The way in which data protection and privacy can impact across the board is well illustrated by the recently published comments of the EDPS on the DG MARKT’s public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries. Focusing just on the potential impact in areas where the EDPS has a role, his comments run to three pages. They can be accessed in full here.
While the EDPS supports the Commission’s initiative aimed at better defining and harmonising the conditions under which notice-and-action should take place. He however underlines that notice-and-action procedures must respect fundamental rights, including the rights to data protection and to privacy.
The EDPS is of the view that there is a need for a more pan-European harmonised definition of the notion of ‘illegal content’ for which the notice-and-action procedures would be applicable, especially as such procedures may imply the processing of personal sensitive data (such as data relating to offences).
He puts forward the view that in several cases hosting service providers may be considered as data controllers under data protection law, responsible for ensuring the appropriate processing of the data. For example, in the case of social networks, the European data protection authorities have concluded that by designing the platform and the tools for the processing of personal data, social networks are controllers of the processing of personal data on their sites and that search engines too must be considered to some extent as controllers of the personal data they process in view of the fact that they are the ones who have designed the means of the processing, ie the indexing and referencing tools, to perform in a certain way.
He recommends that the notice-and-action procedures should: address the following issues:
– the confidentiality of the notice provider and of the other persons involved (eg complainant, suspect, witnesses, etc),
– the handling of their personal data for purpose of the assessment and afterwards,
– the need for a transparent and easy manner to challenge a decision of a service provider to take down material, and
– the modalities of cooperation with law enforcement authorities.
On the issue of pro-active measures against illegal content that may be taken by hosting service providers, the EDPS comments:
‘beyond the liability exemption issue, due account must be given to Article 15 of the e-commerce Directive which clearly sets forth that service provider do not have a general obligation ‘to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.’ The Court of Justice of the EU has emphasized this principle in several cases. The question may therefore arise as to whether the types of pro-active measures sought from hosting providers would be lawful under the e-commerce Directive and the e-privacy Directive and whether such measures would also be considered proportionate under the data protection Directive.’