Wherein The Copia Institute Reminds California’s New Privacy Agency That Its Regulations Need To Comport With The First Amendment
from the protect-speech-too dept
Last week the recently formed California Privacy Protection Agency held “pre-rulemaking stakeholder sessions” to solicit input on the regulations it intends to promulgate. I provided the following testimony on behalf of the Copia Institute.
Thank you for the opportunity to speak at these hearings. My name is Cathy Gellis, and I’m here representing myself and the Copia Institute, a think tank that regularly researches and comments on matters of tech policy, including as they relate to privacy and free speech.
I’m here today to talk about how privacy regulation and free speech converge in order to urge this board to carefully address the collision of any proposed regulation and the First Amendment, particularly with respect to the protection of speech and innovation. To do so I want to make three interrelated points.
First, as a general matter, it is important that any proposed regulation be carefully analyzed from a First Amendment perspective to make sure it comports with both its letter and spirit. When the First Amendment says “make no law” that abridges freedom of speech, that admonition applies to California privacy regulation. The enabling California legislation involved here itself acknowledges that it is only “intended to supplement federal and state law, where permissible, but shall not apply where such application is preempted by, or in conflict with, federal law, or the California Constitution,” and violating the First Amendment would run afoul of this clause.
It’s also important that any such regulation comport with the spirit of the First Amendment as well. The First Amendment exists to make sure we can communicate with each other, which is a necessary requirement of a healthy democracy and society. It would be an intolerable situation if these regulations were to chill our exchange of information and expression, or to unduly chill innovation. While wanting online services to be careful with how they handle the digital footprints the public leaves behind is admirable, the public would not be well served if new and better technologies couldn’t be invented, or new businesses or competitors couldn’t be established, because California privacy regulation was unduly burdensome or simply an obstacle to new and better ideas.
Along these lines a second point to make is that California is not Europe. Free speech concerns do not get “balanced” here and cannot be “balanced” without violating the First Amendment. The experience of the GDPR in Europe is instructive in warning what happens when regulators try to make such a balance, because inevitably free expression suffers.
For instance, privacy regulation in Europe has been used as a basis for powerful people to go after journalists and sue their critics, which makes criticizing them, even where necessary, and even where under the First Amendment perfectly legal, difficult if not impossible, and thus chills such important discourse.
The GDPR has also been used to force journalists to divulge their sources, which is also anathema to the First Amendment and California law, along with itself violating the privacy values wrapped up in journalist source protection. It also chills the necessary journalism a democratic society depends on. (As an aside, the journalistic arm of the Copia Institute has had its own reporting suppressed via GDPR pressure on search engines, so this is hardly a hypothetical concern.)
And it was the GDPR that opened the door to the entire notion of “right to be forgotten,” which, despite platitudes to the contrary, has had a corrosive effect on discourse and the public’s First Amendment-recognized right to learn about the world around them, while also giving bad actors the ability to whitewash history so they can have cover for more bad acts.
Meanwhile we have seen, in Europe and even the U.S., how regulatory demands that have the effect of causing services to take down content invariably lead to too much content being taken down. Because these regulatory schemes create too great a danger for a service if they do not do enough to avoid sanction, they rationally choose to do too much in order to be safe rather than sorry. But when content has been taken down, it’s the world who needs it who’s sorry now.
As well as the person who created the content, whose own expression has now been effectively harmed by an extrajudicial sanction. The First Amendment forbids prior restraint, which means that it’s impermissible for speech to be punished before having been adjudicated to be wrongful. But we see time and time again such prior restraint happen thanks to regulatory pressure on the intermediary services online speakers need to use to speak, which force them to do the government’s censorial dirty work for it by causing expressive content to be deleted, and without the necessary due process for the speaker.
Then there is this next example, which brings up my third point. Privacy regulation does not stay well-cabined so that it only affects large, commercial entities. It inevitably affects smaller ones, directly or indirectly. In the case of the GDPR, it affected the people who used Facebook to run fan pages, imposing upon these individuals, who simply wanted to have a place where they could talk with others about their favorite subject, cripplingly burdensome regulatory liability. But who will want to run these pages and foster such discourse when the cost can be so high? Care needs to be taken so that regulatory pressure does not lead to the loss of speech or community, as the GDPR has done.
And that means recognizing that there are a lot of online services and platforms that are not large companies. Which is good; we want there to be a lot of online services and platforms so that we have places for communities to form and converse with each other. But if people are deterred from setting up, say, their own fan sites, independent of Facebook even, then that’s a huge problem. Because we won’t get those communities, or that conversation.
Society wants that discourse. It needs that discourse. And if California privacy regulation does anything to smother it with its regulatory criteria, then it will have caused damage, which this agency, and the public that empowered it, should not suborn.
Thank you again for this opportunity to address you. A version of this testimony with hyperlinks to the aforementioned examples will be published on techdirt.com shortly.