Abstract

"The European Union's (EU) General Data Protection Regulation (GDPR) makes important changes to the Right to Be Forgotten established by the Court of Justice of the European Union's landmark 2014 Google Spain ruling. The GDPR introduces new notice-and-takedown rules for Right to Be Forgotten requests that will make deliberate or accidental over-removal of online information far too likely. The new rules give private Internet platforms powerful incentives to erase or delist user-generated content—whether or not that content, or the intermediaries' processing of the content, actually violates the law. These problems could be mitigated, without threatening the important privacy protections established by the GDPR, through procedural checks and balances in the platforms' removal operations.

This Article details the problematic GDPR provisions, examines the convergence of European data protection and intermediary liability law, and proposes ways that the EU's own intermediary liability laws can restore balanced protections for privacy and information rights. The Article focuses on the motivations and likely real-world behavior of online platforms. It includes close examinations of:

Whether and how the Right to Be Forgotten may apply to user-generated content hosts like Twitter or Facebook;

Free expression provisions in the GDPR;

The GDPR's extraterritorial reach and consequences for companies outside the EU;

Doctrinal tensions between the EU's intermediary liability law under the eCommerce Directive and the EU's data protection law under the 1995 Data Protection Directive and the new GDPR; and

Human rights and fundamental rights laws governing online notice-and-takedown operations."