The Right Tools: Europe's Intermediary Liability Laws and the EU 2016 General Data Protection Regulation

82 Pages Posted: 10 Feb 2017 Last revised: 14 Oct 2018

See all articles by Daphne Keller

Daphne Keller

Stanford Cyber Policy Center, Freeman Spogli Institute

Date Written: March 22, 2017


The so-called “Right to Be Forgotten” established by the Court of Justice of the European Union in 2014 is about to change. The EU’s General Data Protection Regulation (GDPR), which goes into effect in 2018, introduces new notice-and-takedown rules for online information targeted by “Right to Be Forgotten” erasure requests. As drafted, the new rules make deliberate or accidental over-removal of online information far too likely. They give private Internet platforms powerful incentives to erase or de-list user-generated content – whether or not that content, or the intermediaries’ processing of the content, actually violates the law. They also create new data disclosure obligations that undermine privacy and Data Protection rights for people who post content online. These problems could be mitigated, without threatening the important privacy protections established by the GDPR, through procedural checks and balances in the platforms’ removal operations.

This article details the problematic GDPR provisions, examines the convergence of European Data Protection and Intermediary Liability Law, and proposes ways that the EU’s own Intermediary Liability laws can restore balanced protections for privacy and information rights. Throughout, it focuses on the motivations and likely real-world behavior of online platforms, drawing on the author’s extensive experience as Google’s Associate General Counsel for Intermediary Liability and as Intermediary Liability Director at Stanford Law School’s Center for Internet and Society. It includes close examinations of

Whether and how the “Right to Be Forgotten” may apply to user-generated content hosts like Twitter or Facebook; Free expression provisions in the GDPR; The GDPR’s extraterritorial reach and consequences for companies outside the EU; Doctrinal tensions between the EU’s Intermediary Liability law under the eCommerce Directive, and its Data Protection law under the 1995 Data Protection Directive and the new GDPR; and Human rights and fundamental rights laws governing online notice and takedown operations.

Keywords: Intermediary Liability, Data Protection, Right to Be Forgotten, GDPR

Suggested Citation

Keller, Daphne, The Right Tools: Europe's Intermediary Liability Laws and the EU 2016 General Data Protection Regulation (March 22, 2017). Available at SSRN: or

Daphne Keller (Contact Author)

Stanford Cyber Policy Center, Freeman Spogli Institute ( email )

Encina Hall, 616 Jane Stanford Way
Stanford, CA CA 94305
United States
6507234581 (Phone)


Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics