Web Content, Personal Data Handling, Free Speech, Providers’ Liability In The Internet Environment

Article by Avv. Felix Hofer1

1. In recent years Internet Provider's liability has more and more shifted to the centre of an intense debate involving exponents of conflicting interests.: Pressure Groups are active lobbying for industry's or businesses' (economic) interests or advocating in favour of widely recognized principles (freedom of speech, no barriers to information, pluralism, cultural exchange, etc.). Politicians, Regulators, Public Authorities and Watchdogs usually tend to focus on providing some kind of viable legal framework for international relations as well as on trying to meet needs of common/general interest (safety, crime prevention, intelligence, preventive control, etc) or on granting adequate protection to sector groups/interests (consumers, children and minors, etc.). Providers struggle with: (a) delivering services characterized by sophisticated (and rapidly evolving) technology, (b) moving into areas where traditional "rules" and existing legal framework often result widely inadequate for dealing with the arising new issues/problems, and (c) facing interference and reactions from the all the other players in the game (frequently lacking of a sufficient level of familiarity the technical aspects involved by the questions at stake). Last but not least the Internet Users feel both, being targeted from all the other players mentioned above as well as deeply attracted by the potential of the services offered by new technologies2, but also consider themselves as being "invaded" by new technology's practical application3.

Additional action is brought onto the scenario by legal experts and courts, called in to disentangle complex conflicts of interests.

2. Most of those players in the game have just one aspect in common: they face enormous difficulties in properly understanding the technical implications involved by the use of electronic means and therefore truly struggle when required to provide solutions for totally new problems and when trying to apply their proven - but traditional - expertise to new devices, mechanisms and services.

It's not that long ago when courts were involved in comprehensive discussions about the "legal" nature of a website and were wondering whether a site should be assimilated to a "newsstand" or rather to a "publishing house".

3. While huge efforts had to be performed for coming across disputes and litigation in cases where the parties were located everywhere, used to target everyone and where jurisdiction and enforcement frequently resulted in riddles with almost no solution, another problem rising aspect added itself to an already sufficiently complex and messy situation: with businesses shifting to the Internet, electronic communication became, firstly, more and more popular and then crucial, especially for marketing purposes.

But electronic communication necessarily implies collecting, storing, handling, transferring, profiling, in short, "processing" of personal data by a wide range of different subjects, as agencies, advertisers, media companies, Internet providers, call centres, research companies (and many others), which subsequently face new and specific liabilities.

4. In the beginning this appeared to be just an additional (even if somehow annoying), mainly formal obligation to fulfil, but very soon how to comply with both, national and international regulation (i.e. the specific EU Directives) on personal data processing turned out as a major practical and legal problem for companies in their domestic businesses as well as in their cross-border economic relations.

In fact, the Data Protection Commissioners in the EU member countries (i.e. national, independent Authorities, in charge of the Directive's domestic implementation) started focusing their attention on new techniques, means, devices and services, as: SMS, E-Mail or Electronic Ads (e.g. Pop up Ads), Cookies or "web bugs" (mini bits of code left on user's PCs), Banners, Java Scripts, Spy Ware (key logging), RFID (radio frequency identification) tags inserted in packaging, loyalty cards, smart shopping trolleys, clothes, monitoring (low-level radiation cameras to "see" through clothing, walls or cars).

Those Commissioners:

coordinate on a trans-national level4,

concentrate not only on subjects established in the EU, but

extend their control on foreign subjects using, while processing personal data, equipment located in the EU's territory,

claim for special codes of conduct (meant to rule data processing on the Internet, data recording through audiovisual systems, data use in Direct Marketing),

do apply sanctions (usually fines, but violations of privacy rules can result also in criminal offences, punished with imprisonment up to 3 years).

5. A quick glimpse on some cases handled by Courts or Authorities throughout Europe and in other foreign jurisdictions delivers a neat idea about how tricky and nasty legal implications linked to handling of personal data can turn out. Sometimes the impact of data processing issues on businesses - or on entire business sectors - can result extremely worrying.

5.1. Germany:

A first instance Court in Berlin5 had to deal with a complaint about receipt of unsolicited commercial communication. The plaintiff had registered his cell phone number with an IS provider, offering to its clients a free SMS messaging service. The provider had passed on such data - without the cell phone holder's consent - to another company, which used it for running an advertising campaign performed via SMS.

In its decision6 the Court found that a violation of the provisions on data protection had occurred, issued a cease injunction against the two providers involved and fixed an eventual fine of 250.000 Euro for non compliance with the desist order. It also awarded 7.500 Euro as damage compensation to the plaintiff for the three unsolicited e-mails received7.

5.2. Italy:

A Professor received a promotional message sent to an e-mail address, available on the University's web site. He filed a complaint with the local Data Commissioner arguing that his address was listed on the website "for institutional purposes" only and he therefore felt that improper (commercial) use of his personal data had been performed.

The advertiser objected that the listing of the address in a 'public' directory (i.e. on the University's website) allowed public use of the data.

The Italian Privacy Commissioner stated8 that:

the fact that personal data could be found on the Internet didn't make them publicly available,

therefore the specific purpose pursued through data's diffusion on Internet resulted relevant,

in the specific case, the e-mail addresses being available on the University's website only for a 'limited purpose' (the institutional one), their use for sending commercial communication was not allowed without achieving data subject's prior consent.

In another case a bank's client, regularly receiving - despite explicit denial of consent for being targeted with unsolicited commercial communication - advertising material attached to his statement of account, complained with the Privacy Commissioner about such practice.

The Bank argued to its defence that the questioned marketing...