Last week brought the shock news that an Italian court was sentencing Google executives under Italian data protection laws in relation to user generated content (UGC) posted on a You-Tube type service operated by Google.
The UGC in question showed a teenager with Down's syndrome being taunted and filmed by his bullies on a mobile phone. In a further act of harassment, the bullies posted the footage online for the world to see.
There is no doubt that the act of bullying itself was shameful and that the bullies should be punished for it (whether or not they were, I do not know). That is not the main point here.
Similarly, it is undisputed that the victim's privacy was invaded. Needless to say, he did not consent to being bullied in the first place, let alone being filmed and published online. In the UK, this could amount to breach of privacy (or, more accurately, the common law breach of confidence as stretched by the judiciary and Article 8 of the Human Rights Act 1998).
By publishing this private content, the bullies are the ones primarily in the wrong as their 'analogue' bullying becomes, in addition, cyberbullying (in the UK, the civil wrong and criminal offence of harassment). But that is not the main point either. They are primarily in the wrong, but the Italian court pointed the finger of blame beyond them to a 'bigger bully', Google.
The shock factor in this case is that certain US-based Google executives were held criminally liable (in an Italian court) for hosting the UGC in question on Google's (internationally available) site. The sting in the tail is that the cause of action was under Italian data protection law (rather than, for example, defamation, privacy or e-commerce) laws.
We'll need to wait for the Italian judgment to be published in order to examine the exact facts of the case and the judge's reasoning. In the meantime, let's consider the headline issues raised by the case:
- applicable law and jurisdiction;
- the 'hosting exemption'; and
- data protection laws.
Applicable Law and Jurisdiction
Applicable law and jurisdiction in an online context is a can of worms so I will touch on it very briefly here.
Websites often state in their terms and conditions that use of the website is subject to the laws of a particular country. Despite this, there are certain 'mandatory provisions' of third party countries which will override that country's laws where the website is seen to target the citizens of those third party countries. This will depend on the type of law (e.g. data protection and consumer protection laws are often 'exported' in this way). This case has the added complexity of Italy being a member state of the EU and, as such, subject to certain Directives, etc.
Even if one country's laws apply, that doesn't mean that all disputes must be heard in that country's courts. There have been instances where one country has heard a dispute in its courts by applying the laws of another country. As Italy is an EU member state, appeals on European points of law may be made to the ECJ.
I should also add that the extent to which officers/directors can be held personally liable for their company's acts and omissions depends largely on the applicable law (e.g. Italian or US) and the cause of action (e.g. defamation or privacy).
Of course, the Google executives did not - could not possibly - have known about the video in question. They did not make the video, did not post it, did not authorise it to be posted, and undoubtedly discouraged it from being posted (the terms and conditions would have made it clear that users are not permitted to upload unlawful UGC).
In considering whether Google is liable for displaying unlawful (e.g. defamatory) UGC, the question is whether it should have known about the video and removed it. This comes down to constructive, or imputed, knowledge, 'notice and take down' mechanisms, and whether Google went far enough to discharge its 'duty of care' as host of UGC. It seems that Google did, in fact, remove the video without undue delay upon notification.
Section 19 of the UK's E-Commerce Regulations contains a well-established exemption from liability for Google-type internet intermediaries hosting UGC. This exemption is what enables Google and countless other online companies, from ISPs like AOL to auction sites like eBay to forums like Mumsnet, to conduct their businesses. Without this exemption, they would face astronomical costs in moderating all content, and/or face countless lawsuits. This would have the effect of stifling UGC and the Internet as we know it would not exist. The US has similar provisions in its legislation. So does Italy, in line with Article 14 of the E-Commerce Directive.
The hosting exemption is, however, qualified by the requirement for Google et al to operate effective and expeditious 'notice and take-down' policies. That is, when they are notified of offensive content, they must act swiftly to remove it. This mechanism has worked to date in that it seems to strike a workable balance between fostering sharing of information (e.g. UGC) and safeguarding people's rights (e.g. privacy).
In ruling that Google's executives are personally, criminally liable for UGC hosted by a site owned by Google, the Italian court's decision would, at first glance, seem to upset this balance. However, upon closer examination, this is not the case because, in fact, one of the counts against Google was for defamation and it was dismissed (it can be safely assumed) on the basis of the hosting exemption.
I do not intend to examine this charge, or the judge's reasoning, until I have had the opportunity to review the judgment in full. The main point to bear in mind is that Article 1(5) of the E-Commerce Directive expressly states that its provisions shall not apply to the Directives governing data protection. Therefore Google would not have had the protection of the hosting exemption under this count of breach of Italy's data protection laws. Recital (14) of the E-Commerce Directive explains:
"The protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC ...and Directive 97/66/EC ...which are fully applicable to information society services; these Directives already establish a Community legal framework in the field of personal data and therefore it is not necessary to cover this issue in this Directive in order to ensure the smooth functioning of the internal market... the implementation and application of this Directive should be made in full compliance with the principles relating to the protection of personal data, in particular as regards unsolicited commercial communication and the liability of intermediaries; this Directive cannot prevent the anonymous use of open networks such as the Internet."
So the indictment of the Google executives under Italian data protection law does not threaten to deprive internet intermediaries of the hosting exemption in relation to unlawful UGC. However, it does highlight that online companies must be vigilant as to the multitude of data protection laws which may govern their activities. In our experience, all companies tend to underestimate the importance of complying with data protection laws. This case may herald a turning point that sees data protection compliance rising up the agenda for online businesses.
On a different note, I think it is quite telling that, although many people left outraged comments on Google's website against the video in question in this case, not one of them actually clicked the button to flag it. As Google cannot be expected to monitor every item of UGC uploaded, so it cannot be expected to monitor every comment made in relation to each post. If, at the time, the Google site did not feature such a panic button, then the lesson to online UGC hosts is to include one. If, however, there was a panic button but users did not think to click it, then users need to be educated to do so. The UK's click clever click safe campaign drives home the message of how to use the Internet safely by following simple steps. It is aimed at children, but adults and children alike would do well to observe its 'zip it, block it, flag it' mantra.
We all need to act responsibly online, from cyberbullies (who leave cyber footprints as evidence of their bullying), to teens and adults (who can be too free with the personal information they make available online), to the internet intermediaries, who cannot simply claim ignorance and blanket exemptions against all potential liability, particularly in the field of data protection.
Laurence Kaye Solicitors