Tuesday, September 23, 2014

New Paper On Novel Type of Injunctions Against Intermediaries

The readers interested in questions of intermediary liability, injunctions and online enforcement might be interested in a new paper authored by me and my friend Miquel Peguera. It is a substantially revised version of a working paper that was previously made available on SSRN in July this year. Since the copyright policy of the journal (IIC) requires us to remove the paper after its publication from SSRN for two upcoming years, I encourage all the interested readers to download it as soon as possible.

In this article we examine the legal framework of the European Union for injunctions against intermediaries whose services are used by a third party to infringe an intellectual property right, as set forth in the InfoSoc Directive and the Enforcement Directive. In particular, we consider the conditions to apply for the injunctions, taking into account how those conditions have been construed by the CJEU. We explore which is the minimum floor of injunctive relief Member States are obliged to provide under the Directives, as well as the maximum ceiling allowed, beyond which the protection granted would infringe upon the limits imposed by the EU Law. Next, we move to consider a particular type of injunctions that rights holders may apply for against intermediaries on the basis of Art. 8(3) of the InfoSoc Directive, namely those that would consist of enjoining an ISP from providing internet access to one of its users allegedly engaging in copyright infringement. A case already decided in Spain, Promusicae et al v. R Cable y Telecomunicaciones Galicia, granting such an injunction serves us as a study case to assess the problems these remedies face.

On the one hand, these privately litigated internet disconnection injunctions may be seen by rights holders as a promising tool to fight online copyright infringement – maybe an alternative to unsuccessful graduate response schemes. However, as we show in the article, these injunctions raise serious issues regarding their compatibility with the EU Charter of Fundamental Rights. Indeed, the possibility of effective and human-right-conform injunctions of this kind turns up to be very narrow. In other words, the Directive's provisions promise much, but if applied correctly, they deliver little.

Friday, September 12, 2014

CJEU on Applicability of the Safe Harbors to Free-of-Charge Websites

CJEU seems to be on copyright spree these days. Technische Universität Darmstadt C-117/13 [decision], Deckmyn C-201/13 [decision], Commission v Council C-114/12 [decision], Pez Hejduk C-441/13 [decision] and Art & Allposters C-419/13 [opinion] are all the cases I hope to be able to come back to on this blog. While these cases can wait, CJEU's new ruling - Papasavvas C-291/03 - on safe harbours can not.

Papasavvas involves pretty "disoriented" CJEU reference from the Cypriot court [reported before here]. The court wanted to know all sorts of things, but mostly whether: a) E-Commerce Directive safe harbours also apply to services that are provided free of charge, b) if so, whether newspapers could invoke any of the safe harbours for its editorial content [sic!]. Cypriot court also tried to use the country of origin principle and to rewrite European history of direct effect of the directives, but CJEU very quickly made clear what is the rule ["the Court wishes to inform the referring court that .."].

Background. On 11 November 2010, Mr Papasavvas brought an action for damages before the Cypriot court against a newspaper company, and against its Editor-in-Chief and an another journalist at that newspaper, for acts which, in his opinion, constitute defamation. Mr Papasavvas seeks damages for harm allegedly caused to him by articles published in the daily national newspaper and, which were published online on two websites (http://www.philenews.com and http://www.phileftheros.com). He requests also the national court to order a prohibitory injunction to prohibit the publication of the contested articles.


  • Free of charge, still covered?
Cypriot court asks about the concept of ‘information society services’, which is a precondition of all the safe harbours. It wants to know whether this term covers also provision of such online information services for which the service provider is remunerated not by the recipient, but by income generated by advertisements posted on a website. This questions has following source: Article 2(a) of Directive 2000/31 defines the terms ‘information society services’ by making a reference to Article 1 of Directive 98/34, which refers to any service ‘normally provided for remuneration’, at a distance, by electronic means and at the individual request of a recipient of services. 

The answer of the CJEU is very predictable - of course, as long as its an economic activity such as service running on advertising. Although predictable [due to Art. 57 TFEU], the answer by the CJEU, however, is not particularly clever one. What about websites that are run non-profit such as Wikipedia? Should they disqualify just because they have decided not to carry any advertising? Or are they also an economic activity? This is why I argued in my book that even potential economic activity should suffice. In any case, I would not immediately infer from this that Wikipedia is not anymore covered. But CJEU should have had taken this more into account when replying.

  • Does editorial content of newspapers qualify for safe harbours?
Another question related to whether editorial content of newspapers can qualify for one of the safe harbours. Instead of rejecting this invitation by pointing to the need of information to be provided by the recipient of the service, CJEU rather started invoking its case-law on what it means to be "an intermediary", i.e. to be passive, not providing assistance etc. It is no surprise then that CJEU instead of using more suitable argument of source of the information at hand [employed or contracted journalists], comes up rather with following argument:

45      Consequently, since a newspaper publishing company which posts an online version of a newspaper on its website has, in principle, knowledge about the information which it posts and exercises control over that information, it cannot be considered to be an ‘intermediary service provider’ within the meaning of Articles 12 to 14 of Directive 2000/31, whether or not access to that website is free of charge.
The problem of this is what it does not say. Namely, that this can be objected with pretty much any service out there. Carving editorial content out of safe harbours by referring to knowledge is probably the worst strategy the Court could have taken. Not being enough, CJEU then accepts invitation to add this argument to the context of the referred question - which I bet with you - will be misrepresented many times in the future:
46      In the light of the foregoing, the answer to the fifth question is that the limitations of civil liability specified in Articles 12 to 14 of Directive 2000/31 do not apply to the case of a newspaper publishing company which operates a website on which the online version of a newspaper is posted, that company being, moreover, remunerated by income generated by commercial advertisements posted on that website, since it has knowledge of the information posted and exercises control over that information, whether or not access to that website is free of charge.
No, it does not say what it states. But you need to read the context first to get that. 

  • Are safe harbours directly invokable in horizontal relationships?
Some context for US readers first. In the European Union, the Directives oblige only Member states. This means that if the state fails to implement them, you generally can not use them as a supplementary source of law, i.e. apply/invoke it directly [there are some exceptions for vertical relationships]. In the horizontal relationships [individual vs. individual] it is more than settled that only indirect effect [interpretation in the light of the Directive] is possible. CJEU here confirms again obvious. Safe harbours have no direct horizontal effects. So if the state fails to implement them, individuals can not invoke provisions of the Directive in their disputes.

All in all, I don't think this decision brings anything new. Perhaps only new sources of certain confusions.

Friday, August 15, 2014

#CETA: Should Canadian Internet Intermediaries Worry?

The Comprehensive Economic and Trade Agreement (CETA) is a proposed free trade agreement between Canada and the European Union. It is yet another alphabet soup that was cooked by our dear policy makers without first asking the public if it is hungry for any change of intellectual property protection/enforcement. As most of the other alphabet soups these days, also this was kept secret in order not to be [b]eaten by people before its ready for serving. Until, well, until German Tagesschau leaked its entire 521 pages long recipe this week.

The intellectual property chapter of CETA (Chapter 22) also contains several provisions regulating Internet intermediaries. And exactly these provisions should not be overlooked.

For the Europeans, intermediary liability provisions of CETA might first even appear boringly predictable as they do not seem to add anything new to the Union law. But this would be misleading. First of all, these provisions are definitely TRIPS-plus provisions, and if coupled with strong investment protection before the arbitration courts, flexibility of any reform of these provisions in the existing Union law will be near to zero. So as long as CETA goes beyond TRIPS, it automatically also adds to the Union law a new international obligations, which did not exist before.

For the Canadians, these obligations can be more groundbreaking. CETA seems to mandate that (i) safe harbours should not limit injunctions and  that (ii) injunctions should extend also to innocent (non-infringing) intermediaries. I have zero knowledge of the Canadian law, but I would humbly predict that at least (ii) is not currently provided for.

Article 5.5 of CETA seems to guarantee the safe harbours in the domestic law. Sounds like a great step, doesn't it? After taking a closer look, however, it becomes clear that domestic law is almost completely free in legislating the exact conditions for the two most important safe harbours, namely hosting and mere conduit ["Each Party may prescribe in its domestic law, conditions for service providers to qualify for the limitations or exceptions in this Article." (Art. 5(5)(4))]. In fact, the only thing the provision seems to guarantee is that some safe harbours for the two activities will exist in the domestic law, and that those domestic conditions can not be conditioned "on the service provider monitoring its service, or affirmatively seeking facts indicating infringing activity" (Art. 5(5)(3)). The more precise notice and take-down system, or counter-notification system is optional (Art. 5(5)(4)). Moreover, this applies only "when [they are] acting as intermediaries" [which sounds like a good Trojan horse for concepts like "passive intermediaries"]. Oh, and did I mention that this all concerns only "copyright or related rights" (Art. 5(5)(1))?

The most important mandatory rule of the safe harbours then seems to be what comes next:
This Article shall not affect the possibility of a court or administrative authority, in accordance with Parties' legal systems, of requiring the service provider to terminate or prevent an infringement.
For non-Europeans. Similarly worded rules in the E-Commerce Directive make safe harbours "injunctions-leaky" in the EU. And they are, together with some other provisions (Art. 8(3) InfoSoc, etc.), increasingly responsible for the most of the private actions against Internet services providers on the old continent [see overview here and here]. Without appropriate cause of action, of course, this would be only a half-way attempt to import the current European trend of increasing accountability of intermediaries by blocking and filtering injunctions or as US scholars would frame it - a system of more preventive notice-and-stay-down requirements.

But CETA does not stop half-way. Article 20 provides for a [differently worded] private cause of action for injunctions against innocent third parties:
1. Each Party shall provide that, in civil judicial proceedings concerning the enforcement of intellectual property rights [by accident not only copyright and related rights?], its judicial authorities shall have the authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party, or, where appropriate, to a third party over whom the relevant judicial authority exercises jurisdiction, to prevent infringing goods from entering into the channels of commerce.
Please note that this a shall-provision. And that its wording could potentially achieve everything that European system of Art. 8(3) style of injunctions does today. And yes, it is exactly the provision which was among other things strongly criticized in ACTA. In fact, ACTA started (Article 2.X.2 of ACTA April Draft 2010) with a provision which was just copy and paste of Art. 8(3) InfoSoc ["The Parties [may] shall ensure that right holders are in a position to apply for an injunction against [infringing] intermediaries whose services are used by a third party to infringe an intellectual property right."]. The provision has proved, however, too controversial. Surprisingly, not because of the concerns of the Internet service providers, but of health activists who were worried about the access to medicines. This language was eventually dropped in the September 2010, but substituted by the following provision:
“Each Party shall provide that, in civil judicial proceedings concerning the enforcement of intellectual property rights, its judicial authorities shall have the authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party or, where appropriate, to a third party over whom the relevant judicial authority exercises jurisdiction, to prevent infringing goods from entering into the channels of commerce.”
As you can see, this provision from the September version of ACTA is the same rule, which now re-appeares in Art. 20(1) CETA. If it becomes the law in Canada one day, its citizens can be also looking forward to a flood of privately litigated website blocking, disconnecting, filtering and other kind of creative injunctions.

One of the senior official at the Commission in Brussels told media that: "The free trade treaty with Canada is a test for the agreement with the United States". Well, if this is the case, than US readers of this blog might "forget" about their fears from their national reform of the DMCA, given that a "reform" might soon unexpectedly come from TRIPS-plus "waters".

Friday, August 1, 2014

Austrian Supreme Court Confirms Open-Ended Website Blocking Injunctions [UPC Telekabel Wien]

Last Thursday, the Austrian Supreme Court (OGH) issued the decision (OGH, 4 Ob 71/14s) in the proceedings that gave rise to the UPC Telekabel C-314/12 reference before the Court of Justice of the European Union. OGH confirmed the lower court decision, which granted an open-ended website blocking injunction against the biggest Austrian ISP. Although the outcome was quite predictable, the reasoning of the court is very interesting.

First of all, OGH comes to the conclusion that open-ended website blocking injunctions are the only (sic!) available form of such a measure under Art. 8(3) implementation [§ 81(1a) UrhG] in Austria [Ein Anspruch auf bestimmte Maßnahmen lässt sich weder aus diesem Wortlaut noch aus dem ihm zugrunde liegenden Ausschließungsrecht ableiten ... Zwar wäre rechtspolitisch auch eine andere Lösung denkbar; nach geltendem österreichischen Recht hat es aber auf dieser Grundlage bei der Beschränkung der in Art 8 Abs 3 Info-RL genannten „Anordnungen“ auf Erfolgsverbote zu bleiben. § 81 Abs 1a UrhG bietet daher keine Grundlage, dem Access-Provider konkrete Maßnahmen zur Verhinderung des Zugangs zu einer Website mit rechtsverletzenden Inhalten vorzuschreiben]. And that specific injunctions are not provided for in the Austrian law.

The Court supports this reasoning by both citing the case-law from the field of law of nuisance, and by arguing that measure-specific injunctions are more serious interference than open-ended ones, because they remove the flexibility from the obliged party (Dieser Unterlassungsanspruch ist auf Unterlassung der Mitwirkung an einem Eingriff in ein absolut geschütztes Recht gerichtet. Ein weitergehender Anspruch auf konkrete Maßnahmen ergibt sich daraus nach geltendem Recht nicht). OGH borrows numerous legal principles from law of nuisance when it concludes that traditionally plaintiffs had only a claim of defence against the interference itself and never had a claim for exact positive measures, which could prove to be ineffective in the course of time. In other words, you could never compel your neighbour to erect a certain type of fence if the interference in question could have been prevented by other sufficient means, which the defendant gave preference to.

It should be reminded that it was the CJEU itself, who suggested that this kind of flexibility is something that reduces the conflict with the right to conduct a business. I have criticized this for number of reasons here. But even if you disagree with me on all of those grounds, consider following. Is in it weird that this flexibility is somehow not appreciated by the ISPs themselves who should be its primary beneficiaries?

Second, OGH examines in detail whether the Austrian legislation complies with the requirements of i) review of reasonableness before any fine for noncompliance is imposed, and ii) possibility of users of an ISP to challenge the website block ex post. After lengthy discussion of the national provisions on execution proceedings, OGH suggests that it found a way how to implement this requirement into the law. It is very interesting that the Court assumes that in absence of such Union-conform interpretation, the Austrian law would be incompliant with the Article 8(3) [Diese unionsrechtlich begründete Auffassung wäre jedoch - ebenfalls aus unionsrechtlicher Sicht - höchst problematisch. Denn sie führte faktisch zur Unanwendbarkeit von § 81 Abs 1a UrhG, wodurch Österreich seine auf Art 8 Abs 3 InfoRL beruhende Pflicht verletzte, im nationalen Recht Regelungen vorzusehen, wonach Rechteinhaber gerichtliche Anordnungen gegen Vermittler erwirken können]. In other words, the Court apparently thinks that website blocking injunctions are part of the minimal standard required by the Union law.

As to second requirement, the reasoning of the Court is even more interesting. It follows my anticipation presented in JIPLP that such claims of users could have their legal basis in the Internet contract with an ISP [Kunden des Providers könnten ihre Rechte auf vertraglicher Grundlage gegen diesen durchsetzen]. The Court explains:

Dieses Erfordernis ist im österreichischen Recht schon deswegen erfüllt, weil Kunden ihren Provider auf vertraglicher Grundlage in Anspruch nehmen können, wenn sie Sperrmaßnahmen für unzulässig oder überschießend halten. Denn der Vertrag zwischen dem Access-Provider und seinen Kunden wird im Regelfall dahin auszulegen sein, dass alle - aber auch nur solche - Website-Sperren zulässig sind, die den Vorgaben des EuGH entsprechen. Schon diese Möglichkeit genügt, um das vom EuGH betonte Recht der Nutzer auf rechtmäßigen Zugang zu Informationen zu wahren. Um der Gefahr einander widersprechender Entscheidungen entgegenzuwirken, wird der Provider in diesem Fall dem Rechteinhaber, der eine Sperre veranlasst hat, den Streit verkünden können.

For non-German speakers [very quick and rusty translation]:

This requirement is already fulfilled in the Austrian law because the customers can sue their provider on the contractual basis in case they consider the blocking measures not lawful or excessive. Because the contract between the access provider and his consumers is to be, as a rule, interpreted meaning that all - but only those - website blocking injunctions are permitted, which correspond to requirements of the CJEU. Already this possibility suffices to guarantee the right of the customers to legal access to information, which was stressed by the CJEU. In order to reduce the risk of conflicting decisions, the provider will be in such a case able to announce the dispute to the right holder, who gave rise to such blocking.
The part that is most surprising for me comes only after this. OGH goes on to say that this does not exhaust the possibility of a user and that any user can also sue directly the rightholder [Darüber hinaus kann erwogen werden, dass Nutzer ihr Recht auf rechtmäßigen Informationszugang auch unmittelbar gegen einen Rechteinhaber geltend machen können, der es - mittelbar - durch die Veranlassung unzulässiger oder überschießender Sperrmaßnahmen verletzt]. I see you asking -- on what basis for God's sake?

Well, OGH has a pretty interesting answer. It opens by saying that CJEU "evidently assumes" that such a right of a user has an erga omnes effect, ie must be respected by all third parties, including right holders. This would mean that a user can object in the execution proceedings compliance with its right to legal access to information. But this is peanuts compared to what comes next. From the reasoning of OGH who is calling this right - an absolute right - it appears plausible that a user could sue directly also a right holder or a provider (sic!) for interference with a right to lawful access to information in a same way as you sue for an infringement of a right to intellectual property. No question, this would be revolutionary as so far all discussion about limitation of lawful access were only of human rights nature [which are of course, not directly invokable against the private individuals]. Unfortunately, OGH then questions this novelty itself by saying that this would apply only if the CJEU really meant to say this [see, similarly surprised Lehofer]. I probably do not need to stress too much what would such a right to lawful access to information as an absolute right enforceable by tort law mean for net neutrality or other debates.

What I miss in the decision is the issue of transparency. Possibility of users to challenge website blocking is dependent on transparency of what is being blocked. Giving users right to challenge, but at the same time keeping factual conditions for such right unfavourable seems to be schizophrenic.

All in all, this decision means that Austrian courts will be issuing open-ended website blocking injunctions in the future. Moreover, Austrian ISPs will need to figure out themselves what exactly to do in order to prevent any fines being imposed on them. If the provider does nothing to prevent access to websites, it will be most likely fined. The tragedy of this is not only legal uncertainty and waste of resources this creates, but also that CJEU's threshold of effective measures that are preventing or seriously discouraging the access to a targeted website and which do not lead to unbearable sacrifices for an access provider, will be most likely forgotten after the first meeting of risk averse shareholders.

PS: Fans of historical doctrinal debates might be interested that OGH at some point seems to endorse my view of (Roman) origin of this type of injunctions, when it says:
Der hier strittige Anspruch, das Vermitteln des Zugangs zu einer bestimmten Website zu unterlassen, ist gleich zu beurteilen. Denn auch dabei geht es um die Abwehr eines Eingriffs in ein dinglich wirkendes Ausschließungsrecht.
Who read my paper on in rem character of such injunctions, might know what I mean here. For others, I recommend to have a look.

Saturday, July 12, 2014

Austrian Court Sentenced a Tor Exit Node Operator

Last week, Austrian Regional Criminal Court in Graz (Landesgericht für Strafsachen in Graz) sentenced 22-year old William Weber to 3 months jail time with 3 years probation period for aiding distribution of child pornography by operating a Tor Exit Node, according to FutureZone.at.

For those who don't know Tor Project, it is a Free Software enabling online anonymity. Tor is increasingly used by activists, human rights defenders, journalists and others who need to or just want to use Internet more anonymously. Among them, of course, also criminals such as distributors of child pornography use it. Tor Exit Nodes are Tor's gateways where encrypted Tor traffic hits the Internet. Nodes are run by volunteers all over the world in order to increase the capacity and speed of the Tor Network.

William Weber was running one of such Tor Exit Nodes upon which the system relies. The Austrian Court found that this activity may lead to criminal liability for aiding and abetting of a crime of distribution of child pornography when coupled with other circumstances. Of course, mere provision of Tor Nodes would not be enough to establish at least indirect intent (bedingte Vorsatz), which such aiding and abetting under criminal laws usually requires (§ 5 StGB).

In order to find such circumstances, according to PCWorld, the court cited transcripts of chat sessions uncovered during the investigation in which the Weber told an unidentified correspondent “You can host 20TB child porn with us on some encrypted hdds”, “You can host child porn on our servers” and “If you want to host child porn ... I would use Tor.” Weber defended himself against this on his blog saying: "Yes, this logs existed – Yes, i recommended Tor to host *anything* anonymously, including child pornography – Yes, this is of course taken out of context."

From the reporting I have found, it is not clear to me if the Austrian discussed mere conduit safe harbor under Art. 12 of the eCommerce Directive [Section 13 of the Austrian eCommerce Act]. Commenting Austrian lawyers, Franz Schmidbauer and Huťko's friend Maximilian Schubert, however, referred to this provision in the media coverage [here, here, here].

Article 12 of the eCommerce Directive states in this respect that:

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
An operator of a Tor Exit Node in my opinion clearly falls into the definition of the mere conduit services, as it only helps to route the Internet traffic. Because eCommerce Directive cuts through all the fields of liability, including criminal liability, it might appear questionable that Weber, who most likely satisfied (a)-(c) requirements, could have been held liable for the routed traffic at all. But things are never that simple, and so is not the eCommerce Directive itself. In Recital 44 of the Directive, you find following:

(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of "mere conduit" or "caching" and as a result cannot benefit from the liability exemptions established for these activities.
This provision is an extra requirement; one which relates to (in)famous CJEU requirement of passivity of intermediary activities in general, including hosting; In other words, Austrian court was free to impose criminal liability if a Tor Exit Node operator intentionally collaborated with the perpetrator of the crime of distribution of child pornography. The open question, however, is, how extensively can one understand such "deliberate collaboration". First of all, given that it is defined nowhere in the eCommerce Directive, it is clearly an autonomous term of the Union law, which is in hands of the CJEU. The Austrian courts thus might have been interested in seeing whether their local interpretation of indirect intent is still in line with this requirement. I know close to nothing about the exact facts of the case, but from the media coverage it appears that Weber did identifiably encourage exact perpetrators over chat.

This decision shows that one should be not only technically, but also legally cautious with operating a Tor Exit Nodes [perhaps Tor should add a note here]. Don't get me wrong, operation of such Nodes is very important in serving all the legitimate Tor traffic. But one should not forget that legitimacy of Tor is based on these case, and aiding identifiable misuses can be penalized. The main problem I see with this decision is not the application of the criminal liability in the current case. And I don't even worry that people would start generalizing this too much. Although we should be really careful in keeping the standard of "deliberate collaboration" very high, otherwise it might be easy to criminalize Tor Exit Nodes operators.

At least in Europe, the CJEU should be able to prevent such excess. More troubling could be that if the same logic is applied in countries with less legitimate criminal offences such as anti-state propaganda crimes, it can be very easy to criminalize Tor Exit Nodes operators. The case also shows that limited liability of intermediaries also serves protection of privacy, and that without clear rules, even technical solutions might have problems in their deployment.

Weber told media that he will not appeal the case due to legal fees. Moritz Bartl from TorServers, however, expressed himself:
This particular case went bad because of multiple reasons. We  strongly believe that it can be easily challenged. While certainly shocking, lower court ruling should not be taken too seriously, and this won't necessarily mean that all Tor relays in Austria are now automatically illegal. The ruling only happened two days ago, there is no written statement from the court yet, so we should all be patient and wait for that before we make any assumptions. We will definitely try and find some legal expert in Austria and see what we can do to fight this.
I believe that the last thing we should try, is to see things black and white here.

Wednesday, July 9, 2014

ECtHR: Delfi AS v Estonia Hearing

Today, the Grand Chamber of the European Court of Human Rights is holding a hearing in an important intermediary liability case - Delfi AS v. Estonia (web-stream here). The Court is hoped to correct many issues which the Chamber judgement so flagrantly overlooked, and as a consequence alarmed 69 organizations to support the re-hearing of the case.

In the meantime, some of the NGOs were given a possibility to intervene in the case by submitting their amicus briefs. European Information Society Institute (EISi), an NGO I volunteer for, also submitted one such brief, which is authored by me. In this submission, we make couple of suggestions to the Court, which I would like to share with the readers. EISi suggests that the Court should:
  • spells out, as an abstract principle, that any general monitoring obligation imposed upon disseminators of non-editorial third party defamatory content is incompatible with Article 10 of the Convention and
  • promote the guarantee of a content author’s right to reply to any allegations before speech is taken down from on-line circulation, by requiring that no liability can be imposed before this moment.
I invite you to read the brief.

Some other organizations made their briefs also already available.
ECtHR should also soon hear an another case that was filed earlier which focuses on liability of bloggers for users’ online comments, Jezior v. Poland.

Friday, May 30, 2014

Should We Centralize the Right to be Forgotten Clearing House?

Being in Silicon Valley during the time when the honourable Court of Justice of the European Union "cracks" its epic right to be forgotten ruling, is a very interesting social experience. Suddenly, the European part of you receives a strange lot of attention among tech folks in all the small talks. No wonder.

[cross-posted with Stanford CIS Blog]

This blog so far did not report on the decision not because I don't have any strong opinion on the issue [you can bet I do!], but because, frankly, I needed to digest its parts and think of them from several angles. I wanted to provide my sophisticated reader with more than just my emotional rants, which I rather ventilate in op-eds like this one.

Google Spain C-131/12 for me is both great and terrible. It is great because the European data protection laws definitely should apply to companies that make a lot of money in Europe, and should regulate search engines. If small European companies manage, so can their American counterparts. The decision is, however, terrible for the (im)balance it strikes. And I know this is where most of the people get passionate. I think that the optimism of many people who commented on ruling is driven by the belief that the law will be changed (e.g. my friend Julia Powles in the Guardian and Wired). If this is your framework, then I do agree. Yes, the decision will definitely move things ahead. 

This might be all true and great, but still, from the short term perspective, the decision with its (im)balance is just terrible. Steve Peers, Peter Lehofer and others already commented on the constitutionally striking language of the decision. Peter Lehofer eloquently characterized this reading of privacy as a "super-human-right". This blanket preference for one human right disturbs me, especially when it comes from a court that is increasingly taking the role of a constitutional court and even claiming to have the ultimate words on the content of those rights. As all European law students learn, perhaps as the first thing in their human rights classes, that there is no hierarchical relationship between the conflicting human rights. That's why we need a test of proportionality. The CJEU now seems to disagree.

So why do I think that the current decision can not serve as a right balance for the future law? 

First of all, the Directive itself has very narrow exceptions for the use of personal data without the permission of the individual concerned ["solely for journalistic purposes or the purpose of artistic or literary expression"]. The fact that CJEU explicitly had no problem with giving a blessing to reading that precludes search engines and other websites from referring to a legitimate article (e.g. up-to-date news article), just because no explicit exception exists. This is deeply worrying. I think that a search engine should be able to invoke the same exception, which a source website is able to invoke (e.g. journalistic, scientific, etc.). This could potentially affect not only search engines, but anybody linking to an article with an anchor which uses personal data (or think of Tweets that encompass personal data when referring to a legitimate article). I think if we expand the notion of "data controllers" and thus data protection laws, we should also expand exceptions [yes, think here of the the old problem of the copyright laws]. Otherwise we might outlaw socially legitimate processing of personal data and artificially break the chain of speech online.

Second, and this is where most of my European friends disagree, the right to object to "no longer relevant" processing of personal data, should be made an exception and not a general rule as CJEU tell us [the word "relevant" in Art. 6(1)(3) IMHO refers not to time-relevant, but proportionate]. I can personally see many instances when we want to give a second chance to people and relieve them from their personal history. Spent convictions for rehabilitated offenders, juvenile indiscretions or personal bankruptcies all share the same justification - a need to give a second chance to people. But this not universal. Not all outdated data have such properties and can be supported by such justification. In fact, I would argue it is only a small subset of all outdated information. Many people also seem to assume that a time dimension decreases the societal value of the information that has such merit. Yes in some cases, but in others it can even increase its societal value (e.g. former radical now applying for job as a high school teacher or running for the public office, etc.). I just don't think that narrative of second chance really supports a universal right of this kind.

But let's look into the application. Google just published its European removal tool. The company seems to be preparing for serious examination of all the requests. From a business perspective, this is no surprise, given that if Google wants to continue to provide its service with any meaningful value, it has to comply. Other it might potentially face criminal charges. And Google is of course capable of doing it. The problem is, however, by shifting the burden completely on a search engine, we just literally "cemented" search engine market by erecting incredibly high barriers to entry. Are mini-competitors of Google like Czech Seznam.cz also capable of doing this? I doubt so. They will most likely just automate the process to save the costs.

Of course you can argue that our preference for privacy is stronger than any concern of competition in the search engine market. But the search engine market is crucial to the online flow of information and any business online. I am not saying we should not regulate search engines, but trying to outsource some of the burden, so a more competitive environment can be preserved, would be desirable. For instance, having to apply to data protection authorities prior to removal on grounds of "no longer relevant", would be a good step [mind you, this is not about right to erasure]. 

This way, we have a state authority to determine such conflicts of freedom of expression and privacy. The authority, which is, unlike a private company, directly bound by human rights [because its a state power]. This would also centralize such decision making into one place, so the consistency can be achieved. And we can better discuss edge cases, because its all public [though anonymized]. The handling of "no-longer-relevant" complaints and defending of potential freedom of expression issues would not be in this way left to business incentives of companies, but to publicly accountable body. Again, the search engines represent a way more critical infrastructure [at least today] than any other service, and no-longer-relevant requests are way more difficult to assess than say copyright issues. So a different treatment, I think, it justified. 

This would also create more legal certainty for service providers and originators of objected speech. Because what is time-relevant for a society is determined by the state, not industry players. At the same time, it would outsource some of the decision making costs, so the barriers of entry would be lowered. Also the mental barrier for applications would be slightly increased, as filling a request to the administrative authority perhaps makes us think twice [even if its free of charge]. The examination effort of search engines would thus not be replicated many times, but be centralized to one decision-making process, with positive spill-over on less wealthy competitors.

To conclude. I think that the Google Spain ruling is really better understood as a political act of the CJEU than as some interpretation of the laws. CJEU members probably disgusted by the difficult policy debates about a new European data protection regulation and "US overreach" revealed by Snowden, decided on this strong ruling to make a political statement. US tech companies have been blocking a new Regulation in Brussels, so the judges decided to mix up the pack of cards on the policy table from Luxemburg, to see what will happen now [thus proving that Coase’s theorem does not work in the political process as well].

Only the way this ruling will be practically carried will determine whether the history will list Google Spain as a good or bad move for the European society.

PS: There are plenty of alternative options. In a conversation, Julia Powles, for instance, suggested that if Google was really concerned about smaller players, it would look seriously at creating an independent, industry-sponsored platform to do this job, because it could be a faster option than any DPA. I personally favour state-implemented solution, given the direct obligations to respect human rights. But I agree that fragmentation and tardiness of DPAs is something that would need to be solved.