The Right Tools: Europe’s Intermediary Liability Laws and the 2016 General Data Protection Regulation
The so-called “Right to Be Forgotten” established by the Court of Justice of the European Union in 2014 is about to change. The EU’s General Data Protection Regulation (GDPR), which goes into effect in 2018, introduces new notice-and-takedown rules for online information targeted by “Right to Be Forgotten” erasure requests. As drafted, the new rules make deliberate or accidental over-removal of online information far too likely. They give private Internet platforms powerful incentives to erase or de-list user-generated content – whether or not that content, or the intermediaries’ processing of the content, actually violates the law. They also create new data disclosure obligations that undermine privacy and Data Protection rights for people who post content online. These problems could be mitigated, without threatening the important privacy protections established by the GDPR, through procedural checks and balances in the platforms’ removal operations.
This article details the problematic GDPR provisions, examines the convergence of European Data Protection and Intermediary Liability Law, and proposes ways that the EU’s own Intermediary Liability laws can restore balanced protections for privacy and information rights. Throughout, it focuses on the motivations and likely real-world behavior of online platforms, drawing on the author’s extensive experience as Google’s Associate General Counsel for Intermediary Liability and as Intermediary Liability Director at Stanford Law School’s Center for Internet and Society. It includes close examinations of
- Whether and how the “Right to Be Forgotten” may apply to user-generated content hosts like Twitter or Facebook;
- Free expression provisions in the GDPR;
- The GDPR’s extraterritorial reach and consequences for companies outside the EU;
- Doctrinal tensions between the EU’s Intermediary Liability law under the eCommerce Directive, and its Data Protection law under the 1995 Data Protection Directive and the new GDPR; and
- Human rights and fundamental rights laws governing online notice and takedown operations.