Seven years ago I started to take an annual look at what the coming year might hold for internet law in the UK. This exercise has always, perforce, included EU law. With Brexit now fully upon us future developments in EU law will no longer form part of UK law. Nevertheless, they remain potentially influential: not least, because the 2018 EU Withdrawal Act provides that UK courts may have regard to anything relevant done by the CJEU, another EU entity or the EU after 31 December. In any case I am partial to a bit of comparative law. So this survey will continue to keep significant EU law developments on its radar.
What can we expect in 2021?
Digital Single Market EU Member States are due to implement the Digital Copyright Directive by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs). The UK is not obliged to implement the Directive and has said that it has no plans to do so. Any future changes to the UK copyright framework will be “considered as part of the usual domestic policy process”.
The Polish government’s challenge to Article 17 (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.
Linking and communication to the public The UK case of Warner Music/Sony Music v TuneIn is due to come before the Court of Appeal early in 2021.
Pending CJEU copyright cases Several copyright references are pending before the EU Court of Justice.
The YouTube and Uploaded cases (C-682/18 Peterson v YouTube and C-683/18 Elsevier v Cyando) referred from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium). Advocate General Opinions have been delivered in YouTube/Cyando, VG Bildt-Kunst and Mircom.
YouTube/Cyando and Brein v News Service Europe also raise questions about copyright injunctions against intermediaries, as does C-500/19 Puls 4 TV.
Linking, search metadata and database right
C-762/19 CV-Online Latvia is a CJEU referral from Riga Regional Court concerning database right. The defendant search engine finds websites that publish job advertisements and uses hyperlinks to redirect users to the source websites, including that of the applicant. The defendant’s search results also include information - hyperlink, job, employer, geographical location of the job, and date – obtained from metatags on the applicant’s website published as Schema.org microdata. The questions for the CJEU are whether (a) the use of a hyperlink constitutes re-utilisation and (b) the use of the metatag data constitutes extraction, for the purposes of database right infringement.
Online intermediary liability
The UK government published its Full Consultation Response to the Online Harms White Paper on 15 December 2020, paving the way for a draft Online Safety Bill in 2021. The government has indicated that the draft Bill will be subject to pre-legislative scrutiny.
The German Federal Supreme Court has referred two cases (YouTube and Cyando – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. The Advocate General’s Opinion in these cases has been published.
Brein v News Service Europe and Puls 4 TV (see above for both) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.
The European Commission published its proposals
for a Digital Services Act and a Digital Markets Act on 15 December 2020. The
proposed Digital Services Act includes replacements for Articles 12 to 15 of
the ECommerce Directive. The proposals
will now proceed through the EU legislative process.
The European Commission’s Proposal for a Regulation on preventing the dissemination of terrorist content online is nearing the final stages of its legislative process, the Council and Parliament having reached political agreement on 10 December 2020. The proposed Regulation is notable for requiring one hour takedown response times and also for proactive monitoring obligations - potentially derogating from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts.
The prospect of a post-Brexit UK-US trade agreement has
prompted speculation that such an agreement might require the UK to adopt a
provision equivalent to the US S.230 Communications Decency Act. However, if
the US-Mexico-Canada Agreement precedent were adopted in such an agreement, that
would appear not to follow (as explained here).
The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. No announcement has yet been made that Agreement has entered into operation. The Agreement has potential relevance in the context of a post-Brexit UK data protection adequacy decision by the European Commission.
continue on a Second Protocol to the Cybercrime Convention,
on evidence in the cloud.
State surveillance of communications
The kaleidoscopic mosaic of cases capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape itself. In this field CJEU judgments remain particularly relevant, since they form the backdrop to any data protection adequacy decision that the European Commission might adopt in respect of the UK post-Brexit. The recently agreed UK-EU Trade and Co-operation Agreement provides a period of up to 6 months for the Commission to propose and adopt an adequacy decision.
Relevant CJEU judgments now include, most recently, Privacy International (Case C-623/17), La Quadrature du Net (C-511/18 and C-512/18), and Ordre des barreaux francophones et germanophone (C-520/18) (see discussion here and here).
Liberty has a pending judicial review of the IP Act bulk powers and data
retention powers. Some EU law aspects (including bulk powers) were stayed
pending the Privacy International reference to the CJEU. The Divisional Court rejected the claim
that the IP Act data retention powers provide for the general and indiscriminate
retention of traffic and location data, contrary to EU law. That point
may in due course come before the Court of Appeal.
In the European Court of Human Rights, Big Brother Watch and various other NGOs challenged the pre-IP Act bulk interception regime under the Regulation of Investigatory Powers Act (RIPA). The ECtHR gave a Chamber judgment on 13 September 2018. That and the Swedish Rattvisa case were subsequently referred to the ECtHR Grand Chamber and await judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.
In response to one of the BBW findings the government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.
Software - goods or services?
Judgment is pending in the CJEU on a referral from the UK Supreme Court asking whether software supplied electronically as a download and not on any tangible medium constitutes goods and/or a sale for the purposes of the Commercial Agents Regulations (C-410/19 Computer Associates (UK) Ltd v The Software Incubator Ltd). The Advocate General’s Opinion was delivered on 17 December 2020.
Law Commission projects
The Law Commission has in train several projects that have the potential to affect online activity.
It is expected to make recommendations on reform of the criminal law relating to Harmful Online Communications in early 2021. The government has said that it will consider, where appropriate, implementing the Law Commission’s final recommendations through the forthcoming Online Safety Bill. The Law Commission issued a consultation paper in September 2020 (consultation closed 18 December 2020).
The Law Commission has also issued a Consultation Paper on Hate Crime Laws, which while not specifically focused on online behaviour inevitably includes it (consultation closed 24 December 2020).
The pandemic has focused attention on legal obstacles to transacting electronically and remotely. Whilst uncommon in commercial transactions, some impediments do exist and, in a few cases, have been temporarily relaxed. That may pave the way for permanent changes in due course.
Although the question typically asked is whether electronic signatures can be used, the most significant obstacles tend to be presented by surrounding formalities rather than signature requirements themselves. A case in point is the physical presence requirement for witnessing deeds, which stands in the way of remote witnessing by video or screen-sharing. The Law Commission Report on Electronic Execution of Documents recommended that the government should set up an Industry Working Group to look at that and other issues.
Traditionally this survey does not cover data protection (too big, and a dense specialism in its own right). On this occasion, however, the Lloyd v Google appeal pending in the UK Supreme Court should not pass without notice.
EU Member States had to implement the Directive establishing the European Electronic Communications Code (EECD) by 21 December 2020. The Code brings ‘over the top’ messaging applications into the scope of ‘electronic communications services’ for the purpose of the EU telecommunications regulatory framework. As a result, the communications confidentiality provisions of the ePrivacy Directive also came into scope, affecting practices such as scanning to detect child abuse images. In order to enable such practices to continue, the European Commission proposed temporary legislation derogating from the ePrivacy Directive prohibitions. The proposed Regulation missed the 21 December deadline and continues through the EU legislative process.
Meanwhile there is as yet no conclusion to the long drawn out attempt to reach consensus on a proposed replacement for the ePrivacy Directive itself.
[Updated 29 December 2020 to add sections on Data Protection and ePrivacy.]