A lot has been written on the topic of intermediary liability in the past few months. But has everything been said or read? And looking at the different pieces of the regulatory jigsaw together, are we heading in the right direction?
One important piece of the jigsaw is certainly the General Data Protection Regulation (GDPR), which becomes applicable in one year's time, i.e. on 25 May 2018.
The GDPR, or at least its Article 2(4) and Recital 21, has been welcomed by several because it appears to clarify [at first glance I would add] the relationship between the old [and still good law] E-commerce Directive and EU data protection rules.
Article 2(4) reads as follows:
“This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.”
Recital 21 repeats Article 2(4) and adds the following:
“This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.”
Because the domain of application of the E-Commerce Directive (see Article 1(5)(b)) – as regards data protection law provisions – was expressly linked to the Data Protection Directive (DPD) and the DPD only, with its replacement by the GDPR it would thus seem [once again at first glance] that finally data protection law related issues will stop being excluded from the domain of the E-Commerce Directive. In other words, it would seem that the liability exemptions to be found in the E-Commerce Directive (Articles 12-15) could apply even in cases in which data protection law violations are at stake. For more information on these Articles, see my post here.
However, things are slightly more complicated and such a syllogism can only amount to oversimplifying the interplay between the E-Commerce Directive and the GDPR if not explained carefully. [This is why I argued here that Recital 21 and Article 2(4) are in fact not enough].
To fully understand the interplay between the E-Commerce Directive and the GDPR one has to remember two things:
- The first one is that, conceptually and historically, the E-Commerce Directive liability exemptions had been conceived as exemptions from third-party liability, in other words, they were meant to be applicable in situations in which intermediary service providers’ users were engaging in illegal activities. The intimacy that exists between Articles 12 to 14 of the E-commerce Directive and Article 8(3) of the InfoSoc Directive (“intermediaries whose services are used by a third party to infringe a copyright or related right”) and Article 11 of the IP rights enforcement Directive (“intermediaries whose services are used by a third party to infringe an intellectual property right”) confirms the foregoing.
- The second thing to remember is that the wording of Articles 12 to 14 does not actually say that intermediary service providers shall be exempted from (financial) liability in all cases. [By ‘financial’ I mean the obligation to pay damages].
So what? Well, as a result, intermediary service providers, when acting as data controllers, might not always be able to rely upon Articles 12 to 14 to avoid financial liability (i.e. paying monetary compensation to those who have suffered as a result of their actions).
Let’s take a few examples in illustration of this point.
The first one could be that of a search engine acting as a data controller when presenting search results to its users in a structured manner. One could try to make the argument in the wake of Google v Vuitton that a search engine or a (natural) referencing service provider is a hosting provider and therefore should be able to avail itself of Article 14 of the E-Commerce Directive [although what a search engine is doing is maybe more caching than hosting]. However, Article 14 does not exempt hosting providers from financial liability in all cases. It caters for one specific situation: liability for the (unlawful) information stored at the request of a recipient of the service.
It has been suggested that the right to delist certain search results from the lists produced by (natural) referencing service providers should be welcomed inasmuch as it is only a limited interference with the right to freedom of expression, since the content would not necessarily need to be removed at its source. Nevertheless, in a situation of this type it would therefore not really make sense to argue that the search engine acting as a data controller, and thereby required to delist, shall not be held financially liable for the damage caused to the data subject because holding otherwise would make it liable for the (unlawful) information stored at the request of a recipient of the service.
The second example could be that of an Internet Access Provider (ISP). ISPs are conceived as mere conduits and are in principle entitled to avail themselves of Article 12 of the E-Commerce Directive. This holds true as long as we are in a situation in which liability is sought for the (unlawful) information transmitted by ISPs’ users.
Yet it is generally considered that an ISP can in some instances be a data controller. Recital 47 of the Data Protection Directive specifies that:
“Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;”
In other words, ISPs are data controllers in relation to metadata, i.e. the ‘who, when, and how’ of the messages sent to the exclusion of their content.
Now, let’s assume that an ISP, irrespective of the invalidity of systematic and general data retention obligations, decides to systematically retain the metadata of the messages sent through its network. Not many people would try to argue that the ISP could benefit from Article 12 to exempt itself from financial liability. Why? Because the activity that makes the ISP a data controller is not exactly the same as the activity that makes the ISP an intermediary.
Going further, saying in general terms that a service provider can be both an intermediary and a data controller is misleading if it is intended to suggest that an intermediary could then always be exempted from financial liability when it acts as a data controller. In other words, saying that a service provider can be both an intermediary and a data controller at the same time is overlooking the consideration that the activities for which the service provider is an intermediary can be different in nature from the activities for which the service provider would be considered a data controller.
We are thus back to the key notion of third-party liability.
One way to make sense of the GDPR could be to say that it implicitly acknowledges that the E-Commerce Directive liability exemptions should apply even in situations in which the service provider is (primarily) liable as a data controller.
Note that the Court of Appeal in Northern Ireland did not wait for the GDPR to hold that Facebook, as a data controller and an information society provider, could avail itself of the national transposition of Article 14 of the E-Commerce Directive in CG v Facebook Ireland Ltd & Anor  NICA 54 (21 December 2016).
Such an interpretation is sensible, although if the characterisation of data controller is retained it would seem logical [but who is interested in logic?] to conclude after Google Spain that the processing performed by Facebook should therefore be distinct from the processing performed by the uploader of the information.
However, because Articles 12-14, strictly speaking, only target one specific situation, namely liability for the (unlawful) information transmitted or stored by their users, a cumulative application of EU data protection law and e.g. Article 14 of the E-Commerce Directive could appear odd in some instances, e.g. in the case of a search engine referencing content lawfully published.
Back in 2014, the CJEU had ruled in Google Spain at para. 85-86 that:
“the processing by the publisher of a web page consisting in the publication of information relating to an individual may, in some circumstances, be carried out ‘solely for journalistic purposes’ and thus benefit, by virtue of Article 9 of Directive 95/46, from derogations from the requirements laid down by the directive, whereas that does not appear to be so in the case of the processing carried out by the operator of a search engine. It cannot therefore be ruled out that in certain circumstances the data subject is capable of exercising the rights referred to in Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 against that operator but not against the publisher of the web page.
Finally, it must be stated that not only does the ground, under Article 7 of Directive 95/46, justifying the publication of a piece of personal data on a website not necessarily coincide with that which is applicable to the activity of search engines, but also, even where that is the case, the outcome of the weighing of the interests at issue to be carried out under Article 7(f) and subparagraph (a) of the first paragraph of Article 14 of the directive may differ according to whether the processing carried out by the operator of a search engine or that carried out by the publisher of the web page is at issue, given that, first, the legitimate interests justifying the processing may be different and, second, the consequences of the processing for the data subject, and in particular for his private life, are not necessarily the same.”
Yet, properly identifying what the French call “le fait générateur de la responsabilité” (the act generating the responsibility) is actually crucial to understand when and to what extent intermediary service providers could be subject to duties.
Pushing the reasoning further, and turning to the proposed Copyright Directive now, the trend definitely seems to be to enlarge the category of primary infringement committed by intermediary service providers. This is done through the very broad interpretation of the notion of “communication to the public” and the assertion that even if hosting providers are communicating to the public (and therefore are primary copyright infringers) they could benefit from Article 14 of the E-Commerce Directive if they are not active. (See my post here).
While for those concerned by the fate of intermediary service providers who are progressively becoming a sort of ‘species in danger’, it can only make sense to argue that intermediary providers should be able to benefit from the ‘safe harbour’ even in situations in which they are prima facie (primary) copyright infringers, this recommendation should not be used as a means to justify the extension of primary liability in the first place.
It is worth remembering that 7 years ago, Google v Vuitton was an attempt to reject the use of (primary or strict) liability for situations involving intermediary providers [as a paying referencing service provider could not be characterised as a trade mark infringer] and invited Member States to resort to alternative theories such as negligence-based theories.
To conclude, before making the case that the time has come to harmonise secondary liability theories to the benefit [or detriment] of intermediary providers, would it not be essential to clarify the situations in which they should be considered primarily or strictly liable? Why focus the attention on theories of secondary liability when intermediary service providers can more and more easily be characterised as primary infringers?
And isn’t it time to stop using the notion of ‘intermediary’ as it tends to hide the fact that the characterisation should be made in relation to specific features of the service (or activities) provided?