The General Data Protection Regulation — a once-in-a-generation overhaul of Europe’s data protection laws — has landed, after a grueling four years of negotiations.
But even among experts, no one’s quite sure what it means. A particular source of confusion is the “right to be forgotten” provision, which expands a right recognized by the European Court of Justice in its 2014 Google Spain ruling.
The new provision looks like bad news for free expression and information access online. But it is open — very open — to better interpretation. The EU’s data protection regulators can and should speak up now to tell Internet companies that there are reasonable interpretations of the new law — and that they can stand up for their users’ online expression without risking crippling fines. If they don’t, the new “right to be forgotten” regulation risks becoming a powerful instrument that individuals and companies can use to suppress far more information than GDPR drafters ever intended.
The new law does one very good thing for Internet users: It creates a swift process to erase the data that Internet companies collect and store internally for use in profiling, targeted advertising and the like. The downside is that this streamlinedprocess can be used to erase content put online by Internet users — whether or not that content actually violates anyone else’s rights.
That’s a problem. It is already far too easy for individuals or companies to raise dubious legal claims against content they disagree with, and pressure private Internet platforms to take it down.
I advised Google on its responses to legal removal requests for many years, and can attest to the volume of false accusations made, through ignorance or malice, against legitimate online expression.
Data released by Google and Bing tells us this pattern is strong under the current right to be forgotten law — at least half of removal requests are invalid. Some established companies may spend time and money weeding out these bogus removal demands, but study after study shows that, overall, false accusations often succeed. For many Internet platforms, especially the small and those without lawyers, the easiest response to such requests is “if in doubt, take it down.”
The GDPR will make deleting online content even easier. Its right to be forgotten section nominally protects legitimate expression, but it also introduces disturbing rules that, in practice, will undermine that protection.
For example, companies are supposed to take user content down immediately upon request, and review the legal allegation later. In most cases, the accused speaker is never told why the online expression disappeared, or given any chance to defend it. And a company that gambles on disputing a removal request and leaves challenged content online risks staggering fines — up to €20 million or 4 percent of annual global turnover, whichever is more. A platform that simply erases users’ content on demand risks nothing. This is a formula for excessive deletion.
Read the full piece at Politico.