About a year and a half ago, we wrote about how the new European “General Data Protection Regulation” (GDPR) was potentially very problematic for free speech. That is, well-meaning “data protection” folks wrote up the GDPR, but it appears they did so with little thought towards what the impact might be on free speech. So, specifcally, when they include something like a right to “erasure” for certain information, you can understand, from a privacy standpoint why people may want certain data and information to be deleted from certain databases. But bring that over to the open web, rather than private databases, and you’re talking about a censorship tool around a “right to be forgotten” system.

To deal with this kind of potential problem, rather than doing the smart thing and fixing and clarifying the GDPR, Europe has left things up to each member country to try to sort things out on their own, and to explore how to set their own data protection rules in a manner that will obey the GDPR but also avoid stomping out free expression. Unfortunately, it’s unclear that many of the states are taking that balancing act very seriously. The UK quietly put up a comments request with all answers due by this Wednesday (and, of course, by the time this all gets sorted out, who’s to say if the UK will even still be in the EU… but…).

Daphne Keller, who studies these things over at Stanford Law School’s Center for Internet and Society has both a larger paper and a shorter blog post discussing this, specifically in the context of serious concerns about how the Right To Be Forgotten (RTBF) under the GDPR will be implemented, and how it may stifle freedom of expression across Europe. Right now, of course, the RTBF applies to search results, but under the GDPR it may expand to much more, including things like Twitter and Facebook:

Applying RTBF to platforms like Facebook, Dailymotion, or Twitter would be a big deal for Internet users’ expression and information rights. RTBF in its current form under Google Spain only covers search engines, and only requires “de-listing” search results – meaning that users will not see certain webpage titles, snippets, and links when they search for a data subject by name. Regulators have said that the RTBF is reconcilable with information and expression rights precisely because information is only de-listed, and not removed from the source page. But if social media or other hosts had to honor RTBF requests, much of the information they erased would not merely be harder to find – it would be truly gone. For ephemeral expression like tweets or Facebook posts, that might mean the author’s only copy is erased. The same could happen to cloud computing users or bloggers like artist Dennis Cooper, who lost 14 years of creative output when Google abruptly terminated his Blogger account.

Expanding the list of private platforms that must accept and adjudicate RTBF requests would directly affect users’ expression and information rights. But it is hard to pinpoint quite which GDPR articles speak to this issue. Is it purely a question of who counts as a controller under the GDPR’s definitions (Art. 4)? Might it be, as I have argued in other contexts, a question about the scope of objection and erasure rights (Arts. 17 and 21)? Do national expression and information rights shape a platform’s “responsibilities, powers and capabilities” under the Google Spain ruling (para. 38)? These are difficult questions. The answers will, in a very real way, affect the expression and information rights that Member State legislatures are charged with protecting.