The difficulties of information management for intermediaries
By Oskar Josef Gstrein
“The medium is the message”. This phrase coined by the Canadian philosopher Marshal McLuhan in the 1960s seems to be nowhere as true as when it comes to the processing and distribution of information on the internet. The philosophy of media has boomed with the start of the new millennium and also other less “speculative” sciences such as law have to deal more and more with the aspects of information processing.
Since the collection of personal data has become a lucrative business model there is a need for more and better regulation. However, not only the sheer content of data is important. Also aspects of accessibility and possibilities for contextualization define the “value” of data.
Recently, not only private actors try to design the future of the internal market of the European Union in that regard. Regional authorities also seem to become more and more proactive in the field. The European Data Protection Supervisor Giovanni Butarelli is talking about “a defining moment for digital rights in Europe and beyond.” The European Commission has declared the “Digital Single Market” one of its top priorities for the coming years. National politicians like Angela Merkel warn their countries and the entire continent of falling behind in the technological arms race, hence not being able to shape the future of the world. And ultimately, the regional courts keep continuing to deliver judgments which aim at redefining law and its application in the digital landscape.
It could very well be argued that especially the actors last mentioned have a constantly underestimated impact when it comes to shaping the future of cyberspace and the concept of privacy in the digital age. By now the Court of Justice of the European Union (CJEU) has delivered numerous judgments with ground-breaking character.
In the year 2014 it not only struck down the EU’s data retention directive 2006/24/EC on the 8th of April. On the 13th of May it also established the right to delist information from the index of a search engine via its controversial “Google Spain” decision. And it looks like with cases such as Max Schrems’ and his Europe v. Facebook campaign pending before the court the list will not come to an end soon.
What all of these judgments have in common is that their main legal problems are not connected with the content of the information that is being processed. What is crucial is the question of how accessibility and transferability of data is organized and evaluated from a legal perspective.
This can also be seen in the SABAM vs. Netlog judgment and the UPC Telekabel Wien case. Like the already mentioned decisions these cases clearly point to the fact that modern information management and its regulation is not only a matter of the content of information, but especially of the role of the so-called “intermediaries”. The regulation of intermediaries becomes an ever more important aspect when considering the future development of the digital space. Their business practices and conduct is crucial for the accessibility, presentation and contextualization of information. When it comes to understanding the conditionality of liability of such service providers the Articles 12 to 14 of Directive 2000/31/EC can be helpful.
However, regulation of the activities of intermediaries takes not only place within the EU. The Grand Chamber decision in the case Delfi AS v. Estonia from the 16th of June 2015 the Court of Human Rights in Strasbourg (ECtHR) has delivered another important judgment which tries to strike the right balance between the fundamental rights to privacy and the freedom of expression and information.
B. The decision in Delfi AS v. Estonia
I. The background of the case
Delfi AS runs an online newsportal of national importance in the country of Estonia. On the 24th of January 2006 an article with the title “SLK Destroyed Planned Ice Road” was published. The report suggested that AS Saaremaa Laevakompanii (Saaremaa Shipping Company, a public limited liability company) made it impossible to use several ice roads. The latter temporarily connect the Estonian mainland to several islands in the region which SLK normally connects by offering ferry services.
The content of the report was not challenged as such. But Delfi also offered the possibility to comment on the article, which received 185 comments until the 25th of January 2006. Some of them were directly relating to “L” who was a member of the supervisory board of SLK and the most visible public figure of SLK at the material time. The ECtHR gave some examples of the comments under the article in his judgment:
- „(1) there are currents in [V]äinameri
(2) open water is closer to the places you referred to, and the ice is thinner.
Proposal – let’s do as in 1905, let’s go to [K]uressaare with sticks and put [L.] and [Le.] in a bag“
- „bloody shitheads…they bathe in money anyway thanks to that monopoly and State subsidies and have now started to fear that cars may drive to the islands for a couple of days without anything filling their purses. burn in your own ship, sick Jew!“
- „good that [La.’s] initiative has not broken down the lines of the web flamers. go ahead, guys, [L.] into the oven!“
- „[little L.] go and drown yourself […]”
L. wanted not only these comments to be removed from the website, but also asked for compensation for non-pecuniary damage. Delfi removed the comments six weeks after the publication. However, when it came to compensation, the publisher denied any responsibility for the content of the comments and claimed it was only acting as intermediary service provider in that regard. Several procedures were conducted in the national courts. Finally, the last instance court in Estonia (the Supreme Court) came to the conclusion that Delfi had a responsibility to protect L from the consequences of the unlawful comments and therefore should have prevented the publication in the first place. Subsequently, in October 2009, Delfi set up a more sophisticated monitoring system for the comments involving a review procedure by a set of moderators who look at any comment before it is published.
II. The proceedings in Strasbourg
After all national remedies had been exhausted Delfi made an application to the ECtHR on the 4th of December 2009. The much discussed judgment of the First Section of the ECtHR from the 10th of October 2013 turned down Delfi’s complaint that there was a violation of the freedom of expression by Estonia whose courts demanded from the company to manage the comments under the article more actively. However, on the 17th of February 2014 the judgment was accepted to be reviewed by the Grand Chamber of the Strasbourg court.
In the proceedings before the Grand Chamber the argumentation of the parties basically stayed the same. Delfi claimed that any responsibility of the company to prevent damage regarding the reputation of L infringed its freedom of expression under Article 10 of the European Convention of Human Rights. The court thus summarizes the position of Delfi with the words:
„The applicant company called on the Grand Chamber to look at the case as a whole, including the question whether the applicant company was to be characterised as a traditional publisher or an intermediary. A publisher was liable for all content published by it regardless of the authorship of the particular content. However, the applicant company insisted that it should be regarded as an intermediary and it had as such been entitled to follow the specific and foreseeable law limiting the obligation to monitor third-party comments. It argued that intermediaries were not best suited to decide upon the legality of user-generated content. This was especially so in respect of defamatory content since the victim alone could assess what caused damage to his reputation.“
Nevertheless, the Grand Chamber basically confirmed the Chamber and national courts’ judgments by coming to the conclusion:
„In connection with the question whether the liability of the actual authors of the comments could serve as a sensible alternative to the liability of the Internet news portal in a case like the present one, the Court is mindful of the interest of Internet users in not disclosing their identity. Anonymity has long been a means of avoiding reprisals or unwanted attention. As such, it is capable of promoting the free flow of ideas and information in an important manner, including, notably, on the Internet. At the same time, the Court does not lose sight of the ease, scope and speed of the dissemination of information on the Internet, and the persistence of the information once disclosed, which may considerably aggravate the effects of unlawful speech on the Internet compared to traditional media. It also refers in this connection to a recent judgment of the Court of Justice of the European Union in the case of Google Spain and Google, in which that court, albeit in a different context, dealt with the problem of the availability on the Internet of information seriously interfering with a person’s private life over an extended period of time, and found that the individual’s fundamental rights, as a rule, overrode the economic interests of the search engine operator and the interests of other Internet users […].“
„[f]inally, turning to the question of what consequences resulted from the domestic proceedings for the applicant company, the Court notes that the company was obliged to pay the injured person the equivalent of EUR 320 in compensation for non-pecuniary damage. It agrees with the finding of the Chamber that this sum, also taking into account the fact that the applicant company was a professional operator of one of the largest Internet news portals in Estonia, can by no means be considered disproportionate to the breach established by the domestic courts […].“
C. Interpretation and Context
Considering its institutional aspect the numerous and close references of the Grand Chamber of the ECtHR to EU law and CJEU jurisprudence indicates that at least in the digital space there exists a single space of human rights protection in Europe. Keeping in mind the cumbersome negotiation process concerning the EU’s accession to the ECHR this leaves some hope for a more integration-friendly future which is more strongly oriented at practical necessities than institutional battle.
Materially, the Delfi case refers to the question of “self-censorship” and asks if we have to fear a future where “chilling effects” become part of the everyday experience in the online world. The fact that modern information processing makes surveillance much easier than in the past results in new challenges. The concepts of liberty and freedom have to be emphasized more strongly and updated in the modern context in order to remain intact. Our societies have to create new spaces where it can be expected that no one interferes in the private sphere and where not having to show an expected status quo at any point in time is necessary. Put simply: There needs to be a part in everybody’s life where polarizing – not illegal behavior is possible and accepted.
However, it is also important to emphasize that information networks now are strongly integrated into the lives of their users. With more power comes more responsibility. The fact that a news portal of national importance can be run through the internet also means that it has to be able to live up to the same standards of accountability as traditional media. This is probably the strongest argument why the judgment of the ECtHR was essentially right. The professionalism of Delfi combined with the moderate and proportionate punishment leave the impression of a sound overall evaluation of the situation.
Ultimately, the question remains what Delfi v. Estonia will or should be remembered for. Considering the special circumstances of the case involving much more resources and professionalism than when it comes to the exchange of views via the Internet it seems unlikely that it will set a precedent outside of the world of professional journalism. It would be surprising if the ECtHR and even national courts would had decided in the same way if not a medium of national importance was the place where the unlawful comments were posted. If Delfi had, for example, been a small private weblog of a person or a social community or forum things would have been different. The impact of the comments would not have been that serious.
The actual lesson to be learned from this case is that we live in an age where it is not only important whether (sensitive) data is accessible or not. The question is more and more how easily and through which means it is accessible. This aspect is largely determined by the fact how intermediaries are positioned to process the relevant piece of data and under which regulatory circumstances they are required to interfere. In which scenarios will their social responsibility to protect privacy and the dignity of a person be more important than their duty to enable the free movement of data, thoughts and speech? In order to find the right answer to this question a complex balancing process is needed which can only be successfully concluded by looking at the potential scenarios and concrete cases. There is a strong need for differentiation between the different contexts of data processing.
 Oskar Josef Gstrein (email@example.com) is a research assistant of Prof. Thomas Giegerich, LLM at the Jean-Monnet Chair for European Integration at the Europa-Institut of the Saarland University. He is author of several articles in the field of European institutional law, European human rights protection and privacy issues. His PhD-Thesis is on the topic “The Right to be Forgotten as a Human Right”.
 McLuhan, Understanding Media: The extensions of Man, Mentor, 1964, New York, Chapter 1, p. 1: “In a culture like ours, long accustomed to splitting and dividing all things as a means of control, it is sometimes a bit of a shock to be reminded that, in operational and practical fact, the medium is the message.”
 Rashid, Surveillance is the Business Model of the Internet: Bruce Schneier, via: https://www.schneier.com/news/archives/2014/04/surveillance_is_the.html – accessed 24.07.2015.
 Cf. Microsoft Digital Single Market Communication Response, via: http://mscorp.blob.core.windows.net/mscorpmedia/2015/07/Microsoft-Digital-Single-Market-Communication-Response-FINAL-17-July-2015.pdf – accessed 24.07.2015.
 http://ec.europa.eu/priorities/digital-single-market/ – accessed 24.07.2015.
 Merkel said: „Europa – hier spreche ich für ganz Europa, das im Augenblick weder Google, Apple, Facebook noch andere solche Unternehmen hat – darf sich nicht nur auf seine industrielle Wertschöpfung konzentrieren, sondern muss auch darauf achten, geeignete Rahmenbedingungen zu schaffen, um große Datenmengen so zu verarbeiten, dass die Individualität geschützt ist. Darüber wird zurzeit in Europa diskutiert. Deshalb sollten wir nicht nur ablehnen, sondern wir sollten uns auch überlegen, wie wir im Konsumentenbereich noch mehr eigene europäische Unternehmen bekommen und Start-ups fördern können. Denn wir sind hierbei im Augenblick im weltweiten Vergleich nicht vorne dran.“ Rede von Bundeskanzlerin Merkel zum Deutschen Evangelischen Kirchentag am 5. Juni 2015, via: http://www.bundeskanzlerin.de/Content/DE/Rede/2015/06/2015-06-05-rede-merkel-kirchentag.html – accessed 24.07.2015.
 Media often wrongly refers to this as the „right to be forgotten“ judgement. However, the right to delist information is not about the deletion or erasure of information. It only limits access. Cf. CJEU, C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317. Also compare the Art 29 working group guidelines on the implementation accessible via: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf – accessed 24.07.2015. And finally a report on the success of the right to delist information from the 18.06.2015 via: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20150618_wp29_press_release_on_delisting.pdf – accessed 24.07.2015.
 CJEU, C-362/14, Reference for a preliminary ruling from High Court of Ireland (Ireland) made on 25.06.2014 – Maximillian Schrems v Data Protection Commissioner.
 CJEU, C-360/10, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV, ECLI:EU:C:2012:85.
 CJEU, C-314/12, UPC Telekabel Wien GmbH, ECLI:EU:C:2014:192.
 Cf. Gasser, Schulz (editors), Governance of Online Intermediaries: Observations from a Series of National Case Studies, Berkman Center Research Publication No. 2015-5, via: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2566364 – accessed 24.07.2015.
 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‚Directive on electronic commerce‘), Official Journal L 178 , 17/07/2000 P. 0001 – 0016, via: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:en:HTML – accessed 28.07.2015. Cf. Woods, Delfi v Estonia: Curtailing online freedom of expression?, via: http://eulawanalysis.blogspot.de/2015/06/delfi-v-estonia-curtailing-online.html – accessed 28.07.2015.
 ECtHR, Delfi AS v Estonia, App. No. 64569/09, 16.06.2015.
 ECtHR, Delfi AS v Estonia, Mn 16.
 Ibidem, Mn 17.
 Ibid., Mn 16.
 Ibid., Mn 18.
 Ibid., Mn 19.
 Ibid., Mn 31.
 Ibid., Mn 32.
 ECtHR, Delfi AS v Estonia, App. No. 64569/09, 10.10.2013. via: http://hudoc.echr.coe.int/eng?i=001-126635 – accessed 28.07.2015; Cf. Synodinou, Intermediaries‘ liability for online copyright infringement in the EU: evolutions and confusions, Computer Law & Security Review, 2015, 31(1), p. 57 – 67; McCarthy, Is the writing on the wall for online service providers? Liability for hosting defamatory user-generated content under European and Irish law, Hibernian Law Journal, 2015, 14, p. 16 – 55.
 ECtHR, Delfi AS v Estonia, App. No. 64569/09, 16.06.2015, Mn 68.
 Ibid., Mn 66.
 Ibid., Mn 147.
 Ibid. Mn 160.
 Cf. Cox, Delfi v. Estonia: Privacy Protection and Chilling Effect, via: http://www.verfassungsblog.de/en/delfi-v-estonia-privacy-protection-and-chilling-effect/ – accessed 28.07.2015.