On Monday and Tuesday, 4 and 5 April 2016 the Court of Appeal in Northern Ireland will hear an appeal from the judgment of Stephens J in CG v Facebook Ireland Ltd & Anor  NIQB 11. The case will require the Court to determine a number of important issues of principle relating to intermediary liability.
The claim was for misuse of private information, harassment and a breach of the Data Protection Act 1998 arising from the publication on Facebook of a convicted a sex offender’s name, current and previous address, photograph, criminal convictions, and information about his family members. This information was published on various iterations of a Facebook account entitled “Keeping our Kids Safe from Predators,” one version of which had 25,000 friends. Aimed at identifying and gathering information on sex offenders, the judge concluded that the purpose of the account was “to destroy the family life of sex offenders, to expose them to total humiliation and vilification, to drive them from their homes and to expose them to the risk of serious harm” .
CG brought the claim against both Facebook Ireland (‘Facebook’), as the host of the material, and Mr McCloskey who created and ran the account. Stephens J’s decision at first instance, included the following findings:
- The claimant had a reasonable expectation in relation to all of the matters mentioned above individually and in combination .
- The balancing exercise came down in favour of the claimant’s article 8 rights . The judge highlighted the fact that information published on the Facebook pages harmed the public interest by, among other things, creating a risk of reoffending, inciting violence and hatred and creating the potential for public order situations .
- Facebook was liable for the misuse of the claimant’s private information by failing to delete content which was obviously unlawful .
- Facebook did not have a “safe harbour” defence under regulation 19 of Electronic Commerce (EC Directive) Regulations 2002 (‘the Regulations’) on the basis that it was found to have actual knowledge of the unlawful activity arising from previous litigation concerning Mr McCloskey and correspondence from the claimant’s solicitors 
- Notwithstanding its relationship with Facebook UK Ltd, the DPA 1998 did not apply to Facebook Ireland .
- Mr McCloskey was liable for harassment .
The judge awarded CG £20,000 in damages; granted a mandatory injunction requiring Facebook Ireland to terminate Mr McCloskey’s account ; and granted a prohibitory injunction against Mr McCloskey preventing him from harassing the claimant by publishing, broadcasting or transmitting information on Facebook or otherwise .
Grounds of appeal
The appeal is brought by Facebook. The second defendant, Mr McCloskey, lodged grounds of appeal but will not take part in the appeal. The claimant has cross-appealed as is explained below.
Ground 1 – Misuse of private information
Facebook contends that the claimant did not have a reasonable expectation of privacy in relation to any of the matters published aside from his address, which they argue was not information complained of in the notification sent by the claimant’s solicitors to Facebook.
Arguing that the claimant had no reasonable expectation of privacy with respect to his photograph or name, Facebook relies on dicta from the Northern Ireland case of McGaughey v Sunday Newspapers Ltd  NICh 7:
“[A] person’s identity and appearance are unlikely to be capable of misuse, in the context of this tort, since, in the vast majority of cases, these are obvious to and/or relatively ascertainable by the public at large” .
The claimant’s name and photograph were published in the press at the time of his conviction in 2007. It is argued that the claimant’s criminal convictions had been reported in the press and that they remain public matters because they will never become spent (owing to their length).
Facebook also challenges the judge’s finding at  that a reasonable expectation of privacy attached to the information by virtue of its being categorised as sensitive personal data for the purposes of the DPA 1998. The defendant argues that while the DPA protects personal data regardless of its seriousness, article 8 is only engaged where a threshold of seriousness is reached.
Grounds 2 & 3 – Application of regulations 19 and 22 of the E-Commerce Regulations and article 15 of the E-Commerce Directive
Facebook contends that, as a hosting service, it should be exempt from all liability arising from the Mr McCloskey’s accounts by operation of article 14 of the E-Commerce Directive/ regulation 19 of the Regulations. In this regard, Facebook denies that it had actual knowledge or the relevant awareness that would cause it to lose the regulation 19 defence. It is argued that the judge misdirected himself by applying a test of what Facebook “knew or ought to have known” and wrongly took into account what Facebook ought to have known from other litigation involving Mr McCloskey but a different claimant.
Facebook argues further that the judge’s findings on actual knowledge and awareness would amount to the imposition of a requirement to monitor data of all users to avoid liability; a general monitoring obligation is prohibited by article 15 of the E-Commerce Directive.
Finally, Facebook challenges Stephens J’s conclusion at  that there is no requirement under the Regulations that a notice of illegality be given to an ISSP in any particular manner. It is contended that, having regard to the matters set out in regulation 22 of the Regulations, the letters sent by the claimant’s solicitors (which the judge held contributed to Facebook’s actual knowledge of the illegality) were insufficiently specific to constitute proper notice, both in terms of the nature of illegality alleged and the URL location of the posts.
Ground 4 – Adverse inferences about Facebook Ireland’s systems
Stephens J drew an adverse inference against Facebook on the basis of an absence of disclosure about the operation of the company’s “notice and take-down system” (namely that the system would not withstand independent scrutiny and was inadequate)  – . Facebook argues that it did not assess this to be a relevant issue in the case and there was no deliberate attempt to avoid disclosure.
Ground 5 – Level of damages
Relying on the Court of Appeal in Northern Ireland’s decision in McGaughey v Sunday Newspapers Ltd  NICA 51, Facebook contends that the award of £20,000 damages is excessive and inconsistent with dicta stating that “modest” damages are appropriate for the misuse of private information.
The claimant has cross-appealed. He argues that Stephens J was incorrect to hold that Facebook Ireland is not established in the UK for the purposes of section 5 of the DPA 1998. It is argued that following the broad interpretation given to “establishment” by the Court of Justice in Google Spain v AEPD C131/12 (25 June 2013), Facebook UK’s provision of marketing support services and its processing of certain personal data on behalf of Facebook Ireland is sufficient to render Facebook UK an establishment of Facebook Ireland in the UK.
This appeal will require the Court of Appeal in Northern Ireland to grapple with a number of issues, which have important implications for intermediary liability:
- The meaning of actual knowledge of and awareness of facts and circumstances relating to unlawful activities for the purposes of article 14 of E-Commerce Directive/ regulation 19 of the Regulations. Under this provision, ISSPs lose their safe harbour defence if they acquire actual knowledge of unlawful activities on their platforms and fail to act expeditiously to remove the material concerned. At first instance, the judge examined what Facebook knew or ought to have known about the pages, having regard to a broad range of factors, including its resources, know-how and capacity.
- Closely related to this issue is the question of notices given to ISSPs (which may give rise to actual knowledge or an awareness of the facts relating to the illegality) and the correct construction of regulation 22 of the Regulations. In this regard, the Court of Appeal in Northern Ireland is likely to consider:
- Whether there is a requirement for notice to be given a particular form or manner.
- Whether a notification relating to a social media page or account containing numerous posts is sufficiently specific to give rise to actual knowledge of individual posts on the part of the ISSP, or whether there is a need for post-specific URLs.
- The requisite degree of specificity for notice regarding the unlawful nature of the activity notified, including whether a party notifying an ISSP must refer to a particular cause of action.
- The scope and meaning of the prohibition on states imposing a general monitoring obligation on internet society service providers under article 15 of the E-Commerce Directive (which had not been transposed into UK law but nevertheless applies).
- The correct construction of regulations 19 and 20(2). Uncertainty remains as to what types of injunction may be granted against an ISSP which benefits from the safe harbour defence under regulation 19, and whether the regulations permit the granting of an injunction establishing legal liability.
- The correct application of Google Spain in domestic law, including: whether this decision applies only to data controllers domiciled outside the EU; and whether the fact that a data controller is subject to the data protection regime of another member state has any bearing on whether it can be regarded as established in the UK.
Aidan Wills is a trainee barrister at Matrix Chambers.