Sunday, 7 February 2021

Corrosion-proofing the UK’s intermediary liability protections

The UK having now cut its direct ties with EU law, what does its future hold for the intermediary liability protections in Articles 12 to 15 of the Electronic Commerce Directive?

Until recently, the government’s policy has been taken to be as stated in its 2019 “eCommerce Directive guidance for businesses if there’s no Brexit deal”:

“Immediately following the UK’s exit from the EU in a no deal scenario, the government will minimise disruption by prioritising continuity and stability. Therefore the UK’s policy approach will continue to align with the provisions contained in the Directive, including those on liability of intermediary service providers and general monitoring.”

Consistently with that, in October 2020 the government published post-transition guidance, stating that it "has no current plans to change the UK’s intermediary liability regime or its approach to prohibition on general monitoring requirements".

Articles 12 to 14 provide limitations on the liability of conduits, caches and hosts for unlawful user information. Article 15 prohibits EU member states from imposing general monitoring obligations on those intermediaries. Whether and how long the government’s commitment to Articles 12 to 15 would survive was an open question. With nothing said in the UK-EU Trade and Co-Operation Agreement about online intermediary liability, there appeared to be nothing to prevent the government – should it wish to depart from its previous policy – from legislating in future contrary to Articles 12 to 15 - subject always to the possibility of a legal objection on fundamental rights grounds.

There was a detectable drift away from the overt commitment to Article 15 with the publication of the government’s Full Consultation Response to the Online Harms White Paper, published on 15 December 2020. The Response strayed into proposing proactive monitoring obligations that could not readily be reconciled with that policy. That drift was also evident in the simultaneously published Interim Voluntary Codes of Practice on Terrorism, and Online Child Sexual Exploitation and Abuse, which are in effect a template for obligations likely to be imposed under the future Online Safety Bill. The Full Response was silent on the apparent conflict with Article 15.

Now, the government has dropped its commitment to maintain alignment with Article 15. A new version of its post-Brexit eCommerce Directive guidance, published on 18 January 2021, says this:

“The eCommerce Directive also contains provisions relating to intermediary liability and prohibitions against imposing general monitoring obligations.

The government is committed to upholding the liability protections now that the transition period has ended. For companies that host user-generated content on their online services, there will continue to be a ‘notice and take down’ regime where the platform must remove illegal content that they become aware of or risk incurring liability.

The government also intends to introduce a new Online Safety regulatory framework. This will require companies to take action to keep their users safe, including with regard to illegal content. Details on what this will mean for companies are set out in the Online Harms White Paper: Full government response to the consultation, and the government plans to introduce legislation to Parliament this year.”

Notably, although a commitment to preserving some kind of hosting protection remains, there is now silence on preserving the prohibition on general monitoring obligations. The significance of this omission can hardly be overstated.

Legislation that takes conscious bites out of the Directive’s protections is one thing. But there is also a more subtle threat. Active maintenance of the statute book will be needed if the liability protections to which the government appears to be committed are not to be corroded by simple neglect. The Article 12 to 14 protections for conduit, caching and hosting activities are potentially liable to erode over time as the statute book is augmented and amended.

The reason for this lies partly in the horizontal nature of the protections. They are not tailored specifically to copyright, to defamation, to obscenity, or to any of the other myriad kinds of criminal and civil liability that might be incurred online.  Articles 12 to 14 are shields that apply across the board, whatever the subject matter of the liability.

The risk of erosion lies in the way in which successive governments have gone about legislating those protections. When the ECommerce Directive was first implemented in UK law, the 2002 Regulations enacted the Art 12 to 14 liability protections across the board: they applied to all existing laws under which liability within scope of the Directive might be incurred (except for financial services, for which the protections were legislated separately).

But, crucially, the 2002 Regulations stated that they did not have prospective effect. This meant that they applied only to legislation in existence when they came into force. On every occasion thereafter that a new criminal offence or civil wrong was created, or an existing one amended, the protections required by Arts 12 to 14 had to be specifically enacted for that offence or civil wrong. Administrative Guidance on Consistency of Future Legislation issued at the time by the Department of Trade and Industry stated:

“Legislators will need to give careful consideration to the question of whether any new requirements - again, whether in primary, secondary or tertiary legislation and whether reserved or devolved- create any offences which (or the aiding or abetting of which) could possibly be committed by a mere conduit, cache or host within the meanings of Regulations 17-19. If so, they will need to ensure that they recognise these limitations on the liability of intermediary service providers. Similar considerations will apply to any form of civil liability created by any new requirements.”

In an ideal world, this would have been done within the primary legislation that created the new or amended liability. Sometimes that happened. We can, for instance, see the conduit, caching and hosting protections included in Schedule 1 of the Hate Crime and Public Order (Scotland) Bill currently making its way through the Scottish Parliament. Sometimes, however, it was overlooked and the omission had to be remedied separately. Since the protections were required by an EU Directive, the necessary provisions could be enacted pre-Brexit by secondary legislation under the European Communities Act 1972. This was done on around 15 occasions, in addition to regulations implementing the protections for the financial services sector.

The result is a veritable hodgepodge of primary and secondary legislation enacted over the best part of 20 years, implementing – not always using the same language – the intermediary protections required by Articles 12 to 14 of the Directive. At my last count, in addition to the 2002 Regulations themselves there were over 30 separate subject matter-specific implementations dotted around different primary and secondary legislation – and I may well not have found them all.

Post-Brexit, the option of plugging gaps via European Communities Act is no longer available. There will therefore be a greater premium on ensuring that, as in the Scottish Hate Crime Bill,  the protections are included in the relevant legislation itself. If active scrutiny and maintenance are neglected, and the requisite protections are omitted from future legislation that creates new offences and civil liability, there will be a slow accretion of liabilities and offences to which the Directive’s conduit, caching and hosting protections do not apply. 

If an omission has to be remedied, it would (unless some usable order-making power that I have not spotted is buried somewhere in the Brexit legislation) have to be done by further primary legislation. 

There is one potential qualification to this analysis. Could “Retained EU law” under the 2018 Withdrawal Act give the Directive itself a degree of post-Brexit prospective effect? If so, could the Directive’s liability protections be invoked against a future offence created by post-Brexit legislation which has omitted to address the liability position of conduits, hosts and caches? I do not pretend to know the answer to that, other than noting that the 2002 DTI Administrative Guidance was in no doubt that the liability provisions of the Directive had direct effect:

“If legislators fail to address such issues or fail to make proper provisions, the Directive will have direct effect in prohibiting them from imposing liability.”

However, any potential retention of direct effect would not offer any assistance in civil liability cases, since direct effect of Directives has been limited to the state, and not extended horizontally to affect rights as between private parties. For the Directive's intermediary liability protections the CJEU held as such in Papasavvas (C-291/13).   

[Amended 8 and 10 Feb 2021 to add reference to October 2020 government guidance; and 9 March 2021 to add reference to Papasavvas.]