European Court of Human Rights in Strasbourg handed down its first "ISP liability" case - Delfi AS v. Estonia (App. No. 64569/09). The case concerns a question of liability of an Internet news portal for third party comments made on its website under one of the news items.
First some background:
First some background:
7. The applicant company is the owner of Delfi, an Internet news portal that publishes up to 330 news articles a day. Delfi is one of the largest news portals on the Internet in Estonia. It publishes news in Estonian and Russian in Estonia and also operates in Latvia and Lithuania.
8. At the material time, at the end of the body of the news articles there were the words “add your comment” and fields for comments, the commenter’s name and his or her email address (optional). Below these fields there were buttons “publish the comment” and “read comments”. The part for reading comments left by others was a separate area which could be accessed by clicking on the “read comments” button. The comments were uploaded automatically and were, as such, not edited or moderated by the applicant company. The articles received about 10,000 readers’ comments daily, the majority posted under pseudonyms.
9. Nevertheless, there was a system of notify-and-take-down in place: any reader could mark a comment as leim (an Estonian word for an insulting or mocking message or a message inciting hatred on the Internet) and the comment was removed expeditiously. Furthermore, there was a system of automatic deletion of comments that included certain stems of obscene words. In addition, a victim of a defamatory comment could directly notify the applicant company, in which case the comment was removed immediately.
The comments appeared under an article on the Delfi portal with the headline ‘SLK Destroyed Planned Ice Road’ (ice roads are public roads over the frozen sea which are open between the Estonian mainland and some islands in winter). The plaintiff, Mr. L. was a member of the supervisory board of SLK and the company’s sole or majority shareholder at the material time. The article attracted 185 comments. About twenty of them contained personal threats and offensive language directed against L. As a consequence, Mr. L notified the Internet news portal and requested a payment of approximately 32.000 euros. The portal removed the offensive comments on the same date, but refused to pay any damages.
Three weeks later, L. brought a civil suit against the news portal. The first instance court shielded portal from liability applying the hosting safe harbor (Art. 14 of eCommerce Directive). L. appealed. The second instance sided with him and opined that the safe harbor does not apply, because the provider was not merely passive. When the first instance de novo decided the case applying provided interpretation, it deemed news portal ineligible for safe harbor and qualified him as a publisher of comments. The news portal appealed. The second instance then confirmed the liability of the ISP for third party comments. It noted that the ISP was not a technical intermediary in respect of the comments, and that its activity was not of a merely technical, automatic and passive nature; instead, it invited users to add comments. Thus, the applicant company was a provider of content services rather than of technical services. Also, it noted that measures taken by it were insufficient to prevent third party wrongdoing. As the last instance, the Supreme Court of Estonia confirmed the decision stressing that
[..] an information society service provider, falling under that Act and the Directive on Electronic Commerce, had neither knowledge of nor control over information which was transmitted or stored. By contrast, a provider of content services governed the content of information that was being stored. In the present case, the applicant company had integrated the comment environment into its news portal and invited users to post comments. The number of comments had an effect on the number of visits to the portal and on the applicant company’s revenue from advertisements published on the portal. Thus, the applicant company had an economic interest in the comments. The fact that the applicant company did not write the comments itself did not imply that it had no control over the comment environment. It enacted the rules of comment and removed comments if the rules were breached. The users, on the contrary, could not change or delete the comments they had posted; they could merely report obscene comments. Thus, the applicant company could determine which comments were published and which not. The fact that it made no use of this possibility did not mean that it had no control over the publishing of the comments. [..] Furthermore, the Supreme Court considered that in the present case both the applicant company and the authors of the comments were to be considered publishers of the comments. In this context, it also referred to the economic interest of an internet portal’s administrator, which made it a publisher as entrepreneur, similarly to a publisher of printed media. The Supreme Court found that the plaintiff was free to choose against whom to bring the suit, and L. had chosen to bring the suit against the applicant company. The Supreme Court found that on the basis of its legal obligation to avoid causing damage to other persons the applicant company should have prevented clearly unlawful comments from being published. Furthermore, after the comments had been published, it had failed to remove them on its own initiative, although it must have been aware of their unlawfulness. The courts had rightly found that the applicant company’s failure to act had been unlawful.
As far as I can conceive the Estonian case it seems to misapply the eCommerce Directive. The arguments put forward by the court on why the third party comments do not qualify for passive service are not those the CJEU had in mind. The profit making nature, technical pre-design of service, or technical control would render most of the services ineligible (pre-Google-France case-law in France, I think, is a good example of this). From the decision, I personally don't see why the hosting of comments would not be of passive nature and hence should not enjoy the safe harbor shield.
In any case, because Estonian court declared safe harbors inapplicable, the court was in its opinion free of the Union law restrains and applied general tort law to find wrongful omission on the side of the ISP (§ 61). For this reason, the ISP was treated as a co-publisher of the third party comments. I am not sure if this is right. Even if the ISP loses safe harbor, it is still to some extend shielded by prohibition of the general monitoring obligation. This is because Art. 15 does not make this prohibition dependent on a "possession" of the safe harbor, but on performance of a certain technical activity.
Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.
Update 1/11/2013: Graham Smith rightly pointed out to me a logical incoherence of this argument in this context, as despite being true, it does not justify application of Art. 15 in a case, where hosting safe harbor was found to be inapplicable.
Therefore, I would argue that even if the safe harbor does not apply anymore, Estonian tort law sanctioning omission is limited to impose such preventive obligations that would amount to a general monitoring obligation.
Therefore, I would argue that even if the safe harbor does not apply anymore, Estonian tort law sanctioning omission is limited to impose such preventive obligations that would amount to a general monitoring obligation.
Of course, misapplication of Union law is not the issue to deal with for the ECHR. The Court looks only into whether human right limits were respected by imposing such liability. The decision quickly establishes that imposed liability was 1. sufficiently prescribed by the law and 2. follows a legitimate aim of protecting reputation of others. The main question therefore was whether the ISP’s rights under Article 10 [freedom of expression] were excessively restricted in the present case by holding it liable for comments written by third parties. And hence whether the restriction was “necessary in a democratic society”. So let's have a look at the ECHR arguments.
3. The Court’s assessment
(d) Necessary in a democratic society(i) General principles
78. The fundamental principles concerning the question whether an interference with freedom of expression is “necessary in a democratic society” are well established in the Court’s case-law and have been summarised as follows [..]
“(i) Freedom of expression constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and for each individual’s self-fulfilment. Subject to paragraph 2 of Article 10, it is applicable not only to ‘information’ or ‘ideas’ that are favourably received or regarded as inoffensive or as a matter of indifference, but also to those that offend, shock or disturb. Such are the demands of pluralism, tolerance and broadmindedness without which there is no ‘democratic society’. As set forth in Article 10, this freedom is subject to exceptions, which ... must, however, be construed strictly, and the need for any restrictions must be established convincingly ...
(ii) The adjective ‘necessary’, within the meaning of Article 10 § 2, implies the existence of a ‘pressing social need’. The Contracting States have a certain margin of appreciation in assessing whether such a need exists, but it goes hand in hand with European supervision, embracing both the legislation and the decisions applying it, even those given by an independent court. The Court is therefore empowered to give the final ruling on whether a ‘restriction’ is reconcilable with freedom of expression as protected by Article 10.
(iii) The Court’s task, in exercising its supervisory jurisdiction, is not to take the place of the competent national authorities but rather to review under Article 10 the decisions they delivered pursuant to their power of appreciation. This does not mean that the supervision is limited to ascertaining whether the respondent State exercised its discretion reasonably, carefully and in good faith; what the Court has to do is to look at the interference complained of in the light of the case as a whole and determine whether it was ‘proportionate to the legitimate aim pursued’ and whether the reasons adduced by the national authorities to justify it are ‘relevant and sufficient’.... In doing so, the Court has to satisfy itself that the national authorities applied standards which were in conformity with the principles embodied in Article 10 and, moreover, that they relied on an acceptable assessment of the relevant facts ....”
(ii) Application of the principles to the present case
84. Turning to the present case, the Court notes at the outset that there is no dispute that comments posted by readers in reaction to the news article published on the applicant company’s Internet news portal were of a defamatory nature. Indeed, the applicant company promptly removed the comments once it was notified by the injured party, and described them as “infringing” and “illicit” before the Court. However, the parties’ views differ as to whether the applicant company’s civil liability for the defamatory comments amounted to a disproportionate interference with its freedom of expression. In other words, the question is whether the applicant company’s obligation, as established by the domestic judicial authorities, to ensure that comments posted on its Internet portal did not infringe the personality rights of third persons was in accordance with the guarantees set out in Article 10 of the Convention.
85. In order to resolve this question, the Court will proceed to analyse in turn a number of factors which it considers to be of importance in the circumstances of the present case. Firstly, the Court will examine the context of the comments, secondly, the measures applied by the applicant company in order to prevent or remove defamatory comments, thirdly, the liability of the actual authors of the comments as an alternative to the applicant company’s liability, and fourthly the consequences of the domestic proceedings for the applicant company.
86. The Court notes that the news article published on the Delfi news portal addressed a topic of a certain degree of public interest. It discussed a shipping company’s moving its ferries from one route to another and in doing so breaking the ice at potential locations of ice roads, as a result of which the opening of such roads – a cheaper and faster connection to the islands compared to the company’s ferry services – was postponed for several weeks. The article itself was a balanced one, a manager of the shipping company was given the opportunity to provide explanations, and the article contained no offensive language. Indeed, the article itself gave rise to no arguments about defamation in the domestic proceedings. Nevertheless, the article dealt with the shipping company’s activities that negatively affected a large number of people. Therefore, the Court considers that the applicant company, by publishing the article in question, could have realised that it might cause negative reactions against the shipping company and its managers and that, considering the general reputation of comments on the Delfi news portal, there was a higher-than-average risk that the negative comments could go beyond the boundaries of acceptable criticism and reach the level of gratuitous insult or hate speech. It also appears that the number of comments posted on the article in question was above average and indicated a great deal of interest in the matter among the readers and those who posted their comments. Thus, the Court concludes that the applicant company was expected to exercise a degree of caution in the circumstances of the present case in order to avoid being held liable for an infringement of other persons’ reputations.
87. As regards the measures applied by the applicant company, the Court notes that, in addition to the disclaimer stating that the writers of the comments – and not the applicant company – were accountable for them, and that it was prohibited to post comments that were contrary to good practice or contained threats, insults, obscene expressions or vulgarities, the applicant company had two general mechanisms in operation. Firstly, it had an automatic system of deletion of comments based on stems of certain vulgar words. Secondly, it had a notice-and-take-down system in place according to which anyone could notify it of an inappropriate comment by simply clicking on a button designated for that purpose, to bring it to the attention of the portal administrators. In addition, on some occasions the administrators of the portal removed inappropriate comments on their own initiative. Thus, the Court considers that the applicant company cannot be said to have wholly neglected its duty to avoid causing harm to third parties’ reputations. Nevertheless, it would appear that the automatic word-based filter used by the applicant company was relatively easy to circumvent. Although it may have prevented some of the insults or threats, it failed to do so in respect of a number of others. Thus, while there is no reason to doubt its usefulness, the Court considers that the word-based filter as such was insufficient for preventing harm being caused to third persons.
88. The Court has further had regard to the notice-and-take-down system as used by the applicant company. Indeed, the question of whether by applying this system the applicant company had fulfilled its duty of diligence was one of the main points of disagreement between the parties in the present case. The Court firstly notes that the technical solution related to the Delfi portal’s notice-and-take-down system was easily accessible and convenient for users – there was no need to take any steps other than clicking on a button provided for that purpose. There was no need to formulate reasons as to why a comment was considered inappropriate or to send a letter to the applicant company with the pertinent request. Although in the present case the interested person did not use the notice-and-take-down feature offered by the applicant company on its website, but rather relied on making his claim in writing and sending it by mail, this was his own choice, and in any event there is no dispute that the defamatory comments were removed by the applicant company without delay after receipt of the notice. Nevertheless, by that time the comments had already been accessible to the public for six weeks.
89. The Court notes that in the interested person’s opinion, shared by the domestic courts, the prior automatic filtering and notice-and-take-down system used by the applicant company did not ensure sufficient protection for the rights of third persons. The domestic courts attached importance in this context to the fact that the publication of the news articles and making public the readers’ comments on these articles was part of the applicant company’s professional activity. It was interested in the number of readers as well as comments, on which its advertising revenue depended. The Court considers this argument pertinent in determining the proportionality of the interference with the applicant company’s freedom of expression. It also finds that publishing defamatory comments on a large Internet news portal, as in the present case, implies a wide audience for the comments. The Court further notes that the applicant company – and not a person whose reputation could be at stake – was in a position to know about an article to be published, to predict the nature of the possible comments prompted by it and, above all, to take technical or manual measures to prevent defamatory statements from being made public. Indeed, the actual writers of comments could not modify or delete their comments once posted on the Delfi news portal – only the applicant company had the technical means to do this. Thus, the Court considers that the applicant company exercised a substantial degree of control over the comments published on its portal even if it did not make as much use as it could have done of the full extent of the control at its disposal.
90. The Court has also had regard to the fact that the domestic courts did not make any orders to the applicant company as to how the latter should ensure the protection of third parties’ rights, leaving the choice to the applicant company. Thus, no specific measures such as a requirement of prior registration of users before they were allowed to post comments, monitoring comments by the applicant company before making them public, or speedy review of comments after posting, to name just a few, were imposed on the applicant company. The Court considers the leeway left to the applicant company in this respect to be an important factor reducing the severity of the interference with its freedom of expression.
91. The Court has taken note of the applicant company’s argument that the affected person could have brought a claim against the actual authors of the comments. It attaches more weight, however, to the Government’s counter-argument that for the purposes of bringing a civil claim it was very difficult for an individual to establish the identity of the persons to be sued. Indeed, for purely technical reasons it would appear disproportionate to put the onus of identification of the authors of defamatory comments on the injured person in a case like the present one. Keeping in mind the State’s positive obligations under Article 8 that may involve the adoption of measures designed to secure respect for private life in the sphere of the relations of individuals between themselves (see Von Hannover (no. 2), cited above, § 98, with further references), the Court is not convinced that measures allowing an injured party to bring a claim only against the authors of defamatory comments – as the applicant company appears to suggest – would have, in the present case, guaranteed effective protection of the injured person’s right to private life. It notes that it was the applicant company’s choice to allow comments by non-registered users, and that by doing so it must be considered to have assumed a certain responsibility for these comments.
92. The Court is mindful, in this context, of the importance of the wishes of Internet users not to disclose their identity in exercising their freedom of expression. At the same time, the spread of the Internet and the possibility – or for some purposes the danger – that information once made public will remain public and circulate forever, calls for caution. The ease of disclosure of information on the Internet and the substantial amount of information there means that it is a difficult task to detect defamatory statements and remove them. This is so for an Internet news portal operator, as in the present case, but this is an even more onerous task for a potentially injured person, who would be less likely to possess resources for continual monitoring of the Internet. The Court considers the latter element an important factor in balancing the rights and interests at stake. It also refers, in this context, to the Krone Verlag (no. 4) judgment, where it found that shifting the defamed person’s risk to obtain redress for defamation proceedings to the media company, usually in a better financial position than the defamer, was not as such a disproportionate interference with the media company’s right to freedom of expression (see Krone Verlag GmbH & Co. KG v. Austria (no. 4), no. 72331/01, § 32, 9 November 2006).
93. Lastly, the Court notes that the applicant company was obliged to pay the affected person the equivalent of EUR 320 in non-pecuniary damages. The Court is of the opinion that this sum, also taking into account that the applicant company was a professional operator of one of the largest Internet news portals in Estonia, can by no means be considered disproportionate to the breach established by the domestic courts.
94. Based on the above elements, in particular the insulting and threatening nature of the comments, the fact that the comments were posted in reaction to an article published by the applicant company in its professionally-managed news portal run on a commercial basis, the insufficiency of the measures taken by the applicant company to avoid damage being caused to other parties’ reputations and to ensure a realistic possibility that the authors of the comments will be held liable, and the moderate sanction imposed on the applicant company, the Court considers that in the present case the domestic courts’ finding that the applicant company was liable for the defamatory comments posted by readers on its Internet news portal was a justified and proportionate restriction on the applicant company’s right to freedom of expression.
There has accordingly been no violation of Article 10 of the Convention.
From the decision, two things are clear. The first, that non-existence of any liability of an ISP could infringe the conflicting right, here right to freedom of speech, because such right imposes also certain obligation on the state to guarantee the effective protection of right (§ 91). This kind of logic could be of course used by IP right owners in the context of Art. 1 of the First Protocol of ECHR as well. The second conclusion is that ECHR seems to provide quite wide margin to Member States when it comes to strictness of the liability of ISPs. The States will probably therefore have a very broad room for instituting they own solutions of liability, and ECHR will be only very limited shaping force when it comes to monetary liability. Of course, when it comes to other enforcement techniques as such injunctions against innocent third parties, the picture and possible conflicts could be very different.
As Lehofer rightly points out, the decision does not necessarily apply to non-commercial providers. Here the ECHR might be more sensitive than to business entities.
It is interesting to note that ECHR did not deal with the freedom to conduct a business. This could have been interesting because it seems that the CJEU is in the one of its decisions (§ 46-49 of Scarlet Extended) equating prohibition of general monitoring obligation under Art. 15 eCommerce Directive automatically with disproportionate interference with the freedom to conduct business. In this case, ECHR seems to accept certain general monitoring obligation as proportionate limitation of the freedom of expression.
The argument of the ECHR that having technical setting where it is too easy to post anonymous comments under sensitive articles also requires more action from the ISP, is in my opinion the right one. This is regular part of analysis of the tort of negligence by omission, where an obligation to act to protect others arises only in certain cases. Creating or maintaining a dangerous situation for right of others is usually one of them (see e.g. Art. 4:103 PETL).
What I can not, however, relate to is that in the context of Estonian decision, the ECHR basically upheld that preventive obligation can be graduated to even such a extend that an ISP has to filter all the comments, and it will be still compatible with the Convention. Of course, one can argue that if the news portal would employ better registration of users, the decision of the court could have been different. I have nevertheless doubts if such a change would really lead for ECHR to the opposite result. This is because it seems to me that no monitoring obligation for the ECHR is not a matter of constitutional proportionality, but rather kind of innovation policy instrument, that is not indispensable from the human rights perspective. I would disagree here. Chilling effects to which general monitoring obligation imposed on ISPs can lead to are definitely more problematic from the human rights perspective as the ECHR seems to admit at this point.
I guess in the next such a case, the European civil society should intervene more vigorously according to Article 36 of the Convention to better educate the European Court of Human Rights about some of those chilling effects to which imposition of general monitoring obligation in a regular business setting, which tries to minimize the costs, usually leads to.
Update 1/11/2013: At IGF 2013, I had an opportunity to extensively discuss issues related to Delfi v. Estonia not only within a small IGF session, but also with Karmen Turk, who represents Delfi before ECHR. Karmen confirmed several speculations, which I mentioned above, adding that Estonian courts applied following provisions of Estonian Law of Obligations Act.
§ 1043. Compensation for unlawfully caused damage
A person (tortfeasor) who unlawfully causes damage to another person (victim) shall compensate for the damage if the tortfeasor is culpable of causing the damage or is liable for causing the damage pursuant to law.Apparently, the court was not entirely clear on where does the duty to act come from. The situation in the Estonian law from 2001 seems to me quite similar to other civil law countries with older codifications, where duty to act is often only implicit and "invented" by courts. In terms of too narrow application of the hosting safe harbor (see above), I was told that it is not the first decision of the Supreme court going this (wrong) direction. Let's see if Delfi takes this to the Grand Chamber of ECHR.
§ 1045. Unlawfulness of causing of damage
(1) The causing of damage is unlawful if, above all, the damage is caused by:
4) violation of a personality right of the victim;
7) behaviour which violates a duty arising from law;
§ 1046. Unlawfulness of damaging personality rights
(1) The defamation of a person, inter alia by passing undue judgement, by the unjustified use of the name or image of the person, or by breaching the inviolability of the private life or another personality right of the person is unlawful unless otherwise provided by law. Upon the establishment of unlawfulness, the type of violation, the reason and motive for the violation and the gravity of the violation relative to the aim pursued thereby shall be taken into consideration.
§ 1055. Prohibition on performance of damaging acts
(1) If unlawful damage is caused continually or a threat is made that unlawful damage will be caused, the victim or the person who is threatened has the right to demand that behaviour which causes damage be terminated or the making of threats with such behaviour be refrained from. In the case of bodily injury, damage to health, violation of inviolability of personal life or any other personality rights, it may be demanded, inter alia, that the tortfeasor be prohibited to approach other persons (restraining order), the use of housing or communication be regulated or other similar measures be applied.