The Current Law on Intermediary Liability in Light of the EU GDPR

Even before opening a newspaper, you know that you can expect to see the following on the front page; inappropriate behaviour of politicians, Brexit and the stock value of Tesla. Undoubtedly, these are of importance to at least some of us. Thus, why do we sweep a topic that affects everyone under the carpet?

Are we using the right tools for the protection of online speech?

The intermediary liability for the actions of third parties is a question of fundamental rights for anyone participating on the internet. It concerns the culpability of internet providers such as Facebook and Google. We have been continuously hearing about the impacts of the GDPR on the storage of data. Unsolicited emails requesting that we agree to the new terms of use has flooded everyone’s inbox.

What is not being discussed is the impact of this Regulation on the freedom of expression. Consider the following scenario. Person A posts something on Facebook about you which you do not like. You then decide to notify Facebook and ask for its removal. In doing so, you are exercising your right to data protection and privacy. However, this action simultaneously affects A’s freedom of expression and the right of users to seek and access information. It goes on to affect Facebook’s right to conduct business. This results in Facebook immediately responding to any more substantive notice by quickly removing posts without questioning the legality of their contents first.

Putting the aforementioned fundamental rights on a hypothetical scale, and it noticeably favours privacy. It is debatable what the right balance is. However, most academics agree that we do not talk about balance regarding equality. Rather we discuss tipping the scale to different sides based on individual scenarios. This can be illustrated by looking at two different illegalities that we encounter on the internet. In the previous case of a Facebook post, we most commonly talk about defamation, where the consequential harm is the damage of reputation and the unreasonableness of limiting the freedom of speech. However, in some cases, we talk about offences such as incitement to terrorism, where the harm is more severe and thus justifiable to prioritise security over the freedom of speech.

What has the GDPR done?

The system introduced by the GDPR that is causing over-removal of content is the Notice-and-Takedown procedure. The first mention of this procedure dates to the early 2000s. At the time, the Electronic Commerce Directive stated that there should not be a Notice-and-Takedown obligation imposed on intermediaries unless there is a substantial breach of law and it is known to the intermediary without systematic monitoring. GDPR, in contrast, brings the concept to life.

On the one hand, due to the always developing role of the internet, we can say that intermediaries should hold greater responsibility. Doing so allows the internet to fulfill its potential of being a platform for democratic participation. Nonetheless, imposing any rules on for-profit organization must be done meticulously to prevent the companies from ‘playing it safe’ and over-removing legal content. Surprisingly, this is precisely what the GDPR did not get right.

Where are we now?

In short, the Notice-and-Takedown system creates uncertainty amongst companies as well as academics about to whom this obligation applies. Add the threat of hefty fines, which adversely impact the profits and the reputation of these firms; and you have a recipe for disaster. The new regime under the GDPR has the potential of infringing upon the fundamental rights of everyone, regardless of whether they are a reader or a writer. Since the enforcement of the Regulation, Google has noted cases of officials trying to remove their criminal records as well as financial professionals trying to delete information about defrauding clients.

The EU has tried to answer the question of intermediary liability through a system that does not support the ‘fair balance’ approach, despite being the preferred approach by the European Court before the GDPR came to be. Profits and convenient over-removal are increasingly oppressing free speech. All of this happens with no transparency and opportunity for public review. Therefore, the question remains, who is going to protect our all-important online freedom of expression?