THE RIGHT TOOLS: EUROPE’S INTERMEDIARY LIABILITY LAWS AND THE EU 2016 GENERAL DATA PROTECTION REGULATION Daphne Keller† ABSTRACT The European Union’s (EU) General Data Protection Regulation (GDPR) makes important changes to the “Right to Be Forgotten” established by the Court of Justice of the European Union’s landmark 2014 Google Spain ruling. The GDPR introduces new notice-and- takedown rules for “Right to Be Forgotten” requests that will make deliberate or accidental over-removal of online information far too likely. The new rules give private Internet platforms powerful incentives to erase or delist user-generated content—whether or not that content, or the intermediaries’ processing of the content, actually violates the law. These problems could be mitigated, without threatening the important privacy protections established by the GDPR, through procedural checks and balances in the platforms’ removal operations. This Article details the problematic GDPR provisions, examines the convergence of European data protection and intermediary liability law, and proposes ways that the EU’s own intermediary liability laws can restore balanced protections for privacy and information rights. The Article focuses on the motivations and likely real-world behavior of online platforms. It includes close examinations of: x Whether and how the “Right to Be Forgotten” may apply to user-generated content hosts like Twitter or Facebook; x Free expression provisions in the GDPR; x The GDPR’s extraterritorial reach and consequences for companies outside the EU; x Doctrinal tensions between the EU’s intermediary liability law under the eCommerce Directive and the EU’s data protection law under the 1995 Data Protection Directive and the new GDPR; and x Human rights and fundamental rights laws governing online notice-and-takedown operations. DOI: https://doi.org/10.15779/Z38639K53J © 2018 Daphne Keller. † Daphne Keller is the Director of Intermediary Liability at Stanford Law School’s Center for Internet and Society. She was previously Associate General Counsel for Intermediary Liability at Google. In that role, she worked closely with the independent Advisory Council convened by Google to advise the company on its RTBF obligations and had the opportunity to listen to and speak with many of Europe’s leading thinkers on data protection. She would like to thank the many people who lent their time and expertise to strengthen the Article, including John Bowman, Neal Cohen, David Erdos, Peter Fleischer, Al Gidari, Jennifer Granick, Jim Greer, Joris van Hoboken, Chris Kuner, Harjinder Obhi, Miquel Peguera, and Michel José Reymond. Mistakes are hers and not theirs. 288 BERKELEY TECHNOLOGY LAW JOURNAL [Vol. 33:287 TABLE OF CONTENTS I. INTRODUCTION ............................................................................. 289 A. ISSUE OVERVIEW ....................................................................................... 290 B. USING THIS ARTICLE AS A TOOLKIT ...................................................... 293 II. CONVERGENCE OF LEGAL FRAMEWORKS .............................. 294 A. INTERMEDIARY LIABILITY HISTORY AND LAW ................................... 294 B. DATA PROTECTION HISTORY AND LAW .............................................. 305 C. DATA PROTECTION AND ONLINE SERVICE PROVIDERS .................. 308 D. THE GOOGLE SPAIN RULING .................................................................. 312 E. THE 2016 GENERAL DATA PROTECTION REGULATION ................... 317 III. THREATS TO INTERNET USERS’ RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION ........................ 319 A. UNCLEAR RULES AND ONE-SIDED INCENTIVES ................................ 320 B. RIGHT TO BE FORGOTTEN OBLIGATIONS FOR HOSTS AND SOCIAL MEDIA............................................................................................ 322 C. NOTICE-AND-TAKEDOWN PROCESS ..................................................... 327 1. Removal Requests ............................................................................... 329 2. Temporarily “Restricting” Content ...................................................... 330 3. Permanently “Erasing” Content .......................................................... 332 4. Transparency ....................................................................................... 335 D. FREE EXPRESSION AND INFORMATION PROTECTIONS ..................... 341 1. Express General Data Protection Regulation Provisions ...................... 341 2. Enforcement Processes ......................................................................... 343 E. JURISDICTION ............................................................................................. 347 1. Prescriptive Jurisdiction: Who Must Comply? ...................................... 348 2. Territorial Scope of Compliance: Must OSPs Erase Content Globally? ............................................................................................ 349 IV. RELATION TO NOTICE-AND-TAKEDOWN RULES OF THE ECOMMERCE DIRECTIVE .................................................. 351 A. PROCEDURAL PROTECTIONS FOR INFORMATION RIGHTS UNDER THE ECOMMERCE DIRECTIVE .................................................. 351 B. APPLICABILITY OF THE ECOMMERCE DIRECTIVE TO RTBF REMOVALS ................................................................................................... 354 1. Conceptual Tensions Between Intermediary Liability and Data Protection ............................................................................................ 354 2. Confusing Language in the Governing Instruments .............................. 356 3. Reconciling the eCommerce Directive and Data Protection Law ........... 358 V. SOLUTIONS ...................................................................................... 361 A. RULES FROM THE ECOMMERCE DIRECTIVE SHOULD GOVERN NOTICE-AND-TAKEDOWN UNDER THE GDPR ................ 361 2018] INTERMEDIARY LIABILITY AND THE GDPR 289 B. IF GDPR RULES APPLY TO NOTICE-AND-TAKEDOWN, THEY SHOULD BE INTERPRETED TO MAXIMIZE PROCEDURAL FAIRNESS ........................................................................... 362 C. HOSTS SHOULD NOT BE SUBJECT TO RTBF OBLIGATIONS............. 362 D. DPAS SHOULD NOT ASSESS FINANCIAL PENALTIES AGAINST OSPS THAT REJECT RTBF REQUESTS IN GOOD FAITH ........................................................................................................... 363 E. EU MEMBER STATE LAW AND REGULATORY GUIDANCE SHOULD ROBUSTLY PROTECT FREEDOM OF EXPRESSION IN RTBF CASES ............................................................................................... 363 F. JURISDICTIONAL RULES SHOULD RESPECT NATIONAL LEGAL DIFFERENCES ................................................................................ 363 VI. CONCLUSION .................................................................................. 364 I. INTRODUCTION Internet technologies have vastly expanded access to information and opportunities for free expression around the world. At the same time, they have posed unprecedented threats to individual privacy. These two developments—and the underlying human rights affected by them—came into conflict with the Court of Justice of the European Union’s (CJEU) Google Spain ruling, which established the doctrine popularly called the “Right to Be Forgotten” (RTBF). Google Spain also surfaced tensions between two strikingly different areas of law, both of which shape Internet users’ rights online. The first area of law, intermediary liability, focuses on the legal responsibility that Online Service Providers (OSPs) have for their users’ speech. It is a key source of protection for individual expression and information rights on the Internet. The second, data protection, focuses on information about individual people. It gives them legal rights to limit the ever-proliferating uses of their personal data, both online and off. Both sets of laws protect fundamental rights and preserve Internet services as, in the words of the European Court of Human Rights (ECHR), “essential tools for participation” in contemporary society and public life.1 But these laws do so through profoundly different legal frameworks. Tensions between intermediary liability and data protection persist in the EU’s major new data protection law—the General Data Protection Regulation (GDPR). In provisions that have gone largely unexamined, the GDPR subtly reshapes the RTBF. This Article examines troubling consequences of these 1. Yildirim v. Turkey, App. No. 3111/10, Eur. Ct. H.R. ¶ 54 (2012), http://hudoc.echr.coe.int/fre?i=001-115705 [https://perma.cc/E6AW-KBDL]. 290 BERKELEY TECHNOLOGY LAW JOURNAL [Vol. 33:287 new provisions and suggests tools of European law that can be used to better balance the rights affected. A. ISSUE OVERVIEW Data protection and intermediary liability laws came together with a bang when the CJEU endorsed a so-called “Right to Be Forgotten” under EU data protection law. In Google Spain, the CJEU ruled that Google must honor a claimant’s request to exclude certain search results when users search for the claimant’s name.2 The right that the court established, which might more accurately be termed a right to “delist” information from search engines, was not absolute. The claimant’s rights had to be balanced against those of other people, including other Internet users looking for information online.3 Rather than have European courts strike this balance on a case-by-case basis, the CJEU placed de facto adjudication power
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages78 Page
-
File Size-