Internet legal developments to look out for in 2022

Another instalment of my annual round-up of what is on the horizon for UK internet law [Updated 29 April and 2 November 2022]. It does stray a little beyond our shores, noting some significant EU developments (pre-Brexit habits die hard). As always, it does not include data protection (too big, not really my field).

Draft Online Safety Bill The UK government published its draft Online Safety Bill in May 2021. The Parliamentary Joint Pre-Legislative Scrutiny Committee published its report on the draft Bill on 14 December 2021. A sub-committee of the Commons DCMS Select Committee also published a report on 24 January 2022, as did the Lords Communications and Digital Committee Inquiry on Freedom of Expression Online on 22 July 2021.

The government is expected to introduced a Bill into Parliament by on 17 March 2022. The Bill had its Second Reading on 19 April 2022. Its Report Stage is paused, likely to be recommenced this month.  Among many things for which the draft legislation is notable, its abandonment of the ECD Article 15 prohibition on general monitoring obligations stands out.

EU Digital Services Act The European Commission published its proposals for a Digital Services Act and a Digital Markets Act on 15 December 2020. The proposed Digital Services Act includes replacements for Articles 12 to 15 of the ECommerce Directive.  Following a vote in the European Parliament on 20 January 2022, the proposed legislation will now entered the trilogue stage. Political agreement was reached on 23 April 2022. The final text was published in the Official Journal on 27 October 2022.

Terrorist content The EU Regulation on addressing the dissemination of terrorist content online will come into effect on 7 June 2022.

Erosion of intermediary liability shields by omission One by-product of Brexit is that the UK is no longer bound to implement the conduit, caching and hosting shields provided by the EU eCommerce Directive. The government says that it “is committed to upholding the liability protections now that the transition period has ended”.

However, implementation of that policy requires every new piece of legislation that could impose liability on an intermediary explicitly to include the protections. If that is not done, then, owing to the fact that the original Electronic Commerce Directive Regulations 2002 do not have prospective effect, the protections will not apply to that new source of liability.

Two examples are already progressing though Parliament: the statutory codification of the public nuisance offence in the Policing Bill (which, following Royal Assent, came into force on 26 June 2022), and the electronic election imprints offences in the Elections Bill (Royal Assent 28 April 2022, not yet in force), neither of which includes the conduit, caching and hosting shields.

Such omissions have been known in the past, and were cured by statutory instrument under the European Communities Act 1972. That option is no longer available. As time goes on, accretion of such omissions in new legislation will gradually erode the intermediary protections to which the government is committed.

Law Commission Reports The Law Commission has issued two Reports making recommendations that are relevant to online speech. The first is its Report on Reform of the Communications Offences (notably, recommending replacing S.127 Communications Act 2003 and  the Malicious Communications Act 1988 with a new harm-based offence). The second report is on Hate Crime Laws. The recommendations on communications offences, at least, are being considered for incorporation have been included in the Online Safety Bill.

Copyright The Polish government’s challenge to Article 17 (Poland v Parliament and Council, Case C-401/19) is pending was decided on 26 April 2022. Poland argued that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contended that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

The Advocate-General’s Opinion was delivered on 15 July 2021. It was something of an Opinion of Solomon: recommending that the challenge be rejected, but only on the basis that the Directive is implemented in a way that minimises false positives. The Advocate General also, in a postscript, challenged aspects of the Article 17 guidance issued by the Commission subsequent to the drafting of the Opinion. The judgment largely followed the Opinion, dismissing the challenge but on the basis of an interpretation of Article 17 that included strict safeguards against removal of lawful content.

Policing Bill The Police, Crime, Sentencing and Courts Bill has ignited significant controversy over its impact on street protests, including through its statutory codification of the common law offence of public nuisance. The potential application of the new statutory offence to online speech, however, has gone virtually unnoticed.  

Product Security and Telecommunications Infrastructure Bill An honourable mention for this Bill: a framework for imposing all kinds of security requirements on (among other things) internet-connectable products.

Back from the dead? The Digital Economy Act 2017 The non-commencement of the age verification provisions of the Digital Economy Act 2017 has long been a source of controversy. In November 2021 the High Court gave permission to two members of the public to commence judicial review proceedings. This may now in practice have been overtaken by the inclusion of pornography sites in the Online Safety Bill.

Cross-border data access The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. No announcement has yet been made that Agreement has entered into operation. It came into force on 3 October 2022.

The Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence is was open for signature from 12 May 2022 and presented to the UK Parliament in July 2022.

State communications surveillance The kaleidoscopic mosaic of cases capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape itself. In this field CJEU judgments will continue to be relevant in principle, since they form the backdrop to future reviews of the European Commission’s June 2021 UK data protection adequacy decision.

Domestically, Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. Some EU law aspects (including bulk powers) were stayed pending the Privacy International reference to the CJEU. Those aspects are now proceeding and, according to Liberty, are likely to be in court in early 2022. The Divisional Court rejected the claim that the IP Act data retention powers provide for the general and indiscriminate retention of traffic and location data, contrary to EU law. That point may in due course come before the Court of Appeal. The Divisional Court gave judgment on the stayed aspects on 24 June 2022. Liberty's claims were rejected except for one aspect concerning the need for prior independent authorisation for access to some retained data. 

Investigatory Powers Act review The second half of 2022 will see the Secretary of State preparing the report on the operation of the IP Act required under Section 260 of the Act.

Electronic transactions The pandemic focused attention on legal obstacles to transacting electronically and remotely. Whilst uncommon in commercial transactions, some impediments do exist and, in a few cases, were temporarily relaxed. That may pave the way for permanent changes in due course.

Although the question typically asked is whether electronic signatures can be used, the most significant obstacles tend to be presented by surrounding formalities rather than signature requirements themselves. A case in point is the physical presence requirement for witnessing deeds, which stands in the way of remote witnessing by video or screen-sharing. The Law Commission Report on Electronic Execution of Documents recommended that the government should set up an Industry Working Group to look at that and other issues. The Working Group has now been formed. It issued an Interim Report on 1 February 2022.

[Updated 29 April 2022 and 2 November 2022.]

Internet legal developments to look out for in 2021

Seven years ago I started to take an annual look at what the coming year might hold for internet law in the UK. This exercise has always, perforce, included EU law. With Brexit now fully upon us future developments in EU law will no longer form part of UK law. Nevertheless, they remain potentially influential: not least, because the 2018 EU Withdrawal Act provides that UK courts may have regard to anything relevant done by the CJEU, another EU entity or the EU after 31 December. In any case I am partial to a bit of comparative law. So this survey will continue to keep significant EU law developments on its radar.

What can we expect in 2021?

Copyright

Digital Single Market EU Member States are due to implement the Digital Copyright Directive by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs). The UK is not obliged to implement the Directive and has said that it has no plans to do so. Any future changes to the UK copyright framework will be “considered as part of the usual domestic policy process”.

The Polish government’s challenge to Article 17 (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

Linking and communication to the public The UK case of Warner Music/Sony Music v TuneIn is due to come before the Court of Appeal early in 2021.

Pending CJEU copyright cases Several copyright references are pending before the EU Court of Justice.

The YouTube and Uploaded cases (C-682/18 Peterson v YouTube and C-683/18 Elsevier v Cyando) referred from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium). Advocate General Opinions have been delivered in YouTube/Cyando, VG Bildt-Kunst and Mircom.

YouTube/Cyando and Brein v News Service Europe also raise questions about copyright injunctions against intermediaries, as does C-500/19 Puls 4 TV.

Linking, search metadata and database right

C-762/19 CV-Online Latvia is a CJEU referral from Riga Regional Court concerning database right. The defendant search engine finds websites that publish job advertisements and uses hyperlinks to redirect users to the source websites, including that of the applicant. The defendant’s search results also include information - hyperlink, job, employer, geographical location of the job, and date – obtained from metatags on the applicant’s website published as Schema.org microdata. The questions for the CJEU are whether (a) the use of a hyperlink constitutes re-utilisation and (b) the use of the metatag data constitutes extraction, for the purposes of database right infringement.

Online intermediary liability

The UK government published its Full Consultation Response to the Online Harms White Paper on 15 December 2020, paving the way for a draft Online Safety Bill in 2021. The government has indicated that the draft Bill will be subject to pre-legislative scrutiny.

The German Federal Supreme Court has referred two cases (YouTube and Cyando – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. The Advocate General’s Opinion in these cases has been published.

Brein v News Service Europe and Puls 4 TV (see above for both) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.

The European Commission published its proposals for a Digital Services Act and a Digital Markets Act on 15 December 2020. The proposed Digital Services Act includes replacements for Articles 12 to 15 of the ECommerce Directive.  The proposals will now proceed through the EU legislative process.

The European Commission’s Proposal for a Regulation on preventing the dissemination of terrorist content online is nearing the final stages of its legislative process, the Council and Parliament having reached political agreement on 10 December 2020. The proposed Regulation is notable for requiring one hour takedown response times and also for proactive monitoring obligations - potentially derogating from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts.

The prospect of a post-Brexit UK-US trade agreement has prompted speculation that such an agreement might require the UK to adopt a provision equivalent to the US S.230 Communications Decency Act. However, if the US-Mexico-Canada Agreement precedent were adopted in such an agreement, that would appear not to follow (as explained here).

Cross-border 

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. No announcement has yet been made that Agreement has entered into operation. The Agreement has potential relevance in the context of a post-Brexit UK data protection adequacy decision by the European Commission.

Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications

The kaleidoscopic mosaic of cases capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape itself. In this field CJEU judgments remain particularly relevant, since they form the backdrop to any data protection adequacy decision that the European Commission might adopt in respect of the UK post-Brexit. The recently agreed UK-EU Trade and Co-operation Agreement provides a period of up to 6 months for the Commission to propose and adopt an adequacy decision.

Relevant CJEU judgments now include, most recently, Privacy International (Case C-623/17), La Quadrature du Net (C-511/18 and C-512/18), and Ordre des barreaux francophones et germanophone (C-520/18) (see discussion here and here).

Domestically, Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. Some EU law aspects (including bulk powers) were stayed pending the Privacy International reference to the CJEU. The Divisional Court rejected the claim that the IP Act data retention powers provide for the general and indiscriminate retention of traffic and location data, contrary to EU law. That point may in due course come before the Court of Appeal.

In the European Court of Human Rights, Big Brother Watch and various other NGOs challenged the pre-IP Act bulk interception regime under the Regulation of Investigatory Powers Act (RIPA). The ECtHR gave a Chamber judgment on 13 September 2018. That and the Swedish Rattvisa case were subsequently referred to the ECtHR Grand Chamber and await judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In response to one of the BBW findings the government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

Software - goods or services?

Judgment is pending in the CJEU on a referral from the UK Supreme Court asking whether software supplied electronically as a download and not on any tangible medium constitutes goods and/or a sale for the purposes of the Commercial Agents Regulations (C-410/19 Computer Associates (UK) Ltd v The Software Incubator Ltd). The Advocate General’s Opinion was delivered on 17 December 2020.

Law Commission projects

The Law Commission has in train several projects that have the potential to affect online activity.

It is expected to make recommendations on reform of the criminal law relating to Harmful Online Communications in early 2021. The government has said that it will consider, where appropriate, implementing the Law Commission’s final recommendations through the forthcoming Online Safety Bill. The Law Commission issued a consultation paper in September 2020 (consultation closed 18 December 2020).

The Law Commission has also issued a Consultation Paper on Hate Crime Laws, which while not specifically focused on online behaviour inevitably includes it (consultation closed 24 December 2020).

It has recently launched a Call for Evidence on Smart Contracts (closing 31 March 2021) and is also in the early stages of a project on Digital Assets.

Electronic transactions

The pandemic has focused attention on legal obstacles to transacting electronically and remotely. Whilst uncommon in commercial transactions, some impediments do exist and, in a few cases, have been temporarily relaxed. That may pave the way for permanent changes in due course.

Although the question typically asked is whether electronic signatures can be used, the most significant obstacles tend to be presented by surrounding formalities rather than signature requirements themselves. A case in point is the physical presence requirement for witnessing deeds, which stands in the way of remote witnessing by video or screen-sharing. The Law Commission Report on Electronic Execution of Documents recommended that the government should set up an Industry Working Group to look at that and other issues.

Data Protection 

Traditionally this survey does not cover data protection (too big, and a dense specialism in its own right). On this occasion, however, the Lloyd v Google appeal pending in the UK Supreme Court should not pass without notice.

ePrivacy

EU Member States had to implement the Directive establishing the European Electronic Communications Code (EECD) by 21 December 2020. The Code brings ‘over the top’ messaging applications into the scope of ‘electronic communications services’ for the purpose of the EU telecommunications regulatory framework. As a result, the communications confidentiality provisions of the ePrivacy Directive also came into scope, affecting practices such as scanning to detect child abuse images. In order to enable such practices to continue, the European Commission proposed temporary legislation derogating from the ePrivacy Directive prohibitions. The proposed Regulation missed the 21 December deadline and continues through the EU legislative process.

Meanwhile there is as yet no conclusion to the long drawn out attempt to reach consensus on a proposed replacement for the ePrivacy Directive itself. 

[Updated 29 December 2020 to add sections on Data Protection and ePrivacy.] 

Internet legal developments to look out for in 2020

Never mind Brexit, what is coming up on the UK internet legal scene in the coming year? The highlight of 2020 is of course the January publication of the 5th edition of Internet Law and Regulation :-). That apart, here are some cases and legislation to look out for. (In accordance with long tradition this feature does not cover data protection.)

Copyright

DSM Copyright Directive Member States’ implementation of the Digital Single Market Copyright Directive is due by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs).

A CJEU challenge to Article 17 by the Polish government (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

SatCab Directive The EU Directive extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to online radio and news broadcasts was adopted in April 2019 and has to be implemented by 7 June 2021.

Linking and communication to the public In the UK case of Warner Music/Sony Music v TuneIn permission has been granted to both sides to appeal the High Court’s judgment of 1 November 2019.

Pending CJEU copyright cases Several copyright references are pending in the EU Court of Justice. Judgment in the Dutch Tom Kabinet case on secondhand e-book trading (Case C-263/18) is due was delivered on 19 December 2019. The CJEU decided against Tom Kabinet, holding that its service was a communication to the public, not a distribution subject to exhaustion of rights.

The YouTube and Uploaded cases (C-682/18 Petersongs v YouTube and C-683/18 Elsevier v Cyando) pending from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium).

Questions about injunctions against intermediaries are also raised in C-682/18 Petersongs v YouTube, C-442/19 Brein v News Service Europe and C-500/19 Puls 4 TV.

C-264/19 Constantin Film v YouTube asks questions about the permissible scope of court orders against intermediaries requiring provision of information about alleged infringers to rightholders under the IP Enforcement Directive.

Intermediary liability

The UK government published its Online Harms White Paper on 8 April 2019. The subsequent Conservative manifesto for the December 2019 election promised to legislate for online safety, while at the same time defending freedom of expression and in particular recognising and defending the invaluable role of a free press. The government’s response to its consultation on the White Paper was originally due to be published before the end of 2019. The Queen’s Speech immediately before the election indicated that draft legislation would be subject to the pre-legislative scrutiny process.

The German Federal Supreme Court has referred two cases (YouTube and Uploaded  – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-500/19 Puls 4 TV (Austria, Supreme Court) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.

On 19 December 2019 the CJEU issued its AirBnB (C-390/18) judgment on the scope of the eCommerce Directive, holding that the kind of service provided by AirBnB is an information society service within the scope of the Directive. It also held that in criminal proceedings with an ancillary civil element, it is a defence to measures restricting an information society service incoming from another Member State that the measures had not been notified to the European Commission and the Member State concerned under Article 3(4) of the Directive.

The new European Commission is proposing a Digital Services Act, starting with a public consultation in early 2020. This will include a review of the ECommerce Directive liability shields.

On 12 September 2018 the European Commission published a Proposal for a Regulation on preventing the dissemination of terrorist content online. This followed its September 2017 Communication on Tackling Illegal Content Online and March 2018 Recommendation on Measures to Effectively Tackle Illegal Content Online. It is notable for proposing one hour takedown response times and for the ability for Member States to derogate from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts. Discussions on the proposed Regulation continue.

Cross-border liability and jurisdiction

In the law enforcement field the EU has proposed a Regulation on EU Production and Preservation Orders (the ‘e-Evidence Regulation’) and associated Directive that would set up a regime for some cross-border requests direct to service providers. The UK has said that it will not opt in the Regulation.

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. Final implementation in each country awaits completion of review by the US Congress and the UK Parliament. The EU will commence negotiations with the USA for an EU-wide agreement.

Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications

The UK’s Investigatory Powers Act 2016 (IP Act), has come into force, including amendments following the Watson/Tele2 decision of the CJEU. The government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

A pending reference to the CJEU from the Investigatory Powers Tribunal in litigation brought by Privacy International (Case C-623/17) raises questions as to whether the Watson decision applies to national security, and if so how; whether mandatorily retained data have to be held within the EU; and whether those whose data have been accessed have to be notified.

Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. It has been granted permission to appeal to the Court of Appeal on the question whether the data retention powers constitute illegitimate generalised and indiscriminate retention. Other aspects (including bulk powers) are stayed pending the Privacy International reference to the CJEU or (a challenge based on the Human Rights Act) were refused by the Divisional Court.

The IP Act (in particular the bulk powers provisions) may be indirectly affected by other cases pending in the CJEU: Schrems 2 (C-311/18), challenges by La Quadrature de la Net to the EU-US PrivacyShield (T-738/16) and to the French data communications data retention regime (C-511/18 and C-512/18), and a challenge to the Belgian communications data retention regime (C-520/18); in the European Court of Human Rights (in which Big Brother Watch and various other NGOs challenge the existing RIPA bulk interception regime) and by a pending domestic judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers.

The ECtHR gave a Chamber judgment in the BBW case on 13 September 2018. That and the Swedish Rattvisa case were subsequently referred to the ECtHR Grand Chamber and are awaiting judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In the Privacy International equipment interference case, the Supreme Court held on 15 May 2019 that the IPT decision was susceptible of judicial review. The litigation will now continue.

Compliance of the UK’s surveillance laws with EU Charter fundamental rights will be a factor in any data protection adequacy decision that is sought once the UK becomes a non-EU third country post-Brexit.

Here is an updated mindmap of challenges to the UK surveillance regime:

Software - goods or services?

Judgment is awaited from the UK Supreme Court as to whether software supplied electronically as a download and not on any tangible medium is goods for the purposes of the Commercial Agents Regulations (Computer Associates (UK) Ltd v The Software Incubator Ltd).

[Updated 20 December 2019 to add Tom Kabinet and AirBnB CJEU judgments; and 22 December 2019 to add C-511/18 and C-512/18); and 20 October 2020 with updated mindmap]