The European Union's controversial new copyright rules are on a collision course with EU data privacy rules. The GDPR guards data protection, privacy, and other fundamental rights in the handling of personal data. Such rights are likely to be affected by
an automated decision-making system that's guaranteed to be used, and abused, under Article 17 to find and filter out unauthorized copyrighted material. Here we take a deep dive examining how the EU got here and why Member States should act now to
embrace enforcement policies for the Copyright Directive that steer clear of automated filters that violate the GDPR by censoring and discriminating against users.
Platforms Become the New Copyright Police
Article 17 of the EU's Cop yright Directive (formerly Article 13) makes online services liable for user-uploaded content that infringes someone's copyright. To escape liability, online service operators have to show that they made
best efforts to obtain rightsholders' authorization and ensure infringing content is not available on their platforms. Further, they must show they acted expeditiously to remove content and prevent its re-upload after being notified by rightsholders.
Prior to passage of the Copyright Directive, user rights advocates alerted lawmakers that operators would have to employ upload filters to keep infringing content off their platforms. They warned that then Article 13 will turn online
services into copyright police with special license to scan and filter billions of users' social media posts and videos, audio clips, and photos for potential infringements.
While not everyone agreed about the features of the
controversial overhaul of outdated copyright rules, there was little doubt that any automated system for catching and blocking copyright infringement would impact users, who would sometimes find their legitimate posts erroneously removed or blocked.
Instead of unreservedly safeguarding user freedoms, the compromise worked out focuses on procedural safeguards to counter over-blocking. Although complaint and redress mechanisms are supposed to offer a quick fix, chances are that censored Europeans will
have to join a long queue of fellow victims of algorithmic decision-making and await the chance to plead their case.
Can't See the Wood For the Trees: the GDPR
There's something awfully familiar
about the idea of an automated black-box judgment system that weighs user-generated content and has a significant effect on the position of individuals. At recent EU copyright dialogue debates on technical and legal limits of copyright filters, EU data
protection rules--which restrict the use of automated decision-making processes involving personal data--were not put on the agenda by the EU officials. Nor were academic experts on the GDPR who have raised this issue in the past (read this analysis by
Sophie Stalla-Bourdillon or have a look at this year's CPDP panel on copyright filters ).
Under Article 22 of the GDPR , users have a right "not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." Save for exceptions, which will be discussed below, this provision protects users from detrimental decisions made by algorithms, such
as being turned down for an online loan by a service that uses software, not humans, to accept or reject applicants. In the language of the regulation, the word "solely" means a decision-making process that is totally automated and excludes any
real human influence on the outcome.
The Copyright-Filter Test Personal Data
The GDPR generally applies if a provider is processing personal data, which is defined as any information relating to an
identified or identifiable natural person ("data subject," Article 4(1) GDPR ). Virtually every post that Article 17 filters analyze will have come from a user who had to create an account with an online service before making their post. The
required account registration data make it inevitable that Copyright Directive filters must respect the GDPR. Even anonymous posts will have metadata, such as IP addresses ( C-582/14, Breyer v Germany), which can be used to identify the poster.
Anonymization is technically fraught, but even purportedly anonymization will not satisfy the GDPR if the content is connected with a user profile, such as a social media profile on Facebook or YouTube.
Defenders of copyright
filters might counter that these filters do not evaluate metadata. Instead, they'll say that filters merely compare uploaded content with information provided by rightsholders. However, the Copyright Directive's algorithmic decision-making is
about much more than content-matching. It is the decision whether a specific user is entitled to post a specific work. Whether the user's upload matches the information provided by rightsholders is just a step along the way. Filters might not
always use personal data to determine whether to remove content, but the decision is always about what a specific individual can do. In other words: how can monitoring and removing peoples' uploads, which express views they seek to share,
not involve a decision about based on that individual?
Moreover, the concept of "personal data" is very broad. The EU Court of Justice (Case C-434/16 Nowak v Data Protection Commissioner ) held that "personal
data" covers any information "provided that it 'relates' to the data subject," whether through the content (a selfie uploaded on Facebook), through the purpose (a video is processed to evaluate a person's preferences), or
through the effect (a person is treated differently due to the monitoring of their uploads). A copyright filter works by removing any content that matches materials from anyone claiming to be a rightsholder. The purpose of filtering is to decide
whether a work will or won't be made public. The consequence of using filtering as a preventive measure is that users' works will be blocked in error, while other (luckier) users' works will not be blocked, meaning the filter creates a significant effect
or even discriminates against some users.
Even more importantly, the Guidelines on automated decision-making developed by the WP29 , an official European data protection advisory body (now EDPB ) provide a user-focused
interpretation of the requirements for automated individual decision-making. Article 22 applies to decisions based on any type of data. That means that Article 22 of the GDPR applies to algorithms that evaluate user-generated content that is
uploaded to a platform.
Do copyright filters result in "legal" or "significant" effects as envisioned in the GDPR? The GDPR doesn't define these terms, but the
guidelines endorsed by the European Data Protection Board enumerate some "legal effects," including denial of benefits and the cancellation of a contract.
The guidelines explain that even where a filter's judgment does
not have legal impact, it still falls within the scope of Article 22 of the GDPR if the decision-making process has the potential to significantly affect the behaviour of the individual concerned, has a prolonged impact on the user, or leads to
discrimination against the user. For example, having your work erroneously blocked could lead to adverse financial circumstances or denial of economic opportunities. The more intrusive a decision is and the more reasonable expectations are frustrated,
the higher the likelihood for adverse effects.
Consider a takedown or block of an artistic video by a creator whose audience is waiting to see it (they may have backed the creator's crowdfunding campaign). This could result in
harming the creator's freedom to conduct business, leading to financial loss. Now imagine a critical essay about political developments. Blocking this work is censorship that impairs the author's right of free expression. There are many more examples
that show that adverse effects will often be unavoidable.
Legitimate Grounds for Automated Individual Decision-Making
There are three grounds under which automated decision-making may be allowed
under the GDPR's Article 22(2). Users may be subjected to automated decision-making if one of three exceptions apply:
it's necessary for entering into or performance of a contract,
authorized by the EU or member state law, or
based on the user's explicit consent.
Copyright filters cannot justly be considered "necessary" under this rule . "Necessity" is narrowly construed in the data protection framework, and can't merely be
something that is required under terms of service. Rather, a "necessity" defence for automated decision-making must be in line with the objectives of data protection law, and can't be used if there are more fair or less intrusive measures
available. The mere participation in an online service does not give rise to this "necessity," and thus provides no serious justification for automated decision-making.
Perhaps proponents of upload filters will argue that they will be
authorized by the EU member state's law that implement the Copyright Directive. Whether this is what the directive requires has been ambiguous from the very beginning.
Copyright Directive rapporteur MEP Axel Voss insisted
that the Copyright Directive would not require upload filters and dismissed claims to the contrary as mere scare-mongering by digital rights groups. Indeed, after months of negotiation between EU institutions, the final language version of the directive
conspicuously avoided any explicit reference to filter technologies. Instead, Article 17 requires "preventive measures" to ensure the non-availability of copyright-protected content and makes clear that its application should not lead to any
identification of individual users, nor to the processing of personal data, except where provided under the GDPR.
Even if the Copyright Directive does "authorize" the use of filters, Article 22(2)(b) of the GDPR says
that regulatory authorization alone is not sufficient to justify automated decision-making. The authorizing law--the law that each EU Member State will make to implement the Copyright Directive--must include "suitable" measures to safeguard
users' rights, freedoms, and legitimate interests. It is unclear whether Article 17 provides enough leeway for member states to meet these standards.
Without "necessity" or
"authorization," the only remaining path for justifying copyright filters under the GDPR is explicit consent by users. For data processing based on automated decision-making, a high level of individual control is required. The GDPR
demands that consent be freely given, specific, informed, and unambiguous. As take-it-or-leave-it situations are against the rationale of true consent, it must be assessed whether the decision-making is necessary for the offered service. And consent must
be explicit, which means that the user must give an obvious express statement of consent. It seems likely that few users will be interested in consenting to onerous filtering processes.
Article 22 says that even if automated
decision-making is justified by user consent or by contractual necessity, platforms must safeguard user rights and freedoms. Users always have the right to obtain "human intervention" from platforms, to express their opinion about the content
removal, and to challenge the decision. The GDPR therefore requires platforms to be fully transparent about why and how users' work was taken down or blocked.
Conclusion: Copyright-Filters Must Respect Users' Privacy Rights
The significant negative effects on users subjected to automated decision-making, and the legal uncertainties about the situations in which copyright-filters are permitted, should best be addressed by a policy of legislative
self-restraint. Whatever decision national lawmakers take, they should ensure safeguards for users' privacy, freedom of speech and other fundamental rights before any uploads are judged, blocked or removed.
If Member States
adopt this line of reasoning and fulfill their legal obligations in the spirit of EU privacy rules, it could choke off any future for EU-mandated, fully-automated upload filters. This will set the groundwork for discussions about general monitoring and
filtering obligations in the upcoming Digital Service Act.
(Many thanks to Rossana Ducato for the exchange of legal arguments, which inspired this article).
Thanks to the adoption of a disastrous new Copyright Directive, the European Union is about to require its member states to pass laws requiring online service providers to ensure the unavailability of copyright-protected works. This will likely result in
the use of copyright filters that automatically assess user-submitted audio, text, video and still images for potential infringement. The Directive does include certain safeguards to prevent the restriction of fundamental free expression rights, but
national governments will need some way to evaluate whether the steps tech companies take to comply meet those standards. That evaluation must be both objective and balanced to protect the rights of users and copyright holders alike.
Quick background for those who missed this development: Last March, the European Parliament narrowly approved the new set of copyright rules , squeaking it through by a mere five votes (afterwards, ten MEPs admitted they'd been
confused by the process and had pressed the wrong button).
By far the most controversial measure in the new rules was a mandate requiring online services to use preventive measures to block their users from posting text, photos,
videos, or audio that have been claimed as copyrighted works by anyone in the world. In most cases, the only conceivable preventive measure that satisfies this requirement is an upload filter. Such a filter would likely fall afoul of the ban on general
monitoring anchored in the 2000 E-Commerce Directive (which is currently under reform) and mirrored in Article 17 of the Copyright Directive.
There are grave problems with this mandate, most notably that it does not provide for
penalties for fraudulently or negligently misrepresenting yourself as being the proprietor of a copyrighted work. Absent these kinds of deterrents, the Directive paves the way for the kinds of economic warfare , extortion and censorship against creators
that these filters are routinely used for today.
But the problems with filters are not limited to abuse: Even when working as intended, filters pose a serious challenge for both artistic expression and the everyday discourse of
Internet users, who use online services for a laundry list of everyday activities that are totally disconnected from the entertainment industry, such as dating, taking care of their health, staying in touch with their families, doing their jobs, getting
an education, and participating in civic and political life.
The EU recognized the risk to free expression and other fundamental freedoms posed by a system of remorseless, blunt-edged automatic copyright filters, and they added
language to the final draft of the Directive to balance the rights of creators with the rights of the public. Article 17(9) requires online service providers to create effective and expeditious complaint and redress mechanisms for users who have had
their material removed or their access disabled.
Far more important than these after-the-fact remedies, though, are the provisions in Article 17(7), which requires that Member States shall ensure that users...are able to rely on
limitations and exceptions to copyright, notably quotation, criticism, review and use for the purpose of caricature, parody or pastiche. These free expression protections have special status and will inform the high industry standards of professional
diligence required for obtaining licenses and establishing preventive measures (Art 17(4)).
This is a seismic development in European copyright law. European states have historically operated tangled legal frameworks for copyright
limitations and exceptions that diverged from country to country. The 2001 Information Society Directive didn't improve the situation: Rather than establishing a set of region-wide limitations and exceptions, the EU offered member states a menu of
copyright exceptions and allowed each country to pick some, none, or all of these exceptions for their own laws.
With the passage of the new Copyright Directive, member states are now obliged to establish two broad categories of
copyright exceptions: those quotation, criticism, review and caricature, parody or pastiche exceptions. To comply with the Directive, member states must protect those who make parodies or excerpt works for the purpose of review or criticism. Equally
importantly, a parody that's legal in, say, France, must also be legal in Germany and Greece and Spain.
Under Article 17(7), users should be able to rely on these exceptions. The protective measures of the Directive--including
copyright filters--should not stop users from posting material that doesn't infringe copyright, including works that are legal because they make use of these mandatory parody/criticism exceptions. For avoidance of doubt, Article 17(9) confirms that
filters shall in no way affect legitimate uses, such as uses under exceptions or limitations provided for in Union law and Recital 70 calls on member states to ensure that their filter laws do not interfere with exceptions and limitations, in particular
those that guarantee the freedom of expression of users.
As EU member states move to transpose the Directive by turning it into national laws, they will need to evaluate claims from tech companies who have developed their own
internal filters (such as YouTube's Content ID filter) or who are hoping to sell filters to online services that will help them comply with the Directive's two requirements:
1. To block copyright infringement; and
2. To not block user-submitted materials that do not infringe copyright, including materials that take advantage of the mandatory exceptions in 17(7), as well as additional exceptions that each member state's laws have encoded
under the Information Society Directive (for example, Dutch copyright law permits copying without permission for "scientific treatises," but does not include copying for "the demonstration or repair of equipment," which is permitted
in Portugal and elsewhere).
Evaluating the performance of these filters will present a major technical challenge, but it's not an unprecedented one.
Law and regulation are no stranger to
technical performance standards. Regulators routinely create standardized test suites to evaluate manufacturers' compliance with regulation, and these test suites are maintained and updated based on changes to rules and in response to industry conduct.
(In)famously, EU regulators maintained a test suite for evaluating compliance with emissions standards for diesel vehicles, then had to undertake a top-to-bottom overhaul of these standards in the wake of widespread cheating by auto manufacturers.
Test suites are the standard way for evaluating and benchmarking technical systems, and they provide assurances to consumers that the systems they entrust will perform as advertised. Reviewers maintain standard suites for testing the
performance of code libraries, computers and subcomponents (such as mass-storage devices and video-cards) and protocols and products, such as 3D graphics rendering programs.
We believe that the EU's guidance to member states on
Article 17 implementations should include a recommendation to create and maintain test suites if member states decide to establish copyright filters. These suites should evaluate both the filters' ability to correctly identify infringing materials and
non-infringing uses. The filters could also be tested for their ability to correctly identify works that may be freely shared, such as works in the public domain and works that are licensed under permissive regimes such as the Creative Commons licenses
EFF previously sketched out a suite to evaluate filters' ability to comply with US fair use . Though fair use and EU exceptions and limitations are very different concepts, this test suite does reveal some of the challenges of
complying with Article 17's requirement the EU residents should be able to rely upon the parody and criticism exceptions it defines.
Notably, these exceptions require that the filter make determinations about the character of a
work under consideration: to be able to distinguish excerpting a work to critique it (a protected use) versus excerpting a work to celebrate it (a potentially prohibited use).
For example, a creator might sample a musician's
recording in order to criticize the musician's stance on the song's subject matter (one of the seminal music sampling cases turned on this very question ). This new sound file should pass through a filter, even if it detects a match with the original
recording, after the filter determines that the creator of the new file intended to criticize the original artist, and that they sampled only those parts of the original recording as were necessary to make the critical point.
However, if another artist sampled the original recording for a composition that celebrated the original artist's musical talent, the filter should detect and block this use, as enthusiastic tribute is not among the limitations and exceptions permitted under the Infosoc Directive , nor those mandated by the Copyright Directive.
This is clearly a difficult programming challenge. Computers are very bad at divining intent and even worse at making subjective determinations about whether the intent was successfully conveyed in a finished work.
However, filters should not be approved for use unless they can meet this challenge. In the decades since the Acuff-Rose sampling decision came down in 1994, musicians around the world have treated its contours as a best practice in
their own sampling. A large corpus of music has since emerged that fits this pattern. The musicians who created (and will create) music that hews to the standard--whose contours are markedly similar to those mandated in the criticism/parody language of
Article 17--would have their fundamental expression rights as well as their rights to profit from their creative labors compromised if they had to queue up to argue their case through a human review process every time they attempted to upload their work.
Existing case-law among EU member states makes it clear that these kinds of subjective determinations are key to evaluating whether a work is entitled to make use of a limitation or exception in copyright law. For example, the
landmark Germania 3 case demands that courts consider a balancing of relevant interests when determining whether a quotation is permissible.
Parody cases require even more subjective determination, with Dutch case law holding that
a work can only qualify as a parody if it evokes an existing work, while being noticeably different, and constitutes an expression of humor or mockery. ( Deckmyn v. Vandersteen (C-201/13, 2014) ).
Article 17 was passed amidst an
unprecedented controversy over the consequences for the fundamental right to free expression once electronic discourse was subjected to automated judgments handed down by automated systems. The changes made in the run-up to the final vote were intended
to ensure a high level of protection for the fundamental rights of European Internet users.
The final Article 17 text offers two different assurances to European Internet users: first, the right to a mechanism for effective and
expeditious complaint and redress, and second, Article 17(7) and (4)'s assurance that Europeans are able to rely on their right to undertake quotation, criticism, review and use for the purpose of caricature, parody or pastiche ... in accordance with
high industry standards of professional diligence.
The Copyright Directive passed amid unprecedented controversy, and its final drafters promised that Article 17 had been redesigned to protect the innocent as well as punishing the
guilty, this being the foundational premise of all fair systems of law. National governments have a duty to ensure that it's no harder to publish legal material than it is to remove illegal material. Streamlining the copyright enforcement system to allow
anyone to block the publication of anything, forever, without evidence or oversight presents an obvious risk for those whose own work might be blocked through malice or carelessness, and it is not enough to send those people to argue their case before a
tech company's copyright tribunal. If Europeans are to be able to rely upon copyright limitations and exceptions, then they should be assured that their work will be no harder to publish than any other's.