EU Broadens Right To Be Forgotten In Dangerously Vague Ways With New 'Data Protection' Directive

from the bye-bye-free-speech dept

A few months ago, we noted that the EU was working on its new General Data Protection Regulation and Data Protection Directive — and warned that it was putting free speech and privacy on a crash course. We also had a podcast about this with Daphne Keller, from Stanford’s Center for Internet and Society. While the intentions of the data protection efforts sound good, the actual impact could be quite devastating. The idea is that all these companies are collecting lots of data, and individuals should have more control over what’s collected and how it’s used (and abused). Conceptually, that sounds really valuable. But, in practice it can be a disaster — especially if the people who are focused on privacy/data protection don’t think about or understand the consequences of what they’re doing.

And now, the EU has announced that the new data protection rules have been finalized — and while there’s plenty in there that may be useful, these new rules are almost certainly going to create some new dangerous consequences. A notable concern is that it reinforces this ridiculous “right to be forgotten” concept, and allows for the “erasure” of information. The theory here is that it’s supposed to let you delete old data about you from databases, and you can see why that might make sense. People don’t feel comfortable with, say, old credit information hanging around when it’s no longer relevant. But, as we know, it’s also been interpreted to mean that search engines can be forced to memory hole totally accurate, public information about someone, and that’s now created a vast tool for suppressing free speech. But the new rules more or less double down on that right to be forgotten.

There were fairly simple ways in which the EU could have changed the rules to make them not so problematic, but it ignored those suggestions and kept things troublingly vague, which will almost certainly lead to abuse and the suppression of free speech. A big part of the problem is that it’s not even clear who really is required to obey these right to be forgotten requests, and that’s going to lead to a huge mess:

The GDPR doesn’t tell us whether hosting platforms like Facebook or Twitter are controllers with RTBF erasure obligations. We know that search engines are controllers and thus have RTBF obligations — that was a key holding in the Google Spain/Costeja case. The GDPR doesn’t tell us what other Internet intermediaries will fall in that category. Realistically, I find it hard to imagine DPAs excusing major social networks from erasure obligations, in the long run. But there will be a lot of arguing first.

There are some strong arguments against RTBF obligations for hosts — for example, that they cannot be controllers because they only process content at the direction of a user, who is herself the controller. There are also some widely accepted legal arguments that will, if they prevail, lead to more complicated answers. Following one of them, RTBF would apply to hosts that are too “active” in managing user content, but not to “passive” hosts. Following another argument, hosts would have to erase some content, but not nearly as much as the content that search engines must de-index. (Example: Google may have to remove search results pointing to the Facebook page where I posted about my cousin, but Facebook still won’t have to remove the post from its platform.)

And, this is a big deal. A key part of the new rules is that failing to abide by them can mean fines up to 4% of global revenue. Notice that it’s not just EU revenue, and not profits. That gives the EU tremendous power to force companies to censor the internet globally. I understand that this is being done with good intentions and with privacy in mind, but the potential impact here on basic free speech should be a huge concern.

And while other rules concerning liability for internet services have some protections against abuse, it’s not at all clear if those kinds of protections apply here:

We still don’t know the answer to the €20 million question: Do intermediary liability laws under eCommerce Directive Articles 12-15 apply to RTBF erasure requests? Existing rules under the eCommerce Directive tell Internet companies how to handle removal requests for other legal claims, like defamation. Those rules have real flaws, but they at least build in some protections against legally groundless or abusive attempts to silence online expression. There is no reason to use a whole new process for RTBF claims, so the answer to the question should be yes: eCommerce procedural rules for notice and takedown apply to RTBF erasures. That would mean, among other things, that intermediaries don’t have to take down content until they know the removal request states a valid claim.

The GDPR’s plain language seems to support this answer, but has a loophole that will fuel argument for years. Both GDPR Recital 17 and Article 2.3 say the GDPR is “without prejudice” to “the liability rules of intermediary service providers in Articles 12 to 15” — the eCommerce rules that govern notice and takedown. The problem is, many data protection experts say that the eCommerce “liability rules” are irrelevant, because the GDPR doesn’t technically hold intermediaries liable for the speech of a third party. Following this argument, the “without prejudice” language has no practical consequence. As long as this question is unresolved, intermediaries can’t be certain whether they can use existing eCommerce removal systems, or whether they must develop new tools to implement the troubling new removal process prescribed by the GDPR. Putting faith in the simpler interpretation of Article 2.3, and assuming it excuses an intermediary from following the specific rules described in the GDPR, is an expensive gamble.

Again, the intentions here are good, but the actual impact here may be devastating to the internet. I know it’s easy to dislike big internet companies (even as people make use of their services, often for free, every day), but attacking them in a way that harms their users and their free speech rights seems like a bad bet — and one that likely won’t help develop a next generation of internet services in Europe.




Comments on “EU Broadens Right To Be Forgotten In Dangerously Vague Ways With New 'Data Protection' Directive”

25 Comments
JoeCool (profile) says:

Re: Re:

Europe has NEVER been big on free speech. That was half the reason that people immigrated to other parts of the world. Europe may claim more “culture” and “history”, but personal rights tend to be much lower compared to places Europeans fled to (US, Canada, etc). As the US gets more “culture” and “history”, we’re also slowly eroding away those freedoms that brought people here, but where are we going to immigrate to for more freedom now?

Anonymous Coward says:

Re: Re: Re:

error. There is a large variety of laws in Europe, some are “don’t speak of…”, which is a bit silly, and some are more cultural.
One of the common cultural reasons for “rights to be forgotten” is the use of time-limitation on mostly misdemeanors. When a person is seeking employment for a new job, the criminal record is routinely checked by the potential employer. Thus the intention of that removal of information is to help people who did some crap as a youth and that is generally a positive thing.
That is one of the reasons why “right to be forgotten” in at least a very narrow sense has merit.

Thus the intention is good. The implementation is unbelievably convoluted and frighteningly poor.

I would argue that this is a negative right, associated with a more humanist ideal of people changing for the better. Free speech is one thing. If the speech is problematic for other reasons, it should be possible to give it consequences. That these consequences shouldn’t be on the hands of a government is obvious, but who else should administer it and how?

There is an ongoing philosophical debate among journalistic organisations about how to deal with speech. Right now, most are leaning towards some form of moderation, whether by users or admins. The debate easily escalates to become an ongoing Godwin-discussion or threatening without some moderation. Right now the compromise between keeping a discussion on topic and a sewer from the most emotional and extreme users is dealing with it in several packages:
– Obviously illegal speech (personal threats and several other obvious illegal speech is usually deleted and handed over to the local authorities if possible to comply with the local jurisdiction)
– Very trollish and emotional extreme speech (This is the controversial bit. Most use some kind of “user-moderation and admin”-hybrid)
– Normal speech (protected, but with some user-moderation.)
While free speech is a very controversial topic, you will have to treat the least problematic and most problematic speech differently. Free speech has to be moderated somewhere, by some standard or in some way. So drop that “free speech is sacred”-puritanism and be specific enough about what you would be comfortable with.

Anonymous Coward says:

Re: Re:

If I have some personal info out there from when I was a kid, as an adult should I then have to suffer every last troll who wants to namesearch me and find that information (and not just talking likes/dislikes etc. but address and the like) to swat me or send me death threats in the mail or the like? No, I shouldn’t, but as things stand in the West, you can’t even get a host to delete your own post if where it was posted is inactive, but still searchable (like many of the old invisionfree forums). That’s different from something like what the article covers, which should never have been allowed to be removed at all.

Craig Welch (profile) says:

Re: ISDS

There is no blanket Investor State Dispute System (ISDS). Various Bilateral Investment Treaties (BITs), although not all, have an ISDN provision. Google would have to find a BIT between its parent and the State it alleges has harmed it; prove that it is a qualified Investor under the terms of the BIT; prove that the harm was real and due to State actions; and that those actions were not done for a purpose such as the ‘public good’. In this case, if all of the pre-conditions were met, I’m inclined to think that their case might fall over on the last one.

Anonymous Coward says:

“..it’s also been interpreted to mean that search engines can be forced to memory hole totally accurate, public information about someone, and that’s now created a vast tool for suppressing free speech”

Should free speech be immortal? If so, why?

If we think back to the days when most of us lived in all towns, villages or settlements, where the neighbors might learn many of our secrets, naughty doings, and private foibles, and might spread the information around (maybe to our detriment) at least the lifetime of the information was finite (as the neighbors died, as memories diminished, as our grandchildren produced our great-grandchildren and so on) eventually our secrets decayed into the silence of the grave. But we are now creating repositories of private information which will never die and which can be used to discriminate against, to persecute, to harass, to be used as gossip, against the previously innocent who entered the world mostly unsullied by whatever was recorded for use against our ancestors. Is this what we want for everyone? Should not our private life die when the persons who know us also enter into history?

Rekrul says:

Re: Re:

But we are now creating repositories of private information which will never die and which can be used to discriminate against, to persecute, to harass, to be used as gossip, against the previously innocent who entered the world mostly unsullied by whatever was recorded for use against our ancestors.

So a politician who commits a crime or who goes off on a racist rant, should be able to erase that information from the internet so that when potential voters search for his name, they will find only positive results?

Maybe we should go into the libraries and start tearing pages out of the history books as well? After all, I’m sure some of those people would rather be forgotten…

Anonymous Coward says:

Re: Re: Re:

“So a politician who commits a crime or who goes off on a racist rant, should be able to erase that information from the internet so that when potential voters search for his name, they will find only positive results?”

Suppose you are Hitler’s or Stalin’s or great-great-great grandchild, born innocent and unformed, do you deserve the opprobrium, hilarity or worse wreaked upon you as a descendant of that ancestor? Tarred with the sins of your ancestors? You probably have a horse-thief or pig-thief among your great-great^n ancestors. You’re not safe to work in a supermarket as a teen, because obviously your family are sh1ts. Do your penance.

Anonymous Coward says:

Re: Re: Re:

So a politician who commits a crime or who goes off on a racist rant, should be able to erase that information from the internet so that when potential voters search for his name, they will find only positive results?

Well, if he has decided to no longer be racist why should his past be held against him? Just because he was a racist yesterday doesn’t mean that he is today!

Maybe we should go into the libraries and start tearing pages out of the history books as well? After all, I’m sure some of those people would rather be forgotten…

Only the pages that could cause embarrassment or have negative effects. The good things can be left in, of course. Otherwise, people might be concerned about future repercussions when deciding what to do today. We can’t have that.

/s

That One Guy (profile) says:

Enough with the apologizing

While the intentions of the data protection efforts sound good… Conceptually, that sounds really valuable…. being done with good intentions and with privacy in mind… Again, the intentions here are good

Enough with that rubbish. ‘Intentions’ don’t mean squat, what matters is what you do, and in this case the actions are a huge mess, and likely to cause even more problems going forward.

If someone really means well when they do something that causes you significant problems that doesn’t mean their actions should be excused, because they still caused problems with their action.

rikuo (profile) says:

I’m in Ireland. Whenever I do a Google search that includes a name (pretty much any name) I always see at the bottom that Google may not be displaying some results due to the RTBF law. Not that it actually is in each particular case, but that it MIGHT be, and it can’t tell me whether or not it actually is.

This has become so annoying and problematic that I’ve started avoiding Google.ie and now default to Google.ca

mb says:

simple, really

The rules should simply state that any individual should have the right to dictate how any information provided in a transaction is regarded. That is the ONLY way information security can EVER work.
There needs to be an explicit opt-in agreement that gives the user the option for the service provider to maintain that data and apply it to purposes outside of the transaction. There need to be criminal repercussions to abuse of that data, and the service provider should not be able to refuse service to anyone unwilling to provide data for purposes other than the immediate transaction.

Anonymous Coward says:

Oh, spare us all...

As I get older, I’m beginning to realize that one of the strongest indicators of an indefensible position is when it rests entirely on some predictable mantra.

So, humanity has entered this weird, new paradigm where sensitive information is digitized and agglomerated from everywhere and exists forever as public infotainment. If you happen to fall on the wrong side of that situation, it can have profound implications for your personal or professional life. You can be unemployable. You can be socially ostracized, even though you’ve done nothing wrong. This is not even withstanding the broader, moral question of whether or not ‘society’ enjoys some bizarre “Right For Nothing To Ever Blow Over” whereby everything you’ve ever said or done is etched in digital stone for public infotainment. To the contrary, almost every country enshrines various mechanisms for things to ‘eventually go away’. From credit reports to criminal records, even a full blown bankruptcy in federal court drops off your credit record after 7 years. Certain low felonies can be sealed in 2 or 3. Society has no problem dealing with this sort of thing but now that ‘the issue’ is defined by Google rather than society, we now have another problem.

“BUT MUH FREEDOM OF SPEECH! WHAT ABOUT MUH FREEDOM OF SPEECH!”, goes the rally cry. Well, my medical records are not your ‘freedom of speech’. My home ownership information is not your ‘freedom of speech’. Something you did dumb at the age of 18 that made the newspaper, that is not my “freedom of speech” and while it’s arguably the newspaper’s freedom of speech, it doesn’t take a great genius to acknowledge what that ‘freedom’ means in the context of the information age and to question whether or not it should exist as a mark against your name, forever.

Once upon a time, society had no problem demarcating this issue by applying a different defamation standard for public and private figures but again, in the Google era, we’re all just infotainment for Google’s profit.

“BUT WHAT ABOUT PEDOPHILES! WHAT IF PEDOPHILES WANT TO ERASE WHAT THEY’VE DONE? WON’T YOU THINK OF THE CHILDREN???” … goes the appeal to emotion but again, has there *ever* in the history of civilization been an issue that was otherwise rational when it had to be defined with hysterics about child molesters? If we acknowledge that particularly heinous crimes with a lot of notoriety may warrant some degree of permanence, does that then trickle down to someone who gets a DUI 9 years ago and serves probation, should he be unemployable because he can’t afford to pay a mugshot extortion website that cloaks itself with the same MUH FREEDOM OF SPEECH! rally cry as every shallow ideologue who is too blinded or dumb to take a nuanced look at this issue?

Sorry, Europe absolutely nailed this one, probably needs to go further. Once again, the US will remain the global laughingstock chanting a mantra about something-something-FREEDOM!!!, as usual. Imbeciles.
