Human Rights in Ireland is a group blog that contains many useful posts on, as you might expect, human rights in Ireland. I was very pleased to write a guest post for the blog, which has just been published. I’m republishing it here for those who have not already seen it. I do recommend that you subscribe to the full HRinI feed!
The recent attempt by JP McManus to secure the removal of ‘fake profiles’ on Facebook (reported by the Irish Times on 30 May) through an application for an injunction (struck out after the pages were taken down) is just the latest reminder of the importance of intermediaries when it comes to law and the Internet. In this situation, McManus appears to have been doing something that isn’t difficult to understand – turning to the law to make the offending page disappear from the Web. In the UK, of course, we have seen the last few weeks as a significant time in the development of the law on privacy injunctions, with judges, newspapers and certain Twitter users taking fairly different approaches.
However, it’s far from a new problem. Within the then-novel field of what some called cyberlaw, the middle part of the 1990s was dominated by earnest debates in journals, courts and parliaments on the future of law. John Perry Barlow’s assertiveDeclaration on the Independence of Cyberspace of 1996 told governments they were not welcome in this new world that was governed by its own social contract, dismissing laws on everything from property to identity; ‘they are all based on matter, and there is no matter here’. Many responded by pointing to existing legal principles or forms of technological enforcement. Regarding Facebook, Twitter and other sites, the key resolution of these early debates, which continues to shape their rights and responsibilities as well as those of their users and those their users write about, was in new statutory principles on liability. For example, article 14 of the E-Commerce Directive (2000/31), transposed into Irish law as SI 68/2003, points to a ‘notice and takedown’ approach. This means that Facebook is not liable for – say – a defamatory statement posted by one of its users, as long as it ‘upon obtaining such knowledge or awareness [of the unlawful activity], acts expeditiously to remove or to disable access to the information’. In the case of ISPs acting as ‘mere conduits’ (like your friendly broadband provider), a greater degree of immunity is provided.
The position is a little different in the US, where a distinction is drawn between intellectual property (governed by a notice and takedown system in the Digital Millennium Copyright Act) and other (non-criminal) claims (close to absolute immunity without a takedown requirement, under the Communications Decency Act). Other provisions may also be relevant at a national level, such as s 27 of the Defamation Act 2009 in Ireland on innocent dissemination.
Whatever the position of the intermediary, important rights are at stage. Too much immunity, and the aggrieved person will say that they cannot see their rights vindicated; Danielle Keats Citron also argues that there are consequences for equality. Too little, and the intermediary becomes risk-averse, taking down content at the mere hint of potential possible illegality, as Ahlert, Marsden & Yung’s famous study demonstrated in 2004, with deleterious consequences for the right to communicate. Even where conditional immunity is pursued, there are further questions to be answered – what is expeditious, for example, and does it vary based on the gravity of the situation or the number of people who have retweeted the information? What of providers located in the US without meaningful assets, customers or facilities in the EU? Furthermore, beyond the big issue of liability, hosts may also be faced with Norwich Pharmacal orders, to disclose the name of a user where the host is ‘mixed up’ without fault in the wrongs of others.
Although much of the news coverage of Twitter seems to have glossed over this point, such an order was granted in respect of Facebook as far back as 2008: Applause Store Productions v Raphael  EWHC 1781 para 10. There are some unresolved issues (which the ECJ has hinted at) on the balance between privacy and e.g. copyright enforcement, and of course, there are limits to (a) how tolerant a court is of mass applications and (b) how much information is available (or useful) through this process.
Indeed, the Irish Times also reports that McManus had raised constitutional and data protection claims. Neither are particularly surprising, and it surely won’t be long before an Irish court has the opportunity to try and deal with this balance. The most significant case so far has been about a betting chat room (Mulvaney v Sporting Exchange t/a Betfair  IEHC 133), but that was a fairly straightforward application of the Directive; the various ‘music’ cases did discuss (albeit unsatisfactorily) the need to balance various rights in the context of the claims of record companies against ISPs. Certainly, reliance on Convention rights has been important in the grant of privacy injunctions in England; the recent cases have been about the need for injunctions in the face of disclosure (e.g. CTB  EWHC 1326 (QB)), rather than takedown disputes. However, if the Irish courts see a fully-argued constitutional claim, difficult issues of EU law will need to be negotiated. It must surely be hoped that the current reviewof the E-Commerce Directive will take note of the decade’s worth of development and interpretations and sets out a system for intermediaries, including a method (despite its title) to give thorough consideration to relevant fundamental rights as part of the process, whether they are engaged directly or indirectly.