CG v Facebook: Privacy Protection Online

February 27, 2015

The extent to which privacy and data protection rights can effectively resonate within the online environment is an acutely important issue for all information law practitioners. Moreover, it is an issue which seems to be gaining ever increasing traction in the litigation context, as is illustrated not least by the following developments.

  • As most readers will know, last year the CJEU sent shock waves through the information law community when it held, in Google Spain, that EU data protection legislation operated so as to enable the so-called ‘right to be forgotten’ to be asserted against Google. (That principle is due to receive further consideration from our domestic courts in the forthcoming case of Max Mosley v Google – see here).
  • Then we had the judgment of the High Court in Vidal-Hall v Google, where the court concluded, in the face of a jurisdictional defence mounted by Google, that claims brought against Google concerning its tracking of the internet browsing habits of users could properly proceed. (An appeal against the High Court’s judgment in that case is due to be heard by the Court of Appeal on 2/3 March – the ICO is intervening in support of the claimants’ case).
  • Now the High Court in Northern Ireland has given judgment in an important case involving a compensation claim made against Facebook: CG v Facebook & Anor [2015] NIQB 11.

Key aspects of the CG judgment are as follows:

  • The claim was brought by a convicted paedophile in respect of a series of postings placed on Facebook by third parties, one of whom had been named as second defendant to the claims. The postings not only included data amounting to vituperative name-calling but also repeated incitements to violence in respect of the claimant.
  • The High Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant’s private information by failing to delete the postings after Facebook’s attention had been drawn to their existence.
  • The High Court rejected Facebook’s assertion that its liability in respect of the postings was excluded on an application of the Electronic Commerce (EC Directive) Regulations 2002. On this issue, the court held that: (a) the Regulations only immunise the relevant information society service (ISS) against liability if the ISS has no actual or constructive knowledge of the unlawful activity on its site or, if it has acquired that knowledge, it acts expeditiously to remove or disable access to the relevant information and (b) Facebook could not rely on the Regulations in the present case because, after being notified of the relevant postings, Facebook had failed to remove or disable access to them.
  • The second defendant, an individual who was responsible for one of the disputed postings, was liable for misuse of the claimant’s private information in his capacity as primary publisher. He was also liable for harassment under the Protection from Harassment Act.
  • As for the claim under the DPA 1998, which was brought only against Facebook and not against the second defendant, that claim could not proceed because, on an application of the Data Protection Act 1998, s 5, the claim fell outside of the territorial ambit of the legislation. (Notably no reference was made in this context to the CJEU’s approach to territorial ambit under the data protection Directive in the Google Spain case).
  • Whilst no claim under the Data Protection Act 1998 was pleaded against the second defendant, the court made the following points about the application of the journalistic exemption contained in s 32:
    • The court noted that the claimant had conceded that the second defendant’s activities in posting material on Facebook might amount to ‘journalism’.
    • However, the court went on to conclude there was no scope for the second defendant to rely on the journalistic exemption contained in s 32. This was particularly because the second defendant could not have had any ‘reasonable’ belief that his publications were in the public interest for the purposes of s 32(1)(b).
  • The claimant was awarded £20,000 in compensation in respect of his claim for misuse of private information.

What is interesting and important about the CG judgment is that it reinforces the point that organisations which operate merely so as to facilitate online freedom of expression can no longer safely assume that they are always operating in the stratosphere, far above the mire of the privacy litigation battlefield. Instead, they must appreciate that those rights are sufficiently flexible and powerful that they can potentially draw such organisations firmly into the fray.

The full judgment is here.

Anya Proops is a barrister at 11KBW. Anya practises in information law, human rights law, public law and employment law. She is recognised in the Legal 500 as the pre-eminent leading junior in the data protection field. This report of the case first appeared as a blog post on the invaluable Panopticon blog: http://www.panopticonblog.com/