A ‘Poke’ in the Eye for Claims against Facebook

The “internet has not alone changed our lives but it has also changed our vocabulary. A tablet is no longer made of stone, a bit does not help guide a horse and a cookie is more likely to affect your privacy than alleviate the pangs of hunger between meals!” A lengthy Christmas cracker joke? No, the observations – in excellent ‘Dad-joke’ style – of the Northern Ireland Court of Appeal in CG v Facebook Ireland Ltd & McCloskey (MOR10142) (Morgan LCJ, Gillen & Weatherup LJJ) at [54].

CG was an appeal and cross-appeal in a claim brought by a convicted paedophile against Facebook for misuse of private information and breach of the Data Protection Act 1998, arising out of various quasi-vigilante pages posted on Facebook which identified CG, to varying extents, as a risk to children. The judgment contains much of interest on the formulation of a misuse of private information claim, the application of the e-Commerce Directive to information society services (“ISS”) such as Facebook, and on section 5 of the DPA. Given the focus of Panopticon, those topics will be taken in reverse order.

The DPA issue arose – although both parties accepted that it did not add anything much in damages terms to the misuse claims – essentially as an alternative argument to the misuse claims. Facebook Ireland Ltd, the defendant, is an Irish company. Facebook UK Ltd is a UK company which provides marking support services to Facebook Ireland, but does not host or operate the site, and has a data processing agreement with Facebook Ireland. Because a dispute about the application of the DPA only arose during the hearing below, there was limited evidence or discussion of it in the first instance judgment and the Court of Appeal felt able to revisit the matter.

Facebook Ireland’s argument was that it was the data controller, and it was not established in the UK and the relevant data was not processed in the context of that establishment (i.e. through Facebook UK as its processor). CG’s argument, essentially based on Google Spain, was the reverse. The Court accepted CG’s analysis. Facebook UK was established to make Facebook Ireland more profitable, it holds relevant data which it processes on behalf of Facebook Ireland and there was an “irresistible inference” that the UK company was established to service Facebook: at [90]. As a result Facebook UK engaged in an effective and real exercise of activity through stable arrangements in the UK of importance to the economic activities of Facebook. Facebook was accordingly a data controller within the meaning of section 5 DPA: at [91].

However, the Court accepted Facebook’s argument that the effect of reg 19 of the Electronic Commerce (EC Directive) Regulations 2002 was to bar a claim for damages for breach of the DPA against Facebook. A claim arising under the DPA against ISS from internet postings and comments fell within the “matter covered by the e-Commerce Directive” which provide a “tailored solution for the liability of [ISS] in the particular circumstances” set out in the Directive. The Court did not consider it was a matter covered, instead, by the DP Directive and that Facebook could not, accordingly, be sued for damages under the DPA: at [95]-[96].

Perhaps more than anything else in the judgment, this is likely to be of real wider importance to ISS and deals with a question thus far essentially unresolved in English law (see Mosley v Google [2015] EWHC 59 (QB) discussed here but oddly not cited in CG). The Court of Appeal has drawn a line, not unreasonably but certainly not unarguably correctly, which says that activities squarely within the ISS field get the protection of e-Commerce provisions, and that that is precisely the point of that legislative scheme. On a number of occasions the Court referred to the sheer unimagined scale and scope of ISS activity. There will be much to be said in future cases as to whether this judgment has effectively confirmed DPA immunity for regular defendants, such as Facebook and Google.

That was not the only discussion of the e-Commerce Directive and the e-Commerce Regulations. The Court of Appeal had to consider, in view of the misuse of private information claim against Facebook, whether the e-Commerce regime limited liability in that context too. Reg 22 of the Regulations, and the scheme of the regime as a whole, was (found the Court) intended to set up an easily accessible notice and take down procedure so that a complainant can utilise the mechanism to establish actual knowledge of the offending material, and thereby damages, if Facebook does not take down the unlawful posting. That regime is intended to be speedy, direct and at minimal cost bearing in mind many will not be legally represented when requesting take downs: at [57]-[58]. The Court accepted that the regime sought to strike a balance. Monitoring content was not a permissible option, but there was an objective of protecting personal dignity and privacy: at [62]. Striking that balance meant that where Facebook did not have actual knowledge, it could only be fixed with constructive knowledge where the material provided to it notice of the basis of the claim being advanced: at [62]-[64].

The Court of Appeal was careful to try and draw a reasonable line. It was not necessary for the correspondence to have said in terms that there was breach of privacy, but if causes of action were being alleged which were patently wrong (defamation and breach of Article 2 ECHR for instance), those could not fix Facebook with knowledge of a different cause of action. Where the information which formed the private information in issue was quite specific – here, information which might enable the identification of CG’s address and thereby risk harm to him or his family – sufficient reference to that information had to be made to enable Facebook to join the dots. Facebook is obliged to act as a diligent economic operator, and it was or should have been apparent that private information was being disclosed – even if not accompanied by specific URLs – then the onus lay on Facebook to show it had acted expeditiously: at [72].

Applying that approach to the three Facebook pages and postings complained of, the Court of Appeal was satisfied that only one had been the subject of a sufficiently clear complaint which fixed Facebook with knowledge, for which Facebook had failed to evidence any expedition (despite taking down the page within approximately a week) and were therefore liable in misuse. Instinctively, the Court’s judgment feels to have made a good fist of striking that balance. It has been arguably generous to Facebook in terms of what it needs to be told before having constructive knowledge, so as to avoid any impression of a forbidden monitoring duty, but then happy to see Facebook lose its expeditious take down defence despite fairly swift action. The warning for legal representatives relying on the take down procedure is to be clear in what cause of action is being alleged and the private information being relied upon. The clearer the complaint, the more likely any subsequent claim will be sustainable. (One might think this sounds like an excellent reason for instructing counsel at the first opportunity. Always a sound approach.)

Finally then, the Court’s judgment also contains some interesting observations on the approach to establishing what is relevant private information in a misuse claim. For the most part, the interest is fact-specific, but there were some more general legal observations too. The Court cast real doubt on interchangeability between different statutory regimes. The protection from harassment regime shared a coincidence in values with misuse, but not in a way which means the overlap is complete: at [41]. Just as importantly, the Court did not accept the judge below’s analysis that sensitive personal data under s2 DPA was a useful tool in defining private information, holding that “considerable caution should be exercised before reading across” those matters, because the “fact that information is regulated for that [data protection] purpose does not necessarily make it private”: at [45].

In general terms, the Court took a fairly sceptical and robust approach to the definition of private information on which CG relied. It certainly did not accept that every piece of data about him was private, in the way that the court below had done (at [21]). What was private had to be driven by the context, and particularly the context of the harassment claim which had been brought at the same time against one of the people posting on Facebook. Accordingly, the Court accepted that publication of CG’s address would be private information where he was subject to threats, and in the circumstances of the case information on his more general locality was sufficient because it was published alongside other identifying information (such as his photograph and the circumstances of his offending): at [48]-[49]. The Court doubted that the photo alone would have been sufficient. Similarly, it was critical of suggestions that re-publication of conviction information was relevantly private information because in principle “the public has a right to know about such convictions. Information about what has happened in open court can be freely communicated by members of the public”. This was an important aspect of the open justice principle “of very significant weight which can only be outweighed by the interest of the individual in freedom from intrusion in the most compelling circumstances”: at [44].

All in all, many interesting titbits from across the Irish sea to savour over what remains of the turkey sandwiches.

Christopher Knight