Responding to GDPR "Right to Erasure" Requests
The General Data Protection Regulation (GDPR) is a sweeping new data protection and privacy law out of the EU. One of the things the GDPR includes is the ability of EU citizens to send "Right to Erasure" requests to websites, asking that those websites remove content that might be private. Recently, we received one of these requests from our domain registrar asking that we remove a court document from our database on CourtListener. It appears that this is a growing problem for other legal publishers too, with techdirt doing a write up of the issue late last week:
GDPR Being Used To Try To Disappear Public US Court Docket https://t.co/PlXcm0wl4n
— techdirt (@techdirt) September 21, 2018
GDPR is a major development in the regulation of the Internet. It includes protections for individuals and a variety of regulations that apply to service providers like us. When GDPR went into effect, we were easily able to comply with its numerous privacy regulations because we were already being extremely conservative about who we shared data with and how much data we collected (see our privacy policy for details). For us, adopting compatible procedures with the GDPR just meant a few tweaks — no big deal.
Until last week that is, when we received a "Right to Erasure" request demanding that we remove a case from CourtListener. Now we have an EU regulation that's at odds with our goal of gathering and sharing important legal information. What's worse, if we complied with this request, we would be removing precedential information from CourtListener. Our policy is to never do that without a court order from a competent jurisdiction. In short, this take down request is at odds with our goals — and with the design of the American legal system.
So where do we bend? Who wins in this conflict between us, the GDPR, and the individual wishing to remove content from CourtListener? What follows is our approach to responding to this kind of request. The short version is that we won't comply. We don't believe we are subject to the GDPR, and even if we were, it has numerous carve outs specifically for the kind of information we provide.
Read on for the details of our approach.
How We Strike A Balance Historically
CourtListener is a website operated by the non-profit Free Law Project. CourtListener attempts to collect primary legal materials, such as United States court documents, and to archive and provide legal research tools for the public, journalists, and scholars to use these materials.
CourtListener frequently receives requests from individuals or corporations who wish their name or a court document mentioning them to be removed from the site. We do not feel we have a role as an extra-judicial body to decide which of these to remove. As explained in the site's Removal Policy, when we receive these requests, we take steps to try to remove CourtListener links from search engines. However, we do not remove content from CourtListener unless a court of competent jurisdiction orders us to.
In this way, those doing searches on generic search engines are not likely to encounter the information, but those doing research on CourtListener may still access the document. We have adhered to this policy or one like it since 2010, and it has served us well as a balance between an individual or corporate privacy interest and the need for high-quality open legal data.
We do not believe we should or must change this approach in response to the GDPR.
We Are Not Subject to the GDPR
As a California public benefit corporation with 501(c)(3) non-profit status in the United States, we categorically reject the notion that we are subject to laws or regulations promulgated by the European Union or its member states.
We collect United States legal materials for a U.S. audience. Our principal place of business, our Executive Director, our board members, our servers, our ISP, and all of our regular activities are located within California. We place no advertisements in European jurisdictions, and have never purposefully directed any of our activities at any European state or its citizens.
As a generally-available website on the internet, CourtListener is accessible to internet users not only in the United States, but globally, whether the user is in Europe, other parts of the Americas, the Middle East, Africa, Asia, or the Pacific Islands. A chief difficulty with purporting to apply an EU-specific law to a site like CourtListener is the inevitability of conflicting laws or regulations from all of these other jurisdictions.
Put simply, Free Law Project is wholly based within the United States and therefore follows U.S. law. It has no activities in Europe, and so is not obligated to follow EU law.
Even If We Were Subject to GDPR, We Wouldn't Have to Remove this Information
Even were the GDPR to apply to Free Law Project, which we reject, the GDPR itself recognizes that not every "Right to Erasure" request will be honored. The GDPR provides several exceptions that would apply to sites like CourtListener.
First, the GDPR recognizes a right of freedom of expression, and Free Law Project firmly believes that its freedom to speak includes the right to make available these U.S. primary legal materials.
Second, the GDPR also recognizes an exception for archiving purposes in the public interest, for scientific or historical research purposes, or statistical purposes. This is precisely the activity of Free Law Project, which aims to create an archive of U.S. legal materials for the public interest and for scientific, statistical, and historical research purposes.
Notably, the nature of legal research also critically relies on individual names. Historical precedent within U.S. law has led to the practice of referring to cases by the names of the parties. For example, the 1966 United States Supreme Court decision holding that prisoners must be advised of their rights before being questioned by police is captioned Miranda v. Arizona, and is universally known and referred to as “Miranda”, the name of the arrested person in the case.
If a litigant wishes to preserve their privacy through judicial proceedings, their appropriate remedy is with the original court who can seal documents or order the use of pseudonyms. This practice was followed in the 1973 United States Supreme Court decision on a woman’s right to an abortion, Roe v. Wade, when it referred to the petitioner throughout with the pseudonym "Jane Roe." When a litigant fails to take such steps to preserve their purported privacy interests before the court, then third-party sites that merely collect the public documents that courts produce should not be obligated to recognize an interest the litigant only belatedly decided to assert.
Finally, in specific cases, other exceptions to the GDPR might apply, such as the broad exception "for the establishment, exercise or defence of legal claims."
In conclusion, as explained in our Removal Policy, we have given extensive thought to the appropriate balance between the public’s interest in access to the law and the privacy interests of individual litigants. We believe our current Removal Policy strikes the correct balance, and we will not alter it to comply with regulations that can have no proper application to our activities.
