A lot has been written on the topic of intermediary liability in the past few months. But has everything been said or read? And looking at the different pieces of the regulatory jigsaw together, are we heading in the right direction?
One important piece of the jigsaw is certainly the General Data Protection Regulation (GDPR) to become applicable in one year time, i.e. on 25 May 2018.
The GDPR, or at least its Article 2(4) and Recital 21, has been welcome by several for it appears to clarify [at first glance I would add] the relationship between the old [and still good law] E-commerce Directive and EU data protection rules.
Article 2(4) reads as follow:
“This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.”
Recital 21 repeats Article 2(4) and adds the following:
“This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.”
Because the domain of application of the E-Commerce Directive (see Article 1(5)(b)) – as regards data protection law provisions – was expressly linked to the Data Protection Directive (DPD) and the DPD only, with its replacement by the GDPR it would thus seem [once again at first glance] that finally data protection law related issues will stop being excluded from the domain of the E-Commerce Directive. In other words, it would seem that the liability exemptions to be found in the E-Commerce Directive (Articles 12-15) could apply even in cases in which data protection law violations are at stake. For more information on these Articles, see my post here.
However, things are slightly more complicated and such a syllogism can only amount to oversimplifying the interplay between the E-Commerce Directive and the GDPR if not explained carefully. [This is why I argued here that Recital 21 and Article 2(4) are in fact not enough].
To fully understand the interplay between the E-Commerce Directive and the GDPR one has to remember two things:
- The first one is that, conceptually and historically, the E-Commerce Directive liability exemptions had been conceived as exemptions from third-party liability, in other words, they were meant to be applicable in situations in which intermediary service providers’ users were engaging into illegal activities. The intimacy that exists between Articles 12 to 14 of the E-commerce Directive and Article 8(3) of the infosoc Directive (“intermediaries whose services are used by a third party to infringe a copyright or related right”) and Article 11 of the IP rights enforcement Directive (“intermediaries whose services are used by a third party to infringe an intellectual property right”) confirms the foregoing.
- The second thing to remember is that the wording of Articles 12 to 14 does not actually say that intermediary service providers shall be exempted from (financial) liability in all cases. [By ‘financial’ I mean the obligation to pay damages].
So what? Well, as a result, intermediary service providers, when acting as data controllers, might not always be able to rely upon Articles 12 to 14 to avoid financial liability (i.e. paying monetary compensation to those who have suffered as a result of their actions).
Let’s take a few examples in illustration of this point.
The first one could be that of a search engine acting as a data controller when presenting in a structured manner search results to its users. One could try to make the argument in the wake of Google v Vuitton that a search engine or a (natural) referencing service provider is a hosting provider and therefore should be able to avail itself of Article 14 of the E-Commerce Directive [although what a search engine is doing is maybe more caching than hosting]. However Article 14 does not exempt hosting providers from financial liability in all cases. It caters for one specific situation: liability for the (unlawful) information stored at the request of a recipient of the service.
It has been suggested that the right to delist certain search results from the lists produced by (natural) referencing service providers should be welcome inasmuch as it is only a limited interference with the right to freedom of expression, since the content would not necessarily need to be removed at its source. Nevertheless, in a situation of this type it would therefore not really make sense to argue that the search engine acting as a data controller, and thereby required to delist, shall not be held financially liable for the damage caused to the data subject because holding otherwise would make it liable for the (unlawful) information stored at the request of a recipient of the service.
The second example could be that of an Internet Access Provider (ISP). ISPs are conceived as mere conduits and are in principle entitled to avail themselves of Article 12 of the E-Commerce Directive. This holds true as long as we are in a situation in which liability is sought for the (unlawful) information transmitted by ISPs’ users.
Yet it is generally considered that an ISP can in some instances be a data controller. Recital 47 of the Data Protection Directive specifies that:
“Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;”
In other words, ISPs are data controllers in relation to metadata, i.e. the ‘who, when, and how’ of the messages sent to the exclusion of their content.
Now, let’s assume that an ISP, irrespective of the invalidity of systematic and general data retention obligations, decides to systematically retain the metadata of the messages sent through its network. Not many people would try to argue that the ISP could benefit from Article 12 to exempt itself from financial liability. Why? Because the activity that makes the ISP a data controller is not exactly the same as the activity that makes the ISP an intermediary.
Going further, saying in general terms that a service provider can be both an intermediary and a data controller is misleading if it is intended to suggest that an intermediary could then always be exempted from financial liability when it acts as a data controller. In other words, saying that a service provider can be both an intermediary and a data controller at the same time is overlooking the consideration that the activities for which the service provider is an intermediary can be different in nature from the activities for which the service provider would be considered a data controller.
We are thus back to the key notion of third-party liability.
One way to make sense of the GDPR could be to say that it implicitly acknowledges that the E-Commerce Directive liability exemptions should apply even in situations in which the service provider is (primarily) liable as a data controller.
Note that the Court of Appeal in Northern Ireland did not wait for the GDPR to hold that Facebook, as a data controller and an information society provider, could avail itself of the national transposition of Article 14 of the E-Commerce Directive in CG v Facebook Ireland Ltd & Anor  NICA 54 (21 December 2016).
Such an interpretation is sensible, although if the characterisation of data controller is retained it would seem logical [but who is interested in logic?] to conclude after Google Spain that the processing performed by Facebook should therefore be distinct from the processing performed by the uploader of the information.
However because Articles 12-14, strictly speaking, only target one specific situation: liability for the (unlawful) information transmitted or stored by their users, a cumulative application of EU data protection law and e.g. Article 14 of the E-Commerce Directive could appear odd in some instances, e.g. in the case of a search engine referencing content lawfully published.
Back in 2014, the CJEU had ruled in Google Spain at para. 85-86 that:
“the processing by the publisher of a web page consisting in the publication of information relating to an individual may, in some circumstances, be carried out ‘solely for journalistic purposes’ and thus benefit, by virtue of Article 9 of Directive 95/46, from derogations from the requirements laid down by the directive, whereas that does not appear to be so in the case of the processing carried out by the operator of a search engine. It cannot therefore be ruled out that in certain circumstances the data subject is capable of exercising the rights referred to in Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 against that operator but not against the publisher of the web page.
Finally, it must be stated that not only does the ground, under Article 7 of Directive 95/46, justifying the publication of a piece of personal data on a website not necessarily coincide with that which is applicable to the activity of search engines, but also, even where that is the case, the outcome of the weighing of the interests at issue to be carried out under Article 7(f) and subparagraph (a) of the first paragraph of Article 14 of the directive may differ according to whether the processing carried out by the operator of a search engine or that carried out by the publisher of the web page is at issue, given that, first, the legitimate interests justifying the processing may be different and, second, the consequences of the processing for the data subject, and in particular for his private life, are not necessarily the same.”
Yet, properly identifying what the French call “le fait générateur de la responsabilité” (the act generating the responsibility) is actually crucial to understand when and to what extent intermediary service providers could be subject to duties.
Pushing the reasoning further, and turning to the proposed Copyright Directive now, the trend definitely seems to be to enlarge the category of primary infringement committed by intermediary service providers. This is done through the very broad interpretation of the notion of “communication to the public” and the assertion that even if hosting providers are communicating to the public (and therefore are primary copyright infringers) they could benefit from Article 14 of the E-Commerce Directive if they are not active. (See my post here).
While for those concerned by the fate of intermediary service providers who are progressively becoming a sort of ‘species in danger’, it can only make sense to argue that intermediary providers should be able to benefit from the ‘safe harbour’ even in situations in which they are prima facie (primary) copyright infringers, this recommendation should not be used as means to justify the extension of primary liability in the first place.
It is worth remembering that 7 years ago, Google v Vuitton was an attempt to reject the use of (primary or strict) liability for situations involving intermediary providers [as a paying referencing service provider could not be characterised as a trade mark infringer] and invited Member States to resort to alternative theories such as negligence-based theories.
To conclude, before making the case that the time has come to harmonise secondary liability theories to the benefit [or detriment] of intermediary providers, would not it be essential to clarify the situations in which they should be considered primarily or stricly liable? Why focus the attention on theories of secondary liability when intermediary service providers can more and more easily be characterised as primary infringers?
And isn’t it time to stop using the notion of ‘intermediary’ as it tends to hide the fact that the characterisation should be made in relation to specific features of the service (or activities) provided?
This is an interesting piece, Sophie.
> the wording of Articles 12 to 14 does not actually say that intermediary service providers shall be exempted from (financial) liability in all cases.
As I read them, Arts. 12, 13 and 14 all say that the ISS provider is “not liable for” certain things. It would be a curious reading, to my mind, to interpret this as not covering financial liability.
Indeed, each Article has a whole sub-section specifying that certain remedies remain available: broadly, injunctive relief to compel termination of an infringement. None of these sub-sections indicates that financial relief should also be available.
However, in terms of the broader debate, I don’t think that there is a dissonance between an ISS provider’s duties under the data protection framework in circumstances where it is a controller (and, soon, where it is a processor) and the concept of intermediary shielding.
As you say, this is recognised expressly in the context of the provision of an electronic communications service: Article 12, 2000/31/EC shields the provider, but the data protection framework clearly bites on its metadata processing.
Equally clearly — recital 47, 95/46/EC, as you cite — is the position that the provider is not the controller in respect of the content of the communications which it transits through its service.
The outcome, to my mind, is that one actor can be both shielded from liability and also a data controller.
The real question is the scope of each.
I agree with your view that the activities of the provider are important and, to my mind, this is what the text of 2000/31/EC does, even if not the recitals: each of 12, 13 and 14 are focused on particular activities (conveyance, proxying and storage).
It seems apparent that a communication services provider is neither responsible for the content of a communication, nor are they a controller in respect of the content. Alice may say something defamatory (e.g. by virtue of being untrue) to Bob about Charles, and the provider is protected from liability for the defamation and its communication, and from any claim from Charles based on data protection law.
Applying that concept to a service which enables a third party to upload videos, the services provider would be neither responsible from a copyright perspective for the content of the video or infringements arising from its distribution, nor from a data protection perspective for what is depicted in the video: both of these are the remit of the uploader, not the provider. Conversely, the provider would be the data controller in respect of metadata which it generates in the course of providing the service — such as a user’s viewing history, or inferred (or declared) preferences for targeting of advertising.
To attempt to argue that the provider should be a controller in respect of the content of each uploaded video would be to argue that an ECS provider should be a controller in respect of the content of a call or email, which the framework expressly disclaims: it is the uploader, nor to the provider, which determines what, if any, personal data are included in the video.
Similarly, if the service provider was the controller, we would be setting a standard which simply could not be met: if Alice records a video saying “Bob has a headache today” and uploads it, and the hosting provider is deemed to be the controller, what Schedule 3 basis does the provider have for the processing inherent in the storage of that video? Clearly, no consent has been communicated to the provider, and it is unlikely that any other basis is available. The encouragement of innovation inherent in 2000/31/EC would be pushed aside, and I’d question whether that would be the regulatory intent.
Just to clarify: The sentence ‘the wording of Articles 12 to 14 does not actually say that intermediary service providers shall be exempted from (financial) liability in all cases’ means they are exempted from financial liability but not in all cases.
Re combining a charactersiation of intermediary and data controller makes sense but my point is we need to properly identify the act that triggers the charactersiation.
It would have been very interesting to have more discussion on the characterisation of data controller in CG v Facebook Ireland, but ‘The case was opened and began before Stephens J on the basis that the Act applied to Facebook and at paragraph 5 of its defence it admitted that it was the data controller with respect to the data of users based outside of the United States of America and Canada of the social network for the purposes of the 1998 Act.’ In any case Art. 29 WP writes that ‘SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes – including advertising provided by third parties. ‘
Agreed — additional clarity would have been welcomed!
I don’t see any argument as to whether an SNS provider is a data controller of their user data / registration system, but that’s perhaps different to being a controller of personal data contained in content which the user uploads?
In terms of financial liability, if the provider is able to use the shield in respect of the act in question, I’m struggling to see how they could be liable financially for that act?
Yes this is what I am saying, if the provider is able to use the shield they are not financially liable. Not sure where the misunderstanding is.
I think I got it, what I am saying is that the provider cannot use the shield for all its activities, only if the activity is of an intermediary nature. And yes if the provider can use the shield they are exempted from (financial) liability.
In which case, yes, we are saying the same thing 🙂
Pingback: The GDPR, the proposed Copyright Directive and intermediary liability: one more time! – Sophie Stalla-Bourdillon | Inforrm's Blog
Pingback: Data Protection Concerns raised by Proposed EU Directive on Contracts for Supply of Digital Content | Peep Beep!
Pingback: Data Protection & Intermediary liability: how do the French do it? | Peep Beep!
Pingback: Data Protection and Intermediary liability: how do the French do it? – Sophie Stalla-Bourdillon | Inforrm's Blog