<div dir="ltr">I think there's a valid question here about statutory construction. What is the meaning of CJEU precedent after subsequent change in the Directive or Regulation language upon which a ruling relied? This seems to be a pretty tough question under EU law, based on the conversations I've had asking EU lawyers about it. No matter what the answer, though, the GDPR still changes the equation for information and expression rights on the Internet.<div><br></div><div>I would love to talk to anyone on this list who is engaged on this issue and/or knows how this statutory construction question should play out. Below is my take. <br><div><br></div><div>Basically, the CJEU created a special removal obligation that by its terms applied only to search engines. It left unanswered whether some analogous duty exists for other kinds of controllers. (And it of course didn't address whether hosts like FB or Twitter or YT are controllers.) But clearly other controllers' duty could not be identical, for the reasons your colleague identified; and because the court was clear that underlying website operators, who presumably are controllers, do not have to remove the same things Google does; and because the remedy of removing things from certain search results but still showing them for others doesn't make sense for controllers who do not operate search indexes.</div><div><br></div><div>The GDPR now creates an obligation that is called "Right to Be Forgotten" in most drafts, roughly tracks the logic and removal standards of Costeja, and applies by its terms to all controllers. It spells out very specific steps, including removal timelines and a phase called "restriction" where the controller must temporarily restrict public access to the content, pending assessment of the data subject's objection. Its operative verb is "erase," and nowhere does the GDPR suggest that "erase" means "remove from search results for specific query terms, but keep showing for other queries." Of course, the CJEU was also drawing on the word "erase" in the 1995 Directive in telling Google to do that kind of search result removal.</div><div><br></div><div>Putting those two things together, does this mean:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div>a) The GDPR means what its plain text says - the defined "Right to Be Forgotten" obligation applies to all controllers, including Google web search, and everyone has to follow its steps and perform erasures in the manner it describes. (FWIW that's what <a href="http://www.v3.co.uk/v3-uk/opinion/2438786/right-to-be-forgotten-could-soon-become-more-than-a-google-problem">this</a> data protection lawyer thinks.)</div><div><br></div></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div>b) The GDPR means what it says for other controllers. But search engines can still remove just for certain queries, per Costeja. That's because the interpretation of "erase" and the implicit balancing of rights underlying the Costeja remedy still apply to search engines. </div></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><br></div><div>c) The GDPR is redefining an obligation that we know, from Costeja, applies only to search engines. Other controllers can safely ignore the detailed obligations that, per plain Regulation language, appear to apply to all controllers. Google and Bing need to change their removals to follow GDPR rules, though. Among other things that means that all RTBF requests are honored immediately, but content can be reinstated if the request is later determined to be invalid (as 50% or more are, for both companies). The companies can still just remove only certain search results, per Costeja, because it interpreted the word "erase" and the same interpretation still applies.</div><div><br></div><div>d) The GDPR is only for search engines, as in option (c), but erase means <i>erase</i>. No more per-query search result removals.</div></blockquote><div><br></div><div>I suppose (c) is better for the Internet, so I should want to endorse it. But that's not how courts interpret statutory language in laws that supersede prior court rulings, in legal systems I'm familiar with. It also is meaningfully worse than Costeja in terms of the burden on expression and information rights of Internet users. Still, if there is a good argument for (c) -- or something better than (c) -- I want to understand it, and I hope lots of great lawyers will advance it aggressively in the next 2 years as lawmakers hammer out interpretation of the GDPR. I fear we all need to be worrying about (a) and (b) quite a bit, though. </div><div><br></div><div>Thanks,</div><div>Daphne </div><div> </div><div><br><div><br></div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 11, 2015 at 4:18 AM, kyungsinpark <span dir="ltr"><<a href="mailto:kyungsinpark@korea.ac.kr" target="_blank">kyungsinpark@korea.ac.kr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We at Open Net are having an internal discussion on the matter that has been prolonged a bit. One of our directors believes that the Google Spain decision is narrowly based on the fact that Google crawls the Web with various search words beforehand and maintains an index of those search words to the previously retrieved html files, which constitutes a veritable database of the web's contents, and that the decision is not expected to be applied to an intermediary that merely hosts contents without such pre-created index (even if those contents will be subject to search by an internal search engine). So, he believes that 17a is probably not meant to apply to a content host but only to Google that keeps such index. What do you make of this?<br>
<br>
I know that the language does not make distinction between web hoster and search engine but I don't know any case where originals are removed upon a data protection basis. I know of Manni case pending at ECJ that deals with removal of originals but there the data are clearly kept in the form of a data base, so even if it is decided in favor of removal, my colleague's position is left untouched.<br>
<span class="im HOEnZb"><br>
<br>
-----Original Message-----<br>
From: <a href="mailto:liability-bounces@cis-india.org">liability-bounces@cis-india.org</a> [mailto:<a href="mailto:liability-bounces@cis-india.org">liability-bounces@cis-india.org</a>] On Behalf Of Jeremy Malcolm<br>
Sent: Saturday, November 21, 2015 5:48 AM<br>
To: manilaprinciples <<a href="mailto:manilaprinciples@eff.org">manilaprinciples@eff.org</a>><br>
Cc: <a href="mailto:liability@cis-india.org">liability@cis-india.org</a><br>
</span><div class="HOEnZb"><div class="h5">Subject: [Liability] Concerns with GDPR over risk of censorship and conflict with Manila Principles<br>
<br>
Dear Manila Principles supporters,<br>
<br>
EFF has just published a blog post expressing our concerns with the incompatibility of the current drafts of the EU General Data Protection Regulation (GDPR) with the Manila Principles:<br>
<br>
<a href="https://www.eff.org/deeplinks/2015/11/unintended-consequences-european-style-how-new-eu-data-protection-regulation-will" rel="noreferrer" target="_blank">https://www.eff.org/deeplinks/2015/11/unintended-consequences-european-style-how-new-eu-data-protection-regulation-will</a><br>
<br>
In summary, our view is that the provisions which require restriction and erasure of personal information supplied to Internet platforms by third parties, would place too much responsibility on intermediaries with too little due process, and that they fail to adequately consider the freedom of expression interests of content providers. This could lead to "DMCA-like" censorship of information, using personal data protection as a pretext.<br>
<br>
The above post links to a short paper commenting from EFF and ARTICLE 19 that we are circulating to policymakers. If you organisation shares our concerns and would also like to endorse that paper, please let either of us know and we will add your name to the paper when it is circulated.<br>
As time is short, we would ask that you provide your endorsement within<br>
72 hours if possible, or if not, let us know how much time you will need.<br>
<br>
Thanks.<br>
<br>
--<br>
Jeremy Malcolm<br>
Senior Global Policy Analyst<br>
Electronic Frontier Foundation<br>
<a href="https://eff.org" rel="noreferrer" target="_blank">https://eff.org</a><br>
<a href="mailto:jmalcolm@eff.org">jmalcolm@eff.org</a><br>
<br>
Tel: <a href="tel:415.436.9333%20ext%20161" value="+14154369333">415.436.9333 ext 161</a><br>
<br>
:: Defending Your Rights in the Digital World ::<br>
<br>
Public key: <a href="https://www.eff.org/files/2014/10/09/key_jmalcolm.txt" rel="noreferrer" target="_blank">https://www.eff.org/files/2014/10/09/key_jmalcolm.txt</a><br>
PGP fingerprint: FF13 C2E9 F9C3 DF54 7C4F EAC1 F675 AAE2 D2AB 2220 OTR fingerprint: 26EE FD85 3740 8228 9460 49A8 536F BCD2 536F A5BD<br>
<br>
Learn how to encrypt your email with the Email Self Defense guide:<br>
<a href="https://emailselfdefense.fsf.org/en" rel="noreferrer" target="_blank">https://emailselfdefense.fsf.org/en</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
ManilaPrinciples mailing list<br>
<a href="mailto:ManilaPrinciples@eff.org">ManilaPrinciples@eff.org</a><br>
<a href="https://lists.eff.org/mailman/listinfo/manilaprinciples" rel="noreferrer" target="_blank">https://lists.eff.org/mailman/listinfo/manilaprinciples</a></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div><div>Daphne Keller<br></div>Director, Intermediary Liability<br></div>Center for Internet and Society<br></div>Stanford Law School<br></div></div>
</div>