The UK having now cut its direct ties with EU law, what does its future hold for the intermediary liability protections in Articles 12 to 15 of the Electronic Commerce Directive?
Until recently, the government’s policy has been taken to
be as stated in its 2019 “eCommerce
Directive guidance for businesses if there’s no Brexit deal”:
“Immediately following the UK’s
exit from the EU in a no deal scenario, the government will minimise disruption
by prioritising continuity and stability. Therefore the UK’s policy approach
will continue to align with the provisions contained in the Directive,
including those on liability of intermediary service providers and general monitoring.”
Articles 12 to 14 provide limitations on the liability of
conduits, caches and hosts for unlawful user information. Article 15 prohibits
EU member states from imposing general monitoring obligations on those intermediaries.
Whether and how long the government’s commitment to Articles 12 to 15 would
survive was an open question. With nothing said in the UK-EU Trade and Co-Operation
Agreement about online intermediary liability, there appeared to be nothing to
prevent the government – should it wish to depart from its previous policy – from legislating
in future contrary to Articles 12 to 15 - subject always to the possibility of
a legal objection on fundamental rights grounds.
There was a detectable drift away from the overt commitment to
Article 15 with the publication of the government’s Full Consultation Response to
the Online Harms White Paper, published on 15 December 2020. The Response strayed into
proposing proactive monitoring obligations that could not readily be reconciled
with that policy. That drift was also evident in the simultaneously published Interim Voluntary Codes of Practice on Terrorism, and Online Child Sexual Exploitation and Abuse, which
are in effect a template for obligations likely to be imposed under the future
Online Safety Bill. The Full Response was silent on the apparent conflict with Article
15.
Now, the government has dropped its commitment to maintain
alignment with Article 15. A new version of its post-Brexit eCommerce Directive guidance, published on 18 January 2021, says this:
“The eCommerce Directive also
contains provisions relating to intermediary liability and prohibitions against
imposing general monitoring obligations.
The government is committed to
upholding the liability protections now that the transition period has ended.
For companies that host user-generated content on their online services, there
will continue to be a ‘notice and take down’ regime where the platform must
remove illegal content that they become aware of or risk incurring liability.
The government also intends to
introduce a new Online Safety regulatory framework. This will require companies
to take action to keep their users safe, including with regard to illegal
content. Details on what this will mean for companies are set out in the Online
Harms White Paper: Full government response to the consultation, and the
government plans to introduce legislation to Parliament this year.”
Notably, although a commitment to preserving some kind of hosting
protection remains, there is now silence on preserving the prohibition on general monitoring
obligations. The significance of this omission can hardly be overstated.
Legislation that takes conscious bites out of the Directive’s
protections is one thing. But there is also a more subtle threat. Active
maintenance of the statute book will be needed if the liability protections to
which the government appears to be committed are not to be corroded by simple
neglect. The Article 12 to 14 protections for conduit, caching and hosting
activities are potentially liable to erode over time as the statute book is augmented
and amended.
The reason for this lies partly in the horizontal nature of
the protections. They are not tailored specifically to copyright, to
defamation, to obscenity, or to any of the other myriad kinds of criminal and
civil liability that might be incurred online.
Articles 12 to 14 are shields that apply across the board, whatever the subject
matter of the liability.
The risk of erosion lies in the way in which successive
governments have gone about legislating those protections. When the ECommerce
Directive was first implemented in UK law, the 2002 Regulations enacted the Art
12 to 14 liability protections across the board: they applied to all existing
laws under which liability within scope of the Directive might be incurred
(except for financial services, for which the protections were legislated
separately).
But, crucially, the 2002 Regulations stated that they did not
have prospective effect. This meant that they applied only to legislation in
existence when they came into force. On every occasion thereafter that a new
criminal offence or civil wrong was created, or an existing one amended, the
protections required by Arts 12 to 14 had to be specifically enacted for that
offence or civil wrong. Administrative Guidance on Consistency of Future
Legislation issued at the time by the Department of Trade and Industry stated:
“Legislators will need to give
careful consideration to the question of whether any new requirements - again,
whether in primary, secondary or tertiary legislation and whether reserved or
devolved- create any offences which (or the aiding or abetting of which) could
possibly be committed by a mere conduit, cache or host within the meanings of
Regulations 17-19. If so, they will need to ensure that they recognise these
limitations on the liability of intermediary service providers. Similar
considerations will apply to any form of civil liability created by any new
requirements.”
In an ideal world, this would have been done within the primary legislation
that created the new or amended liability. Sometimes that happened. We can, for
instance, see the conduit, caching and hosting protections included in Schedule
1 of the Hate Crime and Public Order (Scotland) Bill currently making its way through the Scottish Parliament. Sometimes, however, it was
overlooked and the omission had to be remedied separately. Since the
protections were required by an EU Directive, the necessary provisions could be
enacted pre-Brexit by secondary legislation under the European Communities Act
1972. This was done on around 15 occasions, in addition to regulations implementing the protections for the financial services sector.
The result is a veritable hodgepodge of primary and
secondary legislation enacted over the best part of 20 years, implementing –
not always using the same language – the intermediary protections required by Articles 12 to 14 of the Directive. At
my last count, in addition to the 2002 Regulations themselves there were over 30 separate subject matter-specific
implementations dotted around different primary and secondary legislation – and I may well not have found
them all.
Post-Brexit, the option of plugging gaps via European Communities Act is no longer available. There will therefore be a greater premium on ensuring that, as in the Scottish Hate Crime Bill, the protections are included in the relevant legislation itself. If active scrutiny and maintenance are neglected, and the requisite protections are omitted from future legislation that creates new offences and civil liability, there will be a slow accretion of liabilities and offences to which the Directive’s conduit, caching and hosting protections do not apply.
If an omission has to be remedied, it would (unless
some usable order-making power that I have not spotted is buried somewhere in
the Brexit legislation) have to be done by further primary legislation.
There is one potential qualification to this analysis. Could
“Retained EU law” under the 2018 Withdrawal Act give the Directive itself a
degree of post-Brexit prospective effect? If so, could the Directive’s liability
protections be invoked against a future offence created by post-Brexit
legislation which has omitted to address the liability position of conduits, hosts and
caches? I do not pretend to know the answer to that, other than noting that the
2002 DTI Administrative Guidance was in no doubt that the liability provisions
of the Directive had direct effect:
“If legislators fail to address
such issues or fail to make proper provisions, the Directive will have direct
effect in prohibiting them from imposing liability.”