Blogs | Information democracy | Data protection standards | Freedom of expression online

GDPR incompatibility – the blind spot of the copyright debate

By EDRi · March 27, 2019

The debate around the Copyright Directive reform has been intense. Former Article 13, which became Article 17 in the text voted by the European Parliament on 26 March, created the greatest controversy between stakeholders arguing about the so-called “value gap” in the creative sectors, upload filters, and a new platform liability regime, among others issues. However, few observers have analysed the impact of Article 13/17 on the General Data Protection Regulation (GDPR). On 23 March, Dr. Malte Engeler, a German judge, published an article explaining why the filtering technology required by the Copyright Directive might be incompatible with European data protection rules.

Article 13/17 requires content hosting providers to give their best efforts to prevent the upload or re-upload of copyright-protected works – which can only be achieved with upload filters – except if they are covered by specific copyright exceptions such as quotation, criticism or parody. For filters to function properly while taking into account those exceptions, they would need to recognise the context of the upload, that is to say information surrounding the content including personal data of the user uploading it. The question Engeler asks is under which legal basis of GDPR would platforms be able to process such personal data?

According to Engeler, platforms would be considered controllers in the sense of the GDPR because they decide which technologies they will use to monitor content. When analysing a film extract uploaded without authorisation, a filter would need to know whether it was used by a film critic – which would be legal according to the copyright exceptions listed in Article 13/17 – or by a user attempting to illegally distribute the film. Detecting such differences in the use of the same piece of content would depend on “meta information about the upload” such as the user identity, the place, and the date. This information would be considered personal data, and its analysis by the algorithm would be processing under GDPR.

The article goes on by examining the legal basis provided for in the GDPR (Article 6(1)), under which such processing would be allowed. Consent could not be freely given because all platforms would be required to have this processing in place, leaving no alternative to users. Making upload filters part of the terms and conditions would not respect the criteria of necessity of paragraph 1b, which allows the processing of personal data to execute a contract. Furthermore, the processing of personal data by content filters is neither necessary to protect the user’s vital interests, nor is it done for public or legitimate interests pursued by the platform – they don’t want an obligation to put filters in place. This leaves the platform with the legal basis whereby the processing is necessary for compliance with another legal obligation (para. 1c), which would be compliance with the copyright Directive.

However, considering the high risk of liability, smaller platforms will likely have to implement third party filters, bought as a service from bigger companies that have invested tens of millions of euros in such technologies. As a result, few big content filtering companies will be able to process the above-mentioned personal data of the vast majority of users. The new copyright Directive would thus lead to centralised filtering mechanisms.

This is problematic in regards to the principle of proportionality mentioned in the GDPR and in the Charter of Fundamental Rights of the European Union. Such a filtering system was already discarded by the Court of Justice of the European Union (CJEU) because it failed to strike a fair balance “between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information on the other”. The legal obligation that Article 13/17 creates for platforms is incompatible with the right to protection of personal data, which makes it hard to rely on for the processing of personal data under the GDPR.

Copyright Directive: Does the best effort principle comply with GDPR? (23.03.2019)

Press Release: Censorship machine takes over EU’s internet (26.03.2019)

SABAM vs Netlog – another important ruling for fundamental rights (16.02.2012)

All you need to know about copyright and EDRi (15.03.2019)

(Contribution by Chloé Berthélémy, EDRi)