SCL Student Essay Prize Winning Entry: Is Law or ISP Action Key to Internet Enforcement?

This is the essay which won the SCL Student Essay Prize for 2018 for Alvin Cheung on the set topic ‘Are state legislation and case law, or Internet Service Provider action, more important to the enforcement of rules on Internet users? Discuss with respect to key internet platforms’ Terms of Service and privacy policies.’


The Internet has managed to connect 54.4% of the population – a staggering 4.16 billion people.[1] Access to the Internet has an increasingly egalitarian edge to it, as it allows 89 million people from ‘least developed countries’ to partake in convenient information searches and business transactions.[2] More importantly, it allows people to have a platform to freely express their opinions, regardless of social status. However, precisely because of the Internet’s incredible reach and foundations on ‘egalitarianism’, the Internet is almost impossible to regulate effectively. This has opened avenues to users abusing the use of the Internet without suffering consequences – including defamation, hate speech, fraud, false news, or objectionable content. Evidently, the widespread nature of such a problem has led to two options: regulation by ISPs or intervention by national or international legal authorities. This is the crux of the essay question: do legal consequences stemming from key pieces of state legislation in the UK and case law from both the UK and the Court of Justice of the European Union form greater deterrents to potential misusers of the Internet than the consequences as stated in the ISPs’ Terms and Conditions and private policies? This essay will look at both direct and indirect enforcement from three different angles: the consequences, the motivation, and intersection between law and ISP action.

An ISP is ‘any person or entity that provides an information society service (ISS) for remuneration through electronic means for the processing and storage of data relying on any platform of electronic communication’.[3] These services include the ‘online sale of goods, networked communication links, information hosting by the recipient of a service, point-to-point relaying of information’ and even web design.[4] Not only does this include BT, Sky and Virgin Media,[5] but also platforms such as Facebook, Google and Twitter.

Consequences: Legal v Practical

The first question this essay has to ask is what enforcement through court machinery entails, and what the consequences are if ISPs take action to enforce their Terms and Conditions.

First, what is most important to consumers of the Internet? The answer is probably the Internet services themselves. As of the first quarter of 2018, Facebook had 2.19b monthly active users.[6] Google has 1 billion users over seven different services, including YouTube and Google Play.[7] Twitter had 336 million monthly users in the most recent quarter.[8] The miscellaneous services these platforms provide – web-messaging, facilitating business transactions, video-sharing, advertisements – have become such an integral part of our lives – no matter what our profession - that we cannot afford to lose them. Facebook and Google are extremely clear about breaches of their Terms of Service. For Facebook, if one engages in ‘misleading or fraudulent behaviour’, ‘upload viruses or malicious codes’, or repeatedly ‘infringe on one’s intellectual property rights’, Facebook reserves the right ‘to disable the account’.[9] Google is even more straightforward – in the second section of ‘Using our Services’, they quickly put forth the idea of ‘suspending or stop providing their Services’ if ‘one misuses their services’.[10] Given the importance of services in our daily lives, the Terms of Service act as a powerful deterrent and indirectly enforces rules on Internet users not to engage in fraud, defamation or share objectionable content such as child pornography.

This is also seen in BT’s and Virgin Media’s Terms and Conditions. BT introduces a five-point plan of deterring people from ‘making sexist, racist or discriminatory comments’ and ‘interfer[ing] with people’s right to privacy’, which includes ‘blocking, limiting or suspending your access to any or all of our services’.[11] In Section G(6) of Virgin’s Terms and Conditions, they purport to ‘end the agreement and terminate any licence’.[12] Restricting participation on internet platforms is bad enough, it is even a greater deterrent when ISPs have the power to restrict access to the Internet altogether.

However, the counter-argument to the relative importance of ISP action to enforcing rules on Internet users is that the claims against and potential damages one might incur after breaching rules of the Internet are the biggest deterrent to Internet users, and is what motivates users to behave responsibly. This obviously comes from state legislation and case law. In the landmark case of Jack Monroe v Katie Hopkins [2017] EWHC 433 (QB) the ‘serious harm’ test of the Defamation Act 2013 came into practice and Monroe was awarded £24,000 in damages after Hopkins claimed Monroe condoned vandalization on Twitter. In another case, Sloutsker v Romanova [2015] EWHC 2053 (QB), the President of the Israel Jewish Congress was awarded £110,000 in damages against a Russian journalist who had accused him of ‘fabricating evidence of criminal prosecution’ of her husband. Paradoxically, not only does a defendant (if found liable) have to pay sizeable damages, but they also suffer from negative media coverage which can cause their reputation to plummet as well. Therefore, the high-profile nature of court cases can lead to a two-pronged wound on the defendant. This perhaps motivates a large number of people to regulate their own conduct.

However, it is clear, from the point of the victim, it is easier to go through the process of simply reporting misuse of the Terms and Conditions – such as reporting ‘discriminatory, hateful or pornographic content’ (Instagram) instead of navigating the complex legal system. Moreover, by comparison, legal claims incur the costs of litigation. If, as the case of Sloutsker v Romanova demonstrates, legal cases have the potential to run for at least three years. This could cost slightly underprivileged families a fortune in lawyer fees. On the other hand, given the egalitarian nature of the Internet, one does not need to incur monetary costs to report an incident and ISPs often take immediate action. Therefore, ISP action seems to be a better way to enforce the rules on abusive Internet users.

Finally, I would like to consider the impact of privacy policies in conjunction with the right to be forgotten. In the privacy policies of both Facebook and Google, both contain sections which state they ‘disclose personal information to protect the security of the person; to address fraud, security or technical issues’. However unlikely that people read Privacy Policies, the statement that these conglomerates have gathered such a vast literature of personal information could deter people from engaging in fraudulent or objectionable behaviour in the first place. Moreover, I would argue the more effective deterrent is in the comprehensive nature of their data collection – ranging from ‘billing information’[13] (Facebook), to ‘downloading, viewing or streaming content on a device’ (Amazon),[14] to ‘browser information and Mac Address’ (Sky).[15] When one gives up quasi-total privacy, one hopes to gain service or third-party services which will convenience them. The importance put on privacy is seen by the outrage caused by the Cambridge Analytica scandal as people’s data were harvested without consent. This is further evidenced by the implementation of the GDPR across the EU.[16] Therefore, according to these trends and incidents, a consumer certainly does not want to lose complete privacy – something an individual desperately values - and be barred from using the services after they violate the rules of the Internet. Therefore, I would argue privacy policies themselves form a strong deterrent for potential rule-breakers, and indirectly enforces rules of the Internet.

On the other hand, the recognition of the right to be forgotten in case law (Google Spain (2014))[17] is potentially dangerous as it may undermine people’s tendency to follow the rules of the Internet if they do not suffer consequent damages to their reputation in the long-term. Moreover, in a recent UK national case, a businessman won his legal action to remove search results about a criminal conviction in a landmark ‘right to be forgotten’ case.[18] If this is the trajectory the law is moving towards, given the CJEU’s ruling in 2014 which stated ‘irrelevant’ and outdated data should be erased on request,[19] people are less inclined to self-regulate their own behaviour towards defamation, discrimination and fraud due to the lack of reputational deterrence. If anything, case law - seeking to strike a compromise to the right to privacy - seems to have an adverse effect on the enforcement of Internet rules.

The Motivational Comparison: The Government and the Internet Providers

The enforcement of rules for Internet users, similar to anti-discrimination law,[20] have two overarching purposes: prevention and protection. However, when it comes to the effective enforcement of rules on the Internet, ISP action would seem to be more important. This is because ISPs have two strong motivations to act: the need to maintain an enjoyable environment and the avoidance of the costs of litigation and incurring possible liability.

First, I would argue the Internet is a separate domain where platforms value the freedom of expression, but such a value is incorporated into a framework which primarily values the enjoyment of the user. This is seen by the reference to respecting ‘Community Standards’ in four different sections of Facebook’s Terms of Service, and the emphasis on keeping the platform ‘safe and respectful’ so as to ‘build community and bring the world closer together’.[21] In the Community Standards, there are no less than six sections on how a user would breach those principles – ranging from using Facebook to coordinate harm to sexual exploitation of children. It is even arguable these Terms and Conditions go further than that of the law – for example, Facebook targets the dissemination of ‘false news’ and ‘cruel and insensitive remarks’. ISPs’ need to promote a communitarian and enjoyable online experience is particularly exemplified when ‘ideas that offend, shock and disturb’ are not limitations in paragraph 2 of article 10. On a semantic level, BT’s coinage of their Terms and Conditions ‘Acceptable Use Policy’, and the continuous emphasis of using Internet services to ‘respect people’s views’ and ‘protect people’s privacy’ by refraining from sending ‘unsolicited communications such as spam’ or ‘intentionally distress[ing] people’.[22]

Such an emphasis on an individual’s enjoyment of their services is important. If a platform fails to rectify online abuse, a consumer’s satisfaction with the service decreases and would switch to a better-regulated platform, given the plethora of alternatives available today. If consumers desert the platform, it drops in both commercial value and suffers financially due to a dip in investment from other companies.[23]

Secondly, companies could possibly incur liability. This is demonstrated by Delfi AS v Estonia (2015)[24] where the where an Internet news portal was sued for failing to take down offensive comments posted by end-users (who posted anonymously and without pre-registration) in a reasonable amount of time. Curiously, the platform had already expeditiously removed the offensive comments as soon it was notified about them, but the commercial news portal was held liable in damages as a result. Although there is an argument in Tamiz v United Kingdom (2017)[25] that Google Inc was not held liable, and that as long as the ISP does not ‘offer any content’ (as per para.116), one can definitely argue that ISPs are more motivated to strictly enforce rules on Internet users according to their Terms and Conditions in the fear that consumers will be able to sue them and claim damages as a result. Of course, this also signifies an increase in the costs of litigation, which ISPs will desperately try to avoid.

Consequently, the strong motivation of ISPs to enforce their Terms and Conditions due to financial and litigation reasons mean it is probably a more pressing concern to users of the Internet to regulate their own conduct in the first place. This is a form of effective, indirect enforcement.

On the other hand, national legislatures and international/national case law do not actively seek to enforce rules on the Internet. Instead, it focuses on a larger task of balancing the right to freedom of expression and the right to privacy, which are protected under the European Convention of Human Rights under article 10 and 8 respectively.[26] Currently, there is no one piece of UK state legislation which specifically targets responsible use of the Internet. Instead, there are several pieces of legislation such as the Fraud Act 2006, the Equality Act 2010, the Defamation Act 2013, or most recently, the Investigatory Powers Act 2016 – which tackles problems of fraudulent behaviour and discrimination via the online platforms.

However, there is an argument that courts – through case law – are more than willing to set strong legal precedent on the limits on the free use of the Internet. As the Grand Chamber in Delfi says, ‘defamatory and other types of clearly unlawful speech, including hate speech and speech inciting violence, can be disseminated like never before […] liability for defamatory speech must, in principle, be retained and constitute an effective remedy for violations of personality rights’. This was also highlighted in Google Spain (2014) where the ECJ pointed to the ‘heightened’ reach of the Internet, which makes defamation and other unlawful speech a more pressing issue for courts to resolve. Given the Internet’s increasingly ubiquitous nature, one could certainly make a compelling case that the courts’ strong incentive to punish defamation online would lead users to regulate their own conduct. However, it seems balancing rights is still at the forefront of the ECtHR’s mind, when they consider the ‘triviality of comments’, ‘extent of their publication’ and the ‘significance of damage’ (Tamiz) to whether liability in libel is made out.

The Intersection of Law and Internet Action

But perhaps this comparative exercise of which ‘body’ is more important towards the enforcement of rules on Internet users is ultimately futile, as they are ultimately complementary tools. It is worth noting that, in the Community Standards of Facebook, the Terms and Conditions of Google and the Acceptable Use Policy of BT, there is a highlighting of ‘illegality’, and the companies reserve the right to ‘report you to the police or other law enforcement agencies’.[27] This shows that ISP action often has a legal deterrent to it as well.

On the other hand, legal instruments seem to fully respect the ability of ISPs to deal with these types of situations, adapting a non-interventionist policy in ascribing liability to ISPs when they fail to rectify these types of situations. Barring Magyar v Hungary (2015),[28] the Grand Chamber has been unwilling to ascribe liability on ISPs which fail to take down third-party comments it had run on the blog – decisions stretching from Delfi (2015) (it was only the domestic courts who found them liable, and told them to pay damages at a low level), Phil v Sweden (2017)[29] and Tamiz (2017). This seems to point out that European case law has generally formed a ‘non-interventionist’ policy towards ISPs in order to preserve their independence. Therefore, one could make the argument that ‘state legislation and case law’, and ‘ISP action’, are mutually reinforcing. It follows that the exercise of determining ‘which is more important’ is one that is only theoretically interesting.


In conclusion, ISP action is more important in directly and indirectly enforcing rules on Internet users in terms of consequences and motivation, but such an exercise is practically unhelpful, given that legal machinery and ISP action mutually reinforce each other when it comes to regulating users’ behaviour and preventing wrongs such as defamation, discrimination and objectionable content.

Alvin Cheung ( is studying for a BA in Jurisprudence (Law) at the University of Oxford. 

[1] Miniwatts Marketing Group, ‘Internet World Stats – Usage and Population Statistics’ (May 7 2018)

[2] Dave Lee, ‘Internet used by 3.2 billion people in 2015’ (BBC Technology Report on Internet use, May 26 2015):

[3] Council Directive (EC) 2000/31 article 2 which provides regulatory framework to e-commerce

[4] Adebola Adeyemi, ‘Liability and exemptions of internet service providers (ISPS): assessing the EU electronic commerce legal regime’ (2018) 24(1) CTLR 6

[5] ISPreview, ‘Top 10 Broadband ISPs’ (2018),

[6] Statista, ‘Number of monthly active Facebook users worldwide as of 1st quarter 2018’ (Statistics and Studies from more than 22,500 Sources 2018),

[7] Ben Popper, ‘Google announces over 2 billion monthly active devices on Android’ (The Verge 2017),

[8] Statista, ‘Number of monthly active international Twitter users’,

[9] Facebook, ‘Terms of Service’, (Section 3: Your commitments to Facebook and community April 19 2018),,

[10] Google, ‘Google Terms of Service’, (Using our Services October 25 2017),

[11] British Telecommunications plc., ‘Consumer Acceptable Use Policy’, (Our rights 2018),,

[12] Virgin Media, ‘Terms and Conditions’, (Using the Services 2018),

[13] Facebook, ‘Data Policy’ (2018),

[14] Amazon, ‘Privacy Notice’ (Security and Policy Legal Policies, 22 May 2018),

[15] Sky, ‘Sky Privacy and Cookies Notice’ (2018),

[16] Intersoft Consulting, ‘General Data Protection Regulation: Article 15 – Right to access by the data subject’ (2018). This includes mandatory pseudonymization, and the right to access and knowledge on how an individual’s information is processed (Article 15).

[17] Somewhat contrasts to Wegrzynowski and Smolczewski v. Poland (2013)). This recognizes that the GDPR has replaced the ‘right to be forgotten’ with the ‘right to erasure’

[18] Jamie Grieson and Ben Quinn, ‘Google loses landmark ‘right to be forgotten’ case’, (The Guardian article on Technology and Right to be Forgotten 13 April 2018):

[19] Case C-131/12, Google Spain SL v Agencia Española de Protección de Datos [2014] ECJ 317

[20] Iyiola Solanke, Discrimination as Stigma: A Theory of Anti-discrimination Law (Bloomsbury, Portland 2017)

[21] Facebook, ‘Community Standards’ (2018),

[22] BT, ‘Consumer Acceptable Use Policy’

[23] Such as a dip in advertisements

[24] Delfi AS v. Estonia (64569/09) [2015] EMLR 26 (ECHR (Grand Chamber))

[25] Tamiz v. United Kingdom (3877/14) (2017)

[26] Siofra O’Leary, ‘Balancing rights in a digital age’, Irish Jurist (2018), 59. 59-62.  30 BT, ‘Acceptable Use Policy’

[27] BT, ‘Acceptable Use Policy’

[28] Magyar v. Hungary (64569/09) (2015)

[29] Pihl v. Sweden (4742/14) (2017)

Published: 2018-07-09T12:50:00

    Please wait...