How The EU's Proposed New 'Privacy' Rules Will Be A Tool For Massive Censorship
from the takedown-takedown-takedown dept
We recently wrote about some concerns about the new Data Protection Directive that is being set up in Europe. The law is driven by people with good intentions: looking to better protect the privacy of European citizens. Privacy protection is an important concept -- but the current plans appear to be so focused on privacy protection that it gives very little regard for the unintended consequences of the way it's been set up. As we wrote in our last post, Daphne Keller at Stanford's Center for Internet and Society is writing a series of blog posts raising concerns about how the new rules clash with basic concepts of free speech. She's now written one about the immensely troubling setup of the "notice and takedown" rules included in the General Data Protection Regulation (GDPR). For years, we've been concerned by problematic notice and takedown procedures -- we've seen the DMCA frequently abused to stifle speech, rather than for genuine copyright challenges. But, for some reason, people often immediately leap to "notice and takedown solutions" for any kind of content they don't like, they and the drafters of the GDPR are no different.Except, it's worse. Because whoever drafted the notice-and-takedown portion of the GDPR actually made the process worse than the notice and takedown rules found elsewhere. Here's the GDPR process, as explained by Keller:
- An individual submits a removal request, and perhaps communicates further with the intermediary to clarify what she is asking for.
- In most cases, prior to assessing the request’s legal validity, the intermediary temporarily suspends or “restricts” the content so it is no longer publicly available.
- The intermediary reviews the legal claim made by the requester to decide if it is valid. For difficult questions, the intermediary may be allowed to consult with the user who posted the content.
- For valid claims, the intermediary proceeds to fully erase the content. (Or probably, in the case of search engines, de-link it following guidelines of the Costeja “Right to Be Forgotten” ruling.) For invalid claims, the intermediary is supposed to bring the content out of “restriction” and reinstate it to public view -- though it’s not clear what happens if it doesn’t bother to do so.
- The intermediary informs the requester of the outcome, and communicates the removal request to any “downstream” recipients who got the same data from the controller.
- If the intermediary has additional contact details or identifying information about the user who posted the now-removed content, it may have to disclose them to the individual who asked for the removal, subject to possible but unclearly drafted exceptions. (Council draft, Art. 14a)
- In most cases, the accused publisher receives no notice that her content has been removed, and no opportunity to object. The GDPR text does not spell out this prohibition, but does nothing to change the legal basis for the Article 29 Working Party’s conclusions on this point.
Once again, it seems like regulators focus solely on solving for the "worst case" scenario, with little thought towards how that will be applied in much more common cases, and what that means for free speech and society.
And that's not all that's dangerous about the current rules. They also deal a huge blow to anonymous speech and privacy:
A second glaring problem with the GDPR process is its requirement that companies disclose the identity of the person who posted the content, without any specified legal process or protection. This is completely out of line with existing intermediary liability laws. Some have provisions for disclosing user identity, but not without a prescribed legal process, and not as a tool available to anyone who merely alleges that an online speaker has violated the law. It’s also out of line with the general pro-privacy goals of the GDPR, and its specific articles governing disclosure of anyone’s personal information -- including that of people who put content on the Internet.Yes, that's right. In an effort to protect privacy, the drafters are so focused on a single scenario, that they don't consider how the process will be abused to weaken the privacy rights of others. Want to know who said something anonymously that you don't like? File a privacy complaint and the service provider is just supposed to cough up their name. Again, given how often we've seen bogus defamation claims made solely for the purpose of trying to identify those who speak anonymously, this is a major concern.
There are ways to create a better process for the removal of truly illegal information, but the GDPR simply wipes most of those away in the interest of expediency in trying to prevent a worst case scenario. And the end result may be an even worse situation, in which free speech and privacy rights are broadly wiped away from many by handing a powerful censorship tool, with privacy-destroying elements, to anyone who wants to go after someone else's speech. I've long been in favor of using "notice and notice" type systems that allow whoever posted content to protest before content is taken down, but even if they're going with a notice and takedown system, there are much better ways to implement ones that at least include some semblance of due process. In addition, there should be strong penalties for those who abuse these notice and takedown procedures.
As Keller writes:
Notice and takedown laws also exist to protect people who are harmed by online content. But protecting those people does not require laws to prioritize removal with little concern for the rights of online speakers and publishers. A good notice and takedown process can help people with legitimate grievances while incorporating procedural checks to avoid disproportionate impact on expression and information rights. Valuable information that would be gone under existing laws but for these checks -- importantly including transparency about what content has been removed -- spans religious, political, and scientific content, along with consumer reviews. Crafting the law to better protect this kind of content from improper removal is both important and possible.It would be nice to see the drafters of the GDPR at least recognize the harm they may be about to cause.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anonymous speech, data protection, eu, free speech, gdpr, notice and takedown, privacy, safe harbors
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Yes. It's called a court order.
How does that fix the privacy issue? You still have to identify yourself in your notice, and if you don't provide notice your content is still taken down.
[ link to this | view in thread ]
Response to: Anonymous Coward on Oct 29th, 2015 @ 11:09am
[ link to this | view in thread ]
Re:
This would be a more functional, fair system.
[ link to this | view in thread ]
Free Speech
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
The problem with any system is expecting content hosting companies to employ people to read and evaluate every notice. While that is viable for a few notices a week, or even ad day, it becomes very expensive when it becomes hundreds or thousands of notices an hour. Most people do not get the scale issues of the Internet, and while politicians should have an inkling of it from dealing with their electorate, they still under estimate the problem by many orders of magnitude.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: new version
But every politician we elect has a vested interest in keeping things mostly the way they are. They would only nibble around the edges. And with more law being tied and twisted by international obligations, about the only way to change the system would be to have the Martian Ice Warriors attack. And how likely is that?
[ link to this | view in thread ]