Here’s what the staff of the Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press is tracking this week.
German high court issues rulings on ‘right to be forgotten’
Germany’s Federal Constitutional Court, the country’s final word on constitutional questions, issued two rulings implicating the European Union’s “right to be forgotten,” or “right to erasure,” granted under Article 17 of the General Data Privacy Regulation. One ruling is particularly noteworthy because it involved an erasure demand directly between a private citizen and a media outlet.
In the relevant case, a man convicted of a double murder in 1982 sought to have the German publication Der Spiegel remove articles from their online archives detailing his crime and court case. He was released for the murders in 2002, and after subsequently discovering that a search for his name on common search engines turned up the articles, he sent a letter to Der Spiegel asking the paper to take them down. After the paper refused, he sued.
Germany’s Federal Court of Justice — the country’s highest court in its system of ordinary jurisdiction (that is, it can be reversed by the constitutional court if its decisions conflict with Germany’s Basic Law) — dismissed the plaintiff’s case. The Federal Court of Justice held that, on balance, the public’s interest in this information and the paper’s freedom of expression outweighed the harm to the plaintiff’s reputation.
Upon review, the Federal Constitutional Court held that where the GDPR gives the member state the authority to craft a balancing test between a privacy right under the GDPR and another consideration like press freedom (technically known as a “derogation”), the EU country may apply its own law. Article 85 of the GDPR gives EU member states the authority to balance conflicts between the right to be forgotten and the use of private information for “journalistic purposes.”
In an English press release explaining its reasoning, the constitutional court confirmed that while a critical right of both the public and the press is preserving “unrestricted access to the original texts to the greatest extent possible,” the “realities” of today’s digital context — especially the permanence and ease of widespread dissemination of information — must be taken into account.
Finding that the Court of Justice neglected to consider whether the paper might be obligated “to provide at least some protection against search engines retrieving the articles in the context of searches related to the complainant’s name,” the court remanded for further consideration.
The second case related to an episode of the television show “Panorama” titled “Dismissal: the dirty practices of employers,” in which a former CEO was accused of unfairly treating an employee who was dismissed for trying to establish a “works council.” When the show uploaded a transcript of the broadcast, searches for the CEO’s name returned the transcript, and the CEO sought to have it removed under the right to be forgotten.
The Federal Constitutional Court ruled that — in contrast to the case directly between a private citizen and a news organization, where the GDPR grants the member state the authority to apply its own law — a similar right to be forgotten dispute between a search engine and a citizen would be subject to EU law, as it does not directly implicate journalistic expression. Looking to the EU’s Charter of Fundamental Rights, the court declared that lower courts must (as the ones in this case did) properly weigh a search engine’s freedom to conduct business, the broadcasting company’s freedom of expression, and the public’s interest in receiving the information against the plaintiff’s interest in protecting her reputation. The court upheld the dismissal of her case.
The Reporters Committee continues to monitor how data privacy laws can interact with free expression and press rights, both in the United States and overseas. As noted in previous newsletters, we have filed briefs in right-to-be-forgotten cases at the CJEU and the French high court. We have also filed comments with Canada’s Office of the Privacy Commissioner and the UK’s Data Protection Team, expressing concern in the latter about how the right to be forgotten “may have profound negative effects on freedom of expression online and the right to receive information.”
— Jordan Murov-Goodman
A group of Senate Democrats has introduced a data privacy bill seeking to provide U.S. consumers with greater control over data held and processed by third parties, similar to Europe’s General Data Protection Regulation. The press release announcing the bill — the Consumer Online Privacy Rights Act — includes statements of support from several privacy advocates, including the Electronic Privacy Information Center, the Public Interest Research Group, and Consumer Reports, as well as prominent civil rights organizations, such as the NAACP and the Lawyers Committee for Civil Rights Under Law.
According to a motion filed in the “Vault7” unauthorized disclosure case U.S. v. Schulte, the government will likely argue that Joshua Schulte, a former CIA employee, could have foreseen that classified information he disclosed specifically to the organization WikiLeaks could cause “injury” to the United States. Schulte faces more than a dozen charges, including three under the Espionage Act. Certain provisions in the law require that the government introduce some evidence that Schulte knew or should have known that disclosure would cause injury to the United States. Over at Emptywheel, independent national security journalist Marcy Wheeler writes: “[S]howing that the specific nature of the intended recipient of a leak is an element of the offense has never been required in Espionage Act leak cases before.” To our knowledge, that’s true. Schulte has filed a motion to oppose the introduction of testimony from a government witness, Paul Rosenzweig, on this point.
YouTube recently announced updates to various policies, including forthcoming changes around harassment and gaming videos. The announcement comes in the wake of a recent settlement with the Federal Trade Commission over the company’s alleged violation of the Children’s Online Privacy Protection Act, which prohibits companies from collecting young children’s personal information online without parental consent. The company noted the upcoming changes in CEO Susan Wojcicki’s quarterly letter. Content creators reportedly worry that they still don’t understand how to determine whether their content will attract child viewers and trigger COPPA.
Sen. Ron Wyden (D-Ore.) recently told The Guardian that he is examining the role of foreign surveillance companies in hacking U.S. citizens, noting the issue raises “serious national security issues.” His interest in the matter comes on the heels of a lawsuit the messenger company WhatsApp filed against Israeli company NSO Group, alleging that NSO’s software was used by governments around the world to hack over a thousand individuals, including activists, journalists, and lawyers. At a minimum, Wyden is seeking a commitment from the U.S. Department of Commerce to ensure U.S. nationals do not provide services to “foreign military intelligence services” without a license.
The Department of Homeland Security proposed a rule to mandate that all incoming or departing international travelers, including U.S. citizens, be subject to facial recognition technology, but appears to have reversed its position in light of swift pushback from civil liberties advocates who condemned the proposed regulation as a major privacy violation. Indeed, Sen. Edward Markey (D-Mass.) praised the apparent reversal. This proposal, were it to hold, potentially undercuts the continued meetings between border officials and privacy groups to fashion policies for biometric data collection of travelers. Notably, as of now, U.S. citizens can opt out of this facial comparison process. (Our colleague, Linda Moon, encountered “facial comparison technology” first-hand over the holidays at the Detroit Metropolitan Airport.)
Last week, Reporters Committee Executive Director Bruce Brown, along with Legal Director Katie Townsend and Staff Attorney Sarah Matthews, traveled to Los Angeles to receive the Amicus Award from the International Documentary Association. Coincidentally, the IDA filed suit this week with the Doc Society against the Trump administration over a policy that requires foreigners to list their social media accounts as part of their visa applications. The complaint, filed by the Brennan Center for Justice, the Knight First Amendment Institute, and Simpson Thacher & Bartlett LLP (TPFP Director Gabe Rottman’s former firm), alleges that the policy amounts to illegal surveillance and has a chilling impact on online speech. Be on the lookout for further analysis on this case from the TPFP team.
Gif of the Week: Our quick hit on YouTube’s policy changes inspired this week’s gif from the sitcom Schitt’s Creek.
Like what you’ve read? Sign up to get This Week in Technology + Press Freedom delivered straight to your inbox!
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee Attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Fellow Linda Moon and Legal Fellows Jordan Murov-Goodman and Lyndsey Wajert.