Internet legal developments to look out for in 2021

Seven years ago I started to take an annual look at what the coming year might hold for internet law in the UK. This exercise has always, perforce, included EU law. With Brexit now fully upon us future developments in EU law will no longer form part of UK law. Nevertheless, they remain potentially influential: not least, because the 2018 EU Withdrawal Act provides that UK courts may have regard to anything relevant done by the CJEU, another EU entity or the EU after 31 December. In any case I am partial to a bit of comparative law. So this survey will continue to keep significant EU law developments on its radar.

What can we expect in 2021?

Copyright

Digital Single Market EU Member States are due to implement the Digital Copyright Directive by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs). The UK is not obliged to implement the Directive and has said that it has no plans to do so. Any future changes to the UK copyright framework will be “considered as part of the usual domestic policy process”.

The Polish government’s challenge to Article 17 (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

Linking and communication to the public The UK case of Warner Music/Sony Music v TuneIn is due to come before the Court of Appeal early in 2021.

Pending CJEU copyright cases Several copyright references are pending before the EU Court of Justice.

The YouTube and Uploaded cases (C-682/18 Peterson v YouTube and C-683/18 Elsevier v Cyando) referred from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium). Advocate General Opinions have been delivered in YouTube/Cyando, VG Bildt-Kunst and Mircom.

YouTube/Cyando and Brein v News Service Europe also raise questions about copyright injunctions against intermediaries, as does C-500/19 Puls 4 TV.

Linking, search metadata and database right

C-762/19 CV-Online Latvia is a CJEU referral from Riga Regional Court concerning database right. The defendant search engine finds websites that publish job advertisements and uses hyperlinks to redirect users to the source websites, including that of the applicant. The defendant’s search results also include information - hyperlink, job, employer, geographical location of the job, and date – obtained from metatags on the applicant’s website published as Schema.org microdata. The questions for the CJEU are whether (a) the use of a hyperlink constitutes re-utilisation and (b) the use of the metatag data constitutes extraction, for the purposes of database right infringement.

Online intermediary liability

The UK government published its Full Consultation Response to the Online Harms White Paper on 15 December 2020, paving the way for a draft Online Safety Bill in 2021. The government has indicated that the draft Bill will be subject to pre-legislative scrutiny.

The German Federal Supreme Court has referred two cases (YouTube and Cyando – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. The Advocate General’s Opinion in these cases has been published.

Brein v News Service Europe and Puls 4 TV (see above for both) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.

The European Commission published its proposals for a Digital Services Act and a Digital Markets Act on 15 December 2020. The proposed Digital Services Act includes replacements for Articles 12 to 15 of the ECommerce Directive.  The proposals will now proceed through the EU legislative process.

The European Commission’s Proposal for a Regulation on preventing the dissemination of terrorist content online is nearing the final stages of its legislative process, the Council and Parliament having reached political agreement on 10 December 2020. The proposed Regulation is notable for requiring one hour takedown response times and also for proactive monitoring obligations - potentially derogating from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts.

The prospect of a post-Brexit UK-US trade agreement has prompted speculation that such an agreement might require the UK to adopt a provision equivalent to the US S.230 Communications Decency Act. However, if the US-Mexico-Canada Agreement precedent were adopted in such an agreement, that would appear not to follow (as explained here).

Cross-border 

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. No announcement has yet been made that Agreement has entered into operation. The Agreement has potential relevance in the context of a post-Brexit UK data protection adequacy decision by the European Commission.

Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications

The kaleidoscopic mosaic of cases capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape itself. In this field CJEU judgments remain particularly relevant, since they form the backdrop to any data protection adequacy decision that the European Commission might adopt in respect of the UK post-Brexit. The recently agreed UK-EU Trade and Co-operation Agreement provides a period of up to 6 months for the Commission to propose and adopt an adequacy decision.

Relevant CJEU judgments now include, most recently, Privacy International (Case C-623/17), La Quadrature du Net (C-511/18 and C-512/18), and Ordre des barreaux francophones et germanophone (C-520/18) (see discussion here and here).

Domestically, Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. Some EU law aspects (including bulk powers) were stayed pending the Privacy International reference to the CJEU. The Divisional Court rejected the claim that the IP Act data retention powers provide for the general and indiscriminate retention of traffic and location data, contrary to EU law. That point may in due course come before the Court of Appeal.

In the European Court of Human Rights, Big Brother Watch and various other NGOs challenged the pre-IP Act bulk interception regime under the Regulation of Investigatory Powers Act (RIPA). The ECtHR gave a Chamber judgment on 13 September 2018. That and the Swedish Rattvisa case were subsequently referred to the ECtHR Grand Chamber and await judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In response to one of the BBW findings the government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

Software - goods or services?

Judgment is pending in the CJEU on a referral from the UK Supreme Court asking whether software supplied electronically as a download and not on any tangible medium constitutes goods and/or a sale for the purposes of the Commercial Agents Regulations (C-410/19 Computer Associates (UK) Ltd v The Software Incubator Ltd). The Advocate General’s Opinion was delivered on 17 December 2020.

Law Commission projects

The Law Commission has in train several projects that have the potential to affect online activity.

It is expected to make recommendations on reform of the criminal law relating to Harmful Online Communications in early 2021. The government has said that it will consider, where appropriate, implementing the Law Commission’s final recommendations through the forthcoming Online Safety Bill. The Law Commission issued a consultation paper in September 2020 (consultation closed 18 December 2020).

The Law Commission has also issued a Consultation Paper on Hate Crime Laws, which while not specifically focused on online behaviour inevitably includes it (consultation closed 24 December 2020).

It has recently launched a Call for Evidence on Smart Contracts (closing 31 March 2021) and is also in the early stages of a project on Digital Assets.

Electronic transactions

The pandemic has focused attention on legal obstacles to transacting electronically and remotely. Whilst uncommon in commercial transactions, some impediments do exist and, in a few cases, have been temporarily relaxed. That may pave the way for permanent changes in due course.

Although the question typically asked is whether electronic signatures can be used, the most significant obstacles tend to be presented by surrounding formalities rather than signature requirements themselves. A case in point is the physical presence requirement for witnessing deeds, which stands in the way of remote witnessing by video or screen-sharing. The Law Commission Report on Electronic Execution of Documents recommended that the government should set up an Industry Working Group to look at that and other issues.

Data Protection 

Traditionally this survey does not cover data protection (too big, and a dense specialism in its own right). On this occasion, however, the Lloyd v Google appeal pending in the UK Supreme Court should not pass without notice.

ePrivacy

EU Member States had to implement the Directive establishing the European Electronic Communications Code (EECD) by 21 December 2020. The Code brings ‘over the top’ messaging applications into the scope of ‘electronic communications services’ for the purpose of the EU telecommunications regulatory framework. As a result, the communications confidentiality provisions of the ePrivacy Directive also came into scope, affecting practices such as scanning to detect child abuse images. In order to enable such practices to continue, the European Commission proposed temporary legislation derogating from the ePrivacy Directive prohibitions. The proposed Regulation missed the 21 December deadline and continues through the EU legislative process.

Meanwhile there is as yet no conclusion to the long drawn out attempt to reach consensus on a proposed replacement for the ePrivacy Directive itself. 

[Updated 29 December 2020 to add sections on Data Protection and ePrivacy.] 

The penultimate word on copyright intermediary liability?

The 16 July 2020 Opinion of Advocate General Saugmandsgaard Øe in YouTube/Cyando is something of a tour de force, attempting in 256 closely reasoned paragraphs to construct a Grand Unified Theory of how the intermediary liability provisions of the ECommerce Directive 2000 and the communication to the public provisions of the Copyright InfoSoc Directive 2001 can be made to sit comfortably together when applied to platforms to which users can upload and share content: video streams in the case of YouTube, and a private file storage facility with the ability to share download links in the case of Cyando.

The AG’s Opinion will not be the last word on these topics –the CJEU’s judgment in YouTube/Cyando itself will follow, as well as several other pending CJEU references. The judgments may or may not adopt the AG’s approach. However, the Opinion will be difficult to surpass for its thorough analysis of the issues and in its heroic attempt to bring coherence to a fiercely contested and mutable area of the law.

However, for platforms that fall within Article 17 of the new Digital Copyright Directive the Copyright InfoSoc Directive provisions on which the AG has opined will in due course be superseded (albeit not apparently in the UK, which has said that it has no plans to implement the Digital Copyright Directive). Article 17 enacts a sui generis version of the communication to the public right and a corresponding customised liability safe harbour that will, for platforms within Article 17, replace the general Article 14 ECD shield. Notably, the AG rejected an argument that the new Directive merely clarifies what has always been the law under the existing Copyright InfoSoc Directive and the ECommerce Directive.

Article 17, we should also remember, is under challenge in the CJEU by Poland, claiming that the illegal upload prevention provision breaches Article 11 of the Charter. From that perspective, the views of the AG regarding balance of rights under the Charter will be of interest.

Why alignment?

Aligning the two Directives is an exercise peculiar to copyright. Generally speaking, the scope of the ECommerce Directive does not have to be reconciled with that of underlying substantive laws. ECD Articles 12 to 15 are an independent horizontal overlay over an enormous range of substantive civil and criminal liability across all Member States. They provide a uniform liability shield regardless of the scope of the underlying substantive law:

“Article 14(1) of Directive 2000/31 applies, horizontally, to all forms of liability which the providers in question may incur in respect of any kind of information which they store at the request of the users of their services, whatever the source of that liability, the field of law concerned and the characterisation or exact nature of the liability.” [138]

So, if a hosting provider loses the protection of Article 14 through not removing an item of content expeditiously after becoming aware of its illegality, liability does not necessarily ensue. That has to be assessed under the substantive underlying Member State law. As the AG Opinion puts it:

“the purpose of [Article 14] is not to determine positively the liability of a provider. It simply limits negatively the situations in which it can be held liable on that basis.” [134]

Copyright, however, is somewhat different. The ECD and the 2001 Copyright InfoSoc Directive went through the EU legislative process at about the same time and were intended, together, to establish (ECD, Recital 50):

“a clear framework of rules relevant to the issue of liability of intermediaries for copyright and relating [sic] rights infringements at Community level.”

The Copyright InfoSoc Directive noted that liability for activities in the network environment concerned copyright and related rights as well as other areas. The ECD:

“… provides a harmonised framework of principles and provisions relevant inter alia to important parts of this Directive.” (Copyright InfoSoc Directive, Recital 16)

This is the basis on which it is suggested that the scope of the two Directives should be aligned. If so, however, which should be the template? Since the ECD is horizontal and thus of general application, it would be logical that any such interpretative exercise should focus on bringing the Copyright Directive into line with the ECD, not vice versa. Recital 16 of the Copyright Directive explicitly cedes precedence to the ECD: “This Directive is without prejudice to provisions relating to liability in that Directive.”

The AG’s view is that the criteria for communication to the public and the conditions for application Art 14 must and can be interpreted consistently in order to avoid, in practice, any overlap between them.

Fundamental rights compatibility

The AG addresses compatibility with the EU Charter of Fundamental Rights, opining that the ‘high level of protection’ demanded by the Copyright InfoSoc Directive does not necessarily equate to ‘maximum protection’. Although copyright is protected as a fundamental right in the Charter, that right is not absolute and must generally be balanced with other fundamental rights and interests. The Court, he says, seeks a reasonable interpretation to achieve that.

He emphasises that a general monitoring obligation on hosts to seek illegal information and activity was held by the CJEU in SABAM/Netlog to be contrary not only to Article 15 ECD, but also the Charter. It would introduce a serious risk of undermining the fundamental rights involved: platform operators’ freedom to conduct a business (Article 16), users’ freedom of expression (Article 11) and also, in his view, freedom of the arts (Article 13).

For freedom of the arts, an obligated filtering tool might not distinguish adequately between legal and illegal content, leading to the blocking of legal content. That would endanger online creativity, in that maximum protection of some forms of intellectual creativity would be to the detriment of other forms of creativity which are also positive for society.

Approach to alignment

Since the general approach of the AG is to mould communication to the public, in its application to platforms, to fit Article 14 ECD, it is logical to focus primarily on his exposition of Article 14 ECD. The Opinion is also a useful reminder of some aspects of Article 14 that are easily overlooked or misunderstood.

Generally, the AG takes the active/passive distinction to qualify for hosting protection under the ECommerce Directive, then applies it to the contrast drawn in the Copyright InfoSoc Directive between (a) someone who, by providing ‘physical facilities’, acts as an intermediary (Recital 27) and (b) someone who “intervenes actively in the communication to the public of works” ([75]).

He emphasises that the distinction has to be drawn in relation to specific content. (This focus on whether conduct is active or passive in relation to a given item of content contrasts with a common misconception that the active/passive distinction under Article 14 ECD involves an assessment of the overall role of the platform.)

He expresses reservations about the line of CJEU caselaw in GS Media, Filmspeler and Pirate Bay, which he characterises as extending the CTP right into unharmonised areas of secondary liability, founded on facilitation and knowledge of illegality. Nevertheless, he goes on to discuss the application of that reasoning to the instant cases.

For this purpose he applies to communication to the public the knowledge and awareness principles of ECD Article 14 ([111]). As with the active/passive distinction, this focuses on specific activities and information, as opposed to (in this context) consequences flowing from generalised awareness of illegality.

In summary, therefore, the AG equates “primary” communication to the public – intervention in an actual or possible transmission – with the active/passive distinction that determines initial qualification for ECD Art 14 protection; and equates “secondary” communication to the public with the ECD's knowledge-based conditions for losing the liability protection of Article 14.

Article 14 transposed to “primary” communication to the public

The following are some key points in the AG’s discussion of Article 14. References are to paragraph numbers, together with (where relevant) an italicised citation to the closest equivalent point in the AG’s discussion of the communication to the public right.

• Only a shield The purpose of Article 14 is to act as a liability shield, not to provide a positive determination of liability. [134]
• Horizontal application The Article 14 exemption applies horizontally, independently of the characterisation of the liability by the underlying substantive law.  It therefore covers both primary and secondary liability for information provided and activities initiated by users. [138]
• Additional activities Activities additional to storage provided as part of the service do not prevent applicability of Art 14. [145] Nevertheless, the exemption concerns only liability that may result from information provided by users. It does not cover any other aspect of the provider’s activity. [146]
• Active/passive hosting As regards the active/passive hosting distinction established by the CJEU:
  • Inherent control The capacity for control inherent in any hosting activity cannot amount to an active role. [151] (cf CTP [73]: being an important, or even crucial, link in the chain does not amount to an essential role.)
  • Specific content An active role must relate to specific content, where by the nature of its activity the intermediary is deemed to acquire intellectual control of that content. [152] (cf CTP [75]: intentional decision to communicate a given work.)
  • A distinction should be made between controlling the conditions for display of user information and controlling the content of that information.  [160], [162] (cf CTP [75]: determines the content in some other way.)
• Examples of an active role include:
  • Selecting stored information. [152] (CTP: [75])
  • Active involvement in the content of stored information in some other way. [152] (CTP: [75] (“determines it in some other way”)).
  • Presenting stored information to the public in such a way that it appears to be the host’s own. [152] (CTP: [75]) As to that, in the Advocate General’s view YouTube does not do so because it indicates which user uploaded the video. [156] (CTP: [83]); and Cyando does not do so because the average, reasonably informed, internet user knows that files stored by a file hosting/sharing platform do not, as a rule, come from the operator. [156]
• Examples that are not an active role include:
  • Automatic uploading without prior viewing or selection [154] (CTP: [78])
  • Providing access to content or the ability to download, by purely technical and automatic processes. [155]
  • Structuring the way in which videos are presented and integrating into a standard viewing interface [157] - [159] (CTP: [81], [82])
  • Processing of search results and indexing under different categories [157] (CTP: [81], [82])
  • Integrated search function [157], [160] (CTP: [81])
  • Automated recommendation of videos similar to those previously viewed [161], [162] (CTP: [84])
  • Remuneration by advertising [163] (CTP: [86])
  • Proactively carrying out checks for illegal content [166] (CTP: [78])

Points specific to communication to the public

For communication to the public, the AG also rejected arguments that grant of a licence by users to the platform amounted to active intervention. That would be different if the platform re-used content under the licence. [85]

Generally, profit was not a relevant criterion for the existence of communication to the public, but at most was an indicator. Revenue models related to attractiveness of content are a less useful indicator where the provision of physical facilities is generally carried on for profit. [86] to [88]

“Secondary” communication to the public and Article 14 knowledge and awareness

As to knowledge and awareness of illegality under the “secondary liability” interpretation of the communication to the public right, the AG suggested that they should be determined on the same principles as for Article 14 ECD. In other words, the conditions for loss of protection for a host under Article 14 should also found liability under the “secondary” communication to the public right as applicable to platforms such as YouTube and Cyando. 

In the AG's view knowledge of whether files are legal or illegal should not be presumed merely because the operator pursues a profit-making purpose. The GS Media presumption (aside from the fact that the CJEU seemed to have applied it only to hyperlinks [113]) should not be applied where the platform did not itself upload the content. That would contradict the Article 15 prohibition on imposing a general monitoring obligation. [115]

Further, the fact that an intermediary profits from illegal use should not be decisive. Any provider of goods or services that might be subject to both kinds of use will inevitably derive some of its profits from users who purchase or utilise them for illegal purposes. Other facts must therefore be demonstrated. [118]

The AG incorporated by reference ([111]) his discussion of the Article 14 knowledge and awareness provisions at [169] to [196]:

• The knowledge of illegality required for the protection of Article 14 to be removed relates to specific illegal information. [172], [196]. That reflects the legislative purpose that Article 14 is intended to form the basis of notice and takedown procedures, when specific illegal information is brought to the attention of the service provider. [176]
• Loss of protection based on general awareness is not compatible with the requirement of actual knowledge in Art 14(1)(a). [179]
• As to awareness of facts and circumstances from which illegality is apparent:
  • the diligent economic operator referred to in L’Oreal v eBay is assumed, on the basis of objective factors of which it has actual knowledge relating to specific information on its servers, to perform sufficient diligence to realise the illegality of that information. It has no obligation to seek facts or circumstances in general. [182], [184], [185].
  • Since many situations regarding copyright infringement are ambiguous in the absence of context, a general obligation would create a risk of systematic over-removal in order to avoid risk of liability, posing an obvious problem in terms of freedom of expression. [189]
  • In order to be apparent, illegality must be manifest. This requirement seeks, in the AG’s view, to avoid forcing the operator itself to come to decisions on legally complex questions and, in doing so, turn itself into a judge of online legality. [187]
  • In order for illegality to be apparent, a notification must provide evidence that would allow a diligent economic operator in its situation to establish that character without difficulty and without conducting a detailed legal or factual examination. [190]

Bad faith

By way of exception to his propositions regarding specific knowledge, the Advocate General went on to discuss deliberate facilitation of illegal uses, for which general awareness of illegality would suffice to found liability. The AG discusses this bad faith exception in detail under communication to the public ([120] to [131]), incorporated by reference into his discussion of Article 14 [191].

The AG suggests that general and abstract knowledge of illegality should be sufficient to disapply Article 14 protection where the operator deliberately facilitates carrying out of illegal acts by users of its service. Where objective elements demonstrate the bad faith of the provider, then it should lose the benefit of the exemption.

The AG suggests the following principles for determining bad faith:

• Intent to facilitate third party infringements should suffice [120]
• The mere fact of enabling users to publish content by an automatic process and not carrying out a general pre-upload check cannot be tantamount to wilful blindness or negligence. [122]
• Subject to notice of a specific infringement, mere negligence of a provider is (by definition) not sufficient to show that that provider is intervening ‘deliberately’ to facilitate copyright infringements committed by users. [122] 
• The way in which a provider organises its service can, in some circumstances, show the ‘deliberate nature’ of its intervention in illegal acts of ‘communication to the public’ committed by users. [123] 
• Characteristics of the service may demonstrate the bad faith of the provider in question, which may take the form of an intention to incite or wilful blindness towards such copyright infringements. [123] 
• It is appropriate to check whether the characteristics of service (a) have an objective explanation and offer added value for lawful uses and (b) whether provider has taken reasonable steps to prevent unlawful use of the service. [124] 
• But the service provider cannot be expected to check, in general, all user files before upload (cf ECD Art 15). Therefore reasonable steps should be a defence. Good faith will tend to be shown where the provider diligently fulfils ECD Art 14 withdrawal obligations [sic] or complies with any injunction obligations, or takes other voluntary measures. [124] 

It seems, therefore, that the AG is saying that the question of reasonable steps should be relevant only to rebut a presumption of bad faith that may arise if there are aspects of the service that do not, on the face of them, have an objective explanation and offer added value for lawful uses.

By way of guidance (although it would be a matter for the national court) the AG suggested that indexing and search functions [126], inserting advertisements into videos [121] (YouTube), and anonymity [129] and allowing users to generate download links [130] (Cyando) had an objective explanation and offered added value for lawful uses. On the other hand, the AG had doubts about Cyando’s practice of remunerating certain users based on the number of their downloaded files [131].

Stay-down

Stay-down arises in two separate contexts. The first is the argument that a host who is aware of the illegality of specific information on the platform should also be regarded as being aware of the illegality of further uploads of the same or equivalent information, and thus should not benefit from the Article 14 liability shield in respect of such future information.

The second question is whether, and if so how far, an injunction against an intermediary can require it proactively to prevent future uploads of the same or equivalent information to that specified in the injunction.

• No imputed awareness of future uploads of the same information. As to the first issue, the AG considered that such a ‘stay-down’ interpretation of Article 14 would significantly alter its scope. It would require upload filtering not only of the same file as that notified, but of any file with equivalent content. Such an obligation would apply not only to providers that have such technology, but also those who do not have the resources to implement it. [194]
• The AG went on to contrast that with the position in relation to injunctions against intermediaries. The CJEU has held that where a national court has determined content to be illegal, it is not contrary to the Article 15 prohibition on general monitoring obligations to grant an injunction in respect of equivalent files (i.e., in the AG’s understanding, those that use the protected work in the same way).  [220], [221] 
• In that situation the measures must still be proportionate. It does not mean that rightsholders should be able to apply for any injunction against any intermediary service provider. In some cases a provider might be too far removed from the infringements for it to be proportionate to grant an injunction. That was not the case with YouTube and Cyando in the instant cases. [215] 

Proportionality also means that the injunction must not create obstacles to legal use of the service. Its purpose or effect cannot be to prevent users uploading legal content and making legal use of the work (such as, in the case of copyright, criticism, review or parody). [222]

[Amended 28 July 2020 to correct the number of paragraphs in the AG Opinion from 255 to 256. Unaccountably I didn't count the Conclusion...; and 29 July 2020 to eliminate a repetitious sentence.] 

Internet legal developments to look out for in 2020

Never mind Brexit, what is coming up on the UK internet legal scene in the coming year? The highlight of 2020 is of course the January publication of the 5th edition of Internet Law and Regulation :-). That apart, here are some cases and legislation to look out for. (In accordance with long tradition this feature does not cover data protection.)

Copyright

DSM Copyright Directive Member States’ implementation of the Digital Single Market Copyright Directive is due by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs).

A CJEU challenge to Article 17 by the Polish government (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

SatCab Directive The EU Directive extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to online radio and news broadcasts was adopted in April 2019 and has to be implemented by 7 June 2021.

Linking and communication to the public In the UK case of Warner Music/Sony Music v TuneIn permission has been granted to both sides to appeal the High Court’s judgment of 1 November 2019.

Pending CJEU copyright cases Several copyright references are pending in the EU Court of Justice. Judgment in the Dutch Tom Kabinet case on secondhand e-book trading (Case C-263/18) is due was delivered on 19 December 2019. The CJEU decided against Tom Kabinet, holding that its service was a communication to the public, not a distribution subject to exhaustion of rights.

The YouTube and Uploaded cases (C-682/18 Petersongs v YouTube and C-683/18 Elsevier v Cyando) pending from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium).

Questions about injunctions against intermediaries are also raised in C-682/18 Petersongs v YouTube, C-442/19 Brein v News Service Europe and C-500/19 Puls 4 TV.

C-264/19 Constantin Film v YouTube asks questions about the permissible scope of court orders against intermediaries requiring provision of information about alleged infringers to rightholders under the IP Enforcement Directive.

Intermediary liability

The UK government published its Online Harms White Paper on 8 April 2019. The subsequent Conservative manifesto for the December 2019 election promised to legislate for online safety, while at the same time defending freedom of expression and in particular recognising and defending the invaluable role of a free press. The government’s response to its consultation on the White Paper was originally due to be published before the end of 2019. The Queen’s Speech immediately before the election indicated that draft legislation would be subject to the pre-legislative scrutiny process.

The German Federal Supreme Court has referred two cases (YouTube and Uploaded  – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-500/19 Puls 4 TV (Austria, Supreme Court) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.

On 19 December 2019 the CJEU issued its AirBnB (C-390/18) judgment on the scope of the eCommerce Directive, holding that the kind of service provided by AirBnB is an information society service within the scope of the Directive. It also held that in criminal proceedings with an ancillary civil element, it is a defence to measures restricting an information society service incoming from another Member State that the measures had not been notified to the European Commission and the Member State concerned under Article 3(4) of the Directive.

The new European Commission is proposing a Digital Services Act, starting with a public consultation in early 2020. This will include a review of the ECommerce Directive liability shields.

On 12 September 2018 the European Commission published a Proposal for a Regulation on preventing the dissemination of terrorist content online. This followed its September 2017 Communication on Tackling Illegal Content Online and March 2018 Recommendation on Measures to Effectively Tackle Illegal Content Online. It is notable for proposing one hour takedown response times and for the ability for Member States to derogate from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts. Discussions on the proposed Regulation continue.

Cross-border liability and jurisdiction

In the law enforcement field the EU has proposed a Regulation on EU Production and Preservation Orders (the ‘e-Evidence Regulation’) and associated Directive that would set up a regime for some cross-border requests direct to service providers. The UK has said that it will not opt in the Regulation.

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. Final implementation in each country awaits completion of review by the US Congress and the UK Parliament. The EU will commence negotiations with the USA for an EU-wide agreement.

Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications

The UK’s Investigatory Powers Act 2016 (IP Act), has come into force, including amendments following the Watson/Tele2 decision of the CJEU. The government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

A pending reference to the CJEU from the Investigatory Powers Tribunal in litigation brought by Privacy International (Case C-623/17) raises questions as to whether the Watson decision applies to national security, and if so how; whether mandatorily retained data have to be held within the EU; and whether those whose data have been accessed have to be notified.

Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. It has been granted permission to appeal to the Court of Appeal on the question whether the data retention powers constitute illegitimate generalised and indiscriminate retention. Other aspects (including bulk powers) are stayed pending the Privacy International reference to the CJEU or (a challenge based on the Human Rights Act) were refused by the Divisional Court.

The IP Act (in particular the bulk powers provisions) may be indirectly affected by other cases pending in the CJEU: Schrems 2 (C-311/18), challenges by La Quadrature de la Net to the EU-US PrivacyShield (T-738/16) and to the French data communications data retention regime (C-511/18 and C-512/18), and a challenge to the Belgian communications data retention regime (C-520/18); in the European Court of Human Rights (in which Big Brother Watch and various other NGOs challenge the existing RIPA bulk interception regime) and by a pending domestic judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers.

The ECtHR gave a Chamber judgment in the BBW case on 13 September 2018. That and the Swedish Rattvisa case were subsequently referred to the ECtHR Grand Chamber and are awaiting judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In the Privacy International equipment interference case, the Supreme Court held on 15 May 2019 that the IPT decision was susceptible of judicial review. The litigation will now continue.

Compliance of the UK’s surveillance laws with EU Charter fundamental rights will be a factor in any data protection adequacy decision that is sought once the UK becomes a non-EU third country post-Brexit.

Here is an updated mindmap of challenges to the UK surveillance regime:

Software - goods or services?

Judgment is awaited from the UK Supreme Court as to whether software supplied electronically as a download and not on any tangible medium is goods for the purposes of the Commercial Agents Regulations (Computer Associates (UK) Ltd v The Software Incubator Ltd).

[Updated 20 December 2019 to add Tom Kabinet and AirBnB CJEU judgments; and 22 December 2019 to add C-511/18 and C-512/18); and 20 October 2020 with updated mindmap]