SCL Student Essay Prize Winning Entry: Is Law or ISP Action Key to Internet Enforcement?

July 8, 2018


The Internet has managed to
connect 54.4% of the population – a staggering 4.16 billion people.[1] Access to
the Internet has an increasingly egalitarian edge to it, as it allows 89 million
people from ‘least developed countries’ to partake in convenient information
searches and business transactions.[2] Importantly, it allows people to have a
platform to freely express their opinions, regardless of social status.
However, precisely because of the Internet’s incredible reach and foundations
on ‘egalitarianism’, the Internet is almost impossible to regulate effectively.
This has opened avenues for users to abuse the Internet without suffering
consequences – including through defamation, hate speech, fraud, false news, or
objectionable content.
Evidently, the widespread nature of such a problem has led to two options:
regulation by ISPs or intervention by national or international legal
authorities. This is the crux of the essay question: do legal consequences
stemming from key pieces of state legislation in the UK and case law from both
the UK and the Court of Justice of the European Union form greater deterrents
to potential misusers of the Internet than the consequences as stated in the
ISPs’ Terms and Conditions and private policies? This essay will look at both
direct and indirect enforcement from three different angles: the consequences,
the motivation, and intersection between law and ISP action.

An ISP is ‘any person or entity
that provides an information society service (ISS) for remuneration through
electronic means for the processing and storage of data relying on any platform
of electronic communication’.[3] These services include the ‘online sale of
goods, networked communication links, information hosting by the recipient of a
service, point-to-point relaying of information’ and even web design.[4] Not
only does this include BT, Sky and Virgin Media,[5] but also platforms such as
Facebook, Google and Twitter.

Consequences: Legal v

The first question this essay
has to ask is what enforcement through court machinery entails, and what the
consequences are if ISPs take action to enforce their Terms and Conditions.

First, what is most important
to consumers of the Internet? The answer is probably the Internet services
themselves. As of the first quarter of 2018, Facebook had 2.19b monthly active
users.[6] Google has 1 billion users over seven different services, including
YouTube and Google Play.[7] Twitter had 336 million monthly users in the most
recent quarter.[8] The miscellaneous services these platforms provide –
web-messaging, facilitating business transactions, video-sharing,
advertisements – have become such an integral part of our lives – no matter
what our profession – that we cannot afford to lose them. Facebook and Google
are extremely clear about breaches of their Terms of Service. For Facebook, if
one engages in ‘misleading or fraudulent behaviour’, ‘upload viruses or
malicious codes’, or repeatedly ‘infringe on one’s intellectual property
rights’, Facebook reserves the right ‘to disable the account’.[9] Google is even
more straightforward – in the second section of ‘Using our Services’, they
quickly put forth the idea of ‘suspending or stop providing their Services’ if
‘one misuses their services’.[10] Given the importance of services in our daily
lives, the Terms of Service act as a powerful deterrent and indirectly enforce
rules on Internet users not to engage in fraud, defamation or share
objectionable content such as child

This is also seen in BT’s and
Virgin Media’s Terms and Conditions. BT introduces a five-point plan of
deterring people from ‘making sexist, racist or discriminatory comments’ and ‘interfer[ing]
with people’s right to privacy’, which includes ‘blocking, limiting or
suspending your access to any or all of our services’.[11] In Section G(6) of
Virgin’s Terms and Conditions, they purport to ‘end the agreement and terminate
any licence’.[12]
participation on internet platforms is bad enough, it is even a greater
deterrent when ISPs have the power to restrict access to the Internet

However, the counter-argument
to the relative importance of ISP action to enforcing rules on Internet users
is that the claims against and potential damages one might incur after
breaching rules of the Internet are the biggest deterrent to Internet users,
and are what motivate users to behave responsibly. This obviously comes from
state legislation and case law. In the landmark case of Jack Monroe v Katie
Hopkins [2017] EWHC 433 (QB), the ‘serious harm’ test of the Defamation Act 2013
came into practice and Monroe was awarded £24,000 in damages after Hopkins
claimed Monroe condoned vandalization on Twitter. In another case, Sloutsker v
Romanova [2015] EWHC 2053 (QB), the President of the Israel Jewish Congress was
awarded £110,000 in damages against a Russian journalist
who had accused him of ‘fabricating evidence of criminal prosecution’ of her
Paradoxically, not only does a defendant (if found liable) have to pay
sizeable damages, but they also suffer from negative media coverage which can
cause their reputation to plummet as well. Therefore, the high-profile nature
of court cases can lead to a two-pronged wound on the defendant. This perhaps
motivates a large number of people to regulate their own conduct.

However, it is clear that, from the
victim’s point of view, it is easier to go through the process of simply
reporting misuse of the Terms and Conditions – such as reporting
‘discriminatory, hateful or pornographic content’ (Instagram) – instead of
navigating the complex legal system. Moreover, by comparison, legal claims
incur the costs of litigation. As the case of Sloutsker v Romanova
demonstrates, legal cases have the potential to run for at least three years.
This could cost slightly underprivileged families a fortune in lawyer fees. On
the other hand, given the
egalitarian nature of the Internet, one does not need to incur monetary costs
to report an incident and ISPs often take immediate action. Therefore, ISP
action seems to be a better way to enforce the rules on abusive Internet users.

Finally, I would like to
consider the impact of privacy policies in conjunction with the right to be
forgotten. The privacy policies of both Facebook and Google contain sections
which state they ‘disclose personal information to protect the security of the
person; to address fraud, security or technical issues’. However unlikely it is
that people read Privacy Policies, the statement that these conglomerates have
gathered such a vast literature of personal information could deter people from
engaging in fraudulent or objectionable behaviour in the first place. Moreover,
I would argue the more effective deterrent is in the comprehensive nature of
their data collection – ranging from ‘billing information’[13] (Facebook), to
‘downloading, viewing or streaming content on a device’ (Amazon),[14] to
‘browser information and Mac Address’ (Sky).[15] When one gives up quasi-total
privacy, one hopes to gain service or third-party services which will
convenience them. The importance put on privacy is seen by the outrage caused
by the Cambridge Analytica scandal as people’s data were harvested without
consent. This is further evidenced by the implementation of the GDPR across the
EU.[16] According to these trends and incidents, a consumer certainly does not
want to lose complete privacy – something an individual desperately values –
and be barred from using the services after they violate the rules of the
Internet. Therefore, I would argue privacy policies themselves form a strong
deterrent for potential rule-breakers, and indirectly enforce rules of the
Internet.

On the other hand, the
recognition of the right to be forgotten in case law (Google Spain (2014))[17] is
potentially dangerous as it may undermine people’s tendency to follow the rules
of the Internet if they do not suffer consequent damages to their reputation in
the long-term. Moreover, in a recent UK national case, a businessman won his
legal action to remove search results about a criminal conviction in a landmark
‘right to be forgotten’ case.[18] If this is the trajectory the law is moving
towards, given the CJEU’s ruling in 2014 which stated ‘irrelevant’ and outdated
data should be erased on request,[19] people are less inclined to self-regulate
their own behaviour towards defamation,
discrimination and fraud due to the lack of reputational deterrence. If
anything, case law – seeking to strike a compromise to the right to privacy –
seems to have an adverse effect on the enforcement of Internet rules.

The Motivational Comparison: The Government and the Internet Providers

The enforcement of rules for
Internet users, similar to anti-discrimination law,[20] has two overarching
purposes: prevention and protection. However, when it comes to the
effective enforcement of rules on the Internet, ISP action would seem to be
more important. This is because ISPs have two strong motivations to act: the
need to maintain an enjoyable environment and the avoidance of the costs of
litigation and incurring possible liability.

First, I would argue the
Internet is a separate domain where platforms value the freedom of expression,
but such a value is incorporated into a framework which primarily values the
enjoyment of the user. This is seen by the reference to respecting ‘Community
Standards’ in four different sections of Facebook’s Terms of Service, and the
emphasis on keeping the platform ‘safe and respectful’ so as to ‘build community
and bring the world closer together’.[21] In the Community Standards, there are
no less than six sections on how a user would breach those principles – ranging
from using Facebook to coordinate harm to sexual exploitation of children. It
is even arguable these Terms and Conditions go further than the law – for
example, Facebook targets the dissemination of ‘false news’ and ‘cruel and
insensitive remarks’. ISPs’ need to promote a communitarian and enjoyable
online experience is particularly exemplified when ‘ideas that offend, shock
and disturb’ are not limitations in paragraph 2 of article 10. On a semantic
level, this is seen in BT’s coinage of their Terms and Conditions as an
‘Acceptable Use Policy’, and the continuous emphasis on using Internet services
to ‘respect people’s views’ and ‘protect people’s privacy’ by refraining from
sending ‘unsolicited communications such as spam’ or ‘intentionally
distress[ing] people’.[22]

Such an emphasis on an
individual’s enjoyment of their services is important. If a platform fails to
rectify online abuse, a consumer’s satisfaction with the service decreases and
they would switch to a better-regulated platform, given the plethora of
alternatives available today. If consumers desert the platform, it both drops
in commercial value and suffers financially due to a dip in investment from
other companies.[23]

Secondly, companies could
possibly incur liability. This is demonstrated by Delfi AS v Estonia (2015)[24]
where an Internet news portal was sued for failing to take down offensive
comments posted by end-users (who posted anonymously and without
pre-registration) in a reasonable amount of time. Curiously, the platform had
already expeditiously removed the offensive comments as soon as it was notified
about them, but the commercial news portal was held liable in damages as a
result. Although there is an argument in Tamiz v United Kingdom (2017)[25] that
Google Inc was not held liable, and that as long as the ISP does not ‘offer any
content’ (as per para.116), one can definitely argue that ISPs are more
motivated to strictly enforce rules on Internet users according to their Terms
and Conditions in the fear that consumers will be able to sue them and claim
damages as a result. Of course, this also signifies an increase in the costs of
litigation, which ISPs will desperately try to avoid.

Consequently, the strong
motivation of ISPs to enforce their Terms and Conditions due to financial and
litigation reasons means it is probably a more pressing concern to users of the
Internet to regulate their own conduct in the first place. This is a form of
effective, indirect enforcement.

On the other hand, national
legislatures and international/national case law do not actively seek to
enforce rules on the Internet. Instead, they focus on a larger task of
balancing the right to freedom of expression and the right to privacy, which
are protected under the European Convention of Human Rights under article 10
and 8 respectively.[26] Currently, there is no one piece of UK state legislation
which specifically targets responsible use of the Internet. Instead, there are
several pieces of legislation such as the Fraud Act 2006, the Equality Act
2010, the Defamation Act 2013, or most recently, the Investigatory Powers Act
2016 – which tackle problems of fraudulent behaviour and discrimination via
the online platforms.

There is an argument that courts – through case law – are more than willing to
set strong legal precedent on the limits on the free use of the Internet. As
the Grand Chamber in Delfi says, ‘defamatory and other types of clearly
unlawful speech, including hate speech and speech inciting violence, can be
disseminated like never before […] liability for defamatory speech must, in
principle, be retained and constitute an effective remedy for violations of
personality rights’. This was also highlighted in Google Spain (2014) where
the ECJ pointed to the ‘heightened’ reach of the Internet, which makes
defamation and other unlawful speech a more pressing issue for courts to
resolve. Given the Internet’s increasingly ubiquitous nature, one could
certainly make a compelling case that the courts’ strong incentive to punish
defamation online would lead users to regulate their own conduct. However, it
seems balancing rights is still at the forefront of the ECtHR’s mind, when they
consider the ‘triviality of comments’, ‘extent of their publication’ and the
‘significance of damage’ (Tamiz) in deciding whether liability in libel is made
out.

The Intersection of Law and Internet Action

But perhaps this comparative
exercise of which ‘body’ is more important towards the enforcement of rules on
Internet users is ultimately futile, as they are ultimately complementary
tools. It is worth noting that, in the Community Standards of Facebook, the
Terms and Conditions of Google and the Acceptable Use Policy of BT, there is a
highlighting of ‘illegality’, and the companies reserve the right to ‘report
you to the police or other law enforcement agencies’.[27] This shows that ISP
action often has a legal deterrent to it as well.

On the other hand, legal
instruments seem to fully respect the ability of ISPs to deal with these types
of situations, adopting a non-interventionist policy in ascribing liability to
ISPs when they fail to rectify these types of situations. Barring Magyar v
Hungary (2015),[28] the Grand Chamber has been unwilling to ascribe liability to
ISPs which fail to take down third-party comments it had run on the blog –
decisions stretching from Delfi (2015) (it was only the domestic courts who
found them liable, and told them to pay damages at a low level), Pihl v
Sweden[29] and Tamiz. This seems to point out that European case law has
generally formed a ‘non-interventionist’ policy towards ISPs in order to
preserve their independence. Therefore, one could make the argument that ‘state legislation
and case law’, and ‘ISP action’, are mutually reinforcing. It follows that the
exercise of determining ‘which is more important’ is one that is only
theoretically interesting.


In conclusion, ISP action is more important in directly and indirectly enforcing
rules on Internet users in terms of consequences and motivation, but such an
exercise is practically unhelpful, given that legal machinery and ISP action
mutually reinforce each other when it comes to regulating users’ behaviour and
preventing wrongs such as defamation, discrimination and objectionable content.

Alvin Cheung is studying for a BA in Jurisprudence (Law) at the University of Oxford.

[1] Miniwatts Marketing Group, ‘Internet World Stats – Usage and Population Statistics’ (May 7 2018)

[2] Dave Lee, ‘Internet used by 3.2 billion people in 2015’ (BBC Technology Report on Internet use, May 26 2015)

[3] Council Directive (EC) 2000/31 article 2 which provides regulatory framework to

[4] Adebola Adeyemi, ‘Liability and exemptions of internet service providers (ISPS): assessing the EU electronic commerce legal regime’ (2018) 24(1) CTLR 6

[5] ISPreview, ‘Top 10 Broadband ISPs’ (2018)

[6] Statista, ‘Number of monthly active Facebook users worldwide as of 1st quarter 2018’ (Statistics and Studies from more than 22,500 Sources 2018)

[7] Ben Popper, ‘Google announces over 2 billion monthly active devices on Android’ (The Verge 2017)

[8] Statista, ‘Number of monthly active international Twitter users’

[9] Facebook, ‘Terms of Service’ (Section 3: Your commitments to Facebook and community April 19 2018)

[10] Google, ‘Google Terms of Service’ (Using our Services October 25 2017)

[11] British Telecommunications plc., ‘Consumer Acceptable Use Policy’ (Our rights 2018)

[12] Virgin Media, ‘Terms and Conditions’ (Using the Services 2018)

[13] Facebook, ‘Data Policy’ (2018)

[14] Amazon, ‘Privacy Notice’ (Security and Policy Legal Policies, 22 May 2018)

[15] Sky, ‘Sky Privacy and Cookies Notice’ (2018)

[16] Intersoft Consulting, ‘General Data Protection Regulation: Article 15 – Right to access by the data subject’ (2018). This includes mandatory pseudonymization, and the right to access and knowledge on how an individual’s information is processed (Article 15).

[17] Somewhat contrasts to Wegrzynowski and Smolczewski v. Poland (2013). This recognizes that the GDPR has replaced the ‘right to be forgotten’ with the ‘right to erasure’.

[18] Jamie Grierson and Ben Quinn, ‘Google loses landmark ‘right to be forgotten’ case’ (The Guardian article on Technology and Right to be Forgotten 13 April 2018)

[19] Case C-131/12, Google Spain SL v Agencia Española de Protección de Datos [2014] ECJ 317

[20] Iyiola Solanke, Discrimination as Stigma: A Theory of Anti-discrimination Law (Bloomsbury, Portland 2017)

[21] Facebook, ‘Community Standards’ (2018)

[22] BT, ‘Consumer Acceptable Use Policy’

[23] Such as a dip in advertisements

[24] Delfi AS v. Estonia (64569/09) [2015] EMLR 26 (ECHR (Grand Chamber))

[25] Tamiz v. United Kingdom (3877/14) (2017)

[26] Siofra O’Leary, ‘Balancing rights in a digital age’, Irish Jurist (2018), 59. 59-62.

[27] BT, ‘Acceptable Use Policy’

[28] Magyar v. Hungary (64569/09) (2015)

[29] Pihl v. Sweden (4742/14) (2017)