We recently wrote about some concerns about the new Data Protection Directive that is being set up in Europe. The law is driven by people with good intentions: looking to better protect the privacy of European citizens. Privacy protection is an important concept — but the current plans appear to be so focused on privacy protection that it gives very little regard for the unintended consequences of the way it’s been set up. As we wrote in our last post, Daphne Keller at Stanford’s Center for Internet and Society is writing a series of blog posts raising concerns about how the new rules clash with basic concepts of free speech. She’s now written one about the immensely troubling setup of the “notice and takedown” rules included in the General Data Protection Regulation (GDPR). For years, we’ve been concerned by problematic notice and takedown procedures — we’ve seen the DMCA frequently abused to stifle speech, rather than for genuine copyright challenges. But, for some reason, people often immediately leap to “notice and takedown solutions” for any kind of content they don’t like, they and the drafters of the GDPR are no different.
Except, it’s worse. Because whoever drafted the notice-and-takedown portion of the GDPR actually made the process worse than the notice and takedown rules found elsewhere. Here’s the GDPR process, as explained by Keller:
- An individual submits a removal request, and perhaps communicates further with the intermediary to clarify what she is asking for.
- In most cases, prior to assessing the request’s legal validity, the intermediary temporarily suspends or “restricts” the content so it is no longer publicly available.
- The intermediary reviews the legal claim made by the requester to decide if it is valid. For difficult questions, the intermediary may be allowed to consult with the user who posted the content.
- For valid claims, the intermediary proceeds to fully erase the content. (Or probably, in the case of search engines, de-link it following guidelines of the Costeja “Right to Be Forgotten” ruling.) For invalid claims, the intermediary is supposed to bring the content out of “restriction” and reinstate it to public view — though it’s not clear what happens if it doesn’t bother to do so.
- The intermediary informs the requester of the outcome, and communicates the removal request to any “downstream” recipients who got the same data from the controller.
- If the intermediary has additional contact details or identifying information about the user who posted the now-removed content, it may have to disclose them to the individual who asked for the removal, subject to possible but unclearly drafted exceptions. (Council draft, Art. 14a)
- In most cases, the accused publisher receives no notice that her content has been removed, and no opportunity to object. The GDPR text does not spell out this prohibition, but does nothing to change the legal basis for the Article 29 Working Party’s conclusions on this point.
If you don’t see how that process is likely to lead to widespread abuse and the censorship of perfectly legal speech, you haven’t been paying much attention on the internet over the last decade plus. To be fair, you can understand why the drafters think this process makes sense. They’re thinking solely about truly problematic and embarrassing information. If, say, your personal medical records have been posted online, it makes sense to look for a way to have that info removed as quickly as possible. But, given how frequently people use these processes in the copyright context to takedown just content they “don’t like” (and how often people admit they do so because it’s the only way to get such content down), you know it’s going to get massively abused for issues that have nothing to do with privacy protection.
Once again, it seems like regulators focus solely on solving for the “worst case” scenario, with little thought towards how that will be applied in much more common cases, and what that means for free speech and society.
And that’s not all that’s dangerous about the current rules. They also deal a huge blow to anonymous speech and privacy:
A second glaring problem with the GDPR process is its requirement that companies disclose the identity of the person who posted the content, without any specified legal process or protection. This is completely out of line with existing intermediary liability laws. Some have provisions for disclosing user identity, but not without a prescribed legal process, and not as a tool available to anyone who merely alleges that an online speaker has violated the law. It’s also out of line with the general pro-privacy goals of the GDPR, and its specific articles governing disclosure of anyone’s personal information — including that of people who put content on the Internet.
Yes, that’s right. In an effort to protect privacy, the drafters are so focused on a single scenario, that they don’t consider how the process will be abused to weaken the privacy rights of others. Want to know who said something anonymously that you don’t like? File a privacy complaint and the service provider is just supposed to cough up their name. Again, given how often we’ve seen bogus defamation claims made solely for the purpose of trying to identify those who speak anonymously, this is a major concern.
There are ways to create a better process for the removal of truly illegal information, but the GDPR simply wipes most of those away in the interest of expediency in trying to prevent a worst case scenario. And the end result may be an even worse situation, in which free speech and privacy rights are broadly wiped away from many by handing a powerful censorship tool, with privacy-destroying elements, to anyone who wants to go after someone else’s speech. I’ve long been in favor of using “notice and notice” type systems that allow whoever posted content to protest before content is taken down, but even if they’re going with a notice and takedown system, there are much better ways to implement ones that at least include some semblance of due process. In addition, there should be strong penalties for those who abuse these notice and takedown procedures.
As Keller writes:
Notice and takedown laws also exist to protect people who are harmed by online content. But protecting those people does not require laws to prioritize removal with little concern for the rights of online speakers and publishers. A good notice and takedown process can help people with legitimate grievances while incorporating procedural checks to avoid disproportionate impact on expression and information rights. Valuable information that would be gone under existing laws but for these checks — importantly including transparency about what content has been removed — spans religious, political, and scientific content, along with consumer reviews. Crafting the law to better protect this kind of content from improper removal is both important and possible.
It would be nice to see the drafters of the GDPR at least recognize the harm they may be about to cause.