In times where businesses shift more and more of their services to a digital environment, it results increasingly difficult to get hold of the ‘bad guys’ and to enforce judicial measure against them. Over the years, such difficulty has been acknowledged by lawmakers and addressed through the attempt to involve the providers of online services – as the owners or managers of the ‘place’ where illegal conduct occurs – into the efforts performed to stop (or prevent) the presence of illegal content on the Internet. Providers strongly object to such involvement by arguing that the incredible amount of information stored on their platforms does not allow them to perform the control function of a ‘watchdog’. The confrontation ended up in a compromise, which providers feel not exactly comfortable with.
The provider liability exemption.
In many jurisdictions Internet service (hosting) providers benefit from a liability exemption with respect to third parties’ content posted on their online platforms.
In the European Union such exemption originates form Directive no. 31 of 2000 (governing “certain legal aspects of information society services, in particular electronic commerce, in the Internal Market”, and commonly known as the 'Directive on electronic commerce'). According to section 14/1 of the Directive “Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information”.
How far can this exemption be stretched?
While the provision’s wording makes clear that it did not intend to offer Providers an absolute free pass for activities performed on their online platforms, it did not take long before questions arouse around the limits of this exemption. Hence, no wonder that after the Directive’s implementation in the member states of the EU, Courts were called to deal with this issue both, on a national as well as on an international level.
The position of the Court of Justice of the European Union (CJEU).
The Court of Justice of the European Union was approached on this specific problem back in 2009 through a case (no. C-324/09) involving companies L’Oreal and eBay. The Grand Chamber of the Court resolved the case through decision dated July12, 2011, which established a range of general principles:
- Directive 2000/31 seeks (in Articles from 12 to 15) “to restrict the situations in which intermediary providers of information society services may be held liable pursuant to the applicable national law”, following that “it is therefore in the context of national law that the conditions under which such liability arises must be sought, it being understood, however, that….certain situations cannot give rise to liability on the part of intermediary service providers”.
- “Although it is thus for the referring” [national] “court to determine the conditions under which liability… arises, it is for the Court” [CJEU] “to consider whether the operator of an online marketplace may rely on the exemption from liability provided for by Directive 2000/31”.
- “.. an internet service consisting in facilitating relations between sellers and buyers of goods is, in principle, a service for the purposes of Directive 2000/31”, therefore being “.. apparent from the definition of‘information society service’.. . that that concept encompasses services provided at a distance by means of electronic equipment for the processing and storage of data, at the individual request of a recipient of services and, normally, for remuneration” and resulting “..clear that the operation of an online marketplace can bring all those elements into play”.
- “The fact that the service provided by the operator of an online marketplace includes the storage of information transmitted to it by its customer-sellers is not in itself a sufficient ground for concluding that that service falls, in all situations, within the scope of Article 14(1) of Directive 2000/31”.
- “.. in order for an internet service provider to fall within the scope of Article 14 of Directive 2000/31, it is essential that the provider be an intermediary provider ..”, that not being “the case where the service provider, instead of confining itself to providing that service neutrally by a merely technical and automatic processing of the data provided by its customers, plays an active role of such a kind as to give it knowledge of, or control over, those data”.
- “.. the mere fact that the operator of an online marketplace stores offers for sale on its server, sets the terms of its service, is remunerated for that service and provides general information to its customers cannot have the effect of denying it the exemptions from liability provided for by Directive 2000/31”, however when “.. the operator has provided assistance which entails, in particular, optimising the presentation of the offers for sale in question or promoting those offers, it must be considered not to have taken a neutral position between the customer-seller concerned and potential buyers but to have played an active role of such a kind as to give it knowledge of, or control over, the data relating to those offers for sale”, being therefore unable to “.. rely ..on the exemption from liability referred to in Article 14(1) of Directive 2000/31”.
The Judges then went on to offer some indications on the concept of ‘awareness’ (also a crucial element to avoid liability) by explaining that when a “..provider has confined itself to a merely technical and automatic processing of data…. it may none the less only be exempt ..from any liability for unlawful data that it has stored on condition that it has not had‘actual knowledge of illegal activity or information’ and, as regards claims for damages, has not been‘aware of facts or circumstances from which the illegal activity or information is apparent’ or that, having obtained such knowledge or awareness, it has acted expeditiously to remove, or disable access to, the information”.They concluded by noting that “..if the rules set out in Article 14(1)(a) of Directive 2000/31 are not to be rendered redundant, they must be interpreted as covering every situation in which the provider concerned becomes aware, in one way or another, of such facts or circumstances”, explaining that “the situations thus covered include, in particular, that in which the operator of an online marketplace uncovers, as the result of an investigation undertaken on its own initiative, an illegal activity or illegal information, as well as a situation in which the operator is notified of the existence of such an activity or such information. In the second case, although such a notification admittedly cannot automatically preclude the exemption from liability provided for in Article 14 of Directive 2000/31, given that notifications of allegedly illegal activities or information may turn out to be insufficiently precise or inadequately substantiated, the fact remains that such notification represents, as a general rule, a factor of which the national court must take account when determining, in the light of the information so transmitted to the operator, whether the latter was actually aware of facts or circumstances on the basis of which a diligent economic operator should have identified the illegality”.
While this case referred to sales performed on an online marketplace and to “facts or circumstances on the basis of which a diligent economic operator should have realized that the offers for sale in question were unlawful”, it is interesting to remind that the CJEU had also occasion to deal with intermediary’s role and liabilities with respect to the tenant of a (physical) marketplace in the Czech Republic (case no. is C-494/15, Tommy Hilfiger LLC, judgement July 7, 2016).
The Court found – in relation to infringements of intellectual property rights – that the position of a tenant of market halls with sales areas for rent, in which sub-lessors offered counterfeited goods for purchase, falls within the concept of an ‘intermediary’ whose services are used by a third party to infringe an intellectual property right. In the court’s view, “the fact that the provision of sales points concerns an online marketplace or a physical marketplace such as market halls is irrelevant in that connection”. On such premise, the Court then concluded that its position as an ‘intermediary’ exposed the tenant to the risk of being targeted with injunctions meant to prevent the continuation of infringing conduct, meaning that a ‘provider’ could get involved in an enforcement action to prevent further infringement.
In the preceding paragraphs we have learned that the liability exemption does not cover the case when a hosting provider, not engaged in managing posted content, becomes aware of (or receives notice about) the ‘illegality’ of such content. A negligent attitude or a neglectful failure to act in relation to a notification from a third party complaining about the presence of illegal content on provider’s online platform might easily prevent providers form being able to rely on the liability exemption. However, the ‘awareness’ requirement is clearly a ‘dynamic’ element, involving a case-by-case evaluation. Several elements will necessarily come into play: an overall evaluation of the correctness of the alleged facts, an assessment on the degree of seriousness of said infringement, the timeliness of provider’s reaction to remove infringing content, other - context specific - aspects.
The European Court of Human Rights (ECHR) had recently occasion to deal with such aspects (see Third Section, decision dated March 9, 2017 Pihl vs. Sweden) originating from a defamatory statement posted on a blog – with a relatively small audience – run by a not-for-profit organization. Even though the post was removed the day after applicant’s complaint about the incorrectness of the content and despite the fact that the organization had immediately published a corrective and apologizing statement, the offended person objected that the defamatory content was still available on the search engines, argued that the blog owner had failed to remove timely and therefore claimed a rather symbolic damage compensation (of approximately Euro 0,10). On such factual premises, the case ended before the ECHR as the applicant found that all the approached Swedish Courts had failed to give leave to his claims and had excluded the blog owner’s liability.
With respect to the obligations and liabilities of subjects assuming an ‘intermediary role’ on the Internet, the ECHR considered that aspects such as “the context of the comments, the measures applied by the company in order to prevent or remove defamatory comments, the liability of the actual authors of the comments as an alternative to the intermediary’s liability, and the consequences of the domestic proceedings for the company…” had to be evaluated. This in order to assess whether in the specific case “a fair balance between the applicant’s right to respect for his private life under Article 8 and the association’s right to freedom of expression guaranteed by Article 10 of the Convention” had been achieved.
As to the timeliness of the reaction the Court noted that the defamatory content had been removed “..one day after being notified by the applicant that the post was incorrect..” and that the association had immediately published a notice “with an explanation for the error and an apology”.
As to the ongoing presence on the Internet of the questioned content (still be found by using search engines) the Court reminded that “the applicant is entitled to request that the search engines remove any such traces of the comment”.
Finally, the Court also considered that the applicant had failed to substantiate that “..he took any further measures to try to obtain the identity of the author of the comment” and conceded that, being “..the scope of responsibility of those running blogs regulated by domestic law and that, had the comment been of a different and more severe nature, the association could have been found responsible for not removing it sooner”. However, it concluded that “in view of the above, and especially the fact that the comment, although offensive, did not amount to hate speech or incitement to violence and was posted on a small blog run by a non-profit association which took it down the day after the applicant’s request and nine days after it had been posted,…that the domestic courts acted within their margin of appreciation and struck a fair balance between the applicant’s rights under Article 8 and the association’s opposing right to freedom of expression under Article 10”.
Hence the application was rejected.
The national implementing provisions of Directive no. 31 of 2000.
With respect to hosting providers’ liability the implementing Italian Statute Law (i.e. Legislative Decree no. 70 of 2003, article 16) reflects closely the Directive’s wording as contained in Article 14. Which leaves us with the issue of WHENa provider risks to see its role transformed into ‘active’ hosting, potentially involving liability for infringing content/conduct performed on provider’s platform.
Italian case-law dealing with the issue.
Already back in 2016, the IP Section of a local First Instance Court in Rome issued a decision with some interesting guidance about the role of ISPs involved in ‘active hosting’.
A TV Station, broadcasting on a national level and owning the distribution rights of several popular shows, sued a US company offered in streaming on its web site pieces of such local shows.
Being the servers, hosting the online platform used for the questioned streaming practice, located outside Italy, the defendant tried to block plaintiff’s action by bringing up a lack of jurisdiction argument, then – on the merits – went on to rely on a ‘no obligation to control and monitor obligation’ with respect to content hosted on its platform (so-called provider exemption).
The approached Court in Rome got rid of the ‘lack of jurisdiction’ objection, considering that relevant appeared to be not the place where the infringing content had been uploaded to the online platform but the geographic context where the damaging effects had occurred (in the specific case, the local – Italian –market).
The Court then passed on to examine the role (and liabilities) of the provider with respect to the questioned streaming practices and:
- disagreed with the defendant arguing that his position as a provider of a ‘social network’, allowed him to facilitate ‘content sharing’ and entitled him – as long as he did not get involved in any actual and active managing and structuring content uploaded by third parties – to benefit from the provider exemption and considered such argument as simplistic, both in relation to his claim to be one of the most famous online portals offering digital content as well as with respect to the fact that the defendant actually runs a ‘global business’, based on selling advertising space on the platform, on performing as an ‘aggregator’ (selecting and organizing in various forms the uploaded content) and on having an ‘editorial team’ in place for optimizing services offered by making use of sophisticated techniques to target platform visitors based on their online behavior,
- confirmed that existing Statute Law did not impose a general in-advance monitoring and controlling obligation on ISPs, but also reminded that provider’s liability came into play anytime it had achieved adequate knowledge about illegal conduct performed on the platform (in the specific case, court action was preceded by several cease and desist letters from the plaintiff, simply ignored by the defendant),
- having ascertained that the alleged infringement had occurred, ordered the defendant to restrain from continuing infringing conduct and established a fine (Euro 10.000) for any further violation and for every day of delay in complying with the Court’s prescriptions,
- awarded Euro 115,000 in damage compensation (determining the respective amount in relation to the number and duration of the posted infringing videos as well as according to the ‘consent price’ - i.e. the fee charged for licensing content’s use – generally applied in the market,
- ordered the defendant to bear the costs for giving twice a public notice about the judgment on two national newspapers and to publish such notice also on his online platform,
- served the defendant with the legal fees for the proceeding, determined in Euro 20.000 (plus Euro 600 in costs and reimbursement of experts’ fees).
Now the Highest Italian Civil Court (“Corte di Cassazione”) had its say.
A few weeks ago, the Highest Italian Civil Court came to deal with the problem of ‘active hosting’ and the consequent implications as to provider’s liability. The Court had been asked to resolve a dispute between a TV station, owning the IP rights on broadcasted shows, and an online platform, which – in the ‘Video’ section – had diffused parts of said shows.
The First Chamber of the Court issued two decisions – on March 19, 2019, nos. 7708 and 7709 – and set general criteria to be applied to assess when ‘active hosting’ occurs.
First, the Court held that the specific problem had to be referred to the general context of liability in cases where different subjects are jointly involved in illegal acts or omissions; hence, a provider could not rely on the liability exemption anytime he takes part to illegal acts or omissions.
Elements to consider for‘active hosting’.
Then, the Court held that as elements capable of revealing provider’s ‘active role’ should be considered the following (not being necessary all of them to be found), when performed through a business service management: filtering, selecting, indexing, organizing, cataloguing, aggregation, evaluation, use, modification, extracting or promoting content posted on online platforms or adopting techniques for evaluating users’ behavior to favor loyalty enhancing effects. In short, such ‘active role’ would result anytime the provider performs a conduct, suitable to ‘actively enrich’ the browsing experience of an indistinct group of visitors.
Providers have no general control obligation.
The Judges also did confirm that providers do not bear a general obligation as to supervising/monitoring the information transmitted or memorized on their platforms or as to actively researching circumstances or facts revealing the presence of illegal content.
They also reminded that both, the Directive no. 31 of 2000 as well as the case-law of the CJEU were clear in setting limits for national implementing provisions as to cases in which the liability of providers could come into play.
Hosting Providers’ obligations.
With respect to “hosting” services the Court held that – according to existing EU and Statute Law - providers become liable; (a) when they are aware that content present on their platforms is illegal or had actual knowledge of facts or circumstances, revealing the illegal nature of such content, and (b) when they do not act immediately to remove or block access o illegal content as soon as they are informed by the competent authorities about the presence of such content.
Being undisputable, in the specific case, that illegal conduct had performed by accessing content protected under IP provisions, the question was to assess whether provider’s joint liability occurred due to its ‘awareness’ of such illegal conduct and due to a not timely block of access to and removal of the questioned content.
The concept of‘actual awareness’.
In the Court’s view ‘actual awareness’ occurs anytime the harmed right holder notifies the provider – through a communication suitable to the purpose - about the presence of illegal content on its platform (where the complainant bears a burden of proof with respect to that fact that proper notification had been given).
Provider’s exposure to damage compensation.
As mentioned before, hosting providers have no obligation to monitor in-advance content posted on their platforms. However, they do have an obligation to remove such content, once they have knowledge of the presence of posts of illegal nature and they face claims for damage compensation, when they fail to timely remove them once they are aware (or made aware) of their presence.
In short, providers are not supposed to ‘actively researching’ illegal conduct present on their platforms but to ‘take action’, once they have knowledge about such content.
Premise for‘taking action’ and requirements for provider’s exposure to damage claims.
According to the Court, two premises must be met to have hosting provider’s liability coming into play: (a) irrespective of the means of communication, has to achieve knowledge about the illegal nature of the content posted on its platform, and (b) he must consciously omit to take proper steps to prevent the continuation of illegal conduct.
Once properly notified about the presence of illegal content, it will be up to the provider to prove that there was no technical or legal way available to prevent such presence.
What does a notice about illegal content need to flag to providers?
Obviously, the hosting provider must receive information suitable to acknowledge and to identify the questioned content. In its L’Oreal decision (see above) the CJEU had clarified that its up to the national judge to assess whether a notice to the provider is sufficiently clear and specific.
With respect to this aspect the Italian High Court reminds that Communication of the European Commission no. 555 of September 28, 2017 (“Tackling Illegal Content Online - Towards an enhanced responsibility of online platforms”) offers useful indication for assessing when a notice is adequate, also in the light of the fact that online platforms nowadays have (or should have) proactive measures in place (such as automatic detection and filtering technologies) to individuate and remove illegal content online (see Points 3.3.1. and 3.3.2. of the Communication) as well as to prevent the repeated posting of infringing content.
Hence, once the provider is put in a condition to individuate – also by making use of his professional diligence – infringing content, it has an obligation to act and to remove illegal posts.
If the provider, through an adequate notice, has a URL available or - given its technological capacities – is able to individuate infringing content, it has an obligation to restrain from further (i.e. repeated) publishing such content, where such obligation does not result in a burden of general, preventive control (excluded by the provisions of Directive no. 31 of 2000). Such conclusion derives from the fact that on receipt of a notice, the provider can no longer claim unawareness of the infringing content and that the IPR Enforcement Directive (no. 48 of 2004) requires Member States to “.. ensure that, where a judicial decision is taken finding an infringement of an intellectual property right, the judicial authorities may issue against the infringer an injunction aimed at prohibiting the continuation of the infringement” (so Article 11).
As to the specific case, the High Court found that it was up to the lower courts (competent on the merits of the dispute) to determine whether a notice delivered to the provider was sufficient to allow the latter to detect the illegal content and to take action or not. Having the lower courts failed to properly verify whether the notice given was sufficient for said purpose, the dispute had to be sent back to the Court of Appeal for a retrial focusing on such verification and, especially, whether a notice not bearing the URL of the infringing content could be considered as suitable for individuating the latter (just by the titles of the posted videos or through other indications).
The liability exemption does not put a hosting provider automatically on the safe side. Providers need to think, think and thing again about what they do when providing their services and need to carefully consider to which extent their activities ‘interfere’ with content uploaded by third parties. They also must bear in mind that, once they are made aware of infringing content present on their platforms, timely action has to be taken both, to block such content as well as to prevent continuation of the infringement. A defense arguing that the notice given to them about illegal content was not enough ‘specific’ or ‘detailed’ could easily result as a risky stand, as the respective evaluation will be performed by courts on case-by-case basis. Hence, it will not be enough to argue that a provider has not done anything wrong, being necessary also to substantiate that it has done the right thing at the right moment.