The liability of intermediaries, such as social media companies, and the scope of the defences under the 2002 Regulations/e-Commerce Directive is a matter of considerable significance as many thousands of content-related complaints are made on a daily basis.
If claimants can establish a cause of action in relation to the acts of a service user, an ISS may be liable for damages unless it can rely on one of the safe harbour defences. The focus here is only on the defence for hosts.
Reasonable expectation of privacy and sensitive personal data under the DPA
The NICA’s findings on reasonable expectation of privacy in CG v Facebook underline the importance of cumulative information and context when assessing whether such information is private. Pieces of information which may not otherwise or alone have attracted a reasonable expectation of privacy may do so when published together or in a context in which they are likely to result in intrusion into a person’s private and family life. There is an overlap here between the interests protected by the tort of MPI and the Protection from Harassment Act 1997.
In CG the NICA observed that there is not always a convergence between what is (sensitive) personal data under the DPA and information in respect to which a person has a reasonable expectation of privacy. Unspent criminal convictions are the archetypal example of this: they are sensitive personal data within the meaning of s.2 of the DPA but would not attract any reasonable expectation of privacy.
After holding that (among other information) CG had no reasonable expectation of privacy regarding the publication of his convictions (alone), the court did not go on to address the position under the DPA. Consequently, the court did not consider the application of the Regulation 19 defence to the DPA claim. This may not have led to a different outcome but it is nevertheless a surprising omission.
Notification and knowledge
The primary significance of these decisions lies in the guidance they contain concerning the concepts of notice and knowledge, which are central to intermediary liability. It is worth reciting what the 2002 Regulations say in this regard.
Regulation 19 establishes the so-called hosting safe harbour defence for ISS, such as Facebook. It provides:
[T]he service provider (if he otherwise would) shall not be liable for damages or for any other pecuniary remedy … as a result of that storage where …the service provider—
(i) does not have actual knowledge of unlawful activity or information and, where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful; or
(ii) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, and….
The relationship between giving notice and ISSs acquiring such knowledge is set out in Regulation 22:
In determining whether a service provider has actual knowledge … a court shall take into account all matters which appear to it in the particular circumstances to be relevant and, among other things, shall have regard to—
(a) whether a service provider has received a notice through a means of contact made available in accordance with regulation 6(1)(c), and
(b) the extent to which any notice includes— …
(ii) details of the location of the information in question; and
(iii) details of the unlawful nature of the activity or information in question.
These judgments in CG and J20 contain guidance as to the interpretation of these regulations and the expectations of both complainants and intermediaries:
- There is no requirement to give notice through Facebook’s online notification procedure; providing an ISS with actual knowledge of the relevant matters is sufficient regardless of how notice is given. Intermediaries must provide a “speedy, direct and accessible service” (CG at ). ISS are unlikely to be able to rely on technical defects in the process through which notice is given of an allegedly unlawful publication (J20 at ).
- The NICA judgment in CG suggests that providing information on the location of a page complained of is necessary . CG had provided the URLs for the material for which Facebook was held to be liable. Having made this finding, the court did not address whether reference to the location of material must necessarily include a URL. The decision in J20 suggests that, in relation to Facebook pages, reference to (and possibly the URL of) the impugned page as a whole would suffice, without providing the individual URLs of all posts complained of.
- As to the vexed question of what information must be provided when giving notification of alleged unlawful content (in order to fix an intermediary with knowledge), these decisions provide a partial answer. In CG the NICA held that: “the omission of the correct form of legal characterisation of the claim ought not to be determinative of the knowledge of facts and circumstances which fix social networking sites such as Facebook with liability. What is necessary is the identification of a substantive complaint in respect of which the relevant unlawful activity is apparent” (CG at ). The NICA considered that this test was not met where the claimant relied on misconceived causes of action and failed to advance any detailed analysis of the materials provided to the intermediary in support of his argument that a page amounted to a misuse of private information . Although such considerations are undoubtedly fact sensitive, the following observations of the High Court in J20 are arguably of greater assistance to claimants: an ISS
“should be expected to know the relevant law in relation to such matters as defamation, harassment and breach [misuse] of private information when a complaint is drawn to its attention. It cannot simply turn a blind eye to complaints and say that a complainant has failed to properly categorise the legal basis of that complaint” .
Colton J’s decision suggests that the courts may expect an ISS to remove content when one of these causes of action is evident on the face of the material and without the need for further information, c.f., for example, a defamation claim with innuendo meanings . This issue is likely to demand further guidance from the courts.
- The approach to the 2002 Regulations should take account of the fact that those using a notice and take down procedure will often not have the benefit of professional legal advice (CG at ). It remains to be seen whether the courts assess the abovementioned considerations differently depending on whether a complainant is legally represented.
- In CG the court held that claimants bear the burden of proof of demonstrating that an ISS had actual knowledge of the facts and circumstances . It is then for the ISS to show that it acted expeditiously to take down the material.
These cases show that what is required to fix an ISS with knowledge of the facts and circumstances is likely to depend on the (potential) cause(s) of action involved. Fixing an ISS with the requisite knowledge of breaches of the DPA, such as the publication of medical data or information about religious beliefs, may be straightforward. By contrast, a privacy claim founded on cumulative information or in a specific factual context may require more detailed notice.
The application of the DPA to Facebook Ireland
A pivotal feature of the NICA’s judgment in CG is its holding that Facebook Ireland is established in the UK within the meaning of s.5 of the DPA, on the basis of Facebook UK’s role in its operations. This point has not yet been addressed in any reported decision in England and Wales and was left open by Warby J in Richardson v Facebook  EWHC 3154 (at ). This outcome is nonetheless unsurprising in the light of the Court of Justice’s decisions in both Google Spain and Weltimmo. This confirmation that Facebook Ireland is subject to the DPA is of great importance for people seeking to get material removed from this platform.
The application of the e-Commerce Directive to DPA liability
The NICA’s decision in CG that the e-Commerce Directive/Regulations applies to claims for damages under the DPA is also significant. Were the e-Commerce Directive’s protections not available, social media platforms (and other intermediaries) may be liable for users’ breaches of the DPA regardless of their knowledge. Claimants would be able to circumvent the e-Commerce Directive’s safe harbour defences by shoe-horning claims into the DPA.
Although this issue was raised in a strike-out/summary judgment hearing in Google v Mosley 2015 EWHC 59 (QB) (see  – ), which settled before trial, it has not been determined in the English courts. Nor has the interrelationship between the e-Commerce and Data Protection Directives been considered by the Luxembourg court. While it is difficult to conclude that the relevant provisions of the e-Commerce Directive are acte clair on this point, there was no discussion in CG of making a reference to Luxembourg.
The NICA’s conclusion on this point is perhaps unsurprising given that it would seem anomalous for the safe harbour defences to protect intermediaries for civil and criminal liability for users’ content of which they have no knowledge in all areas apart from data protection. Going forward, any doubt that the defences do apply to such liability has been resolved by the General Data Protection Regulation (which takes effect from 25 May 2018).
Safe harbour defences and injunctions
These decisions leave unresolved the question of whether the safe harbour defences protect intermediaries from being the subjects of injunctive relief in relation to user content. Whether or not the e-Commerce Regulations transpose correctly the e-Commerce Directive’s apparent requirement that intermediaries (without knowledge) should not be subject to any form of legal liability remains unresolved.
The decisions in CG and J20 are of considerable importance for their discussion of the concept of notice under the 2002 Regulations. The NICA’s decision in CG also resolves two issues which have been preoccupying data protection lawyers for some time: the application of the DPA to Facebook Ireland, and the application of the e-Commerce Directive/Regulations to DPA claims.
Surprisingly, there have been few reported decisions in England and Wales dealing with intermediary liability. At the time of writing, there are at least two other cases before the Northern Ireland courts concerning Facebook’s liability as a host – judicial guidance on intermediary liability seems set to continue flowing across the Irish sea.
Part 1 of this post appeared on 20 January 2017
Aidan Wills is a barrister at Matrix Chambers. He specialises in media and information law, public law and employment law.