In everyday language, the “right to be forgotten” is often invoked as the possibility of removing from the internet information that continues to resurface over time, even when it no longer reflects a person’s current circumstances.
Under European law, however, the right to be forgotten is neither a generic formula nor an automatic entitlement. It is a complex safeguard that operates only within clearly defined boundaries and only after a balancing exercise between competing fundamental rights, in particular the right to the protection of personal data and the freedom of expression and information.
Understanding how it works requires moving beyond the idea of an automatic erasure of the past and placing this right correctly within the framework established by the GDPR and European case law.
What is the right to be forgotten?
The right to be forgotten is not an emotional category, nor an absolute right to erase information. It is a protection that developed primarily through case law and now has a clear legal basis in Article 17 GDPR, to be read in conjunction with the Charter of Fundamental Rights of the European Union and the provisions safeguarding freedom of information.
It does not allow someone to rewrite the past, nor does it automatically eliminate information that is true or lawfully published. Rather, it allows an assessment of whether the ongoing accessibility of personal data, over time and in the current context, remains proportionate and justified in light of the original informational purpose.
The right to be forgotten, therefore, does not arise from an event in itself (such as the discontinuance of proceedings or the mere passage of time), but from the loss of the balance between the public interest in access to information and the protection of the data subject.
Right to be forgotten: data processing and informational content
A common mistake is to assume that the right to be forgotten concerns only the content of the information. In reality, the legal focus is on the processing of personal data that takes place through the dissemination or indexing of that information.
This does not mean that the content is irrelevant. On the contrary, informational content is central, because it is through the content that one assesses the currency of the news, its public relevance, the context of publication, the public or private role of the individual concerned, and the concrete impact of its continued accessibility.
The right to be forgotten does not protect against the existence of a fact, nor does it remove social judgement in the abstract. It allows the data subject to challenge processing that, in light of the specific circumstances, is disproportionate or no longer necessary.
The right to be forgotten under the GDPR: the legal framework
Within the GDPR, the primary reference point is Article 17, which governs the right to erasure of personal data. The provision sets out the circumstances in which a data subject may request the removal of their data, for example where the data are no longer necessary for the original purposes or where processing is unlawful.
In the context of the right to be forgotten, however, Article 17 does not operate automatically or in isolation. Its application requires coordination with the principles of proportionality, relevance and data minimisation, as well as with Article 85 GDPR, which safeguards freedom of expression and information.
For this reason, the right to be forgotten does not follow merely because information has become inconvenient or unfavourable, nor solely because of the outcome of legal proceedings. It depends on an overall assessment of the lawfulness and proportionality of the processing over time.
The time factor: relevant but not decisive
The passage of time is one of the key elements in assessing the right to be forgotten, but it is not an automatic criterion. Information that dates back months or years may remain legally relevant, just as recent information may already be disproportionate.
Time affects the currency of information and the public interest in its accessibility, but it does not, in itself, extinguish the informational relevance of a fact. Similarly, the discontinuance of criminal proceedings or the absence of a conviction does not automatically generate a right to be forgotten.
The right remains a functional and contextual safeguard, requiring a case-by-case analysis grounded in the balancing of fundamental rights.
Limits of the right to be forgotten and freedom of expression
The GDPR excludes the application of the right to erasure where processing is necessary to ensure freedom of expression and information, to comply with a legal obligation, or for reasons of public interest.
This limitation is not exceptional but structural. The right to be forgotten cannot be applied automatically or abstractly, because it always requires a balancing between the data subject’s right to personal data protection and the collective interest in knowledge of the facts.
It is on this ground that supervisory authorities and case law intervene, assessing whether the public interest in access to the information remains current and overriding.
Erasure and de-indexing: what it is reasonable to expect
In European practice, the right to be forgotten is implemented primarily through de-indexing from search engines, rather than by deleting the content at source.
Complete removal of information is a residual outcome. In most cases, the right results in a limitation of accessibility, not in the absolute elimination of the information.
Data controllers are required to adopt reasonable measures, taking into account available technologies and implementation costs, without this amounting to an absolute obligation to achieve a guaranteed result.
When to seek legal advice to enforce the right to be forgotten
The complexity of the right to be forgotten becomes apparent at the application stage. Many requests fail not because they lack merit, but because they are drafted in generic terms, lack a proper legal basis, or are directed to the wrong recipient.
The role of a lawyer is first to verify whether the conditions for invoking the right to be forgotten are met, by analysing the content of the information, the publication context, the time elapsed and any continuing public interest.
Submitting a request to the data controller
Where the conditions are met, the first step is typically out of court. The request must be precise, fact-specific and legally grounded, identifying the data concerned and the reasons why the processing is no longer proportionate or necessary.
The controller must provide a reasoned response. Silence or a purely formal refusal does not discharge the substantive assessment required by the GDPR.
The role of the supervisory authority and, ultimately, the courts
In the absence of an adequate response, the data subject may refer the matter to the competent supervisory authority, which will conduct a substantive balancing of the rights involved.
In more complex cases, judicial proceedings remain available. The right to be forgotten is never recognised automatically: decisions are always based on a concrete evaluation of context, proportionality of the processing and the public interest in access to information.
Within the GDPR framework, the right to be forgotten is therefore not a tool for selectively erasing the past, but a safeguard that can be exercised only where the balancing of fundamental rights allows it.
