[Manila Principles] [Liability] Concerns with GDPR over risk of censorship and conflict with Manila Principles

Daphne Keller daphnek at law.stanford.edu
Fri Dec 11 07:37:15 PST 2015

I think there's a valid question here about statutory construction.  What
is the meaning of CJEU precedent after subsequent change in the Directive
or Regulation language upon which a ruling relied?  This seems to be a
pretty tough question under EU law, based on the conversations I've had
asking EU lawyers about it.  No matter what the answer, though, the GDPR
still changes the equation for information and expression rights on the

I would love to talk to anyone on this list who is engaged on this issue
and/or knows how this statutory construction question should play out.
Below is my take.

Basically, the CJEU created a special removal obligation that by its terms
applied only to search engines.  It left unanswered whether some analogous
duty exists for other kinds of controllers. (And it of course didn't
address whether hosts like FB or Twitter or YT are controllers.)  But
clearly other controllers' duty could not be identical, for the reasons
your colleague identified; and because the court was clear that underlying
website operators, who presumably are controllers, do not have to remove
the same things Google does; and because the remedy of removing things from
certain search results but still showing them for others doesn't make sense
for controllers who do not operate search indexes.

The GDPR now creates an obligation that is called "Right to Be Forgotten"
in most drafts, roughly tracks the logic and removal standards of Costeja,
and applies by its terms to all controllers.  It spells out very specific
 steps, including removal timelines and a phase called "restriction" where
the controller must temporarily restrict public access to the content,
pending assessment of the data subject's objection.  Its operative verb is
"erase," and nowhere does the GDPR suggest that "erase" means "remove from
search results for specific query terms, but keep showing for other
queries."  Of course, the CJEU was also drawing on the word "erase" in the
1995 Directive in telling Google to do that kind of search result removal.

Putting those two things together, does this mean:

a) The GDPR means what its plain text says - the defined "Right to Be
Forgotten" obligation applies to all controllers, including Google web
search, and everyone has to follow its steps and perform erasures in the
manner it describes.  (FWIW that's what this
data protection lawyer thinks.)

b) The GDPR means what it says for other controllers.  But search engines
can still remove just for certain queries, per Costeja.  That's because the
interpretation of "erase" and the implicit balancing of rights underlying
the Costeja remedy still apply to search engines.

c) The GDPR is redefining an obligation that we know, from Costeja, applies
only to search engines.  Other controllers can safely ignore the detailed
obligations that, per plain Regulation language, appear to apply to all
controllers.  Google and Bing need to change their removals to follow GDPR
rules, though.  Among other things that means that all RTBF requests are
honored immediately, but content can be reinstated if the request is later
determined to be invalid (as 50% or more are, for both companies).  The
companies can still just remove only certain search results, per Costeja,
because it interpreted the word "erase" and the same interpretation still

d) The GDPR is only for search engines, as in option (c), but erase means
*erase*.  No more per-query search result removals.

I suppose (c) is better for the Internet, so I should want to endorse it.
But that's not how courts interpret statutory language in laws that
supersede prior court rulings, in legal systems I'm familiar with.  It also
is meaningfully worse than Costeja in terms of the burden on expression and
information rights of Internet users.  Still, if there is a good argument
for (c) -- or something better than (c) -- I want to understand it, and I
hope lots of great lawyers will advance it aggressively in the next 2 years
as lawmakers hammer out interpretation of the GDPR.   I fear we all need to
be worrying about (a) and (b) quite a bit, though.


On Fri, Dec 11, 2015 at 4:18 AM, kyungsinpark <kyungsinpark at korea.ac.kr>

> We at Open Net are having an internal discussion on the matter that has
> been prolonged a bit.  One of our directors believes that the Google Spain
> decision is narrowly based on the fact that Google crawls the Web with
> various search words beforehand and maintains an index of those search
> words to the previously retrieved html files, which constitutes a veritable
> database of the web's contents, and that the decision is not expected to be
> applied to an intermediary that merely hosts contents without such
> pre-created index (even if those contents will be subject to search by an
> internal search engine).  So, he believes that 17a is probably not meant to
> apply to a content host but only to Google that keeps such index.  What do
> you make of this?
> I know that the language does not make distinction between web hoster and
> search engine but I don't know any case where originals are removed upon a
> data protection basis.  I know of Manni case pending at ECJ that deals with
> removal of originals but there the data are clearly kept in the form of a
> data base, so even if it is decided in favor of removal, my colleague's
> position is left untouched.
> -----Original Message-----
> From: liability-bounces at cis-india.org [mailto:
> liability-bounces at cis-india.org] On Behalf Of Jeremy Malcolm
> Sent: Saturday, November 21, 2015 5:48 AM
> To: manilaprinciples <manilaprinciples at eff.org>
> Cc: liability at cis-india.org
> Subject: [Liability] Concerns with GDPR over risk of censorship and
> conflict with Manila Principles
> Dear Manila Principles supporters,
> EFF has just published a blog post expressing our concerns with the
> incompatibility of the current drafts of the EU General Data Protection
> Regulation (GDPR) with the Manila Principles:
> https://www.eff.org/deeplinks/2015/11/unintended-consequences-european-style-how-new-eu-data-protection-regulation-will
> In summary, our view is that the provisions which require restriction and
> erasure of personal information supplied to Internet platforms by third
> parties, would place too much responsibility on intermediaries with too
> little due process, and that they fail to adequately consider the freedom
> of expression interests of content providers.  This could lead to
> "DMCA-like" censorship of information, using personal data protection as a
> pretext.
> The above post links to a short paper commenting from EFF and ARTICLE 19
> that we are circulating to policymakers.  If you organisation shares our
> concerns and would also like to endorse that paper, please let either of us
> know and we will add your name to the paper when it is circulated.
> As time is short, we would ask that you provide your endorsement within
> 72 hours if possible, or if not, let us know how much time you will need.
> Thanks.
> --
> Jeremy Malcolm
> Senior Global Policy Analyst
> Electronic Frontier Foundation
> https://eff.org
> jmalcolm at eff.org
> Tel: 415.436.9333 ext 161
> :: Defending Your Rights in the Digital World ::
> Public key: https://www.eff.org/files/2014/10/09/key_jmalcolm.txt
> PGP fingerprint: FF13 C2E9 F9C3 DF54 7C4F EAC1 F675 AAE2 D2AB 2220 OTR
> fingerprint: 26EE FD85 3740 8228 9460 49A8 536F BCD2 536F A5BD
> Learn how to encrypt your email with the Email Self Defense guide:
> https://emailselfdefense.fsf.org/en
> _______________________________________________
> ManilaPrinciples mailing list
> ManilaPrinciples at eff.org
> https://lists.eff.org/mailman/listinfo/manilaprinciples

Daphne Keller
Director, Intermediary Liability
Center for Internet and Society
Stanford Law School
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/manilaprinciples/attachments/20151211/fa59f2aa/attachment-0001.html>

More information about the ManilaPrinciples mailing list