FacebookThe courts in Northern Ireland have handed down two important judgments on the civil liability of social media companies for content posted by users.

The Court of Appeal in Northern Ireland’s (“NICA”) long-awaited decision in CG v Facebook Ireland & McCloskey [2016] NICA 54 arose from privacy, harassment and data protection claims brought by a convicted sex offender on the basis of information posted on Facebook. Facebook Ireland (“Facebook”) was held to be liable for the misuse of private information (“MPI”) for some of the posts.

One day earlier in J20 v Facebook Ireland [2016] NIQB 98 the High Court found Facebook liable for MPI for material posted by users but it dismissed a harassment claim.

These judgments address the application of the e-Commerce Directive (2000/31/EC) and the e-Commerce Regulations 2002, which implement the Directive in the UK. This legislation provides protection (the so-called “safe harbour defences”) to information society services (“ISS”/intermediaries) from liability for the unlawful content/activity of their users, provided that they have not failed to remove/block it once they have actual or constructive knowledge of the material concerned. The cases discussed in this article concern only hosts but there are analogous defences for intermediaries involved in caching data, as well as “mere conduits”.

CG v Facebook Ireland


The CG case arises from the publication of information about CG, a convicted sex offender who was released on licence in 2012, on three public Facebook pages. In April 2013, Mr McCloskey re-published on a page he had created, “Keeping Our Kids Safe from Predators II,” (“the McCloskey Page”) a news article published at the time of CG’s conviction. This included information about the offences, his name and photograph. This post attracted more than 150 comments, including abuse, support for serious violence against CG and references to where he was living. In November 2013 the Second Page was set up by another person, RS (the father of one of CG’s victims), which identified CG by name as a convicted sex offender and referred to the area in which he was believed to be living – this precipitated threats of violence. In December 2013, RS posted the Third Page containing CG’s photograph. This was without reference to his locality or his name, but it gave rise to comments about his danger to children.

CG’s solicitors asked Facebook to remove the pages on the basis that they were defamatory and in violation of Article 2 of the ECHR. Facebook responded that its online tool should be used for such requests and that Facebook could not locate and investigate comments without the URL for each one. Facebook removed the April 2013 posts shortly before proceedings were issued. Facebook removed RS’s page in early December 2013 after further letters and once CG had provided the URLs.

CG issued privacy and data protection claims against Facebook and a harassment claim against Mr McCloskey. Another sex offender (XY) had previously brought harassment (and Article 3 of the ECHR) proceedings against Facebook ([2012] NIQB 96) relating to a previous iteration of Mr McCloskey’s page. XY obtained an injunction requiring Facebook to remove the page.

Judgment of the High Court

At first instance ([2015] NIQB 11) Stephens J held Mr McCloskey to be liable for harassment. An injunction was granted preventing him from harassing CG and requiring Facebook to terminate McCloskey’s page.

As to the privacy claim against Facebook, the court held that CG had a reasonable expectation of privacy in relation to a broad range of information, including: the photographs, his name used in conjunction with information about where he lives, his (previous) address or similar, and his convictions and the risks he poses (unless disclosure is required by Public Protection Arrangements NI). Rejecting the suggestion that notice of the pages/posts complained of had to be given in a particular manner, the judge held that Facebook had actual knowledge of the posts by virtue of:

a) … the XY litigation,

b) … that litigation combined with the letters sent to the first defendant and to its solicitors, and

c) … those letters combined with some elementary investigation of the profile/page and/or the internet” [95].

Accordingly, Facebook was held to be liable for MPI in respect of all three pages. Stephens J awarded CG a total of £20,000 in damages against the two defendants.

The claim under the Data Protection Act 1998 (“the DPA”)  was dismissed on the basis that it was not established that Facebook Ireland maintained an office, branch or agency in the UK through its relationship with Facebook UK, i.e., it was not established in UK for the purposes of s.5 of the DPA.

Facebook appealed and CG cross appealed. The appeal was heard in April 2016.

Judgment of the NICA

In a judgment handed by down by Morgan LCJ (with whom Gillen and Weatherup LLJ agreed), the NICA allowed parts of Facebook’s appeal and (broadly) allowed the cross appeal.

The NICA set aside most of Stephens J’s findings on reasonable expectation of privacy. Disagreeing with the approach adopted by Stephens J, the court cautioned against reading across from the definition of sensitive personal data under s.2 of the DPA to establish that information is private for the purposes of the tort of MPI. CG had no reasonable expectation of privacy in relation to the publication of his name or details of his convictions. It followed that CG had no reasonable expectation of privacy with regard to the Third Page.

Noting that the privacy claim was based on intrusion (as opposed to the publication of confidential information), the court considered the context in which the pages and comments were published was critical to the privacy claim. Morgan LCJ held that, while information such as the photograph of CG, his name, the circumstances of his offending and his general location may not ordinarily attract a reasonable expectation of privacy, the “harassment context” and threats of violence against CG meant that this was “cumulatively information in respect of which the respondent had a reasonable expectation of privacy because of the risk that those who wished to do him harm could have established his whereabouts in order to do so” [49].

Having concluded that a claim for misuse of private information was made out in respect to this information, the court approached Facebook’s defence under regulation 19 of the 2002 Regulations (i.e., the defence for hosting content) by asking:

“Whether Facebook had actual knowledge of the misuse of private information which we have identified or knowledge of facts and circumstances which made it apparent that the publication of the information was private” [62].

Morgan LCJ set aside most of Stephens J’s findings on notification and knowledge. Concerning the information published on the McCloskey Page, the NICA held that actual knowledge could not have been derived from the XY litigation, not least because it contained no privacy claim. Nor was such knowledge provided by a letter before claim referring to defamation and an apparent immediate risk to life (and not to the basis of claims for either harassment or MPI). The court considered it relevant that the correspondence indicated neither why the photograph was said to be private information nor the fact that CG was complaining about the publication of the area in which he was allegedly residing. The court held that liability could only have arisen on the basis of three matters identified by Stephens J (see above) if Facebook was subject to a monitoring obligation, which is not permitted under the e-Commerce Directive.

It was only in relation to the Second Page that was Facebook held to have had knowledge of facts and circumstances making it apparent that the material published amounted to private information. This was on the basis that a letter (on 26 November 2013) from CG’s solicitors complained of the identification of the general area in which he was living and referred to the police having warned him that his life was under threat from paramilitaries. Facebook was on notice of the risk to CG and failed to act expeditiously to take down the information. Accordingly, it was liable for the misuse of private information only from 26 November until 4/5 December 2013.

For the purposes of this litigation Facebook accepted it was a data controller of the personal data on the three pages within the meaning of s.1 of the DPA. Its argument focused on its not being established in the UK within the meaning of s.5. Applying the Court of Justice’s decisions in Case C131/12 Google Spain v APED and Gonzalez EU:C:2014:317 and Case C230/14 Weltimmo v Nemzeti Adatvedelmi EU:C:2015:639, the court held that Facebook Ireland is a data controller for the purposes of s.5 of the DPA and can therefore be liable under this act. Morgan LCJ reaffirmed that the Data Protection Directive (95/46/EC) has a broad territorial scope and should not be interpreted restrictively. It did not that matter that, in contrast to Google, EU residents might have a data protection remedy in Ireland against Facebook Ireland. The court found that:

Facebook (UK) Ltd was established for the sole purpose of promoting the sale of advertising space offered by Facebook […It…] is responsible for engaging with those within this jurisdiction who seek to use the Facebook service for advertising. It holds relevant data which it processes on behalf of Facebook in respect of advertising customers. […] [T]here is an irresistible inference in the absence of any further explanation that Facebook (UK) Ltd was established to service Facebook and is part of the wider Facebook group of companies” [90].

Finally, the court rejected CG’s contention, relying on Article 1(5) of the e-Commerce Directive, that the e-Commerce Directive does not apply to claims under the DPA. Morgan LCJ reasoned that the e-Commerce Directive provides a “tailored solution” to ISS liability. Their liability to pay damages is not a question that is covered by the Data Protection Directive and therefore the scope of the exemption from damages is not affected by that directive.

Ultimately, the court held Facebook to be liable in damages for MPI for failing to take down the Second Page expeditiously from 26 November 2013 (when it had the requisite knowledge) until 4/5 December 2013 when the information was removed. Facebook’s Regulation 19 defence was upheld in respect of the period before 26 November and in relation to the McCloskey Page. CG was ultimately awarded £2,000 in damages.

J20 v Facebook Ireland


J20 issued privacy and harassment proceedings against Facebook relating to three pages posted (and comments published thereon) between 11 and 16 September 2013. The pages included doctored photographs of the claimant and comments which, among other things, referred to him as a “Loyalist bigot” who organises parades; suggested that he was a “woman beating snake”; asserted that he did not bother with his Catholic children; and labelled him as a “tout”. The claimant sought to get the posts removed both though Facebook’s online tool and through a letter on 13 September 2016. He also obtained interim relief ordering the removal of the pages. All of these posts were deleted or removed (seemingly by the user) by 9 October 2013. Unlike in CG no claim was brought against any of the authors/publishers of the pages or comments.

Judgment of the High Court

Colton J held that the harassment claim was not made out on the basis that neither the photographs nor the comments amounted to a course of oppressive and unacceptable conduct (he contrasted these comments with those complained of in CG).

The judge held that J20 had no reasonable expectation of privacy in respect of his name, age or the area in which he lived (these were all matters of public record following his conviction for involvement in protests) or the photographs (which were taken in public places). However, Colton J held that J20 had a reasonable expectation of privacy regarding the religion of his children and his alleged status as a “tout” (informant). There was no justification for the publication of this information.

Having established that the tort of misuse of private information was made out, the judge considered Facebook’s reliance on the Regulation 19 hosting defence. The defence failed on the footing that Facebook was found to have had actual knowledge of the unlawful nature of the information posted and failed to act expeditiously to remove it. To the contrary, Facebook decided not to remove the material when the complaint was made because it concluded that the posts did not violate its community standards. Colton J concluded that Facebook was liable for MPI. He awarded only £3,000 in damages due to the limited nature, extent and duration of the breaches, as well as the fact that J20 had not suffered psychiatric injury as a result of the postings. This judgment has been appealed to the NICA.

In Part 2 of this post I will consider the implications of these two decisions.

Aidan Wills is a barrister at Matrix Chambers. He specialises in media and information law, public law and employment law.