Jusletter IT

The case of Delfi v. Estonia¹ decided unanimously by the European Court of Human Rights on October 10, 2013 redefines the extent of due diligence required of Internet service providers in preventing violations of third party rights. An allegation of freedom of speech violation made by an Estonian service provider gave ground for assessing the obligations of hosting companies. While the court emphasized the difference in liability for own content, published by the claimant and one originating from its users, solely hosted by it within a separately maintained discussion forum, it denied assessing the applicability of the notice-and-takedown procedure well rooted in European legal systems, originating from the EU Directive on Electronic Commerce (further herein: e-commerce Directive)². The procedure grants freedom from liability to all service providers who engage in mere conduit, i.e. solely host others’ content without knowledge of its potentially illegal and do not interfere with it. Yet even though the claimant promptly disabled access to content damaging to a third party, it was held liable by national courts for the infringement. ECHR concurred with the Estonian state that such liability does not violate the claimant’s right to share information, a composite right of the freedom of speech granted by Article 10 ECHR. Deriving richly from publishers’ liability recognized in national press law regulations it endowed the Estonian service provider, offering to its users an online forum for shared discussions, with the liability for not undertaking preventive measures in order to limit threats to individual rights. The decision may therefore alter the perception of hosting providers obligations, in particular with regard to profession due diligence required from them in their daily operations. It may be seen as the first step towards a risk liability for hosting providers, obliging them to introduce additional filtering and blocking mechanisms. A conclusion significant to the freedom of speech online as the already existing notice-and-takedown procedure was regarded as a threat to free online communications.

An Estonian company, Delfi, runs one of most popular websites in Estonia, delfi.ee. Within that Internet portal it publishes daily up to 330 news items on currents events, while operating also in Lativia and Lithuania.³ As most online content providers it allows its readers to add comments to news items posted on the site. The ECHR case concerns Delfi’s liability for those comments, made by individual readers, independent of the company, rather than editorial content published online by Delfi’s hired authors. Posting comments on Delfi’s website did not require any registration or validation of identity at the material time of the case. Publishing comments could be affected by solely pressing two screen buttons – one to add a comment and another to publish it. According to the ECHR assessment, the articles on the Delfi website «received about 10,000 readers’ comments daily, the majority posted under pseudonyms».⁴ Following common practice Delfi operated on a notice-and-takedown procedure, where access to a potentially unlawful comment would be disabled upon a request made to the website administrators. The promptness of disabling potentially harmful content was under no dispute in this case – Delfi managed to swiftly respond to any takedown notice. Attempting to improve its service it voluntarily introduced a «system of automatic deletion» for offensive comments.⁵ Also in its «Rules of comment» Delfi discouraged its users from posting infringing content and warned them about potential criminal responsibility and civil liability. Despite those efforts Delfi was considered by national authorities as having a long going «notorious history of publishing defaming and degrading comments», publicly «taunting» individuals.⁶

The article focal to the ECHR decision was published by Delfi on 24 January 2006. It considered the local shipping company, who, according to the text, were planning to destroy ice roads – paths on thick ice, used for traveling to Estonian islands – for their own financial benefit. The company operated ships that would serve as an alternative to the destroyed ice roads. The Delfi article, phrased in a restrained manner, provoked hateful comments directed at the company’s manger, L. From among 185 comments to the article about 20 of them included personal insults to L. and threats to his life and personal security. Delfi hosted the comments, posted by anonymous Internet users, on a separate webpage, displayed when a screen button for «read comments» was activated.

It was L. who caused Delfi to seek protection for its freedom of speech in Strasburg. L. had been successful in convincing Estonian courts that lack of diligence on behalf of Delfi caused his personal rights to be infringed by the defaming comments it hosted. Originally seeking 32.000 EUR in damages, L. was eventually awarded 32 EUR by Estonian courts in civil litigation. No criminal charges against Delfi were filed.

The core of the legal dispute lies in the character of activities conducted by Delfi as a website host. While the claimant company identified itself a mere host for users’ content, free from liability therefore or an obligation to monitor it. Estonian courts recognized Delfi as more than just a hosting company. They found Delfi to play the role of a press publisher, ascertaining to it full editorial responsibility for illegal press materials published within its website, regardless whether the text had been provided by authors supervised by the company or independent individuals. The decision in the Delfi case is therefore of pivotal importance, as it may serve in the future delimitation of mere conduit obligations and due diligence based editorial liability for electronic media publishers.

Delfi claimed it held no editorial liability for users’ content according to the mere conduit exemption, incorporated into Estonian law following the e-commerce Directive. According to the claimant, its responsibility was to be excluded under the Information Society Services Act (Infoühiskonna teenuse seadus), which, similarly to the Directive, exempted from liability those service providers whose actions were limited to the «technical process of operating and giving access to a communication network». Delfi claimed its activities were therefore of «a mere technical, automatic and passive nature», disabling it of «either knowledge of or control over the information which is transmitted or stored».⁷ According to the e-commerce Directive, which is considered to introduce a European standard in service provider liability, «a service provider can benefit from the exemptions for ‹mere conduit› and for ‹caching› when he is in no way involved with the information transmitted».⁸

Estonian courts found that this was not the case with Delfi. Neither did it not know nor control the information stored.⁹ It invited users to provide comments, actively influencing the amount of information as well as the very fact of their appearance. What is more, on numerous previous occasions Delfi had voluntarily removed content it found potentially infringing, confirming its acknowledged editorial status.¹⁰ Its failure to do so on the occasion in question clearly allowed, in the eyes of the Estonian courts, to find it liable for lack of required editorial diligence. The courts consequently decided to introduce media law liability of a press publisher rather than apply the e-commerce Directive liability exemption to Delfi’s case. Applying publisher liability allowed to verify the level of due diligence provided by the company vis-à-vis published content, including a legal assessment of potential third party rights infringement. Deriving company’s liability from civil law obligation to prevent harm to third parties, enshrined in the Estonian Obligations Act, the national Supreme Court found Delfi’s failure to act unlawful.¹¹

Those arguments found confirmation in the ECHR decision. As much as the Court shied away from directly defining the role of a hosting company with regard to third party content, indicating it as the role of national courts to apply national regulations on mere conduit to particular circumstances of each case, it did welcome the «application of the existing tort law to a novel area related to new technologies», where the «publication of articles and comments on an Internet portal was also found to amount to journalistic activity and the administrator of the portal as an entrepreneur was deemed to be a publisher».¹² While indirectly assessing the applicability of media law to Internet hosting companies, ECHR recognized that the applied Estonian laws met the requirement of foreseeability. It recalled that even when the application of national laws requires seeking a professional legal advice in order to assess the consequences of a particular action, such national law is still to be considered foreseeable. Consequently deeming the claimant a professional publisher, ECHR required it to «proceed with a high degree of caution».¹³ Referring to professional due diligence the Court recalled the expectation of such professionals «to take special care in assessing the risks» their activity entails.¹⁴ With this statement the Court consequently identified providing online services as a potentially risk originating activity, subject to particular risk liability. Following national courts in identifying the service provider as a publisher the Court was «satisfied» that «a media publisher was liable for any defamatory statements made in its media publication».¹⁵ Identifying the claimant as «a professional publisher» the Courts assumed it «familiar with the legislation and case-law» and capable of seeking legal advice when needed. Since Delfi was one of the largest news portals in Estonia and the «degree of notoriety has been attributable to comments posted in its commenting area», the Court considered the company to have been «in a position to assess the risks related to its activities» and able to «foresee, to a reasonable degree, the consequences which these could entail».¹⁶

The Delfi claim concerned a possible Article 10 infringement. Despite a strong argument made by the government, where a possible Article 10 violation and a «mere conduit» exemption argument were mutually converse, the Court had little doubt that the case was a freedom of speech issue. Delfi claimed its right to impart information, one composite of the right to freedom of expression, had been infringed. The Court, following the arguments of the Estonian government, recognized the issue as an Article 10 case simply because of the actual role the applicant held in the publishing process. Providing editorial services the content created by its users became a form of expressing Delfi’s own opinions. Moreover, recognizing the particular role press plays in a democratic society, the Court analyzed the limits of state interference with media freedom. Referring to individual privacy and family life protection, granted in Article 8 of the European Convention on Human Rights, the Court emphasized that any state interference aimed at assuring individual dignity ought to be justified and «necessary in a democratic society». Following its earlier jurisprudence it emphasized that laying the burden of assessing the identity of individual infringers for online defamation may lead to actually depriving the victims of legal protection.¹⁷ Therefore states are under a particular positive obligation to enforce effective protection for those at risk.

The Delfi case lays an important milestone for European intermediary liability practice. The Court implied a due diligence obligation of service providers with regard to individual human rights protection. Professionals offering online services, who have impact on the quantity and quality of users’ content, may be regarded as liable for infringements caused thereby just as professional media publishers are liable for the content they publish. The due diligence standard has been well known to international law, in particular with regard to risk originating activities, such as those inflicting transboundary harm. The International Law Commission devoted much time and numerous documents to identify the elements of the due diligence principle in international law. Requiring states to take all appropriate measures to prevent significant transboundary harm may easily be applied to their obligation to prevent human rights violations. The Estonian decisions, confirmed by the European Court, may trace the part for European future human rights jurisprudence regarding online services. The existing international liability regimes in international law, in particular in international environmental law, might serve as the blueprint for further evolution of Internet services providers' liability.¹⁸

---

 

Joanna Kulesza, Ph.D., University of Lodz, Poland.