DRAFT VERSION – PLEASE DO NOT CITE WITHOUT PERMISSION

Balancing Fundamental Rights on the Internet. Service Providers as Quasi-Constitutional Actors?

Marco Bassini
University of Verona
The paper aims at exploring how, as a result of recent judicial achievements, private actors are playing an increasingly significant role when it comes to balancing fundamental rights on the Internet. Notably, in the European scenario most Internet operators are nowadays far from being considered merely service providers, also in light of the constitutional implications deriving from the nature of the activities they carry out. Against the background of Directive 2000/31/EC, several issues have emerged pushing for more constitutional relevance of the role played by service providers. The Google Spain judgment, for instance, has revealed that Internet search engine service providers may be tasked with significant responsibilities with respect to the protection of personal data in their capacity as controllers pursuant to Directive 95/46/EC. While attaching such new liabilities to operators, however, the decision at the same time makes Internet service providers’ role crucial with regard to the protection of freedom of expression. This way, a new constitutional relevance emerges, since functions which are assumed to pertain to public authorities (judges and lawmakers) are now de facto exercised by private operators. It has therefore to be questioned whether this approach is appropriate in at least two respects. First of all, it is at issue whether the constitutional protection of values which enter into conflict on the Internet is likely to satisfactorily pass through functions performed by private operators. Balancing fundamental rights, in fact, should prima facie rely on a public authority, and the involvement of private actors is likely, as said above, to trigger a constitutional or quasi-constitutional relevance of the same.
Secondly, the point is whether burdening Internet providers with new liabilities only reflects the crucial nature of their services for the protection of fundamental rights or, in a purely market view, is an option that is likely to discourage operators from targeting European residents when offering their services. In light of these remarks, the idea comes through that any process concerning the governance of the Internet lato sensu is unlikely to achieve far-reaching results when not properly considering the (whether undesirable or not) quasi-constitutional relevance of certain private actors.
1. Introduction. Internet providers towards ‘more’ responsibility?

One of the most significant consequences of the digital (r)evolution of the last twenty years is that several legal categories have become obsolete. Regardless of the opportunity to introduce new legal instruments (or to adapt the existing ones) when it comes to facing the developments brought to light by the new technologies, sometimes legal regimes modeled on the basis of the characteristics of certain phenomena turn out to be ineffective. The steady evolution of the new technologies is posing several issues with respect to the degree of appropriateness of certain (even) recent pieces of legislation [1]. These changes may also reflect, to a certain extent, the complexity of the legal relationships taking place by virtue of the new technologies, most notably via the Internet. Against the prevailing technology-oriented view, some constitutional nuances are also involved in this process.

An example that serves to make things clearer is offered by the legal regime concerning Internet service providers in the European Union, which is the subject of this paper [2]. The relevant legal framework has been set out by the so-called ‘E-Commerce Directive’, which dates back to 2000 [3]. The provisions set forth in the Directive define the legal regime for operators providing Internet services in a way that mirrors the complexity of the role played by these actors in the information society, albeit at its very beginning in Europe. This regime has two distinguishing features [4]. On the one hand, the absence of any general monitoring obligation on the shoulders of Internet providers. On the other hand, the Directive has laid down a set of exemptions from liability which apply on condition that the provider has no actual knowledge or awareness of unlawful activities or information. This legal regime is clearly inspired by the purpose of limiting intermediaries’ liability for any unlawful activity or information transmitted or stored via their services. As noted, this legal regime has key implications also from a constitutional point of view, as it aims at reaching the widest possible circulation of contents. However, this legal framework is nowadays more and more called into question, and its constitutional implications also seem to be relevant. The purpose of the present paper is to describe the main trends that are affecting the regime of Internet service providers as a result of recent judicial achievements, in order to highlight the quasi-constitutional relevance that these actors have assumed in the information society.

Two main trends will now be discussed. First, the attempts made by various domestic courts to reduce the scope of the liability exemptions by interpreting restrictively the relevant provisions of the E-Commerce Directive on the basis of the difference between ‘active’ and ‘passive’ providers. Second, the paper will focus in more detail on the recent decision of the Court of Justice in the Google Spain case and on the consequences of qualifying search engine providers as data controllers pursuant to the Data Protection Directive (Directive 95/46/EC). Having explored the above, some remarks concerning the critical points posed by these trends will be drawn.

[1] An example is provided by Directive 95/46/EC (“Data Protection Directive”): even if this act is quite recent, it has proved to be ineffective vis-à-vis the challenges of the new digital technologies. The EU institutions have then started to consider a proposal to reform this legal framework which aims at replacing the Directive with a new Regulation on data protection.
[2] See O. Pollicino and E. Apa, Modeling the Liability of Internet Services Providers: Google vs. Vivi Down. A Constitutional Perspective, Milan, 2013.
[3] Directive 2000/31/EC (“E-Commerce Directive”).
[4] See P. Van Eecke, ‘Online service providers and liability: a plea for a balanced approach’, 48 CML Review (2011) 1455.
2. Internet service providers: active versus passive? (passim)

The Court of Justice of the European Union and a number of domestic courts of Member States are interpreting the legal provisions applying to Internet service providers under EU law in light of the evolution of the respective services over time. In more detail, it has to be noted that behind the liability exemptions set forth by the E-Commerce Directive was the assumption that Internet providers acted in a purely passive manner, without exercising any control over the content transmitted [5]. This was the main reason why the approach adopted by the E-Commerce Directive was to hold providers immune from liability on the assumption they had no control over contents. However, these services have reached a high level of complexity since the Directive came into force. While at the time the relevant legal framework was set out there were no difficulties in determining whether or not an Internet service provider was acting in a passive way, to date the growing complexity of these services has led to a number of cases where it is disputable that a provider enjoys exemptions from liability. Therefore, it is for courts to determine whether the exemptions established by the Directive shall apply. Depending on the circumstances of the case, courts have assessed whether the conditions for the liability exemptions were met or not [6]. Some domestic courts, such as the Italian ones, have provided a peculiar construction of these provisions. Most notably, as far as hosting providers are concerned, the Italian courts have created a kind of hybrid by carving out the legal paradigm of the ‘active hosting provider’ in the wake of the decisions of the Court of Justice of the European Union in the Google/Louis Vuitton [7] and eBay/L’Oréal [8] cases.

This notion, in the construction given by several judgments by Italian courts [9], includes those service providers that do not operate in a purely passive way and, thus, could not benefit from the liability exemptions in case unlawful information or contents are transmitted or stored [10].

[5] This view is reflected by Recital 42 of the Directive, which reads as follows: ‘The exemptions from liability established in this Directive cover only cases where the activity of the information society service provider is limited to the technical process of operating and giving access to a communication network over which information made available by third parties is transmitted or temporarily stored, for the sole purpose of making the transmission more efficient; this activity is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored’.
[6] In particular, the courts have taken into account that some Internet service providers were no longer operating as mere intermediaries by reason of certain features that were not essential for their functioning. The applicability of the liability exemptions is questioned, for instance, when it comes to search engine providers which ‘suggest’ how to complete the keyword in the queries or to the so-called ‘user-generated content’ platforms where the contents posted by users are classified into different categories or coupled with advertising messages mirroring the type of content visited or researched by the user.
[7] CJEU, 23 March 2010, C-236/08 to 238/08, Google France SARL and Google Inc.
[8] CJEU, 12 July 2011, C-324/09, L’Oréal and others.
[9] See Court of Rome, 20 October 2011; Court of Milan, 9 September 2011; Court of Milan, 20 January 2011; Court of Appeals of Milan, 21 December 2012; Court of Turin, 5 May 2014; Court of Turin, 23 June 2014; Court of Appeals of Milan, 7 January 2015.
[10] According to the Italian case law, a provider may qualify as active hosting provider, for instance, when the terms and conditions entered into by the parties provide for the exercise of control on the information, when advertising messages related to the contents are displayed or when unlawful contents have been uploaded directly by the provider. It is disputed whether such qualification occurs when contents are indexed or selected, or when the provider has established a notice-and-take-down procedure.
These operators are not ipso facto treated in the same way as content providers, but having something more (‘quid iuris’) than passive providers they may most likely face liability for unlawful activities such as copyright infringements or defamatory comments: they are supposed, in other terms, to have ‘actual knowledge’ of the unlawful contents and supposed to remove the same without a prior notice by the competent authority (as required by the Directive in the case of passive providers). Thus, the model of liability foreseen in the E-Commerce Directive, as interpreted by some domestic courts, seems to be revisited as a consequence of the growth of Internet services. This view of Internet providers, most notably of the hosting providers, as actors which are no longer to be regarded as mere intermediaries also impacts on the protection of certain fundamental rights: freedom of expression is of course the crucial value at stake when the role of Internet providers is affected by these interpretative trends.

3. Google Spain: more than an Internet search engine service provider

The very constitutional relevance of the role of Internet providers emerges when it comes to considering different legal regimes which may apply to the same operator. In this respect, the Google Spain [11] judgment delivered by the Court of Justice of the European Union has marked a point of no return while clarifying that search engine providers do also meet the definition of ‘data controllers’ pursuant to the Data Protection Directive. The judgment rendered by the Court in this case therefore constitutes a useful case study to bring to light the constitutional implications which are now related to the role played by Internet service providers [12].

Here, the view expressed by the Court is not based on a different application of the provisions concerning Internet service providers, but rather rests on the complexity of the role that the Internet providers play nowadays in the information society. The ruling, which has given rise to a number of comments, marked a very significant turning point since, on the one hand, it boosted a renewed interpretation of the EU data protection legislation while, on the other, it significantly affected, although indirectly, the regime of liability of Internet service providers. Labeled as an explicit and long-awaited statement of the right to be forgotten, the judgment has a very broad subject but impacts especially on the position of the operators of search engines. Indeed, referring to the ‘right to be forgotten’ as such sounds perhaps improper, as long as this expression is meant as the claim of an individual to obtain the removal from the Internet of news or pieces of information that he/she considers outdated or no longer of public interest. The Court of Justice, in fact, focused exclusively on the role of search engines and on the responsibilities that they bear as data controllers with respect to the indexing of news contained on web pages or websites operated by third parties. By supporting an interpretation of the relevant provisions of the Data Protection Directive contrary to the view expressed by the Advocate General in his Opinion [13], the Court of Luxembourg has considerably (even though indirectly) expanded the scope of liability of the Internet search engine service providers. The key assumption of the Court is that these operators do actually qualify as data controllers pursuant to the Data Protection Directive. According to Article 2(d) of Directive 95/46/EC, in fact, the data controller is defined as ‘the natural or legal person … which alone or jointly with others determines the purposes and means of the processing of personal data’. Thus, if Internet search engine service providers meet the definition of ‘data controller’, this leads to significant implications for this category of operators. Most notably, the same are bound by the obligations which are established by the Data Protection Directive with respect to the data controller, including the obligations to comply with the data subject’s requests with respect to their personal data. So, while on the one hand a search engine provider can enjoy ‘as such’ the liability exemptions laid down by the E-Commerce Directive, on the other it may face additional obligations set forth by the Data Protection Directive, to the extent the operator is found to match the definition of data controller. The preliminary ruling that gave rise to the decision of the Court of Justice concerned a point which ranks among the most debated in several Member States: the possibility for the concerned individuals to obtain the removal of the results generated by search engines relating to news considered no longer of public interest, without previously consulting the owner of the website being indexed. As noted, this claim sounds slightly different from a proper right to be forgotten meant as a right to ‘disappear’ from the Internet.

[11] CJEU, C-131/12, 13 May 2014, Google Spain, Google Inc.
[12] See O. Pollicino and M. Bassini, ‘Reconciling Right to be Forgotten and Freedom of Information in the Digital Age. Past and Future of Personal Data Protection in the EU’, 2 Diritto pubblico comparato ed europeo (2014), 640.
[13] Opinion of the Advocate General Jääskinen, 25 June 2013, C-131/12, Google Spain, Google Inc.
However, providing individuals with such an instrument is supposed to allow them to protect themselves from the main source of harm for the protection of personal identity and reputation when it comes to the Internet, namely the search engines. The same search engines on whose shoulders the protection of some constitutional interests relies. The very critical point lies with the Court of Justice’s choice to place in the hands of private actors, such as Internet search engine service providers, the power to handle individual requests to obtain the removal of personal data. Said decision, in fact, is supposed to entrust search engine operators with the function of balancing the right to data protection with the other fundamental rights at stake, namely freedom of expression and freedom to conduct business. According to some scholars, this could attach a quasi-constitutional status to Internet providers [14]. The reasoning of the Court which led to this conclusion has followed gradual steps. First, the Court has stated that the activity carried out by a search engine, consisting of the indexing and display as search results of the content of third-party websites, constitutes a processing of personal data pursuant to the Data Protection Directive. This notion, under Article 2, lit. b) of Directive 95/46/EC, is very broadly defined, so this first point is not disputed and does not raise critical issues. The crucial point is rather the following step taken by the Court of Justice, when it comes to answering the question whether a search engine qualifies as data controller. Here the line of reasoning of the Court of Justice diverges from that of the Advocate General. The latter, in fact, had concluded that only under exceptional circumstances could a search engine provider qualify as data controller. In Jääskinen’s view, in fact, the mechanical and automated indexing of information (not necessarily containing personal data) retrieved from third-party web sites was such as to exclude that the search engine was determining means and purposes of the processing and thus qualifying as data controller [15]. The Court of Justice, on the contrary, has found that an Internet search engine provider acts as data controller: to hold differently, according to the Court, would be contrary not only to the wording of the provision but also to its purpose, which is to provide a sufficiently wide notion of controller in order to grant effective protection to individuals and their personal data [16]. In this step the judges seem to fall into a clear excusatio non petita: the Court seeks a broad definition of data controller for the sake of a comprehensive protection of the data subjects. However, this assumption is not free of consequences for Internet search engine service providers, as it triggers significant consequences in terms of legal obligations, the same obligations that in the view of the Advocate General the search engine ‘cannot in law or in fact fulfill’. This way, in fact, the Court makes the same provisions concerning the data controller under the Data Protection Directive applicable to the Internet search engine service providers. In particular, among others, the provisions applying to Google in the case were Article 12, lit. b), allowing individuals to ask the controller for the erasure, blocking or rectification of personal data, and Article 14, par. 1, lit. b), which establishes the right of data subjects to object to the processing of personal data. By coupling these provisions with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the Court of Justice provides the right to be forgotten in this peculiar ‘right to delisting’ version with legal grounds, making the claim to the removal of personal data enforceable against Internet search engine service providers, and thus making the right to data protection enforceable against the freedom to impart and search information.

It is worth remarking on some critical aspects which bring to light the nature of Internet service providers as quasi-constitutional actors. First, the Court has failed to lay down any criteria at all on the basis of which the search engine provider is required to carry out a balance between the protection of personal data and the protection of other interests such as freedom of expression. In particular, the Court has not even mentioned Article 11 of the Charter in the judgment. The impact on freedom of expression is even clearer if one considers that the removal from the search results is possible without a prior consultation of the web site owner. If a right of the web site owner to have its site ‘indexed’ has probably no legal grounds, there is a competing general interest of individuals to find and research information, which constitutes an essential aspect of the freedom of information. Additionally, the threat to the protection of freedom of speech is even more serious if one considers that restrictions on fundamental rights do generally rest in the hands of judges, as any limitations should be grounded on an order by the judicial authority. This is not the case here, as the restriction on the possibility for users to access information only depends on the discretionary assessment of the individual complaint by the search engine.

[14] See O. Pollicino, ‘Google rischia di «vestire» un ruolo para-costituzionale’, Il Sole 24 Ore, 15 May 2014.
[15] Opinion, p. 89: ‘the internet search engine service provider cannot in law or in fact fulfill the obligations of controller provided in Articles 6, 7 and 8 of the Directive in relation to the personal data on source web pages hosted on third-party servers. Therefore a reasonable interpretation of the Directive requires that the service provider is not generally considered as having that position’.
[16] CJEU, C-131/12, p. 34: ‘it would be contrary not only to the clear wording of that provision but also to its objective — which is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects — to exclude the operator of a search engine from that definition on the ground that it does not exercise control over the personal data published on the web pages of third parties’.
It has to be pointed out that the judgment of the Court of Justice does not prevent individuals from bringing their claims before the competent judicial and administrative authority, either directly or in case the request is rejected by the search engine. However, the lack of a judicial review still constitutes a critical point of the decision. The Court of Luxembourg has correctly underlined that the processing of personal data carried out by the search engine is autonomous and separate from that of the owner of the web site where the retrieved news was originally published. Notwithstanding, the judgment has set out no criteria for the balance between the opposite interests at stake. Also, nothing is said with respect to the purposes for which the processing by the search engine is carried out. The Court of Justice has only clarified that the Internet search engine service provider does not enjoy the exemptions laid down with regard to the processing for journalistic purposes by Article 9 of the Data Protection Directive from the obligations, among others, to obtain the consent of the data subjects. Also, the Court has paid no regard to the freedom to conduct business, which likewise enjoys protection under Article 16 of the Charter of Fundamental Rights of the European Union. As detailed below, the decision seems to go against the business model that is mirrored by the legal regime of Internet service providers outlined by the E-Commerce Directive, at least as far as the category of the search engines is concerned. In the reasoning, however, the Court has underestimated the consequences for the operators, which may thus encounter obstacles while doing their business. Having said that, against this background Article 1(5)(b) of the E-Commerce Directive itself states that the Directive shall not apply to questions relating to information society services covered by Directive 95/46/EC.
Relying on this provision to exclude any debate concerning the evolution of the role of Internet service providers, however, would seem to me too simplistic. Furthermore, the exact meaning of this provision, as well as its scope, still remains unclear: some domestic courts have tried to enforce this safe harbor but these attempts, as in the Italian Google Vivi Down case, did not lead to significant results. In any case, should one assume that the liability exemptions do not apply when it comes to data protection issues, this interpretation would not affect the idea that Internet service providers are moving towards a new legal model, reflecting the constitutional relevance of their role. Thus, regardless of the application of the liability exemptions laid down by the E-Commerce Directive, the Internet search engine service providers are now bound by the obligations stemming from the role of ‘data controller’. The Court of Justice, then, has acknowledged that different legal regimes may apply to operators which match different statuses. Internet search engine service providers, in light of the foregoing, will continue to benefit from the exemptions from liability established by the E-Commerce Directive with respect to the unlawful activities carried out through their services, while, in their capacity as data controllers, they will be bound by the obligations provided by Directive 95/46/EC. It goes without saying that, as a consequence of the judgment of the Court, the favor behind the legal regime of Internet service providers has been undermined. Conversely, the scope of liability of the same has been extended. Said extension is an effect, first of all, of having made enforceable against search engine operators the rights that data subjects are entitled to under the Data Protection Directive. A few weeks after the judgment, Google implemented a web site to allow individuals to ask the search engine to remove results for queries that include their name.
If, on the one hand, the activity carried out by a private operator like Google mirrors the relationship between data subjects and data controller, on the other the removal of search results arises out of a balance between the right to data protection and the freedom of expression. Thus, the power to restrict the exercise of a fundamental right rests in the hands of private actors instead of a public authority. Not all the relationships between data subjects and data controllers are such as to assume public relevance: it is by virtue of the data controller’s nature as a search engine that the removal (or the rejection) of personal data acquires the nature of a restriction on freedom of expression for the sake of protection of personal data. This confirms, more than other factors, the quasi-constitutional status of the search engine providers.

4. The aftermath of the judgment Google Spain. Concluding remarks

As a reaction to the questions left unanswered by the decision of the Court of Justice, both the Google Advisory Council on the Right to Be Forgotten and the Article 29 Data Protection Working Party have handed down respectively a report [17] and an opinion [18] focusing on the criteria for the removal of search results. Nothing could better illustrate the overlap between private and public functions. Two bodies, i.e. the independent committee appointed by the leading private operator in the market of search engines and the entity where the national data protection authorities of the Member States are represented, have taken similar steps in order to resolve the uncertainties of the decision of the Court of Justice. Without entering into the merits of these documents, it seems that the report adopted by the private actor (Google) would most likely have more significant effects than the resolution of the institutional body where the European data protection authorities sit.

The latter, in fact, is intended to provide data protection authorities and judges with some guidelines as to the interpretation of the relevant provisions of the Data Protection Directive. The report issued by the Advisory Committee to Google, instead, reflects the point of view (even though through the eyes of an independent body) of the leading worldwide Internet search engine provider, which was concerned as party to the proceedings before the Court of Justice and is the first (although not exclusive) addressee of most of the requests for removal filed by individuals. However, the criteria set forth in the report of the Google committee are of course tailored to the search engine provider’s nature as a private operator. Private powers vs. public powers? Here, the contrast between the power of the market and the power of public authorities is even clearer. Thus one could question whether the rules laid down in this respect do actually fulfill the general interest of the public in a sound balance between the protection of personal data and other competing rights. The criteria set forth by a private actor, indeed, are likely to be more ‘business-oriented’ than ‘fundamental rights oriented’: in other terms, Google will take into account the value of freedom to conduct business when counterweighing the balance with the right to be forgotten. At the same time, the judgment of the Court has exposed any Internet search engine service provider to the risk of facing claims of ‘censorship’ or undue restrictions on freedom of expression by the concerned web sites’ owners in the cases where the right to data protection is found to prevail over freedom of expression.

In light of the foregoing, may a trend toward ‘more responsibility’ be justified? While it would be easy to rely on the assumption ‘the more one enjoys freedom, the more the same faces responsibility’ (very similar to the principle ‘ubi commoda, ibi et incommoda’ derived from Roman Law), this conclusion should be rejected. It is not by burdening private operators which perform functions having constitutional relevance with more liability that the protection of the fundamental rights at issue is strengthened. Rather, it is the switch from a purely ‘business-oriented’ view to a ‘fundamental rights sensitive’ approach that may lead to a reasonable balance among the competing interests involved, whose protection nowadays necessarily passes through the role even (but not limited to) of private operators.

[17] The Advisory Council to Google on the Right to Be Forgotten, 6 February 2015.
[18] Article 29 Data Protection Working Party, Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, 26 November 2014, WP 225 14/EN.