Last month I posted about the settlement of the Max Mosley litigation against Google (see my post here). Had that case been fought to its conclusion, we would at the very least have had the pleasure of gaining greater insight into the weird and wonderful world of the E-commerce legislation. However, sadly that was not to be. The good news is that E-Commerce cases now appear to be like buses. No sooner has one case settled, than another one comes motoring down the litigation highway. This time E-Commerce principles have surfaced, not in the context of a right to be forgotten case, but rather in the context of a Strasbourg case concerning the application of Article 10 rights.

The case in question, Delfi AS v Estonia (Case no. 64569/09), concerned an Estonian internet news portal called Delfi. In common with many internet news organisations, Delfi permits readers to write comments about the online stories which they publish. In 2006, Delfi published a story concerning the alleged destruction of certain Estonian ice roads by a particular company (S). The story, which was itself legally unobjectionable, attracted lots of reader comments, including comments which were very attacking of S’s majority shareholder (L). The comments in question were not only defamatory but also amounted to hate speech and an incitement to violence against L, all of which is unlawful under Estonian law. Upon complaint by L, Delfi immediately removed the comments (this was some six weeks after they had first been posted). However, L was not happy with this retrospective deletion of the comments. He brought a claim for damages against Delfi on the basis that Delfi had acted unlawfully by publishing the comments on the site. L eventually won his case in the domestic court and was awarded 320 Euros in compensation.

Delfi then took the case to the Strasbourg court. It alleged that the domestic court’s findings breached its Article 10 right to freedom of expression. A core plank of Delfi’s case was that it had to be treated as a mere intermediary under EU E-Commerce legislation, with the result that it was not liable in respect of the comments. Delfi contended that any other approach to the application of the E-Commerce principles would result in an undue interference with its Article 10 rights. The Strasbourg court rejected Delfi’s case. It held that Delfi was not acting merely as an intermediary in connection with the comments. This was particularly given that:

• Delfi had comprehensive powers of editorial control over the comments once they had been posted;
• moreover, Delfi positively encouraged the posting of comments on the basis that this would increase its potential to accrue advertising revenue.

In this respect, the comments on the Delfi site were, in the court’s view, to be contrasted with: ‘other fora on the Internet where third-party comments can be disseminated, for example an Internet discussion forum or a bulletin board where users can freely set out their ideas on any topics without the discussion being channelled by any input from the forum’s manager; or a social media platform where the platform provider does not offer any content and where the content provider may be a private person running the website or a blog as a hobby’ (§116).

The court went on to hold that whilst Delfi could not be expected to pre-vet comments prior to their publication, its obligations as online publisher of the comments were such that it should immediately and of its own motion detect and remove unlawful content (i.e. without waiting for a complaint brought). The court held that such an approach to the management of the comments constituted a justified interference with Delfi’s Article 10 rights.

This is an important judgment for a number of reasons.

• First, it suggests that the defences available to online intermediaries under the E-Commerce are to be narrowly construed. In short, the greater the degree of editorial control over and entrepreneurial interest in the data in question, the more likely it is that the court will find that the defences are not available.
• Second, it suggests that, when it comes to the publication of data online, Article 10 cannot be treated as an all-purpose get out of jail free card. Instead, as with speech expressed through traditional media, Article 10 rights must be balanced against other affected rights (although note paragraph 113 where the court alluded to the need to adopt a ‘differentiated’ and ‘graduated’ approach to the enforcement of rights as against internet service providers, as opposed to traditional publishers).
•  Third, it suggests that, in this post Google-Spain world, the CJEU is not alone in its desire to create strong controls around the ways in which data is managed online, particularly where there is a profit-making element to the data processing scheme.

So put simply, online comment is not free, at least not for those media organisations which seek to profit from facilitating free expression within the online environment.

Anya Proops

So Max Mosley has done a deal with Google in respect of his claim that Google had breached his rights under the DPA 1998 by refusing to block certain images and videos accessible via the Google search engine (see this FT article which suggests that the settlement also applies to claims brought by Mr Mosley in Germany and France). The settlement of the claim, which follows on from Google’s failed strike out application (discussed further below), leaves unanswered a number of really important questions concerning the application of data protection rights in the online world. Not least, the settlement leaves open the question of the extent to which the so-called ‘right to be forgotten’ can operate so as to force internet search engines, not only to de-index individual URLs on request, but also to block access to the offending data globally (i.e. as ISEs already do, for example, where images of child pornography are identified).

This is an important issue for those data subjects who garner significant public attention within the online environment, as was the case with Mr Mosley. The difficulty for such individuals is that online stories or comments about them can proliferate on the internet at such a rate that they cannot practicably achieve the online amnesia they crave. No sooner have they requested that the relevant internet search engine remove a number of privacy-invasive links, than the story has sprung up in a raft of other different locations on the net, with the result that the individual is effectively left trying to capture lightening in a bottle. This raises the question as to whether a right to be forgotten mechanism which is limited to de-indexing only specific those URL’s identified by the data subject is fit for purpose in terms of achieving the outcomes envisaged by the CJEU in Google Spain. Put shortly, if the ISE is the lightening conductor for privacy intrusive data, can it properly be required to stop the lightening at its source and block all access to the data in question? Is this the way in which the right to be forgotten ultimately cashes out in the online world?

Which takes us on to the defences which Google sought to run in the Mosley case because, certainly in the context of the strike out application, Google was not seeking to argue that data in issue (images and video of Mr Mosley engaging in private sexual activity) was not private or that its online dissemination did not cause substantial damage or substantial distress to Mr Mosley for the purposes of s. 10. Nor did Google seek to dispute that the damage or distress suffered by Mr Mosley was ‘unwarranted’ for the purposes of s. 10(1). Instead, its entire case in the context of the strike out was mounted on the basis that it was shielded from all liability under the DPA by virtue of the protections afforded to intermediary ‘internet society services’ (ISSs) under Part IV of the E-Commerce Directive (Directive 2000/31/EC).

For the uninitiated, Part IV of the E-Commerce Directive is designed to afford protections to intermediary ISSs which are genuine data intermediaries in the sense that they merely transmit, cache (i.e. store) or host data generated by others. The idea which lies behind Part IV is that the development of electronic commerce within the information society, one of the key objectives of the E-Commerce Directive (see recital [2]), would be frustrated if entities acting essentially as online data messengers could too readily get shot by third party claimants. Thus, we see:

• in Article 12 a limitation on liability where the ISS is acting as a mere conduit;
• in Article 13 a limitation on liability where the ISS is merely caching the data;
• in Article 14 a limitation on liability where the ISS is merely hosting the data (this was the provision invoked by Facebook in CG v Facebook, as to which see my post here) and, finally,
• in Article 15 a specific exclusion of any general obligation on the part of the ISS to monitor content falling within the scope of Articles 12, 13 or 14.

Google’s case on the strike out was that it was not liable in respect of Mr Mosley’s claim under s. 10 DPA on the basis that: (a) it was merely caching the data in issue (thus Article 13 of the E-Commerce Directive was engaged) and, in any event (b) the order being sought by Mr Mosley would conflict with the requirement of Article 15 of the E-Commerce Directive, as it would result in Google having to engage in general monitoring of cached content.

Mitting J considered both of these arguments in the context of Google’s strike out application (see his judgment here). So far as Google’s case on Article 13 was concerned, Mitting J clearly took the view that, where an individual’s data protection rights are being infringed by virtue of an ISS’s continued processing of privacy-invasive data, there is nothing in Article 13 of the E-Commerce Directive which purports to limit the ISS’s liability to cease processing that data; quite the contrary Article 13(2) specifically leaves the door open to a cease processing order being made in these circumstances (see in particular [47]). This conclusion dovetailed with Mitting J’s more general (albeit provisional) conclusion that the Data Protection Directive and the E-Commerce Directive were intended to work ‘in harmony’ with one another (see [45]-46]). On the Article 15 defence, Mitting J was clearly sceptical about Google’s argument that the order being sought by Mr Mosley would result in the kind of general monitoring which was ostensibly prohibited by Article 15 [54]. However, he accepted that this was an issue which would have to be decided by the trial judge.

Of course, in light of the recent settlement, it is clear that that issues concerning Google’s Article 15 defence are now unfortunately not going to be decided by the trial judge. Which leaves us all pondering in particular the following important questions:

• First, where right to be forgotten claims are formulated as claims to have data blocked by the relevant ISE, will such claims in practice effectively require a form of general monitoring by the ISE?
• Second, if they do require a form of general monitoring, does that mean that the claims must fail by reference to Article 15 of the E-Commerce Directive or does Article 15 itself have to fall silent in the face of the imperatives of the data protection legislation? (Mitting J made clear in his judgment he was not expressing a view on this issue)
• Third, what about claims for compensation brought against an ISE which refuses to block data? Do E-Commerce principles afforded ISEs a refuge against such claims? (Notably, Mitting J had stayed Mr Mosley’s compensation claim pending the outcome in Vidal-Hall so he did not address this issue).

It is perhaps worth pointing out here that no reference was made in Mitting J’s judgment to the EU Charter of Fundamental Rights (presumably because Charter rights were not specifically relied on in argument). Obviously in the post-Vidal-Hall world, Charter rights – including not least Article 8 (concerning the protection of personal data) – are bound to play a dominating role in discussions concerning the relationship between the E-Commerce Directive and data protection rights. Which all tends to suggest that this is an area which remains rich in litigation potential.

Finally, it should be pointed out that as at today’s date the various images which Mr Mosley was seeking suppress all appear still to be available online via Google. It remains to be seen whether in time these images will in fact quietly sink into the soup of online forgetfulness.

Anya Proops

I have just had my attention drawn to this interesting article from the Japan Times about how the right to be forgotten is beginning to gain traction in Japan. Just goes to show that Europe is not the only environment within which this highly controversial right can potentially gain a foothold.

Anya Proops

Just two short but important pieces of news. First, I can now confirm that Google has applied for permission to appeal to the Supreme Court in respect of the Court of Appeal’s landmark judgment in Vidal-Hall v Google. The SC’s judgment on the application is awaited. Second, it would appear that the case of CG v Facebook which I blogged about earlier this year (see here) is also currently on appeal in Northern Ireland, with a cross-appeal being brought by CG on the question of whether the court erred when it concluded that Facebook fell outside the territorial scope of the DPA 1998. For further news on these important cases, watch this space.

Anya Proops

I have today been speaking at the IAPP conference at A&O alongside David Smith (UK Deputy Information Commissioner), Bruno Gencarelli (European Commission, Head of Data Protection Unit) and Wojciech Wiewiórowski (Assistant European Data Protection Supervisor). The conference yielded a number of really interesting insights, a number of which I highlight below.

First and perhaps most importantly, Mr Gencarelli made clear that, so far as the draft General Data Protection Regulation was concerned, the firm expectation within Europe was that the GDPR would be agreed by the end of this year. This is obviously important given that the apparently endless European wranglings over the shape of the GDPR had led some to question whether the GDPR would be finalised within the foreseeable future. Mr Gencarelli also pointed out that we could expect that, over the ensuing two year transition period, the GDPR principles would be further refined and developed, as the European Commission engaged in a trilogue with the European Data Protection Authorities and industry bodies. This inevitably suggests that the conclusion of the formal negotiations over the GDPR will not in any sense bring the process of developing European data protection principles to an end.

Mr Gencarelli also highlighted the significant impact which the EU Charter had had on the legal approach to data protection. As he put it, the fact that data protection rights were given specific protection under the Charter meant that data protection rights now had a greater legal resonance and significance than was previously the case. Notably, Mr Gencarelli’s observations on this issue obviously chime closely with the approach to the application of Charter rights adopted by the Court of Appeal in its recent judgment in Vidal-Hall v Google.

Mr Wiewiórowski also provided some fascinating insights into the European perspective on data protection. He reflected in particular upon the role being played by the CJEU in terms of pushing the privacy agenda within Europe under the existing Directive. Mr Wiewiórowski made clear that, in his view, this was a judicial trend which was itself born out of discussions on the new privacy-preoccupied agenda embodied in the Commission’s proposals for the GDPR. Thus, in effect, the EU judiciary was working in a highly dialectical relationship with the EU legislature to produce a new cultural approach to privacy rights within Europe.

Mr Wiewiórowski also made the interesting point that developments in the UK data protection jurisprudence had a disproportionately large impact on the development of data protection law within Europe as a whole. As he observed, this was not because UK lawyers and judges were seen as being cleverer than their European counterparts. Rather it was simply a product of the somewhat prosaic fact that UK judgments are in English, with the result that they are more readily comprehensible to our EU colleagues. Thus, he suggested that the Court of Appeal’s judgment in Vidal-Hall was now being discussed very widely within Europe, particularly because it was a judgment which could be accessed and understood by practitioners across the European piste.

Mr Wiewiórowski also made some very interesting observations about the approach taken within the GDPR to the ‘journalistic exemption’. As many readers of this blog will know, there is currently a debate going on within Europe as to whether the approach to the exemption proposed by the Council of Europe gives enough protection to classic journalistic freedoms. This debate has arisen particularly because the Council’s proposed text removes any reference to journalism per se. This has prompted many within the media to raise concerns that Europe is unacceptably seeking to dilute protection for journalists in a way that fundamentally offends against Article 10 of the European Convention on Human Rights and Article 11 of the EU Charter. Mr Wiewiórowski expressed the view that the scope of the journalistic exemption was perhaps one of the most challenging issues to arise under the draft GDPR and he was not at all confident that this issue would be satisfactorily resolved by the time the GDPR was finalised. These are obviously really important observations, not least because they suggest that existing questions as to how data protection rights are to be reconciled with Article 10 rights are unlikely to be finally resolved merely as a result of the enactment of the GDPR.

In terms of the domestic regulatory perspective, David Smith’s presentation very helpfully illuminated how the ICO was approaching the right to be forgotten regime.

On this regime, Mr Smith made clear that, since Google Spain was decided, the ICO had received approximately 200 complaints from data subjects in response to refusals by Google to delete particular links. Of those 200 complaints, roughly 150 had been decided in Google’s favour, with the remaining 50 being decided in favour of the data subjects. Mr Smith indicated that the ICO was now engaged in discussions with Google about this latter set of cases.

Mr Smith also made clear that the ICO had been impressed with Google’s overall approach to the right to be forgotten regime and that there were generally no significant differences of approach between the ICO and Google in terms of how the regime was to be applied. He did however indicate that one area of disagreement was as to whether Google should be notifying publishers when they receive requests from individual applicants. Google’s position on this issue is that typically publishers should be notified. By way of contrast, the ICO’s position is that notification should take place only in exceptional cases. Obviously, this divergence of view takes us back to the important and, as yet, unresolved question as to how data protection rights should be reconciled with Article 10 freedom of expression rights. Clearly as matters currently stand, Google is preferring a more pro-Article 10 approach than the ICO. Query whether Google will continue to adopt such a stance in future.

Notably, Mr Smith also made clear that the ICO’s view was that google.com should be treated as caught by the CJEU’s judgment in Google Spain. Again this is an important point. As matters currently stand, Google’s position is that google.com is not caught by the judgment. This has the result that users within Europe can potentially avoid all the amnesiac effects of the Google Spain judgment simply by setting their default browsers to google.com. Evidently the ICO regards this as an illegitimate loophole which Google should now look to close.

In terms of the wider question of whether the CJEU’s judgment in Google Spain had had a damaging effect on the internet as a whole, Mr Smith made clear that in his view that this was not the case. He pointed out that Google had now delivered important results for data subjects in hundreds of thousands of cases. By way of contrast, he said the ICO had received only a handful of complaints about deletion. Mr Smith pointed out that obviously the introduction of the right to be forgotten regime had not resulted in the internet grinding to a halt, and that it had not sounded the death-knell of Article 10 rights. Instead, what it had done in his view was deliver real tangible results for data subjects in a wide range of cases. As Mr Smith put it, what the judgment in Google Spain had achieved was the practical recognition within the online world of important human values, including values relating to the autonomy of the individual and the need for forgiveness.

Additionally Mr Smith made clear that, whereas once the ICO’s voice may not have been seen as an important voice in litigation on data protection issues, now the ICO was increasingly being recognised by the courts as an important contributor in legal debates on those issues. He used the ICO’s involvement in the recent case of Vidal-Hall as an illustration of this important development. As Mr Smith put it the effect of these developments was that the ICO could now be more active and assertive when it came to litigation on key data protection issues.

Finally, it is worth pointing out that Mr Smith, Mr Gencarelli and Mr Wiewiórowski all agreed that, so far as the concept of ‘personal data’ was concerned, the GDPR did not expand the existing definition. Instead, all it did was clarify the existing law, as adopted in the Directive. Notably, this is consistent with the approach taken to the definition by the ICO in the case of Vidal-Hall.

So much food for thought emerging from the conference. Incidentally, those who are interested in future IAPP events may like to note that the IAPP is holding its European Data Protection Congress in Brussels in December 2015. No doubt the congress will offer an important opportunity to debate some of the issues referred to above.

Anya Proops

Readers of this blog will doubtless be well aware of the recent landmark judgment of the Court of Appeal in Vidal-Hall & Ors v Google, where it was held that compensation is available for mere distress caused by  breach of data protection legislation. Interestingly, it is being reported today that the US Supreme Court will in due course be deciding a case on a similar issue, namely whether compensation is available where websites publish inaccurate data concerning individuals but the inaccuracy in the data causes no pecuniary loss. It appears that the issue will be considered by the Court in the context of a class action brought against an internet search engine that compiles publicly available data on people and lets subscribers view that information online – see further AP’s report on the case here. See also the Amicus Brief filed by Ebay, Facebook, Yahoo and Google in support of the appeal being brought by the ISE. That Brief, which rests heavily on in terrorem arguments, asserts not least that:

“Amici are concerned that this decision will substantially and improperly lower the bar for invoking the jurisdiction of federal courts, inviting abusive and costly litigation, including class actions seeking millions or even billions of dollars in statutory damages under FCRA [Fair Credit Reporting Act] and similar statutes. Amici are members of a rapidly growing and transforming technology industry that provides services to hundreds of millions of individuals each day. Users of amici’s services routinely conduct financial transactions, share information and content, and interact with people all over the world on platforms offered by amici. The services amici provide, the information they collect, and the interactions they facilitate arguably could be subject to laws that contain private rights of action and allow for statutory damages”

Of course, in the UK we have yet to see any comparable group litigation emerging in response to inaccurate data processed by data controllers. However, in the wake of Vidal-Hall, it can only be a matter of time before such cases are brought before the English Courts.

Anya Proops