These comments address the issue of transparency under the GDPR, as that topic arises in the context of Internet intermediaries and the “Right to Be Forgotten.” CIS Intermediary Liability Director Daphne Keller filed them in response to a public call for comments from the Article 29 Working Party – the EU-wide umbrella group of data protection regulators established under the 1995 Directive, soon to be succeeded by the European Data Protection Board established under the GDPR.
The comments are based on more detailed analysis of GDPR transparency provisions in Keller’s forthcoming Berkeley Technology Law Journal article, The Right Tools: Europe's Intermediary Liability Laws and the 2016 General Data Protection Regulation.
One set of comments addresses provisions in GDPR Articles 12, 13, and 14. While reasonable as applied to “back-end” data collected and used by intermediaries for purposes such as ad targeting, these provisions may cause real harm if applied to another class of data: expression and information publicly posted by Internet users. Read literally, these articles could require platforms to reveal confidential and personal information about online speakers. They could also lead platforms to improperly disseminate information about data subjects who exercise objection or erasure rights.
The second set of comments relates to public transparency about the processes and rules enforced by Google and other platforms in honoring “Right to Be Forgotten” requests. With support from the Working Party or Board, researchers’ understanding of these processes could be improved. Thoughtful and narrowly tailored transparency provisions, developed through consultations with experts on all sides of the issue, would support fundamental rights and the fairness and accountability principles of the GDPR.