If claimants can establish a cause of action in relation to the acts of a service user, an ISS may be liable for damages unless it can rely on one of the safe harbour defences. Surprisingly, there have been few reported decisions in England and Wales dealing with take-down and notice procedures and the operation of the defences under the 2002 Regulations. These decisions from Belfast provide helpful clarity on a number of key issues.
Before considering intermediary liability, it is notable that in CG the NICA does not appear to have addressed fully the DPA claim. The court rightly observed that there is not always a convergence between sensitive personal data under the DPA and information in respect to which a personal has a reasonable expectation of privacy. The publication of unspent criminal convictions is the quintessential example of this. After holding that (among other information) CG had no reasonable expectation of privacy regarding the publication of his convictions (alone), the court did not go on to address the position under the DPA. Consequently, the court did not consider the application of the Regulation 19 defence to the DPA claim. This may not have led to a different outcome but it is nevertheless a surprising omission.
Notice and knowledge
Regulation 19 of the 2002 Regulations, which was central to both claims, establishes the so-called safe harbour defence for ISS, such as Facebook. It provides:
[T]he service provider (if he otherwise would) shall not be liable for damages or for any other pecuniary remedy … as a result of that storage where …the service provide—
(i) does not have actual knowledge of unlawful activity or information and, where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful; or
(ii) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information”
The relationship between giving notice and ISSs acquiring such knowledge is set out in Regulation 22 of the 2002 Regulations:
In determining whether a service provider has actual knowledge … a court shall take into account all matters which appear to it in the particular circumstances to be relevant and, among other things, shall have regard to—
(a)whether a service provider has received a notice through a means of contact made available in accordance with regulation 6(1)(c), and
(b) the extent to which any notice includes— …
(ii) details of the location of the information in question; and
(iii) details of the unlawful nature of the activity or information in question.
The judgments in CG and J20 contain useful guidance as to the interpretation of these regulations and the expectations of both aggrieved persons and ISS:
- There is no requirement to give notice through Facebook’s online notification procedure; providing an ISS with actual knowledge of the relevant matters is sufficient regardless of how notice is given. But ISS must provide a “speedy, direct and accessible service” (CG at ).
- The approach to the 2002 Regulations should take account of the fact that those using a notice and take down procedure will often not have the benefit of professional legal advice (CG at ).
- ISS are unlikely to be able to rely on technical defects in the process through which notice is given of an allegedly unlawful publication (J20 at ).
- In CG the court held that “the omission of the correct form of legal characterisation of the claim ought not to be determinative of the knowledge of facts and circumstances which fix social networking sites such as Facebook with liability. What is necessary is the identification of a substantive complaint in respect of which the relevant unlawful activity is apparent” .
- Notwithstanding the above quote, the NICA’s findings on the facts in CG suggest that complainants would be well advised to seek legal advice because. Setting out potential causes of action and explaining why, e.g., the publication of a photograph or a person’s area of residence amounts to the misuse of private information in specific circumstances is likely to lay a stronger foundation for any subsequent claim against an ISS.
- In J20 the High Court noted that an ISS “should be expected to know the relevant law in relation to such matters as defamation, harassment and breach [misuse] of private information when a complaint is drawn to its attention. It cannot simply turn a blind eye to complaints and say that a complainant has failed to properly categorise the legal basis of that complaint” .
- The judgment in J20 suggests that the courts may expect ISS to remove content when one of these causes of action is evident on the face of the material and without the need for further information, c.f., a defamation claim with innuendo meanings .
In CG the court held that claimants bear the burden of proof of demonstrating that an ISS had actual knowledge of the facts and circumstances. It is then for ISS to that it acted expeditiously to take down the material.
These cases show that what is required to fix an ISS with knowledge of the facts and circumstances is likely to depend on the (potential) cause(s) of action involved. Fixing an ISS with the requisite knowledge of breaches of the DPA, such as the publication of medical data or information about religious beliefs, ought to be straightforward. By contrast, a privacy claim founded on cumulative information or in a specific factual context may require more detailed notice.
E-Commerce Regulations in data protection cases
A key feature of NICA’s judgment in CG is its holding that Facebook Ireland is a data controller within the meaning of section 5 of the DPA on the basis of Facebook UK’s role in its operations. This point has not yet been addressed in any reported decision in England and Wales and was left open by Mr Justice Warby in Richardson v Facebook  EWHC 3154 (at ). This outcome is unsurprising in the light of the Court of Justice’s decisions in both Google Spain and Weltimmo. CG, which is of persuasive value in the courts of England and Wales, will be of considerable utility to claimants.
The application of the e-Commerce directive to DPA liability
NICA’s decision in CG that the e-Commerce Directive/Regulations applies to claims for damages under the DPA is of profound significance. Were the e-Commerce Directive’s protections not available, social media platforms (and other intermediaries) may be liable for users’ breaches of the DPA regardless of their knowledge. Claimants would be able to circumvent the e-Commerce Directive’s safe harbour defences by shoe horning claims into the DPA.
Although this issue was raised in a strike-out/summary judgment hearing in Google v Mosley 2015 EWHC 59 (QB) (see  – ), which settled before trial, it has not been determined in the English courts. The interrelationship between the e-Commerce and Data Protection Directives has not been consider by the Luxembourg court. While it is difficult to conclude that the interpretation of article 1(5) (read with Recital 14) of the e-Commerce Directive is acte clair, there would not appear to have been discussion of a reference to the Court of Justice. Article 1(5)’s reference to ‘questions relating to information society services’ is ambiguous and this issue is highly likely to resurface.
Part 1 of this post appeared on 20 January 2017
Aidan Wills is a barrister at Matrix Chambers. He specialises in media and information law, public law and employment law.