Introduction

The case of CG v. Facebook Ireland Ltd & Anor ([2016] NICA 54) deliberates on the liability of information society services, specifically Facebook, for the misuse of private information resulting from user-generated content. The plaintiff, CG, a convicted sex offender, sought damages and injunctive relief against Facebook and Joseph McCloskey, who operated Facebook profile pages that disseminated private information and fostered harassment against CG. The primary legal issues revolved around whether Facebook, as an information society service provider, could be held liable for third-party misuse of private data under the Data Protection Act 1998 and the e-Commerce Directive 2000/31/EC.

Summary of the Judgment

The Court of Appeal in Northern Ireland reviewed the liability of Facebook Ireland Ltd (“Facebook”) and Joseph McCloskey (“McCloskey”) concerning the misuse of private information and unlawful harassment against CG. Stephens J had previously held Facebook liable for damages due to the dissemination of CG's private information on Facebook profile pages operated by McCloskey, including threatening comments. McCloskey was also found liable for unlawful harassment.

On appeal, Facebook contended that it should not be liable under the e-Commerce Directive as it lacked actual knowledge of the unlawful activity. Additionally, there was a cross-appeal regarding Facebook's status as a data controller under Section 5 of the Data Protection Act 1998. The Court upheld Facebook's liability for a specific period but allowed the cross-appeal, concluding that Facebook is indeed a data controller and entitled to protection under the e-Commerce Regulations against certain claims under the Data Protection Act.

Analysis

Precedents Cited

The judgment extensively referenced key cases shaping privacy and data protection law:

• Murray v Express Newspapers plc [2008] EWCA Civ 446: Established a broad objective test for reasonable expectation of privacy.
• Kenneth Callaghan v Independent News and Media [2009] NIQB 1: Applied the Data Protection Act 1998 as a touchstone for private information.
• Google Spain v AEPD & Mario Costeja González [2014] QB 1022: Emphasized the broad territorial scope of the Data Protection Directive concerning data controllers.
• Weltimmo v Nemzeti Adatvedelmi (C-230/14) EU: Reinforced the effective and real exercise of activity through stable arrangements as criteria for establishment within a member state.
• R (on the application of C) v Secretary of State for Justice [2016] UKSC 2: Highlighted the balance between open justice and the risk of harm to individuals.

These precedents underscored the court's approach to determining the reasonable expectation of privacy and the scope of data protection laws, especially in the context of multinational entities like Facebook.

Legal Reasoning

The court's legal reasoning hinged on several key points:

• Misuse of Private Information: The court adopted an objective test to determine whether CG had a reasonable expectation of privacy. It assessed the cumulative disclosure of CG's name, photograph, location, and criminal history, especially within the harassment context.
• Actual Knowledge under e-Commerce Directive: Facebook's liability hinged on whether it had actual knowledge of the unlawful activity. The court found that through the XY litigation and subsequent correspondence, Facebook should have been aware of the misuse of private information.
• Data Controller Status: On cross-appeal, the court determined that Facebook, through its UK subsidiary, Facebook UK Ltd, was established in the UK and thus a data controller under the Data Protection Act 1998. This necessitated adherence to UK-specific data protection obligations.
• Exemptions under e-Commerce Regulations: While the e-Commerce Directive provides exemptions for ISS providers from liability for certain damages, the court found that these exemptions did not apply once Facebook had actual knowledge of the misuse.

The court meticulously analyzed whether Facebook met the criteria for being a data controller and whether it had failed to act expeditiously upon gaining knowledge of the misuse, thereby negating its exemptions under the e-Commerce Regulations.

Impact

This judgment has significant implications for both information society service providers and individuals seeking remedies for misuse of private information:

• Clarification of Data Controller Status: It affirms that multinational entities like Facebook can be deemed data controllers in multiple jurisdictions based on their operational structures and activities.
• Responsibility to Act on Knowledge: Service providers are held accountable to act expeditiously upon gaining actual knowledge of unlawful activities, tightening the scope of protection for individuals against online harassment and misuse of private data.
• Interplay Between Directives: The case delineates the boundaries between the e-Commerce Directive and the Data Protection Directive, emphasizing that exemptions under one do not necessarily preclude liabilities under the other.
• Reinforcement of Privacy Rights: It underscores the judiciary's role in balancing the freedom of information with individual privacy rights, especially in the digital age.

Future cases involving online platforms will likely draw upon this precedent to assess liability, particularly concerning user-generated content and the responsibilities of platform providers.

Complex Concepts Simplified

Data Controller

A data controller is an entity that determines the purposes and means of processing personal data. In this case, Facebook, through its UK subsidiary, was identified as a data controller because it processed personal data (CG's information) within the UK context.

Reasonable Expectation of Privacy

This concept assesses whether an individual expects that certain personal information remains private. The court evaluates factors like the nature of the information, how it was disclosed, and the context, such as harassment, to determine if privacy rights were breached.

e-Commerce Directive

The e-Commerce Directive is an EU law that provides legal rules for online services, including limiting the liability of service providers like Facebook for third-party content unless they have specific knowledge of illegal activity.

Data Protection Act 1998

The Data Protection Act 1998 governs how personal data should be handled in the UK. Being classified as a data controller under this act imposes certain responsibilities on entities like Facebook to protect individuals' personal information.