Welcome to the Jungle: The Liability of Internet Intermediaries for Privacy Violations in Europe

Author:Bart van der Sloot

In Europe, roughly three regimes apply to the liability of Internet intermediaries for privacy violations conducted by users through their network. These are: the e-Commerce Directive, which, under certain conditions, excludes them from liability; the Data Protection Directive, which imposes a number of duties and responsibilities on providers processing personal data; and the freedom of... (see full summary)

Welcome to the Jungle: the Liability of Internet Intermediaries for Privacy Violations in Europe
Welcome to the Jungle: the Liability of Internet
Intermediaries for Privacy Violations in Europe
by Bart van der Sloot*
© 2015 Bart van der Sloot
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.
Recommended citation: Ba rt van der Sloot, Welcom e to the Jungle: the Liability of Inte rnet Intermediaries for Pr ivacy
Violations in Europe, 6 (2015) JIPITEC 211 para 1.
Keywords: liability; intermediaries; privacy violations; ECHR; freedom of expression; data protection
sion, contained inter alia in the ECHR, which, under
certain conditions, grants Internet providers several
privileges and freedoms. Each doctrine has its own
field of application, but they also have partial overlap.
In practice, this creates legal inequality and uncer-
tainty, especially with regard to providers that host
online platforms and process User Generated Con-
Abstract: In Europe, roughly three regimes ap-
ply to the liability of Internet intermediaries for pri-
vacy violations conducted by users through their net-
work. These are: the e-Commerce Directive, which,
under certain conditions, excludes them from liability;
the Data Protection Directive, which imposes a num-
ber of duties and responsibilities on providers pro-
cessing personal data; and the freedom of expres-
A. Introduction
When Internet companies and private parties
started to offer Internet services in the 1980s, there
was already discussion concerning the position
of Internet intermediaries. Initially, the provider
was often seen as the digital equivalent of a postal
company, which had neither knowledge of nor
control over the post that was delivered by it and
therefore could not, in principle, be held liable for
any illegal content. At that time however, there
existed two separate doctrines regarding third party
liability for copyright infringements in the United
States, where the Internet experienced its initial
growth. “Vicarious liability” entailed that a third
party could be held liable for infringing activities if
it had the right and ability to control over and gained
nancial prots from the activity, and “contributory
liability”, which regarded third parties that had
knowledge of and contributed to the infringing
activity.1 These doctrines were gradually also applied
to Internet service providers. This meant that if an
Internet intermediary wanted to avoid liability for,
1 A. Strowel, ‘Peer-to-Peer le sharing and secondary liability
in Copyright Law’, Cheltenham, Edward Elgar Publishing,
for example, copyright infringements by its users,
the intermediary would have to prove that it did not
know of the infringing nature of the material, that
it did not contribute in any way to the infringement
and that it had not received any nancial gain from
the infringement.2
This jurisprudential doctrine was subsequently
further developed in the US Digital Millennium
Copyright Act (DMCA) of 1998, which makes a
distinction between (1) providers that offer access to
networks and data transmission via these networks
(access providers/mere conduits), (2) providers
temporarily storing material on their server (caching
providers), (3) providers that store information or
host websites (hosting providers) and (4) providers
that offer links to websites or make content
searchable (search engine providers).3 The European
Union (EU) has a regulation similar to the DMCA,4
2 M. B. Nimmer & D. Nimmer, ‘Nimmer on copyright: a treatise
on the law of literary, musical and artistic property, and the
protection of ideas’, New York: Bender, 1994.
3 Digital Millennium Copyright Act, Pub. L. No. 105-304, 112
Stat. 2860 (Oct. 28, 1998), para. 512.
4 See for a good comparison: M. Peguera, ‘The DMCA Safe Har-
bors and Their European Counterparts: A Comparative Ana-
lysis of Some Common Problems’, Columbia Journal of Law &
Bart van der Sloot
laid down in the e-Commerce Directive 2000.
rules therein contained form the general basis for
the exclusion of liability of Internet intermediaries
under European law (so called safe harbors).
Although this regime applies to virtually all offenses,
data protection issues are explicitly excluded.6 In
such cases, the Data Protection Directive
There is a third regime that is increasingly applied
as well, namely when an Internet intermediary
relies on the freedom of expression to protect its
own interests, for example under the European
Convention on Human Rights (ECHR).
It should be borne in mind that in the early days,
Internet intermediaries were predominantly of a
passive nature, and that the e-Commerce Directive is
written for providers that transmit or store material
on behalf of users only. In the modern Internet
landscape however, providers have become much
more active, for example by providing the platform
on which information is shared by users, by indexing
this information, by making it searchable and by
publishing and distributing the information over the
Internet. Examples of active Internet intermediaries
are platforms such as Facebook, video services such
as Youtube, digital markets such as eBay and modern
media such as WikiLeaks or news sites (partially
or primarily) based on stories, contributions and
comments written by users. In these examples, the
content is still provided by the users, but the role
of the Internet intermediary is no longer merely
to transmit, store or publish the material on behalf
of the user – rather it fulls an active role in the
organization and functioning of the websites and
platforms. The question thus becomes what position
these providers have with regard to material of an
infringing nature uploaded by their users.
Recently, the Court of Justice (ECJ) ruled in its
Google Spain SL and Google Inc. v Agencia Española
de Protección de Datos (AEPD) and Mario Costeja
González verdict (hereafter: Google Spain) that
Google may be required to block or delink certain
information from other website in its search
engine in order to respect the data subject’s right
Arts, vol. 32. no. 4, 2009.
5 Directive 2000/31/EC of the European Parliament and of the
Council of 8 June 2000 on certain legal aspects of informa-
tion society services, in particular electronic commerce, in
the Internal Market (Directive on electronic commerce or
the e-Commerce Directive).
6 There are however authors that have rejected a literal rea-
ding of this provision. See among others: G. Sartor, ‘‘Provi-
ders’ Liabilities in the New EU Data Protection Regulation:
A Threat to Internet Freedoms?’ International Data Privacy
Law 2013-3.
7 Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the
free movement of such data (Data Protection Directive).
to be forgotten.8 The ECJ has also held that the
obligation to monitor and store all Internet trafc,
contained in the Data Retention Directive, is
invalid and violates the rights to privacy and data
protection.9 In Del v. Estonia, the European Court
of Human Rights (ECtHR) in 2013 and the Grand
Chamber of the ECtHR in 2015 ruled that online
news sites that facilitate user reactions can invoke
the right to freedom of expression, but can also
be held liable for user comments that harm third
party interests.10 The Council of Europe (CoE), in
2011, developed a new vision on modern media,
proposing inter alia to apply the classic protection
of journalists to bloggers and other new media.11
In addition, there are advanced plans in the EU to
introduce the General Data Protection Regulation,
which will radically change the legal data protection
regime laid down in the current Data Protection
Directive.12 Finally, for years now, there has been a
discussion concerning the possible revision of the
e-Commerce Directive, precisely as regards to the
liability regime for Internet intermediaries, in which
respect the European Commission in 2010 initiated a
public consultation13 and in 2012 launched a special
consultation on hosting providers.14
This contribution will explain and analyze the
three legal regimes in Europe that are applicable
to Internet intermediaries, giving special attention
to recent developments and case law. Section B
discusses the liability regime under the e-Commerce
Directive, the relevant case law of the ECJ and the
plans to amend the directive. Section C discusses
the regime under the Data Protection Directive, the
relevant case law of the ECJ, including the Google
Spain case, and the possible changes resulting from
the pending General Data Protection Regulation.
Section D discusses the doctrine on the freedom
8 Court of Justice, Google Spain SL and Google Inc. v Agencia
Española de Protección de Datos (AEPD) and Mario Costeja
González, case C131/12, 13 May 2014.
9 Court of Justice, Digital Rights Ireland Ltd (C293/12) v Minis-
ter for Communications, Marine and Natural Resources, Mi-
nister for Justice, Equality and Law Reform, Commissioner of
the Garda Síochána, Ireland, The Attorney General, interve-
ner: Irish Human Rights Commission, and Kärntner Landes-
regierung (C594/12), Michael Seitlinger, Christof Tschohl
and others, cases C293/12 and C594/12, 08 April 2014.
10 European Court of Human Rights, Del AS v. Estonia, appl.
no. 64569/09, 10 October 2013. European Court of Human
Rights, Del AS v. Estonia, appl.no. 64569/09, 16 June 2015.
11 Committee of Ministers, ‘A new notion of media’, CM/
Rec(2011)7, 21 September 2011.
12 In this contribution, for reasons of conciseness and clarity,
reference shall be made only to the original proposal by the
Commission. Commission, Proposal for a General Data Pro-
tection Regulation, COM(2012)11nal, 25 January 2012.
13 http://ec.europa.eu/internal_market/consulta-
14 http://ec.europa.eu/internal_market/consultations/2012/

To continue reading