EU Broadens Right To Be Forgotten In Dangerously Vague Ways With New 'Data Protection' Directive
from the bye-bye-free-speech dept
A few months ago, we noted that the EU was working on its new General Data Protection Regulation and Data Protective Directive — and warned that it was putting free speech and privacy on a crash course. We also had a podcast about this with Daphne Keller, from Stanford’s Center for Internet and Society. While the intentions of the data protection efforts sound good, the actual impact could be quite devastating. The idea is that all these companies are collecting lots of data, and individuals should have more control over what’s collected and how it’s used (and abused). Conceptually, that sounds really valuable. But, in practice it can be a disaster — especially if the people who are focused on privacy/data protection don’t think about or understand the consequences of what they’re doing.
And now, the EU has announced that the new data protection rules have been finalized — and while there’s plenty in there that may be useful, these new rules are almost certainly going to create some new dangerous consequences. A notable concern is that it reinforces this ridiculous “right to be forgotten” concept, and allows for the “erasure” of information. The theory here is that it’s supposed to let you delete old data about you from databases, and you can see why that might make sense. People don’t feel comfortable with, say, old credit information hanging around when it’s no longer relevant. But, as we know, it’s also been interpreted to mean that search engines can be forced to memory hole totally accurate, public information about someone, and that’s now created a vast tool for suppressing free speech. But the new rules more or less double down on that right to be forgotten.
There were fairly simple ways in which the EU could have changed the rules to make them not so problematic, but it ignored those suggestions and kept things troublingly vague, which will almost certainly lead to abuse and the suppression of free speech. A big part of the problem is that it’s not even clear who really is required to obey these right to be forgotten requests, and that’s going to lead to a huge mess:
The GDPR doesn?t tell us whether hosting platforms like Facebook or Twitter are controllers with RTBF erasure obligations. We know that search engines are controllers and thus have RTBF obligations — that was a key holding in the Google Spain/Costeja case. The GDPR doesn?t tell us what other Internet intermediaries will fall in that category. Realistically, I find it hard to imagine DPAs excusing major social networks from erasure obligations, in the long run. But there will be a lot of arguing first.
There are some strong arguments against RTBF obligations for hosts ? for example, that they cannot be controllers because they only process content at the direction of a user, who is herself the controller. There are also some widely accepted legal arguments that will, if they prevail, lead to more complicated answers. Following one of them, RTBF would apply to hosts that are too ?active? in managing user content, but not to ?passive? hosts. Following another argument, hosts would have to erase some content, but not nearly as much as the content that search engines must de-index. (Example: Google may have to remove search results pointing to the Facebook page where I posted about my cousin, but Facebook still won?t have to remove the post from its platform.)
And, this is a big deal. A key part of the new rules is that failing to abide by them can mean fines up to 4% of global revenue. Notice that it’s not just EU revenue, and not profits. That gives the EU tremendous power to force companies to censor the internet globally. I understand that this is being done with good intentions and with privacy in mind, but the potential impact here on basic free speech should be a huge concern.
And while other rules concerning liability for internet services have some protections against abuse, it’s not at all clear if those kinds of protections apply here:
We still don?t know the answer to the €20 million question: Do intermediary liability laws under eCommerce Directive Articles 12-15 apply to RTBF erasure requests? Existing rules under the eCommerce Directive tell Internet companies how to handle removal requests for other legal claims, like defamation. Those rules have real flaws, but they at least build in some protections against legally groundless or abusive attempts to silence online expression. There is no reason to use a whole new process for RTBF claims, so the answer to the question should be yes: eCommerce procedural rules for notice and takedown apply to RTBF erasures. That would mean, among other things, that intermediaries don?t have to take down content until they know the removal request states a valid claim.
The GDPR?s plain language seems to support this answer, but has a loophole that will fuel argument for years. Both GDPR Recital 17 and Article 2.3 say the GDPR is ?without prejudice? to ?the liability rules of intermediary service providers in Articles 12 to 15? ? the eCommerce rules that govern notice and takedown. The problem is, many data protection experts say that the eCommerce ?liability rules? are irrelevant, because the GDPR doesn?t technically hold intermediaries liable for the speech of a third party. Following this argument, the ?without prejudice? language has no practical consequence. As long as this question is unresolved, intermediaries can?t be certain whether they can use existing eCommerce removal systems, or whether they must develop new tools to implement the troubling new removal process prescribed by the GDPR. Putting faith in the simpler interpretation of Article 2.3, and assuming it excuses an intermediary from following the specific rules described in the GDPR, is an expensive gamble.
Again, the intentions here are good, but the actual impact here may be devastating to the internet. I know it’s easy to dislike big internet companies (even as people make use of their services, often for free, every day), but attacking them in a way that harms their users and their free speech rights seems like a bad bet — and one that likely won’t help develop a next generation of internet services in Europe.