'The General Shape of EU Internet Regulation After Google Spain': David Erdos
Duration: 15 mins 47 secs
Share this media item:
Embed this media item:
Embed this media item:
About this item
| Description: |
Dr David Erdos, University of Cambridge delivers the first lecture from the "The General Shape of EU Internet Regulation After Google Spain" section of the "EU Internet Regulation After Google Spain" conference.
This conference was held at the Faculty of Law, University of Cambridge on 27 March 2015, and brought together leading experts on Data Protection and Privacy from around the World. The conference was held with the support of the Centre for European Legal Studies (CELS). This entry provides an audio source for iTunes U. |
|---|
| Created: | 2015-04-15 10:36 |
|---|---|
| Collection: | EU Internet Regulation After Google Spain: Conference 2015 MOVED |
| Publisher: | University of Cambridge |
| Copyright: | David Erdos, Mr D.J. Bates |
| Language: | eng (English) |
Transcript
Transcript:
I'm going to make three claims about this judgment, which is ostensibly only about generalized search engines, and the internet ecosystem as a whole. In some ways, I'm following on from Orla’s excellent presentation this morning in some of these claims. Hopefully there will also be some differences and a difference of emphasis as well.
So the first claim is that Google Spain in fact largely solidifies, or at least the fallout from Google Spain in terms of how to DPA's have responded to it, solidifies the dominant data protection paradigm. A paradigm which is dominant legally and even more so is dominant amongst data protection authorities. And that paradigm has serious implications, not just for the generalized search engines, but for almost every type of internet actor. You might say, "well how can that be?" in the sense that Google Spain was seen as so novel and so distinctive and in a way so narrowly cast on one particular actor. Well I think it's because there's a huge gap between legal interpretation, the interpretive stance including of data protection regulators, and enforcement. Enforcement has been extremely limited and sporadic. So extremely limited and sporadic that much of the Internet community until the Google Spain decision was virtually unaware any of these things in principle could apply.
So what is this paradigm I’m talking about? Well it’s composed of four key pillars I think, some of which map onto Orla’s various elucidations. The first pillar is that not much is excluded on the Internet from data protection and that has two elements to it. The key terms of the Directive have an extremely broad scope. We know this right back from the Lindqvist case, where simply referring on an internet page to working conditions or hobbies of an identifiable person was processing of personal information. It didn't matter that it was an unstructured page. It didn't matter that the information was relatively trivial. Fast forward to Satamedia and the claim there was "oh but there must be some kind of public domain exception", at least if the material has already been published in the media, surely there is some kind of exemption for media published material. And the Court said: Absolutely not. Personal information is any information relating to an identifiable person. Processing is virtually anything you can do with data and regulated processing anything on the digital type device is always covered.
The second element of not much being excluded is that the exemptions are exhaustive and extremely limited. Again Lindqvist showed the way on this. It dealt with the scope of EU law being an exemption and the Court said: Well that's only about state authorities performing highly specific state-like functions like national security. Even that we now see much more debate about. Private and family life, they said, could never relate to indeterminate publication, could never relate to publication generally on the Internet.
Satamedia reiterated those precise claims and also dealt with the idea - "well aren’t there some kind of implicit exemptions here?". No - the limitations on scope, they said, were exhaustive and they were narrow. That's the first pillar.
But you might say "well Satamedia said okay we don't have the exemptions but we have a special journalistic and other expressive purposes, so is there an issue?". Well, yes because the second pillar is that the special journalistic and other purposes are in no sense unbounded. They're not unbounded because even when they apply, as Satamedia said, any derogation has to be only as strictly necessary. We're not dealing with an exemption, we’re dealing with a derogation but more importantly for our purposes they are not unbounded because despite the language of Satamedia saying disclosure to the public is a journalistic activity that public is a collective public. It’s disclosure to the body politic. It’s trying objectively to contribute to a general public debate. That kind of activity is included but that does not mean that any form of indeterminate publication, for individualized privatized purposes is covered. And again we kind of knew that from the Lindqvist case, where poor Mrs Lindqvist’s website was clearly an indeterminate publication and the Commission sought to come to her rescue by saying: oh well her pages are a literary or artistic work - it's a work of literary and artistic expression and should be treated as such. And the court pointedly refused to accept that as valid. It didn't address it but it refused to say: yes of course this is expressive purposes for the purposes of [the] special purposes. Mrs Lindqvist’s site was not orientated to a collective public debate.
But the third pillar is yes there might indeed be a need to balance data protection with other rights, and even with the general principle of proportionality, and we again know this from the Lindqvist case. Effectively what the Court said in Lindqvist was: we're not willing to say you’re a journalist, we're not willing to say you're exempt but, by the way, authorities and courts must take care to ensure that the Directive isn’t interpreted to be in conflict with freedom of expression and similar rights.
But it’s rather unclear because another strand and the last pillar of the data protection paradigm is that data protection norms are often overriding. There is no particular need to balance with freedom of expression. Any need for balance has already been accommodated within the data protection regime and the key case here is Bavarian Larger, where you had a transparency request, the first instance court sought to say: Well we'll look to see if privacy and integrity are violated, we’ll kind of eyeball it, we will not apply the rigors the data protection law if we don't think privacy and integrity are being affected very much. [But] the Court of Justice eventually said: No that’s not what you should be doing. Any undermining of privacy and integrity must always examined and assessed in conformity with all the legislation on personal data. You simply apply the statute; you apply the code.
So that's the paradigm and it’s shared by dominant legal interpretations but even more so it’s shared as a dominant regulatory approach. If you ask DPAs, as I did, what they're interpretative stance is, you will find: very broad scope, a limited notion of what journalism and the like is, and then a dispute as to when you balance when you don't need to balance. And that broad contour applies broadly to all online operators from news archives - and by the way there's an interesting debate about when the full rigours of the right to be forgotten apply because Google News as I understand it as an aggregator is considered to be fully within the right to be forgotten but maybe The Times newspaper index, for example, isn't but at what point do you move over from one to the other - it's a complicated issue I’d have thought - but anyway from news archives to bloggers to all forms social networking to dating web sites, street mapping, as well as search engines. Every internet actor is in principle affected by this paradigm.
I sought to test this empirically through a survey of European Economic Area - so EU plus the three associated states - Data Protection Authorities and got a very good response of eighty percent of the national data protection authorities replied, plus six operating at the sub-national level, mainly in Germany, so it's a pretty authoritative result. I presented them with publication scenarios linked to all of those seven online media actors which I've been talking about. This was before the Google Spain decision was handed down. And in terms of interpretative stance it backed up a very rigorous in principle interpretation of this paradigm. A maximum of only twelve percent of the standard answers as to these publication scenarios - which by the way are in your handout in terms of the very precise questions which were asked - but they concerned everything from a blogger, news archive to a street mapping service. Across all the examples a maximum of twelve percent of the standard answers in any one case said that the activity was exempt from data protection. In terms of special expression, a plurality of Data Protection Authorities only considered that the journalistic or allied special purposes exemption applied as regards news archives - much to my surprise, even in the case of the individual blogger blogging about celebrity gossip there was not a plurality of support for the idea that the activity is journalistic or a like. Apart from the news archive and the blogger, where in the case for a blogger there would seem to be support for the idea you did need to have a balance with other fundamental rights, between just under fifty percent and almost a hundred percent of DPAs simply responded that data protection law had to apply in full. So, you know, really rigorous interpretation of the law in principle and not just for general search engines [but] for pretty much all internet actors.
So what about enforcement. I also asked for them: have you actually taken enforcement action in these areas, and if they had actually there was also an element of the questionnaire which I won't go into about what enforcement action they had taken. And I think the results here were intriguing in a way were the flip side of the broad interpretative approach which I’ve been talking about because this was the very narrow nature of enforcement. Almost twenty five percent data protection authorities said: oh we might have this broad interpretative approach but we've never taken any enforcement action since the Directive has been in place against any these actors in relation to publication. Then if you look at the next two [categories] along where roughly ten percent [each] have only taken action in one or two cases which might be, say for Google Street View. You are looking at a picture in terms of enforcement where almost a half of DPAs have effectively never really taken any significant enforcement action despite that being the paradigm and there I think use you begin to understand the dynamic where the Internet community seems to be unaware that data protection is considered to apply. Well, it’s unaware because there's been so little enforcement of it. I asked about budgeting and the survey seemed to suggest that perhaps the average budget of a DPA is only around three and a half million Euro which translates into roughly €0.30 per individual resident in the jurisdiction. And I think you can see that that kind of level resourcing is just at a total mismatch at the level of tasks the law sets Data Protection Authorities because this is just one relatively discrete area that DPAs are meant to be regulating. This is by no means the only part that’s meant to be regulated. It’s got to regulate the public sector, it’s got regulate all forms of data of which publication is just one and three and a half million Euro is simply not going to come anywhere near performing that task. And I also tried to complete, along with many research assistants, a public domain analysis of enforcement, which to be honest showed much less evidence of active enforcement. I mean what evidence there was showed very soft forms of enforcement and very limited forms of enforcement, compared to what was being reported in the survey. So even less seems to be [evident] - in terms of regular and active activity - than those results I just showed you a moment ago.
So just a few brief conclusions and looking to the future in a way because obviously these conclusions are what I began with, but is there any real reason to think that this will change? I think it will only change if it is recognised that it is dysfunctional have a situation where the interpretative stance of regulators is at such variance with the practice in terms of how that is in reality enforced. It will only begin to change if we have a debate about the dysfunctionality and costs for the rights people think they have, for the responsibilities that controllers might have. If we start to have that debate about that balance and gap being a problem. And also it will only start to change if we begin to address the resources and budgeting that regulators have available in this area to perform what, in an Internet area, are more and more important tasks of balancing people's rights to be protected against freedom of expression.
So the first claim is that Google Spain in fact largely solidifies, or at least the fallout from Google Spain in terms of how to DPA's have responded to it, solidifies the dominant data protection paradigm. A paradigm which is dominant legally and even more so is dominant amongst data protection authorities. And that paradigm has serious implications, not just for the generalized search engines, but for almost every type of internet actor. You might say, "well how can that be?" in the sense that Google Spain was seen as so novel and so distinctive and in a way so narrowly cast on one particular actor. Well I think it's because there's a huge gap between legal interpretation, the interpretive stance including of data protection regulators, and enforcement. Enforcement has been extremely limited and sporadic. So extremely limited and sporadic that much of the Internet community until the Google Spain decision was virtually unaware any of these things in principle could apply.
So what is this paradigm I’m talking about? Well it’s composed of four key pillars I think, some of which map onto Orla’s various elucidations. The first pillar is that not much is excluded on the Internet from data protection and that has two elements to it. The key terms of the Directive have an extremely broad scope. We know this right back from the Lindqvist case, where simply referring on an internet page to working conditions or hobbies of an identifiable person was processing of personal information. It didn't matter that it was an unstructured page. It didn't matter that the information was relatively trivial. Fast forward to Satamedia and the claim there was "oh but there must be some kind of public domain exception", at least if the material has already been published in the media, surely there is some kind of exemption for media published material. And the Court said: Absolutely not. Personal information is any information relating to an identifiable person. Processing is virtually anything you can do with data and regulated processing anything on the digital type device is always covered.
The second element of not much being excluded is that the exemptions are exhaustive and extremely limited. Again Lindqvist showed the way on this. It dealt with the scope of EU law being an exemption and the Court said: Well that's only about state authorities performing highly specific state-like functions like national security. Even that we now see much more debate about. Private and family life, they said, could never relate to indeterminate publication, could never relate to publication generally on the Internet.
Satamedia reiterated those precise claims and also dealt with the idea - "well aren’t there some kind of implicit exemptions here?". No - the limitations on scope, they said, were exhaustive and they were narrow. That's the first pillar.
But you might say "well Satamedia said okay we don't have the exemptions but we have a special journalistic and other expressive purposes, so is there an issue?". Well, yes because the second pillar is that the special journalistic and other purposes are in no sense unbounded. They're not unbounded because even when they apply, as Satamedia said, any derogation has to be only as strictly necessary. We're not dealing with an exemption, we’re dealing with a derogation but more importantly for our purposes they are not unbounded because despite the language of Satamedia saying disclosure to the public is a journalistic activity that public is a collective public. It’s disclosure to the body politic. It’s trying objectively to contribute to a general public debate. That kind of activity is included but that does not mean that any form of indeterminate publication, for individualized privatized purposes is covered. And again we kind of knew that from the Lindqvist case, where poor Mrs Lindqvist’s website was clearly an indeterminate publication and the Commission sought to come to her rescue by saying: oh well her pages are a literary or artistic work - it's a work of literary and artistic expression and should be treated as such. And the court pointedly refused to accept that as valid. It didn't address it but it refused to say: yes of course this is expressive purposes for the purposes of [the] special purposes. Mrs Lindqvist’s site was not orientated to a collective public debate.
But the third pillar is yes there might indeed be a need to balance data protection with other rights, and even with the general principle of proportionality, and we again know this from the Lindqvist case. Effectively what the Court said in Lindqvist was: we're not willing to say you’re a journalist, we're not willing to say you're exempt but, by the way, authorities and courts must take care to ensure that the Directive isn’t interpreted to be in conflict with freedom of expression and similar rights.
But it’s rather unclear because another strand and the last pillar of the data protection paradigm is that data protection norms are often overriding. There is no particular need to balance with freedom of expression. Any need for balance has already been accommodated within the data protection regime and the key case here is Bavarian Larger, where you had a transparency request, the first instance court sought to say: Well we'll look to see if privacy and integrity are violated, we’ll kind of eyeball it, we will not apply the rigors the data protection law if we don't think privacy and integrity are being affected very much. [But] the Court of Justice eventually said: No that’s not what you should be doing. Any undermining of privacy and integrity must always examined and assessed in conformity with all the legislation on personal data. You simply apply the statute; you apply the code.
So that's the paradigm and it’s shared by dominant legal interpretations but even more so it’s shared as a dominant regulatory approach. If you ask DPAs, as I did, what they're interpretative stance is, you will find: very broad scope, a limited notion of what journalism and the like is, and then a dispute as to when you balance when you don't need to balance. And that broad contour applies broadly to all online operators from news archives - and by the way there's an interesting debate about when the full rigours of the right to be forgotten apply because Google News as I understand it as an aggregator is considered to be fully within the right to be forgotten but maybe The Times newspaper index, for example, isn't but at what point do you move over from one to the other - it's a complicated issue I’d have thought - but anyway from news archives to bloggers to all forms social networking to dating web sites, street mapping, as well as search engines. Every internet actor is in principle affected by this paradigm.
I sought to test this empirically through a survey of European Economic Area - so EU plus the three associated states - Data Protection Authorities and got a very good response of eighty percent of the national data protection authorities replied, plus six operating at the sub-national level, mainly in Germany, so it's a pretty authoritative result. I presented them with publication scenarios linked to all of those seven online media actors which I've been talking about. This was before the Google Spain decision was handed down. And in terms of interpretative stance it backed up a very rigorous in principle interpretation of this paradigm. A maximum of only twelve percent of the standard answers as to these publication scenarios - which by the way are in your handout in terms of the very precise questions which were asked - but they concerned everything from a blogger, news archive to a street mapping service. Across all the examples a maximum of twelve percent of the standard answers in any one case said that the activity was exempt from data protection. In terms of special expression, a plurality of Data Protection Authorities only considered that the journalistic or allied special purposes exemption applied as regards news archives - much to my surprise, even in the case of the individual blogger blogging about celebrity gossip there was not a plurality of support for the idea that the activity is journalistic or a like. Apart from the news archive and the blogger, where in the case for a blogger there would seem to be support for the idea you did need to have a balance with other fundamental rights, between just under fifty percent and almost a hundred percent of DPAs simply responded that data protection law had to apply in full. So, you know, really rigorous interpretation of the law in principle and not just for general search engines [but] for pretty much all internet actors.
So what about enforcement. I also asked for them: have you actually taken enforcement action in these areas, and if they had actually there was also an element of the questionnaire which I won't go into about what enforcement action they had taken. And I think the results here were intriguing in a way were the flip side of the broad interpretative approach which I’ve been talking about because this was the very narrow nature of enforcement. Almost twenty five percent data protection authorities said: oh we might have this broad interpretative approach but we've never taken any enforcement action since the Directive has been in place against any these actors in relation to publication. Then if you look at the next two [categories] along where roughly ten percent [each] have only taken action in one or two cases which might be, say for Google Street View. You are looking at a picture in terms of enforcement where almost a half of DPAs have effectively never really taken any significant enforcement action despite that being the paradigm and there I think use you begin to understand the dynamic where the Internet community seems to be unaware that data protection is considered to apply. Well, it’s unaware because there's been so little enforcement of it. I asked about budgeting and the survey seemed to suggest that perhaps the average budget of a DPA is only around three and a half million Euro which translates into roughly €0.30 per individual resident in the jurisdiction. And I think you can see that that kind of level resourcing is just at a total mismatch at the level of tasks the law sets Data Protection Authorities because this is just one relatively discrete area that DPAs are meant to be regulating. This is by no means the only part that’s meant to be regulated. It’s got to regulate the public sector, it’s got regulate all forms of data of which publication is just one and three and a half million Euro is simply not going to come anywhere near performing that task. And I also tried to complete, along with many research assistants, a public domain analysis of enforcement, which to be honest showed much less evidence of active enforcement. I mean what evidence there was showed very soft forms of enforcement and very limited forms of enforcement, compared to what was being reported in the survey. So even less seems to be [evident] - in terms of regular and active activity - than those results I just showed you a moment ago.
So just a few brief conclusions and looking to the future in a way because obviously these conclusions are what I began with, but is there any real reason to think that this will change? I think it will only change if it is recognised that it is dysfunctional have a situation where the interpretative stance of regulators is at such variance with the practice in terms of how that is in reality enforced. It will only begin to change if we have a debate about the dysfunctionality and costs for the rights people think they have, for the responsibilities that controllers might have. If we start to have that debate about that balance and gap being a problem. And also it will only start to change if we begin to address the resources and budgeting that regulators have available in this area to perform what, in an Internet area, are more and more important tasks of balancing people's rights to be protected against freedom of expression.