Think The GDPR Only Regulates Big Internet Companies? The EU Says It Regulates You Too.
from the another-threat-to-democratized-speech dept
People tend to think of the GDPR as regulation companies must comply with. But thanks to a decision by the Court of Appeals for the EU earlier this month, there’s particular reason to believe that ordinary Internet users will need to worry about complying with it as well.
In this decision the court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of its visitors’ data. And, as such, the administrator must comply with applicable data processing regulations ? which necessarily include the GDPR.
The fan page at issue in this case appears to be run by some sort of enterprise, “Wirtschaftsakademie.” But fan pages aren’t always run by companies: as the court acknowledges, they are often run by individuals or small groups of individuals. Yet there doesn’t appear to be anything in the ruling that would exempt them from its holding. Indeed, the court recognizes that its decision would inherently apply to them:
Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market user data a processor of the data for visitors to its page, and thus jointly responsible with Facebook for its handling.
The problem is, compliance with data protection regulations like the GDPR is no simple matter. In fact, as this article suggests, the decision also potentially makes it even more complicated and expensive by expanding the jurisdiction of individual member states’ data protection authorities (which was something that EU-wide regulation like the GDPR was actually supposed to minimize).
[Eduardo] Ustaran expressed concern in his 2017 post about the potential for local DPAs? authority to issue decisions that affect companies located in other areas, in this case, Facebook, whose EU representative is in Ireland. He says that this goes against the letter of GDPR?s one-stop shop goal.
But even without this change to the GDPR’s enforcement operation, the burdens of compliance were already a matter of concern. As discussed previously, compliance with the GDPR is difficult and expensive for even well-resourced companies. It’s not something that individual Internet users are going to be able to easily manage, and that’s a problem, because who would want to set up a Facebook fan page if doing so opened yourself up to such a crippling compliance burden?
Which leads to the essential problem here. Some cheer the GDPR because it puts user privacy front and center as a policy priority. In and of itself, there’s nothing wrong with doing so ? in fact, it’s an idea whose time has come. But it doesn’t matter how well-intentioned a law is if instead of merely regulating otherwise lawful activity it ends up suppressing it. And it’s especially problematic when that activity is expressive. Even if chilling expression weren’t the intent, if that’s the effect, then there is something wrong with the regulation.
Furthermore, while it’s bad enough if regulation chills the expressive activity of those well-resourced companies better able to navigate complex and costly compliance requirements, it’s even worse if it chills the lawful and even desirable expressive activity of ordinary individuals. One of the things an Internet platform like Facebook does, and does well, is encourage the casual expression of ordinary people. If you have things to say, these platforms make it easy to say them to other people without you needing to invest in corporate structure or technical infrastructure before doing so. These are tools that help democratize expression, which ordinarily is something places claiming to value the principles of free expression should want to support. In fact, the more the antipathy against big companies, the more they should want to ensure that independent voices can thrive.
But instead we’re seeing how all this regulation targeted at those big companies instead attacks regular people trying to speak online. We’ve seen the same problem with SESTA/FOSTA too, where individual online speakers suddenly find themselves risking legal liability for how they interact with other speakers online. And now it’s happening again in the GDPR context, where the very regulation ostensibly intended to protect people online now threatens to silence them.