The High Court of Justice in Northern Ireland recently held that Facebook Ireland misused the private information of a convicted sex offender posted on a Facebook page. This is an interesting little case as it deals with the issue of adequate notice in respect of web-hosting immunity available under the Electronic Commerce (EC Directive) Regulations 2002 (“the 2002 Regulations”).
On the facts of the case, an individual (CG), who had been imprisoned for sexual crimes was is living in an urban community within Northern Ireland. The second defendant, MC published information about CG on an ‘open’ (that is, publicly accessible) Facebook page called “Keeping our Kids Safe from Predators 2”. This included personal details about CG’s identity, his family members, as well as his previous criminal convictions, together with threatening comments directed towards CG. The former was deemed by the Court to encompass so-called ‘sensitive personal data’ as defined under the UK Data Protection Act 1998 (DPA) – an interesting aside by the Court considering that a breach of data protection rules was not alleged by CG in his claim.
The Court held that CG has an expectation of privacy in relation to this private information, which was not out-balanced by the Article 10 (the right to freedom of expression) by MC. Accordingly, MC was found liable by the Court to CG for misuse of his private information, as well as harassment. The Court also found that Facebook Ireland – the first defendant – was liable for misuse of private information from the dates it received letters from CG’s solicitors about the offending material until that material was taken down from its site.
As to the issue of notice, Facebook Ireland argued that it was not liable for damages to CG under the 2002 Regulations because no URLs (web-links) identifying the content requested to be removed was provided with the requests. This is an important argument to make because, under Regulation 19, an Information Society Service provider (‘ISSP’) will not be liable for damages where it “does not have actual knowledge ofunlawful activity or information” and “is not aware of facts or circumstances from which it would have been apparent to the [ISSP] that the activity or information was unlawful”. If the ISSP subsequently obtains such knowledge, then it must act “expeditiously to remove or disable access to the information” to remain exempt from liability.
In determining whether an ISSP has “actual knowledge”, Regulation 22 of the 2002 Regulation provides that “a court shall take into account all matters which appear to it in the particular circumstances to be relevant”. Among other things, the Regulation goes on, these include having regard to whether the ISSP has received notice through a specified email address, together with the extent to which any such notice includes: i) the full name and address of the sender of the notice; ii) details of the location of the information; and, iii) details of the unlawful nature of the activity or information in question. Facebook Ireland argued that the notice it received was not appropriate having regard to this provision as applied to the manner in which the requests it received were made.
Notwithstanding, the Court found that Facebook Ireland did have “actual knowledge” in the particular circumstances and was, therefore, not able to limit its liability for damages. In particular, the Judge stated that Regulation 22 should not be viewed prescriptively to the particular manner in which notice is to be given to an ISSP in requesting removal of content, or as to how actual knowledge is acquired. Therefore, it was not deemed necessary “for [CG] to provide URLs of the individual postings or for the plaintiff to set out a definitive analysis of the unlawful nature of each and every posting”. The Judge went on to say that Facebook “would have been aware of facts or circumstances from which it would have been apparent to it that the activity or information was plainly unlawful being misuse of private information and harassment of the plaintiff”. This was by virtue of the content of the postings themselves and bearing in mind that Facebook Ireland had previously been involved in similar proceedings relating to another site page published by MC (called “Keeping our Kids Safe from Predators”).
Therefore, the Court ruled that the postings should have been (but were not) removed expeditiously following the removal requests. The Court also stated that Facebook Ireland had sufficient resources to determine whether something is unlawful under UK law, without it being necessary to have that “spelled out to it on each occasion” which laws are being contravened in relation to pages about which it receives removal requests.
It is worth noting that in the preceding, related litigation (in 2012), the High Court also found Facebook Ireland in breach of (inter alia) the right to privacy under Article 8 of the European Convention on Human Rights and, consequently, granted an interim injunction against it requiring it to remove a page entitled “Keeping Our Kids Safe From Predators”. This order was made despite the fact that Facebook had already voluntarily removed the sex offender’s name, photograph and comments relating to the photograph, and thus infringement of their rights had already occurred. However, despite this, the Court refused to order Facebook to monitor its website for republication of the offending page on the basis that such an order would lack the requisite precision, could impose a disproportionate burden and, further, would potentially require excessive supervision by the Court.
This post originally appeared on the Peep Beep! blog and is reproduced with permission and thanks