On Tuesday, the House and Senate Armed Services Committees finally released the proposed text of the National Defense Authorization Act, all 4400 pages of it. And as had been previously reported, a “judicial privacy” bill takes up 30 of those pages. As I’ve explained in earlier posts, this judicial privacy bill would violate the First Amendment by censoring truthful speech about public officeholders. Unfortunately, the latest text of the bill as incorporated in the NDAA is even worse than previous versions.

The basics of the bill remain the same as prior versions, and those basics are bad enough. If passed into law, every American would risk facing mandatory takedown requests for posting standard biographical facts about federal judges online, including their birthdates, the jobs of their spouses, and the colleges attended by their children. The bill also arbitrarily limits its restrictions to the internet but not other media, and it allows speech to be suppressed even if it poses no possible security threat. As I wrote late last year in the Wall Street Journal, the law would clearly fail to satisfy First Amendment scrutiny under several Supreme Court precedents.

[UPDATE December 9, 2022: On Thursday afternoon, the House passed a further revised version of the NDAA that omitted the language about Section 230 discussed in the next four paragraphs. But even without this language, the plain text of the bill still applies to the “display” of information, not just to posting. As discussed below, that requirement will still apply to social media networks and other sites that host third-party speech.]

But the latest version of the text makes it explicit that the bill would not only stifle the speech of individuals, but would also place a tremendous burden on online speech platforms. In new text, not present in prior versions, the bill now announces that nothing in the bill shall be construed “to impose liability on an interactive computer service in a manner that is inconsistent with the provisions of section 230 … if the interactive computer service—(A) has removed or disabled access to material identified in a [takedown] notice or request, as permitted under [Section 230]; and (B) otherwise complies with” the portion of the bill describing how takedown requests work.

What is the purpose of this language? Section 230 is a provision of federal law that, among other things, protects the provider of an interactive computer service (a technical term for any interactive website, like a social media platform) from being held liable in court for “any action voluntarily taken in good faith to restrict access to or availability of material …” The most straightforward reading of the privacy bill’s new language is that it is solely meant to reassure that nothing about that protection will change. If a website owner complies with a takedown request sent under this new bill and removes information posted by a third party about a judge from the site, that is an action to “restrict … availability of material.” And because of Section 230, no one can sue the website for taking down that information. As the new bill language reiterates, removing third-party material from one’s own website is legally “permitted” because of this provision of Section 230.

But this new bill language is arguably ambiguous in its implications for what happens when a website does not comply with a takedown request. The new text says that the bill should not be construed to impose liability inconsistent with Section 230 if a site removes the information about a judge and otherwise complies with a takedown request. But what if a site does not comply with a takedown request? Does this language suggest, by negative implication, that the privacy law can be construed, in that scenario, “to impose liability on an interactive computer service” in a way that would otherwise violate Section 230?

Whether this negative implication is intended or not, one thing is now clear: the requirements in the bill to comply with a takedown request apply not just to individual writers posting information online, but also to online platforms that host information posted by third parties. If it did not apply to interactive computer services that host third-party speech, then it would make no sense for the bill to stress that Section 230’s protections for content moderation decisions still apply whenever an interactive computer service complies with a takedown request by removing third-party speech. If the requirements to comply with a takedown request did not extend to removals of third-party speech, online platforms would never have to face this question in the first place.

The plain text of the privacy bill defining who must comply with a takedown request further supports this reading. The bill states that “no person, business, or association shall publicly post or publicly display on the internet” covered information about a federal judge if that judge “has made a written request to that person, business, or association not to disclose” the information. The law thus extends to “businesses” who “display” information, not just to “individuals” who actually “post” the information themselves. In other words, under the plain text of the law, a takedown request could be sent not just to an individual who posts a judge’s birthdate on Twitter, but also to Twitter itself for displaying the tweet (even though it was not written by Twitter).

Whether or not the bill implicitly abrogates Section 230 in any other way, this requirement itself goes against the spirit of Section 230, at the very least. Besides protecting moderation decisions, Section 230 also declares that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” But if a platform refuses to comply with a takedown request sent under the judicial privacy bill, the platform could be sued for a court order requiring it to comply. And if a platform loses such a suit but still refuses to take down the post, it could be sued for money damages as well. Thus, the very enforcement structure at the heart of the bill arguably treats platforms as the publishers or speakers of information about judges posted by third parties—it certainly puts them on the hook to evaluate and respond to takedown requests just as if they were the actual posters of the information, with all the same risk of liability for noncompliance.

And the burdens of compliance are exponentially more burdensome and complex for large platforms that host billions of posts. In new language, the judicial privacy bill would now require the recipient of a takedown request to not just remove the “information identified in the written request” within 72 hours but also “identify any other instances of the identified information that should also be removed.” Thus, in the hypothetical above, Twitter would not just have to remove a tweet identified in a takedown letter, but also do the work itself to determine whether the birthdate posted in that tweet has also been posted in any other tweets. Indeed, more newly revised language bolsters this reading by emphasizing that the recipient of a request must “assist the sender to locate the covered information … posted on any website or subsidiary website controlled by that person, business, or association.”

Not only will compliance with these requirements be an onerous task for companies that control websites hosting billions of posts, it will also force those companies to make fast and difficult legal judgments. The judicial privacy bill carves out an exception for facts that would otherwise be covered if they are “relevant to and displayed as part of a news story, commentary, editorial, or other speech on a matter of public concern.” While I believe this exception does not go far enough to bring the law into compliance with the First Amendment, it is a crucial exception that at least prevents the most egregious forms of censorship. To protect the speech rights of its users, platforms will thus have to evaluate, for every takedown request, whether the posted fact in question falls under this exception (all within 72 hours!). And if they refuse to comply, they will potentially have to spend the legal resources to defend that view in court after an enforcement suit is initiated.

Besides this major concern for the rights of online platforms, the latest text of the bill makes a few other changes, and most of them make the bill even more restrictive of speech than previous versions. While prior versions allowed judges to send takedown requests for facts about themselves and their immediate family members, now those immediate family members may, in addition, send takedown requests for facts about their own immediate family. So a judge’s mother could censor the birthdate of her sister (the judge’s aunt), a judge’s brother could censor the employer of his wife (the judge’s sister-in-law), or a judge’s daughter could censor the college of her son (the judge’s grandson). If the purpose of the law is to guard judicial privacy, it is even harder to justify this level of censorship for biographical facts about extended family members.

In addition, the latest version now covers not just current but future schools attended by immediate family, so congratulating a judge’s adult daughter for acceptance to Harvard Law School would be covered. The new text also covers “the name or address of the employer” of a family member, whereas prior versions covered “the name and address.” This leaves no doubt, if there was any before, that the name alone of an employer is enough to run afoul of the law. So a sentence as terse as “Justice Barrett’s husband works for SouthBank Legal” would be covered and subject to takedown.

Finally, the procedure for enforcing a takedown request if a recipient does not comply within 72 hours has been changed in two relevant ways. Whereas prior versions of the bill required judges themselves to enforce their own requests by bringing suits, that responsibility is now given to the Director of the Administrative Office of the United States Courts, who can use Department of Justice attorneys. This change was likely made because federal judges would often not have the time or resources to bring enforcement suits on their own. But one additional potential consequence is that, if the bill becomes law, this change may make it easier to bring a pre-enforcement challenge to review the constitutionality of the law, since the Director is now a natural defendant for such a suit as the single federal official charged with enforcing the law.

Moreover, since judges themselves would no longer use their own resources to bring suit, recipients of takedown request would no longer have to pay “the costs and reasonable attorney’s fees” for those judges if they fight a takedown request in court and lose. While this is a small improvement to the law, it is still the case that businesses and individuals will have to pay their own litigation costs to defend their right to post truthful information, which is no small burden.

In sum, although there is a constitutional way to balance freedom of speech with reasonable concerns for judicial security, this law does not accomplish that balance. As the latest bill text makes clear, this law would burden not just individual writers but also large online platforms with the chilling effect of threatened litigation over simple and true facts. Even if the courts eventually strike down the unconstitutional portions of the proposed law, it will needlessly cause much litigation expense and self-censorship in the interim. Congress should go back to the drawing board rather than attempting to tweak this fatally flawed bill.