Europe is very close to the finishing line of an extraordinary project: the adoption of the new General Data Protection Regulation (GDPR), a single, comprehensive replacement for the 28 different laws that implement Europe’s existing 1995 Data Protection Directive . More than any other instrument, the original Directive has created a high global standard for personal data protection, and led many other countries to follow Europe’s approach. Over the years, Europe has grown ever more committed to the idea of data protection as a core value. In the Union’s Charter of Fundamental Rights, legally binding on all the EU states since 2009, lists the “right to the protection of personal data” as a separate and equal right to privacy. The GDPR is intended to update and maintain that high standard of protection, while modernising and streamlining its enforcement.
The battle over the details of the GDPR has so far mostly been a debate between advocates pushing to better defend data protection, against companies and other interests that find consumer privacy laws a hindrance to their business models. Most of the compromises between these two groups have now already been struck.
The result is a ticking time-bomb that will be bad for online speech, and bad for the future reputation of the GDPR and data protection in general.
The current draft of the GDPR doubles down on Google Spain, and raises new problems. (The draft currently under negotiation is not publicly available, but July 2015 versions of the provisions that we refer to can be found in this comparative table of proposals and counter-proposals by the European institutions. Article numbers referenced here, which will likely change in the final text, are to the proposal from the Council of the EU unless otherwise stated.)
First, it requires an Internet intermediary (which is not limited to a search engine, though the exact scope of the obligation remains vague) to respond to a request by a person for the removal of their personal information by immediately restricting the content, without notice to the user who uploaded that content (Articles 4(3a), 17, 17a, and 19a.). Compare this with the DMCA takedown notices, which include a notification requirement, or even the current Right to Be Forgotten process, which give search engines some time to consider the legitimacy of the request. In the new GDPR regime, the default is to block.
Then, after reviewing the (also vague) criteria that balance the privacy claim with other legitimate interests and public interest considerations such as freedom of expression (Articles 6.1(f), 17a(3) and 17.3(a)), and possibly consulting with the user who uploaded the content if doubt remains, the intermediary either permanently erases the content (which, for search engines, means removing their link to it), or reinstates it (Articles 17.1 and 17a(3)). If it does erase the information, it is not required to notify the uploading user of having done so, but is required to notify any downstream publishers or recipients of the same content (Articles 13 and 17.2), and must apparently also disclose any information that it has about the uploading user to the person who requested its removal (Articles 14a(g) and 15(1)(g)).
Think about that for a moment. You place a comment on a website which mentions a few (truthful) facts about another person. Under the GDPR, that person can now demand the instant removal of your comment from the host of the website, while that host determines whether it might be okay to still publish it. If the host’s decision goes against you (and you won’t always be notified, so good luck spotting the pre-emptive deletion in time to plead your case to Google or Facebook or your ISP), your comment will be erased. If that comment was syndicated, by RSS or some other mechanism, your deleting host is now obliged to let anyone else know that they should also remove the content.
Finally, according to the existing language, while the host is dissuaded from telling you about any of this procedure, they are compelled to hand over personal information about you to the original complainant. So this part of EU’s data protection law would actually release personal information!
What are the incentives for the intermediary to stand by the author and keep the material online? If the host fails to remove content that a data protection authority later determines it should have removed, it may become liable to astronomical penalties of ?100 million or up to 5% of its global turnover, whichever is higher (European Parliament proposal for Article 79).
That means there is enormous pressure on the intermediary to take information down if there is even a remote possibility that the information has indeed become “irrelevant”, and that countervailing public interest considerations do not apply.
It is not too late yet: proposed amendments to the GDPR are still being considered. We have written a joint letter with ARTICLE 19 to European policymakers, drawing their attention to the problem and explaining what needs to be done. We contend that the problems identified can be overcome by relatively simple amendments to the GDPR, which will help to secure European users’ freedom of expression, without detracting from the strong protection that the regime affords to their personal data.
Without fixing the problem, the current draft risks sullying the entire GDPR project. Just like the DMCA takedown process, these GDPR removals won’t just be used for the limited purpose they were intended for. Instead, it will be abused to censor authors and invade the privacy of speakers. A GDPR without fixes will damage the reputation of data protection law as effectively as the DMCA permanently tarnished the intent and purpose of copyright law.