail in relation to the currently applicable GDPR provisions, which allows conclusions to be drawn on the substance of the (sui generis) delisting right, the legal standing of data subjects, the assessment of delisting requests, and the related role and responsibilities of search engine operators. While neither removal from the source web page is required nor can delisting be denied exclusively on the basis of the publisher’s right to freedom of information and expression, analysis shows several manifestations of inherent interweavement with concerns of freedom of information and expression, which at the same time intrinsically oppose data protection and privacy rights. The issue is further challenged by a lack of harmonisation in the area of reconciling privacy and data protection rights with the freedom of expression and information. The last section of the paper discusses the rationale behind the recently established duty of adjusting, ie rearranging, search results in certain cases where delisting requests were denied, the implications for the operators, and the future outlook.
Keywords: right to be forgotten, GDPR, GC and Others v CNIL, sensitive data, legitimate interest, substantial public interest, freedom of information, adjusting search results.
This work is licensed under the Creative Commons Attribution − Non-Commercial − No Derivatives 4.0 International License.
Suggested citation: N Gumzej, ‘“The Right to Be Forgotten” and the Sui Generis Controller in the Context of CJEU Jurisprudence and the GDPR’ (2021) 17 CYELP 127.