Bart van der Sloot
laid down in the e-Commerce Directive 2000.
The rules therein contained form the general basis for
the exclusion of liability of Internet intermediaries
under European law (so called safe harbors).
Although this regime applies to virtually all offenses,
data protection issues are explicitly excluded.6 In
such cases, the Data Protection Directive
There is a third regime that is increasingly applied
as well, namely when an Internet intermediary
relies on the freedom of expression to protect its
own interests, for example under the European
Convention on Human Rights (ECHR).
It should be borne in mind that in the early days,
Internet intermediaries were predominantly of a
passive nature, and that the e-Commerce Directive is
written for providers that transmit or store material
on behalf of users only. In the modern Internet
landscape however, providers have become much
more active, for example by providing the platform
on which information is shared by users, by indexing
this information, by making it searchable and by
publishing and distributing the information over the
Internet. Examples of active Internet intermediaries
are platforms such as Facebook, video services such
as YouTube, digital markets such as eBay and modern
media such as WikiLeaks or news sites (partially
or primarily) based on stories, contributions and
comments written by users. In these examples, the
content is still provided by the users, but the role
of the Internet intermediary is no longer merely
to transmit, store or publish the material on behalf
of the user – rather it fulfils an active role in the
organization and functioning of the websites and
platforms. The question thus becomes what position
these providers have with regard to material of an
infringing nature uploaded by their users.
Arts, vol. 32. no. 4, 2009.
5 Directive 2000/31/EC of the European Parliament and of the
Council of 8 June 2000 on certain legal aspects of information
society services, in particular electronic commerce, in
the Internal Market (Directive on electronic commerce or
the e-Commerce Directive).
6 There are however authors that have rejected a literal reading
of this provision. See among others: G. Sartor, ‘Providers’
Liabilities in the New EU Data Protection Regulation:
A Threat to Internet Freedoms?’ International Data Privacy
7 Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the
free movement of such data (Data Protection Directive).
Recently, the Court of Justice (ECJ) ruled in its
Google Spain SL and Google Inc. v Agencia Española
de Protección de Datos (AEPD) and Mario Costeja
González verdict (hereafter: Google Spain) that
Google may be required to block or delink certain
information from other websites in its search
engine in order to respect the data subject’s right
to be forgotten.8 The ECJ has also held that the
obligation to monitor and store all Internet traffic,
contained in the Data Retention Directive, is
invalid and violates the rights to privacy and data
protection.9 In Delfi v. Estonia, the European Court
of Human Rights (ECtHR) in 2013 and the Grand
Chamber of the ECtHR in 2015 ruled that online
news sites that facilitate user reactions can invoke
the right to freedom of expression, but can also
be held liable for user comments that harm third
party interests.10 The Council of Europe (CoE), in
2011, developed a new vision on modern media,
proposing inter alia to apply the classic protection
of journalists to bloggers and other new media.11
In addition, there are advanced plans in the EU to
introduce the General Data Protection Regulation,
which will radically change the legal data protection
regime laid down in the current Data Protection
Directive.12 Finally, for years now, there has been a
discussion concerning the possible revision of the
e-Commerce Directive, precisely as regards the
liability regime for Internet intermediaries, in which
respect the European Commission in 2010 initiated a
public consultation13 and in 2012 launched a special
consultation on hosting providers.14
This contribution will explain and analyze the
three legal regimes in Europe that are applicable
to Internet intermediaries, giving special attention
to recent developments and case law. Section B
discusses the liability regime under the e-Commerce
Directive, the relevant case law of the ECJ and the
plans to amend the directive. Section C discusses
the regime under the Data Protection Directive, the
relevant case law of the ECJ, including the Google
Spain case, and the possible changes resulting from
the pending General Data Protection Regulation.
Section D discusses the doctrine on the freedom
8 Court of Justice, Google Spain SL and Google Inc. v Agencia
Española de Protección de Datos (AEPD) and Mario Costeja
González, case C-131/12, 13 May 2014.
9 Court of Justice, Digital Rights Ireland Ltd (C-293/12) v Minister
for Communications, Marine and Natural Resources, Minister
for Justice, Equality and Law Reform, Commissioner of
the Garda Síochána, Ireland, The Attorney General, intervener:
Irish Human Rights Commission, and Kärntner Landesregierung
(C-594/12), Michael Seitlinger, Christof Tschohl
and others, cases C-293/12 and C-594/12, 08 April 2014.
10 European Court of Human Rights, Delfi AS v. Estonia, appl.
no. 64569/09, 10 October 2013. European Court of Human
Rights, Delfi AS v. Estonia, appl. no. 64569/09, 16 June 2015.
11 Committee of Ministers, ‘A new notion of media’,
CM/Rec(2011)7, 21 September 2011.
12 In this contribution, for reasons of conciseness and clarity,
reference shall be made only to the original proposal by the
Commission. Commission, Proposal for a General Data Protection
Regulation, COM(2012)11 final, 25 January 2012.