This is the second instalment in my series analyzing Europe’s pending General Data Protection Regulation, with a focus on its impact on intermediary liability and user free expression. The introduction gives an overview of the legislation and the issues it raises. Reading it first is highly recommended. This section goes into greater depth on those issues and previews coming instalments in the series, which will appear on the Stanford CIS blog.
1. Core Questions About the GDPR and Intermediary Liability
Later blog posts will address these topics in more depth.
Q: What entities outside Europe will fall under GDPR jurisdiction?
A: A lot. The GDPR asserts jurisdiction over entities that offer services to or “monitor” EU users. “Monitoring” seems to be defined broadly enough to include fairly standard web and app customization features, so the law reaches many online companies outside of the EU. In practice regulators presumably will not prioritize or dedicate limited resources to policing small and distant companies. But the GDPR will be an issue for companies with growing EU user bases and presence in Europe; and regulators can choose to enforce the law against many more entities around the world. The first post in this series will go into detail about what this means.
Q: What’s this about Controllers and Processors?
A: These are key terms under existing data protection law and in the GDPR. Regulated entities are generally classified as either Controllers or Processors. Distinct legal obligations flow from that classification. Controllers are, roughly speaking, entities that hold personal data and decide what to do with it. Because they are the decision-makers, they have more obligations under the law – including compliance with erasure or “Right to Be Forgotten” requirements. Processors hold personal data, but follow instructions from a controller about what to do with it. Their legal duties are correspondingly fewer. In a simple example, a firm that holds records about its employees is a controller of their personal information; if it outsources payroll operations under contract with a payroll company, that company is a processor. The CJEU’s determination that Google acted as a controller in operating web search was a key holding of Costeja. More on the controller/processor distinction is here.
Q: What about the “Right to Be Forgotten”?
A: It’s not going away. In the GDPR, it is currently enumerated as a right to “Erasure.” In recent drafts it has been a right exercisable only against data controllers, not data processors. That would mean Google web search still has to do these removals. There is room for debate about the obligations of other Internet intermediaries, such as Twitter. Content providers can also be required to honor “Right to Be Forgotten” removal requests, but under different substantive standards for determining what to remove.
Q: Does the GDPR clear up whether intermediaries can rely on intermediary liability “safe harbors” or notice and takedown systems under the eCommerce Directive when they receive an erasure request?
A: I don’t think so. But there will be disagreement on this.
Q: How does the GDPR directly address free expression?
A: Article 80, which in most drafts is titled “Processing of personal information and freedom of expression,” requires Member States’ laws to include exemptions and derogations protecting speech and information rights. That’s a lot of pressure to put on national law, which historically has varied widely in its protection of such rights. More troublingly, some drafts would offer exceptions only for the “processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression.” (EDPS Art. 80) In other words, if the work is for some other purpose, or if it has a mixed purpose, the exceptions would not apply.
For intermediaries processing third-party data, free expression is also relevant, though in ways that can be hard to pin down in practice. The legal basis for intermediaries’ processing in the first place is often that the processing serves “legitimate purposes.” (Art 5.1(b)) When an intermediary declines to honor a removal request on free expression grounds, the GDPR provision invoked is one that references only “legitimate interests.” (Art 6.1(f)) While undefined, such legitimate purposes and interests clearly include expression and information rights. But the GDPR and existing law provide scant detail on how to assess these interests – this was one common critique of the Costeja ruling. And important questions about whose interests may be considered – which come up in litigation about content removal – are not always addressed well in GDPR drafts. For example, one draft provision allows controllers to decline to remove content based on “legitimate interests pursued by the controller, or by the third party or parties to whom the data are disclosed[.]” (6.1(f) EDPS) Under this formulation, the interests of the speaker – the user whose content is indexed, transmitted, or hosted – fall out of the analysis. Data protection law’s lack of detailed provisions for free expression made more sense in an era when regulated entities were assumed to be banks, employers, medical offices, and the like. Today, inattention to the unique role of Internet intermediaries in GDPR drafting will likely lead to more removals of lawful expression – and more litigation.
Q: If parts of this law are unclear, who decides what it means?
A: It will take a while. Initial layers of review will typically come from data protection regulators, rather than courts. In the first instance, DPAs – largely staffed by career civil servants specialized in data protection law – will answer most questions. Issues that affect more than one country will be resolved via important and hotly contested new “One Stop Shop” and Cooperation Procedure provisions. Difficult questions or disagreements among national DPAs will be addressed by a new European Data Protection Board created by the GDPR, which effectively replaces the existing EU-wide Article 29 Working Party. Entities which disagree with regulators’ interpretation of the law can eventually go to court (or the complainant can go directly to court instead of the DPA), so in the long term we will see court opinions on the hard issues. But they may vary from country to country and even from case to case within a country – particularly in civil law countries. The really hard and consequential questions should eventually bubble up to the Court of Justice of the EU (CJEU) or possibly the European Court of Human Rights (ECHR).
2. Important and Complex Questions from Experts
These are all hard questions I have heard from experts in Brussels. They will not get extensive treatment in this series, but they matter a lot in the long term. Feedback regarding these questions is especially welcome; there is more to be said about all of them.
Q: Aren’t the eCommerce Directive and GDPR already aligned, because any intermediary that is passive enough to qualify for eCommerce protection will also qualify as a Processor for data protection purposes?
A: This question comes up because of some approximate parallels between the eCommerce and Data Protection directives. Intermediaries lose protection under the eCommerce Directive if they are too “active” in handling user-generated content, as opposed to being “passive” and “neutral.” Similarly, under data protection law, an entity that determines for itself how to process personal data is deemed a “controller” with significant legal obligations including data erasure; while an entity merely following a controller’s instructions about how to process data is a “processor” with fewer obligations. There are parallels between the two classification systems: the more discretion you exercise in managing third party data or content, the more responsibility you have. So it would be theoretically possible that the only entities that have content erasure obligations as controllers under the GDPR are ones that fall outside eCommerce Directive protections anyway – in other words, that all data protection processors are passive intermediaries protected by the eCommerce Directive, and all controllers aren’t.
But the law doesn’t say that now, and there’s good reason it shouldn’t in the future. There are already instances where an intermediary has been deemed a controller in data protection cases, but found to be protected by the eCommerce Directive in content removal cases. More broadly, law about “passive” and “active” eCommerce intermediaries is a moving target. Court rulings provide widely diverging interpretations in different cases and in different countries. More fundamentally, the animating policy goals of data protection law and intermediary liability law are sufficiently different – and the scope of unrelated issues each must address sufficiently broad – that it seems unlikely the two would ultimately arrive at identical classification regimes.
Q: What does the GDPR have to do with freedom of expression?
A: Some thoughtful data protection experts honestly see no free expression concerns with the law, despite its strong new language requiring erasure of information. Erasure is only required after consideration of relevant legitimate interests, including interests in free expression and access to information, so – one could reason – protection of free expression is built in.
One problem with this analysis is the documented tendency of intermediaries to avoid risk and transaction costs by simply removing challenged content. Putting removal decisions in the hands of technology companies – as opposed to, say, content creators or national courts – is a recipe for over-removal of lawful expression. Another is that procedural details in the GDPR’s removal and review process tilt the playing field in favor of privacy rights, and make users’ free expression rights harder to vindicate. A final problem is that different countries have very different laws balancing free expression against other rights, including privacy or data protection. Content that self-evidently should be removed in Europe may be protected and lawful speech in the US and other countries. Applying EU removal standards to content in those countries creates a free expression issue for Internet speakers and readers there.
Q: The erasure provisions of the GDPR aren’t about liability, so how can they affect intermediary liability?
A: I’ve heard this question a couple of times from smart data protection lawyers, and I’m not sure I quite understand it. But here’s a shot. I think the point may be that the erasure requirements function like injunctive relief; they don’t create liability in the sense of exposure to monetary damages. Assuming that is the argument, there are several possible responses. One is about terminology. The term “intermediary liability” is used by practitioners as shorthand for an array of obligations intermediaries have toward third party content, including notice and takedown. So any law creating a removal obligation for intermediaries falls in the category of “intermediary liability” law. (We could really use better terminology.) Another answer is that given the new, high financial penalties for GDPR noncompliance, an intermediary risks serious financial consequences for not taking content down – even if the intermediary believes the law does not require removal. The same may be true under current law, according to the Vidal-Hall ruling. A third answer is that parts of the GDPR seemingly create liability for intermediaries even when they are unaware that they are processing content unlawfully. Such a departure from the eCommerce Directive’s knowledge standard would be a sea change for intermediary liability, and make the operation of open platforms for users to receive and impart information a much riskier business.
3. One Question I Hope Other People Are Asking About Free Expression and The GDPR
I have not seen much evidence of librarians and archivists following the GDPR, and provisions affecting them are outside the scope of this series. I would be interested in seeing any analysis others have on this issue.
Q: Does the GDPR have other consequences for free expression and information access, aside from the Internet issues discussed here?
A: Yes. The stand-out issue to me is the GDPR’s treatment of archives and research. I am not an expert in this field, but I hope those who are have been tracking the GDPR and communicating with decision-makers in Brussels. The GDPR appears to whittle away at archival uses in a number of ways. For example, Article 83 in most drafts permits use of personal data for “historical, statistical or scientific research” only if it is impossible to conduct the research using non-identifying information. Given the expansive definition of “personal data,” and the cost for libraries or researchers to strip out anything that meets the definition, this would appear to impose significant costs on normal and valuable research. Many exceptions and derogations permit archival “public interest” uses only if they are specifically listed in national law. For example, one draft says Member State law must ensure that archival data “cannot be used in support of measures or decisions affecting specific individuals, except for those measures or decisions that are specifically foreseen in Member State law.” (EDPS draft Art. 83a) It is easy to imagine scenarios where a use unanticipated by the State has real societal value: aggregation of third party personal data to decide if a specific individual should be charged with professional negligence, for instance, or receive extra educational support, be protected from certain allergens in the workplace, etc. Unless all these scenarios are foreseen and enumerated by every national legislature in the EU, the outcome appears troubling for researchers – and the people whose lives are made better by their work.
Another possible threat to archives comes from provisions about “further processing” and the purpose limitation for data processing. (Art. 5 and elsewhere.) Different drafts take notably distinct approaches to the situation in which personal data that was collected for one purpose is later used for a new purpose. The issue is rightly important and contentious because of concerns about companies getting user permission for one purpose, and then using the data for other things. Without careful drafting, though, this could also affect archives and research institutions, where information collected for one purpose can often be a treasure trove for researchers pursuing new questions. It is not clear if this concern is fully represented in GDPR discussion.
Daphne Keller is Director of Intermediary Liability at The Center for Internet and Society at Stanford Law School.