This is one of a series of posts about the pending EU General Data Protection Regulation (GDPR), and its consequences for intermediaries and user speech online. In an earlier introduction and FAQ, I discuss the GDPR’s impact on both data protection law and Internet intermediary liability law. Developments culminating in the GDPR have put these two very different fields on a collision course -- but they lack a common vocabulary and are in many cases animated by different goals. Laws addressing concerns in either field without consideration for the concerns of the other can do real harm to users’ rights to privacy, freedom of expression, and freedom to access information online.
Disclosure: I previously worked on "Right to Be Forgotten" issues as Associate General Counsel at Google.
Cross-posted to the Internet Policy Review News & Comments
This series of blog posts has identified problems with the GDPR’s notice and takedown provisions for user-generated content processed by Internet intermediaries. The unnecessary new burdens these provisions place on Internet users’ free expression rights could be avoided, without undermining protections for privacy, through simple changes to the Regulation. But the GDPR’s procedural bias toward content deletion by private intermediaries is not the only threat to free expression under the new law.
Several other GDPR provisions give short shrift to speech and information rights. One is the GDPR’s specific provision covering freedom of expression, at Article 80. Another is the GDPR’s process for adjudicating disputes and balancing rights through Data Protection Agencies (DPAs), courts, and the newly created European Data Protection Board.
These parts of the law disadvantage expression and information rights in ways that would be relatively harmless if data protection law still primarily applied, as it once did, to data held and processed internally by companies. They have far larger consequences now, given the law’s application to vast amounts of publicly available information and content. Problems created by these provisions are compounded by the new obligations on Internet intermediaries to erase users’ online expression under the “Right to Be Forgotten.”
I will treat these problems in far less detail than I did the notice and takedown process. Even this relatively simple overview, however, raises real concerns about whether the GDPR can really provide proportional protections for free expression as a right co-equal with privacy and data protection.
The GDPR’s Article 80 Free Expression Provisions
Free expression rights under the GDPR are directly addressed in Article 80, which requires that “Member States shall provide for exemptions or derogations” to protect free expression. Draft Recitals discuss – quite reasonably – the need to balance fundamental rights, including privacy and information rights. (Council Recitals 3a, 38, 53 and 56) However, a closer look at the Regulation reveals numerous causes for concern about this balance.
One problem with Article 80 is that it relies on Member State law to define and enforce the free expression rights guaranteed by the European Charter. This is the same allocation of responsibility that exists under the current Data Protection Directive, and empirical research has revealed significant problems with it. Cambridge professor David Erdos has exhaustively reviewed and analyzed national implementation of the current free expression carve-outs from data protection, and found significant and troubling variation from one country to another. Some countries have not even passed legislation to create the derogations that have been required for the past twenty years under the 1995 Directive. Others have enacted laws that fall far short of the goal of balancing expression and privacy rights. Given this history, it is unreasonable to expect Member States to enact more balanced protections under the GDPR.
A second cause for concern arises from the language of the GDPR’s free expression provision in Article 80. In some drafts, this Article does not even require Member States to protect all forms of expression – only those “carried out solely for journalistic purposes or the purpose of artistic or literary expression.” (Comm. Art. 80, emphasis added) This restrictive language is not new, but it is newly troubling given data protection law’s greatly expanded application to online speech. Individuals posting information, opinions, and ideas online will often lack the credentials to claim protection under these limited exemptions. Their failure to fit into defined categories should not preclude legal protection for their fundamental rights.
The rules Member States enact under this flawed framework directly affect intermediaries when they are asked to delete users’ online expression. “Right to Be Forgotten” requests under the GDPR can in theory be rejected if the content being challenged is necessary “for exercising the right of freedom of expression in accordance with Article 80.” (Art. 17.3 Commission) (This provision does not, however, affect the intermediary’s obligation to immediately take the content offline pending review.) In practice, intermediaries will be far less likely to honor this exemption if the relevant Member State law is vague, inapplicable to ordinary Internet users, or significantly different from one country to another.
Another problem with this provision is the lack of clarity about whose free expression rights an intermediary may consider. The most obvious person should be the Internet user who posted the content. But doctrinally and before courts, serious legal uncertainty can arise regarding an intermediary’s ability to act on the basis of that user’s rights -- as opposed to the company’s own, relatively paltry, free expression rights. As a conspicuous example, the CJEU’s Costeja ruling itself did not identify the publisher’s expression rights as a balancing factor in determining what content must be removed. The GDPR perpetuates this uncertainty, sometimes suggesting that relevant interests are only those pursued by “the controller, or by the third party or parties to whom the data are disclosed” – in other words, the intermediary and the users who read the content, but not the publisher. (EDPS Art. 6.1(f))
Inadequacies in the GDPR’s provisions governing free expression are problematic on their own, but will ramify as that law is interpreted by risk-averse private companies under the GDPR’s notice and takedown framework.
Process and Public Resources to Protect Fundamental Rights
A second set of problems for free expression arise from the way the GDPR instructs courts and regulators to handle disputes involving both privacy and free expression rights. At every step of the way, the person asserting a privacy right has government support and a clear avenue to enforce her rights. The person asserting a free expression right does not. The GDPR’s provisions for DPA and court enforcement replicate many of the problems of the notice and takedown process: responsibility for defending or assessing free expression rights rests with entities that lack the information or incentives to reach a fair outcome, while people who do have information and incentives to defend their expression are excluded from the process.
In brief overview, what happens is this. When an intermediary does not comply with a Right to Be Forgotten removal request, the requester can take her grievance to the regional or national Data Protection Agency. The DPA then adjudicates the matter as a two-party dispute between the data subject and the intermediary, under strict rules of confidentiality. The person whose free expression rights are at stake is absent from the process. Defense of her rights lies in the hands of an intermediary that likely doesn’t know the facts of the underlying dispute, and has little incentive to risk antagonizing an important regulator.
This institutional imbalance – the person asserting a data protection right has a presumptive ally and audience in the DPA, the person asserting a free expression right has neither – is compounded by the basic mission and function of most DPAs. Their legal mandate is to “protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.” (Comm. Art 46). They are staffed by privacy professionals, well-versed in their field but not necessarily expert in free expression law, or in relevant Internet law. This is not to say that DPAs will always shortchange free expression – in many cases, including the Right to Be Forgotten removals criteria put forward by the Article 29 Working Party, they very thoughtfully balance competing rights. That said, DPAs are in most cases bodies of privacy professionals whose job is to regulate the processing of personal data. Absent a far stronger legal mandate for them to balance privacy with free expression, and without robust inclusion of internal free expression experts as part of the Agencies themselves, it is not reasonable to expect DPAs to be equally attuned to both sets of rights – particularly when the person asserting a privacy right is before them, while the person who might claim a free expression right is nowhere to be seen.
Under pre-GDPR data protection law, regulatory review of such a claim would typically end with the DPA, at which point either party (the data subject or the intermediary) could move the dispute to national court. The GDPR changes this by adding another potential level of review within the privacy regulation system, under the new pan-European Data Protection Board. (EDPB) The EDPB will review cases and issue opinions to harmonize differences between national DPAs – differences which, in the free expression context, may easily arise from divergent Member State law. The EDPB’s conclusions do not appear to be reviewable by Member State courts. Its binding opinions can seemingly be reviewed only by the CJEU. (Council Recital 113) Since the CJEU does not accept amicus or intervener briefs, the online speaker or publisher has no say in that level of review, either.
By contrast to this robust system for review and enforcement for privacy rights, the legal avenues available to a publisher or online speaker asserting free expression rights are scant. No publicly funded, legally powerful “Free Expression Agency” has a mandate to protect her rights; no “General Free Expression Regulation” lays out detailed enforcement mechanisms. In most cases, her only recourse is to courts of law, where she can attempt to sue either the intermediary or the data subject who requested removal. Neither claim is likely to succeed – most countries have no clear cause of action against an individual whose false accusation led an intermediary to remove content, or against the intermediary for taking that accusation at face value. For publishers, speakers, and Internet users deprived of access to information under the GDPR, no clear remedy exists.
Privacy and free expression are in principle equally important rights, protected proportionally under EU law. Nonetheless, the GDPR tilts the playing field powerfully in favor of privacy rights – and incentivizes widespread deletion of online expression even in cases where no privacy or data protection right is really infringed. Fixing these problems the GDPR’s text at this late date is probably impossible. Protection of free expression will fall to Member State lawmakers and privacy regulators, as they interpret and implement the law. The best hope for more balanced protections lies in their hands.
 “The laws of three countries (*Croatia, *Czech Republic and *Spain) provide no media derogation at all from any part of the data protection scheme.” Erdos at 11.
 Respect for the rights of online speakers and publishers permeates most practical assessments of the “Right to Be Forgotten” – including the Article 29 Working Party’s. The GDPR should ensure that close legalistic readings do not abandon this concern.
 Or to court, but that is less common.
 There is an interesting question about what happens if an intermediary has accepted the Article 29 Working Party’s authorization to contact the affected speaker in particularly difficult removal cases. Can that person then be included in any subsequent procedure before a DPA?
 The GDPR does interestingly provide that “each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a [DPA] concerning them.” (Art. 74, see also Council R 113). Possibly this opens the door for an affected speaker to get into court once a DPA has already ruled against her, even though the “legally binding decision” is not against her personally but against an intermediary.