Intermediary Issues

Third Party Discovery and Providers

In ordinary civil proceedings, pre-trial discovery is usually ordered or agreed in respect of all documents in the possession or under the control of each party to the litigation. At the trial, a party to litigation must answer questions put to them in relation to matters in issue. There are very limited cases where legal professional privilege or other privileges apply.

In certain types of case, the civil courts grant orders which require persons to disclose the identity of others. A stand-alone order for discovery may be made prior to the commencement of proceedings. There must be clear evidence of wrongdoing. The orders will only be made in exceptional cases.

If a person gets mixed up in the wrongful acts of another or facilitates their wrongdoing, he may come under a duty to assist those who have been wronged, by giving information regarding the identity of the wrongdoers. This is so, even though he has no personal fault or liability in relation to the matter.

So-called “Norwich Pharmacal” orders have been granted to compel the identification of persons who have misused the Internet in some way, such as by publishing defamatory statements anonymously or breaching another’s intellectual property rights. The Data Protection Acts do not apply to disclosure required by court order.


Norwich Pharmacal Orders

Orders have been made against various internet intermediaries, requiring the disclosure of the identity of persons, for the purpose of seeking redress from them in civil proceedings in consequence of their wrongdoing. Such orders have been made against Internet Service Providers in order to identify persons facilitating downloading and dealing in breaches of copyright, provided the requisite evidence of wrongdoing is forthcoming.

The Irish courts have been willing to grant orders compelling Internet providers to disclose the identity of the relevant parties. Where there is wrongdoing, the data protection rights and rights of confidentiality that ordinarily apply do not apply. The disclosure will be limited to the purpose of the proceedings.

The grant of orders has been controversial where the persons whose anonymity is in question have not been given a prior opportunity to oppose the application. The Constitution and the European Convention on Human Rights require that, other than in cases of exceptional necessity, persons have the opportunity to challenge the grant of orders in advance.

Practical difficulties may arise in allowing a third party to contest the order anonymously. In other contexts, the Irish courts have used procedures which sought to protect the identity of the parties concerned. They were allowed to contest the attempt to identify them without themselves revealing their identity.


Intermediaries and Internet Service Providers

Internet service providers are unlikely to be deemed publishers for the purposes of defamation law. Difficult questions of interpretation arise as to whether and to what extent groups which hold discussions are distributors or publishers. Distributors are not generally liable unless they are negligent. However, publishers are strictly liable.

An intermediary (internet) service provider is not liable for information transmitted in a communication network if the information has been passively carried (and no more).  Conditions apply. It is a condition that the intermediary service provider did not initiate the transmission, did not select the receiver of the transmission and did not select or modify the information contained.

There is a specific exemption for caching. Caching involves creating temporary copies of a web page.  This facilitates a user using the same content, which can be provided by the local copy made by the internet service provider, rather than going back to the source page on the occasion of each subsequent re-use of the page.

The intermediary service provider is not liable for the automatic, intermediate and temporary storage of information for the sole purpose of making its onward transmission to other users of the service, upon their request, more efficient. Certain conditions apply. In particular, the intermediary service provider must not modify the information and must comply with certain rules and industry practices.

It must act quickly to remove or disable access once it acquires actual knowledge that the information at the source from which it was obtained has been removed or had access to it disabled, or that a court or administrative authority has ordered its removal or disablement.


Passive Providers and Mere Conduits

Intermediary service providers providing hosting services enjoy certain exemptions. This covers the storage of information, which has been provided by the service recipient.  The hosting provider will not be liable for information stored, provided that it complies with certain conditions.

It must not have actual knowledge of the unlawful activity concerned and must not be aware of facts or circumstances, from which the unlawful activity is apparent. Upon obtaining such knowledge or awareness, it must act quickly to remove or disable access to the information.

The exemption applies to passive service providers.  Intermediaries and operators which edit or control the content may not qualify for the exemption.  Bodies qualifying for the exemption may be deemed to become actually aware of circumstances if they become sufficiently prominent. The exemption does not apply where the service recipient is acting under the control of the intermediate service provider.

Internet service providers who are mere conduits, or who provide caching or hosting services have an obligation to monitor content.  They may be obliged by EU states to notify the public authorities of illegal activity.


Internet and other Intermediate Service Providers

Case law prior to the Directive discussed below suggested that an ISP could be liable as a publisher. Later cases confirmed that if the ISP played a passive role, then it would not be deemed to be a publisher. It has been held that Google’s ordinary functions do not make it a publisher at common law. Different considerations arise where an entity hosts or has some element of control over the material.

An Irish court has held a chatroom with editorial control to be an intermediary service provider for the purpose of the legislation. Accordingly, it had no liability where it did not have actual knowledge of the publication. The protection of the legislation has been afforded to a news organisation in relation to comments on a news article, in circumstances where the organisation did not have knowledge of the defamatory content.

The ultimate position will depend on the circumstances and on the nature of control over the website. If the operator of the site goes beyond storage and hosting, the immunity may be lost. If the site is moderated, the protection of the legislation is unlikely to be available.


EU Directive Protecting ISP

The EU E-Commerce Directive contains a number of provisions which protect internet service providers that are mere conduits. An intermediate internet service provider (ISP) is not liable for information transmitted in, or for the provision of access to, a communication network if it has been provided by a recipient of the service, provided that the following conditions are complied with:

  • the ISP did not initiate the transmission;
  • the ISP did not select the receiver of the transmission; and
  • the ISP did not select or modify the content or information contained in it.

The transmission and provision of access to a communications network include automatic, intermediate and transient storage of information, in so far as it is for the purpose of carrying out the transmission in the network and provided that the information is not stored for any period longer than reasonably necessary.

An ISP is not liable for the automatic, intermediate or temporary storage of information which is performed to make the system of onward transmission more efficient.


Conditions of ISP Immunity

The intermediate service provider is not liable, provided that it

  • does not modify the information;
  • complies with conditions relating to access;
  • complies with the rules regarding the updating of information that have been specified in a manner widely recognised or used in the industry;
  • does not interfere with the lawful use of technology widely recognised or used by the industry, to obtain data on the use of information; and
  • acts expeditiously to remove or disable access to the information it has stored, on obtaining actual knowledge of the fact that the initial source of the transmission has been removed from the network, where access has been disabled or where a court or administrative authority has ordered its removal or disablement.

Courts may make orders against ISPs requiring them not to infringe or to cease infringement of legal rights.


ISP Defence Hosting

An ISP acting as a host which stores information provided by a recipient of the service is not liable for information stored at the request of the recipient. This is provided the following conditions are complied with:

  • the ISP does not have actual knowledge of the unlawful activity concerned;
  • the ISP is not aware of facts from which unlawful activity is apparent; and
  • the ISP, on obtaining knowledge or becoming aware, acts expeditiously to remove or disable access to the information.

The defence is not available where the recipient of the service is acting under the control of the ISP. A court may make orders prohibiting infringement or requiring that it cease.


Obligations of Internet Service Providers and Intermediaries

An EU Directive provides that Member States must not impose a general obligation on ISPs to monitor information they transmit or store, nor may they impose any obligation to actively seek facts or circumstances indicating illegal activity.

States may establish obligations for information society providers promptly to inform public authorities of alleged illegal activities undertaken or information provided by customers, or obligations to communicate to the competent authorities, at their request, information enabling the identification of the recipients of their services with whom they have storage agreements.

Once the ISP has been informed of the defamatory material, the question arises as to what it is obliged to do to remove it. Where removal is impracticable without enormous cost, expense or complication, there is a limit to the steps which are required of the ISP to remove it.


Data Retention I

The Communications (Retention of Data) Act regulates and limits the retention of data by the providers of public electronic communications services or public communications networks. The Data Protection Commission is the national supervisory authority for the legislation.

The Act relates to data about communications, but not their actual content. The content of data is not to be retained by service providers, other than in limited cases where they are required by law.

Service providers must retain data relating to fixed and mobile telephony for a two-year period. Data relating to internet access, e-mail and internet telephony must be retained for one year. Data relating to unsuccessful call attempts are to be retained where, in the case of telephone data, it is stored in the State and, in the case of internet data, it is logged in the State.


Data Retention II

Data is to be retained in such a way that it can be disclosed without undue delay pursuant to a disclosure request. Service providers must ensure that it is of the same quality and subject to the same security and protection as other data on their network. Provision is made for the destruction of telephony data after two years and one month and internet data after one year and one month.

Service providers may not have access to the data, except where

  • they have the consent of the person to whom the data relates;
  • they are complying with a lawful disclosure request from the Garda Síochána, the Defence Forces or Revenue Commissioners;
  • they are complying with a court order; or
  • they are authorised by the Data Protection Commission.

Gardaí and Defence Forces Access

A disclosure request must come from a member of the Garda Síochána above the rank of chief superintendent, from a Defence Forces officer at the rank of colonel or above or a person at principal officer level in the Revenue Commissioners.

The Gardaí may make a disclosure request only if it is required for the prevention, detection, investigation and prosecution of a serious offence, safeguarding national security or saving human life. In the case of the Defence Forces, the disclosure must be necessary for the security of the State. In the case of the Revenue, it must be necessary for the prevention, detection or investigation of revenue offences.

Reports must be made annually to the Minister for Justice in relation to the disclosure requests made by each of the Gardaí, Defence Forces and Revenue. Comments are to be made on the requests. There is provision for the compilation of statistics on requests. The State is to prepare a report and present it to the EU Commission annually.

There is a compliance system, similar to that applicable to the 1993 legislation on the interception of telecommunications data. Equivalent provision is made for a complaints referee and a designated High Court judge.


References and Sources

Legislation

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Communications (Retention of Data) Act 2011

Criminal Justice (Surveillance) Act 2009

Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (An Garda Síochána) Regulations 2009, S.I. No. 275 of 2009

Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Revenue Commissioners) Regulations 2009, S.I. No. 290 of 2009

Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Defence Forces) Regulations 2010, S.I. No. 80 of 2010

EU Legislation

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (Official Journal L 8 of 12.1.2001, pp. 1-22)

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Official Journal L 105 of 13.4.2006, pp. 54-63) (declared invalid by Court of Justice ruling, see below).

Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009

Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Official Journal L 173 of 26.6.2013, pp. 2-8).

European Communities (Directive 2000/31/EC) Regulations 2003

European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. No. 336 of 2011

Irish Books

EU Data Protection Law, Kelleher & Murray, 2018

Information & Technology Communications Law, Kennedy & Murphy, 2017

Social Networking, Lambert, 2014

Technology & Intellectual Property Law, Law Society PPG, Hyland, 2008

Information Technology Law in Ireland, 2nd ed., Kelleher & Murray, 2007

Data Protection Law in Ireland: Sources & Issues, 2nd ed., Lambert, 2016

Privacy & Data Protection Law in Ireland, Kelleher, 2015

Data Protection: A Practical Guide to Irish & EU Law, Carey, 2010

Practical Guide to Data Protection Law in Ireland, A&L Goodbody, 2003

Privacy and Data Protection Law in Ireland, 2nd ed., Denis Kelleher, 2015

EU and UK Texts

Privacy and Legal Issues in Cloud Computing, edited by A. S. Y. Cheung, R. H. Weber, 2016

Privacy and Legal Issues in Cloud Computing, edited by A. S. Y. Cheung, R. H. Weber, 2015

Information Rights: Law and Practice, 4th ed., Philip Coppel, 2014

Cloud Computing Law, Christopher Millard, 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook), Christopher Kuner, 2013

Consent in European Data Protection Law, Eleni Kosta, 2013

A User’s Guide to Data Protection, Paul Lambert, 2013

Confidentiality (Book & eBook Pack), 3rd ed., The Hon Mr Justice Toulson, Charles Phipps, 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data, Lokke Moerel, 2012

Property Rights in Personal Data: A European Perspective, Nadezhda Purtova, 2011

Global Employee Privacy and Data Security Law, 2nd ed., Morrison & Foerster LLP, 2011

Computers, Privacy and Data Protection: An Element of Choice, edited by S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes, 2011

Information Rights: Law and Practice, 3rd ed., Philip Coppel, 2010

Data Protection: Legal Compliance and Good Practice for Employers, 2nd ed., Lynda Macdonald, 2008

The Law of Personal Privacy, David Sherborne, Mark Thomson, Hugh Tomlinson, due August 2019

Tort Law and the Protection of Privacy, John Hartshorne, April 2019

The Privacy, Data Protection and Cybersecurity Law Review, 5th ed., edited by Alan Charles Raul, 2017

International Cybersecurity and Privacy Law in Practice, Charlotte A. Tschider, 2017

Determann’s Field Guide to International Data Privacy Law, 3rd ed., Lothar Determann

The Law of Privacy and The Media, 3rd ed., edited by Nicole Moreham, Mark Warby, 2016