As the shock waves of the ECJ’s decision in Google Spain v González  EUECJ C-131/12 (13 May 2014) continue to lap up against California’s shorelines, thorny questions continue to arise by the day as to the scope of the decision.
As I blogged a couple of weeks ago, one of these questions is how the decision sits alongside the “safe harbour” provisions in Articles 12, 13, and 14 of the E-Commerce Directive 2000, which provide important protection for intermediaries against damages claims against them in relation to third party content.
On close analysis, the position in the UK under the Data Protection Act 1998 (the “DPA”) may be surprising to some, particularly readers in the US; it appears to be the case that, regardless of notice to Google, if the unlawful data processing by Google is sufficient to cause the data subject damage (which in Johnson v Medical Defence Union (No. 2) (CA)  EWCA Civ 262 was held to mean pecuniary loss) or both damage and distress under section 13 of the DPA, the data subject can recover damages from Google unless Google can show (under section 13(3)) that it took “such care as in all the circumstances was reasonably required” to comply with the Data Protection Act.
There is no express requirement in section 13 that the data controller has actual knowledge of the unlawful nature of the data processing. For example, if the data controller failed to adopt adequate security measures to prevent a hacker publishing unlawful material, it might be liable regardless of knowledge of the inaccuracy of the data.
In other words, in serious cases, Google might be liable for damages for unlawful data processing even if it did not have actual knowledge of the unlawful data processing.
The critical question will of course be what is “reasonably required” of Google for the purposes of the defence under section 13(3) and the extent to which knowledge is relevant, but the issue is worth examining in a little more detail.
The safe harbour provisions
The safe harbour provisions in Articles 12, 13 and 14 of the E-Commerce Directive 2000 provide protection against damages claims (not injunctions) for:
- “Mere conduit” – where services provided by the internet intermediary consist of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network (Article 12);
- “Caching” – where the internet intermediary’s service consists of the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients of the service upon their request (Article 13); and
- “Hosting” – where an information society service is provided that consists of the storage of information provided by a recipient of the service (Article 14).
So, for example, Article 14 provides a defence to the intermediary hosting provider in circumstances where “(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.” Google’s blogging service, Blogger.com, would benefit from this defence in circumstances where it acted quickly to remove unlawful material upon notice of it.
Each of these provisions has slightly different conditions attached and each has made its way into the national law of 28 member states in slightly different ways. The English equivalent is Regulations 17, 18, and 19 of the E-Commerce (EC Directive) Regulations 2002.
Exclusion for matters relating to personal data
However, whilst these safe harbour provisions apply to a wide variety of claims for defamation, breach of privacy, copyright and trade mark infringement, they do not apply to data protection claims. This was very specifically considered in recital 14 to the E-Commerce Directive:
“(14) The protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(19) and Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector(20) which are fully applicable to information society services; these Directives already establish a Community legal framework in the field of personal data and therefore it is not necessary to cover this issue in this Directive in order to ensure the smooth functioning of the internal market, in particular the free movement of personal data between Member States; the implementation and application of this Directive should be made in full compliance with the principles relating to the protection of personal data, in particular as regards unsolicited commercial communication and the liability of intermediaries; this Directive cannot prevent the anonymous use of open networks such as the Internet.”
Indeed matters covered by the Data Protection Directive were specifically excluded by Regulation 3(1)(b) of the E-Commerce (EC Directive) Regulations 2002, the implementing legislation in the UK.
And so Google’s helpful new online tool for making requests for personal data to be blocked from its search results may help it to comply with notices to prevent processing made under section 10 of the DPA, but it does not necessarily help Google to avoid claims for damages.
A take-down example
Let’s take the situation where an anonymous internet user posts inaccurate and highly offensive and distressing personal data about another individual (the data subject) on multiple Google hosted blogs, which all appear prominently in the Google search rankings. The data subject asks Google to remove the material from its hosted websites and to block the material from its search results on the basis that the data is inaccurate contrary to the fourth data protection principle (Schedule 1 to the DPA). Google removes the material two weeks later but not before the data subject has suffered serious damage and distress. Is Google liable for that damage and distress?
In relation to a claim for libel and malicious falsehood, Google may have to show that the two week turnaround time was “expeditious” within the meaning of Article 14 of the E-Commerce Directive (Regulation 19 of the E-Commerce Regulations in the UK). But in relation to a claim for damages under section 13 of the DPA it would have to show that it took “such care as in all the circumstances was reasonably required”. Does that mean it had obligations before it had notice (bearing in mind that the “no general obligation to monitor” protection of Article 15 of the E-Commerce Directive does not apply)? Time will tell as to whether there is any difference between these requirements.
Google as a host v Google as a search engine
It is also important in this debate to assess whether there is any difference between Google as a search engine and Google as a host of websites. Google will argue, as it did successfully in England in Metropolitan Schools v Google ( EWHC 1765 (QB) (16 July 2009)), that its services as a search engine are passive in nature and therefore within the “mere conduit” definition. However, that case did not decide that Google could never be liable as a search engine for defamatory material appearing in its search results. It simply found that Google was not liable for the automated generation of snippets in that particular case. It is worth remembering what Eady J said:
“A search engine, however, is a different kind of Internet intermediary. It is not possible to draw a complete analogy with a website host. One cannot merely press a button to ensure that the offending words will never reappear on a Google search snippet: there is no control over the search terms typed in by future users. If the words are thrown up in response to a future search, it would by no means follow that the Third Defendant has authorised or acquiesced in that process.
There are some steps that the Third Defendant can take and they have been explored in evidence in the context of what has been described as its “take down” policy. There is a degree of international recognition that the operators of search engines should put in place such a system (which could obviously either be on a voluntary basis or put upon a statutory footing) to take account of legitimate complaints about legally objectionable material. It is by no means easy to arrive at an overall conclusion that is satisfactory from all points of view. In particular, the material may be objectionable under the domestic law of one jurisdiction while being regarded as legitimate in others.
In this case, the evidence shows that Google has taken steps to ensure that certain identified URLs are blocked, in the sense that when web-crawling takes place, the content of such URLs will not be displayed in response to Google searches carried out on Google.co.uk. This has now happened in relation to the “scam” material on many occasions. But I am told that the Third Defendant needs to have specific URLs identified and is not in a position to put in place a more effective block on the specific words complained of without, at the same time, blocking a huge amount of other material which might contain some of the individual words comprising the offending snippet.
It may well be that the Third Defendant’s “notice and take down” procedure has not operated as rapidly as Mr Browne and his client would wish, but it does not follow as a matter of law that between notification and “take down” the Third Defendant becomes or remains liable as a publisher of the offending material. While efforts are being made to achieve a “take down” in relation to a particular URL, it is hardly possible to fix the Third Defendant with liability on the basis of authorisation, approval or acquiescence.”
And so the key question in defamation law is how long Google has to respond, and what efforts it needs to expend in relation to the blocking of a specific URL, before it can be said to acquiesce in the publication and therefore be liable in damages. In that respect, Google’s position is no different from when it is performing the role of a host, which was considered by the Court of Appeal in Tamiz v Google ( EWCA Civ 68), a case in which Google just about got away with not removing the material complained of over a period of five weeks.
The Financial Times reported that Google received around 41,000 take-down requests within 4 days of announcing its new online take-down tool. It would be very interesting to see how many of those complaints have intimated claims for damages and how many could equally be made as claims for defamation. Google may want to find a way of prioritising these over frivolous attempts by criminals to hide their past misdemeanours, because claimants will shortly be queuing up to complain about any take-down requests that are not being dealt with quickly enough.
Ashley Hurst is a Partner specialising in media and internet disputes at Olswang LLP