It could be three months before we get the court's full explanation for convicting Google's Chief Legal Officer David Drummond, Global Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes. That judgment will explain why they were held responsible for a video that showed an autistic child being bullied by Turin school pupils, a video that appeared on the Italian site of Google Video in 2006.
For now we can only speculate on the court's reasons. Regardless of what they were, though, the circumstances of the case highlight two problems with EU law's treatment of internet intermediaries.
Problem 1: An unreasonable caveat to safe harbour
Google VP Matt Sucherman points out that "European Union law was drafted specifically to give hosting providers a safe harbor from liability so long as they remove illegal content once they are notified of its existence." There's a significant qualification to that law, though.
The safe harbour to which Google refers is in the E-commerce Directive. It provides, broadly speaking, that a web host is not liable for videos uploaded by users on condition that the host has no "actual knowledge of illegal activity or information" or that, upon obtaining such knowledge, "acts expeditiously to remove or to disable access to the information."
However, the E-commerce Directive also provides that it does not apply to data protection cases. Article 1(5) states: "This Directive does not apply to [...] questions relating to information society services covered by Directives 95/46/EC and 97/66/EC."
Directive 95/46/EC is better known as the Data Protection Directive. (The other one, 97/66/EC, was replaced in 2002 by the Electronic Privacy and Communications Directive.) In short, if the issue is about data protection, the E-commerce Directive's safe harbour principles do not apply. The Italian convictions were based on alleged breaches of Italy's data protection law (specifically section 17, section 23 and section 26, as Italian lawyer Elvira Berlingieri explains).
This is not the first conviction of its kind. In 1998, some months before anyone outside Stanford knew about Google, a German court convicted the former head of CompuServe Germany. The company had allowed German internet users to access pages that contained illegal pornography, said prosecutors, and director Felix Somm should take the fall.
That conviction was attacked in the media as outrageous and it was overturned on appeal. But it influenced an important legal change in Europe. Safe harbour provisions were added to a proposal which became the E-commerce Directive in 2000. Internet companies breathed a sigh of relief – but they overlooked the data protection carve-out.
I do not know why the E-commerce Directive affords privacy cases special treatment. Perhaps its authors believed that equivalent protection existed already in the Data Protection Directive. It doesn’t.
Consequently, the E-commerce Directive safe harbour principle says that a company like Google has no liability for YouTube submissions that defame or infringe copyright or trade marks, that incite racism or terrorism or that depict the sexual abuse of children – provided Google takes them down quickly upon receipt of notice. It is a bold, broad principle, but one that is unfairly qualified. The law affords content that invades someone's privacy a privileged status. Host it at your peril.
In the UK, the exception for privacy cases has gone largely unnoticed, perhaps because our implementation of the Data Protection Directive was much weaker than Italy's. The Italian Personal Data Protection Code says that directors can be sent to prison for their company's transgressions. Our own Data Protection Act says that transgressors run the risk of receiving a letter telling them to behave – and if they don't, they can be taken to court and fined up to a rather paltry £5,000. The UK penalties are toughening up, though. From April, there is scope for an immediate fine of up to £500,000 instead of the nasty letter, and the Government is consulting on the possibility of custodial sentences for the worst offences, so the exception takes on more significance in the UK.
The safe harbour principle is vital for the operation of today's internet services. The exception is not. Either it should disappear from the E-commerce Directive or safe harbour provisions should be added to the Data Protection Directive.
Some protections do feature in the Data Protection Directive but they offer little comfort to internet intermediaries. One of them means that content uploaded for personal purposes can escape the regime. But a video that is made visible to anyone does not enjoy that protection, as the Lindqvist case and an Opinion from a consortium of privacy watchdogs, the Article 29 Working Party, made clear.
Problem 2: We don't know enough about notice and takedown
As I said at the start, I'm speculating on the reasons for the Google decision. The exception to the safe harbour principle is a concern whether or not it was to blame for the convictions. If for some reason the safe harbour protections did apply in this case, presumably the court felt that Google failed to remove the offending content expeditiously upon receipt of notice.
Google said that it removed the video "within hours of being notified by the Italian police." But the video was actually on Google's site for two months – it's just that it took that length of time for the police to bring the video to Google's attention. In the meantime, users had posted comments on the page that contained the video, saying it should be taken down.
Unsurprisingly, Google staff don't read all the comments on all those pages. But perhaps the court felt that these comments amounted to 'notice'. YouTube allows signed-in users to post comments on videos but also offers a prominent 'Flag' link that lets a signed-in user "report video content as inappropriate" – which ensures that someone in the YouTube team reviews the video. I would hazard a guess that Google Video offered a similar means of flagging a video in 2006, but I don't know for sure.
Is a comment posted on a video an effective form of notice? I would argue that it is not – but the E-commerce Directive was silent on this issue, and that is the second flaw in EU law that is highlighted by this case.
I should say up front that I don't know what Italian law says about the notification requirements under its safe harbour provisions (I'd be keen to hear from any readers who know about this). In the UK, though, the E-commerce Regulations go further than the Directive they implemented. The UK added an explanation of "actual notice" (at Regulation 22). It says that a court should consider whether the complainant provided his or her name and address; details of the location of the offending content; and details of its unlawful nature. This reduced the Directive's ambiguity, but not enough.
This point was made in 2005 when Yahoo! called for a clear notice and takedown procedure (13-page / 94KB Word doc) in response to a UK Government consultation on the liability of internet intermediaries. "It should provide clear and workable rules on when a company is deemed to have received notice and the form that such a notice must take," it wrote. "It is impossible for a company to make sure that all its employees are properly trained to handle such notices, and therefore a rule or guidance stating that notice must be delivered to a person designated by the company would be welcomed by Yahoo!"
At the time I had hoped that the UK would amend our law to reflect Yahoo!'s sensible point. It could have done so easily (the US already had a highly-prescriptive regime in place for notice and takedown), but it didn't.
One year after Yahoo!'s submission, a UK court had an opportunity to shed light on the nature of the duty. In the case of Bunt v Tilley the High Court ruled that a complaint sent by email did not amount to actual notice because none of the information listed at Regulation 22 was included. That result may have been different if the UK hadn't elaborated on the Directive's wording. However, Yahoo!'s concern that someone should regulate the means of submitting a complaint, not just its content, remains valid and unfulfilled at UK and EU-levels.
I share the view of many observers that the convictions of Drummond, Fleischer and Reyes are unfair and dangerous. I hope that, as with Felix Somm's conviction in Germany, theirs will be overturned. But I also hope that, as with Somm's case, last week's ruling prompts legislative change at EU-level.
By Struan Robertson, editor of OUT-LAW.COM. The views expressed are Struan's and do not necessarily represent those of Pinsent Masons. You can follow Struan at Twitter.com/struan99.
Update, 08/03/2010: A reader in Italy (who asked to remain anonymous) writes:
I have read with great interest your article: I am an Italian lawyer and have monitored this case very closely; I must say that this is one of the most accurate analysis I have read. I note that there is a question about the notifications requirement under Italian law.
Italian law is Legislative Decree 70 of 2003 which has implemented almost literally the E-Commerce Directive. There is no notice and takedown procedure detailed in the law; however, Art. 16 (implementing Art. 14 of the Directive) which regards hosting providers states: "Where an information society service is provided that consists of the storage of information provided by a recipient of the service, the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent;
(b) the provider, upon obtaining such knowledge or awareness, upon communication of the competent authority acts expeditiously to remove or to disable access to the information"
The two main differences with Art. 14 of the E-Commerce Directive are:
(i) there is no "or" between (a) and (b): both requirements are therefore necessary;
(ii) a previous communication from the competent authority is necessary.
In other words, a mere message or comment from a user is not enough.
A final comment: I believe that eventually the judge will not hold Google liable for the late removal of the content (the charges relating to defamation have been dismissed by the judge) but only for breach of data protection provisions, and in particular because the disabled boy (the data subject) has not granted his consent (in writing, being his image a sensitive data) to Google Italy. This is of course illogical, but is the result of the following reasoning:
(i) Google is the data controller because personal data are processed on Google Video;
(ii) A processing activity was carried out in Italy by the Italian company:
(iii) Therefore Google Italy is the data controller, and as such responsible for asking the prior consent of the data subject to the proessing of sensitive data.
We will see, but if this is the reasoning, there is clearly a flaw in EU legislation.
Update, 06/03/2010: A reader from Stockholm writes:
I read your interesting article at OUT-LAW (found it via TechDirt). I'm wondering about the following part of the EU Data Protection Directive:
(47) Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;
Wouldn't that offer some protection for web hosts along the lines of the mere conduit provisions in the e-commerce directive?
It's a good point. This argument says that Google was merely the data processor in relation to the video. However, the wording you've quoted comes from a recital to the Directive, so it carries less weight than the Articles, and the Articles do not contain an exception that supports this recital. Further, the Article 29 Working Party Opinion, which I mentioned above, states: "[Social Networking Service] providers are data controllers under the Data Protection Directive."