Earlier this week, we wrote about the EU Court of Justice's decision that the NSA's surveillance of the internet meant that the EU-US data protection safe harbor was invalid. As we noted, there's a lot of mess in all of this, but losing that safe harbor would be tremendously problematic for the internet. And the impact could be that the NSA basically screwed things up royally for American internet companies by spying on European users. But, the issue actually goes much deeper. As that ruling recognized, the crux of the matter was dependent on the EU's Data Protection Directive. And that Data Protection Directive is about to be updated.
And the end result may be very, very bad for the internet.
That's the conclusion of Daphne Keller at Stanford's Center for Internet and Society, who is writing a series of blog posts detailing the problems with the current drafts. At the core of the issue, as Keller notes, the worlds of "privacy protection" and "free speech/intermediary liability protection" are two separate worlds -- and people on both sides don't seem to realize just how much the two can and do overlap.
Historically, many lawyers have not drawn a connection between data protection and the law of intermediary liability. The two fields use very different vocabularies, and are for the most part interpreted, enforced and litigated by different practitioners. A lawyer who views an issue through the lens of intermediary liability and one who views the same issue through the lens of data protection may have trouble even understanding each other's concerns.
Another way to look at it, though, is basically a European approach vs. an American approach. And this is something of a generalization, but the European approach values privacy above most other factors, while the American approach values free speech above most other factors. Both approaches have pros and cons, frankly. But when you don't realize where they conflict, problems can arise. There is no doubt that Europeans, generally speaking, are much more concerned about protecting the privacy of individuals, and are quite reasonably concerned about excesses done by either governments or companies that intrude on individual privacy. The US, by comparison, has very little in the way of regulations concerning privacy, but does have very strong protections for free expression.
But sometimes "free expression" and "privacy" can clash in big, big ways.
A perfect example of the conflict would be the right to be forgotten. The big ruling out of the EU Court of Justice last year was entirely about privacy. It felt that if there was old, out-dated, irrelevant information it should be "de-linked" from databases, in order to protect the "privacy" of those individuals. The "free speech" concerns didn't even really come into play at all. It was all about "data protection."
And that's where the new General Data Protection Regulation (GDPR) can present serious problems. First, it would expand what internet companies are likely covered by the regulations. Lots of American companies, which barely have any operations in Europe, have the potential of being impacted by these rules -- which would more or less lock in the right to be forgotten in a way that might even allow it to expand.
The GDPR asserts jurisdiction over entities that offer services to or “monitor” EU users. “Monitoring” seems to be defined broadly enough to include fairly standard web and app customization features, so the law reaches many online companies outside of the EU. In practice regulators presumably will not prioritize or dedicate limited resources to policing small and distant companies. But the GDPR will be an issue for companies with growing EU user bases and presence in Europe; and regulators can choose to enforce the law against many more entities around the world.
It could also wipe out further intermediary liability protections that have been so important to the internet and its success. While the US has strong intermediary protections in the form of CDA 230, Europe already had a much weaker form of intermediary liability based on the EU's E-commerce directive. The fear is that the new GDPR could more or less eat away at the existing protections, making more companies "liable" for content posted by users, if it's somehow deemed to violate some sort of privacy right.
And, as we've pointed out for years, when you don't have strong intermediary liability protections you tend to end up with widespread censorship over expression. That's because no internet company wants to face a lawsuit just because some of its users are jerks. And the new rules are not at all clear -- and vagueness will create incentives for massive censorship:
For intermediaries processing third-party data, free expression is also relevant, though in ways that can be hard to pin down in practice. The legal basis for intermediaries’ processing in the first place is often that the processing serves “legitimate purposes.” ... When an intermediary declines to honor a removal request on free expression grounds, the GDPR provision invoked is one that references only “legitimate interests.”... While undefined, such legitimate purposes and interests clearly include expression and information rights. But the GDPR and existing law provide scant detail on how to assess these interests – this was one common critique of the Costeja ruling. And important questions about whose interests may be considered – which come up in litigation about content removal – are not always addressed well in GDPR drafts. For example, one draft provision allows controllers to decline to remove content based on “legitimate interests pursued by the controller, or by the third party or parties to whom the data are disclosed[.]” ... Under this formulation, the interests of the speaker – the user whose content is indexed, transmitted, or hosted – fall out of the analysis. Data protection law’s lack of detailed provisions for free expression made more sense in an era when regulated entities were assumed to be banks, employers, medical offices, and the like. Today, inattention to the unique role of Internet intermediaries in GDPR drafting will likely lead to more removals of lawful expression – and more litigation.
On top of this it would appear to expand the right to be forgotten even further, noting a general right to "erasure" as part of the data protection regulation -- which is a pretty damn Orwellian term in this context. Erasure is a tool that we should be very wary of, because as we've seen time and time again, when you give people the power to take content down, it gets abused massively by people trying to censor all kinds of content they don't want. Protecting privacy is one thing. "Erasing" public content people just don't like is another.
As someone who has strong beliefs about protecting both privacy and freedom of expression, it seems to me like it's fairly important to make sure that everyone's on the same page about what is private and what is not. This often seems to be where much confusion lies. In the EU's right to be forgotten case, it was basically decided that old but accurate information that was publicly released in newspapers, should be considered private when linked to a person's identity. Frankly, this approach seems nonsensical to me. If we're talking about actual private information -- i.e., information that was never publicly available in a perfectly legitimate form -- then perhaps there's a point. I can understand the arguments for potentially removing truly private information. But when "private information" is so broadly defined, and then internet platforms are suddenly liable for policing such content, you have a recipe for mass censorship, or even companies moving out of offering service in Europe altogether.
On top of that, as we've discussed at length, the idea of holding intermediaries liable for the actions/statements of their users is a really dangerous idea. It creates massive uncertainty that is only going to lead to greater censorship as internet companies start blocking content just to avoid any possibility of liability.
As Keller notes in this post, if this is to not create a massive mess for the internet around the globe, those who are concerned about privacy and those who are concerned about free speech (along with those who are concerned about the internet itself) need to get on the same page or in the same room to discuss these issues. Because, so far the discussions have been separate, and the end result may be a "data protection" regulation, put in place with truly good intentions by those who believe they're looking out for important privacy interests, but the end result is to whittle away at freedom of expression and at the keys to maintaining a free and healthy internet. Pretending that you can just focus on "privacy" without considering free expression or how the internet itself works is not only foolish and naive, but potentially dangerous for the internet.