BRITISH COUNCIL & ARTICLE 19 "RIGHT TO KNOW" CONFERENCE - 6-11 FEB 2000

International and domestic Internet regulation – cases, contradictions and trends

The essence and purpose of the worldwide web was to enable and promote the free exchange of information and ideas – free in all senses – free from geographical boundaries, free from censorship and free from financial charge. Regulation was neither intended nor envisaged.

However the old adage "one person’s freedom ends where another’s starts" is as relevant to the global opportunities offered by the internet as it is to any other dealing or relationship in life. Moreover society demands protection for its vulnerable members and this is probably the primary justification for all international and domestic regulation.

The perennial debate between privacy and freedom of expression as against centralised regulation is now taking place in the global context of the internet and very different approaches are being adopted and developed in the laws of different countries. Because of its global nature the application of all these rules is relevant to anyone using the internet – it is unrealistic to view issues only on a national level – the whole world is the market.

My practice involves the consideration of legislation and case law in the US, UK and other EU member states as well as EU directives and in this talk I am going to touch on the areas where regulation is in place either directly or indirectly.

The protection of personal data is a potential casualty of the massive exchange and availability of information on the net. The privacy of net users and confidentiality of their communications is or should be protected by Data Protection laws but in fact is threatened by competing laws such as those that restrict the use of encryption.

The UK Data Protection Act 1998 and the Data Protection and Privacy Regulations which implement EU directives come into force on 1st March. Under the rules any controller of personal data stored on computer must register with the Data Protection Commissioner and this applies to users outside the EU who use equipment in the UK to process data for use and/or transit outside the UK. A controller is defined as a person who determines the purposes for which and the manner in which personal data are processed. Failure to comply with registration and other formal procedures under the Act attracts criminal liability punishable by fine.

All data controllers must similarly comply with the data protection principles found in the Act and this also applies to data controllers who only process on paper and need not register. Civil courts can award compensation against data controllers for contravention of this and other requirements under the Act and order rectification, blocking, erasure or destruction of inaccurate data.

This means that any data processor wherever based who has an online presence, for example a publisher of online newspapers, or any e-commerce trader/dealer that is subscription based, or accepts credit card payment, and uses any equipment/unit in the UK must ensure that personal data is processed fairly. This generally requires consent of the data subject unless the processing is necessary to comply with legal obligations or in the interests of the data subject. The data must be accurate and up to date, it must not be kept for longer than necessary and as well as being secure within the UK must not be transferred outside the UK unless there is a corresponding level of protection guaranteed which should be the case within the EU.

There are exemptions from registration and compliance with the data protection principles – generally where data is processed for purely personal purposes or pursuant to various governmental judicial or legislative requirements. ISPs and the software and hardware industry are obviously integral to the net but they are also in the front line when allegations of invasion of privacy are made. Registration is essential and the net user should be informed about the use of invisible processing such as cookies, automatic hyperlinks and all hidden source code that identifies or discloses personal details and have the option to refuse such processing.

The UK is relatively amenable to the EU principles – the US is not. Freedom of speech enshrined in the First Amendment underpins federal and state jurisprudence and is probably the reason for this. The perceived shortcomings in the protection afforded personal data in the US are the subject of a continuing dialogue between the European Commission and the US Government concerning what are called the "international safe harbour principles." Unless agreement is reached there could be real obstacles to continuing economic activity between Europe and the US. The current proposal is for a complainant to enforce directly within the US for breach but there is as yet no guarantee that the US will accept jurisdiction or legislate to extend its existing laws that only provide redress based on "deceptive business practice".

The development of encryption systems has enabled net users to control their own data protection and to maintain confidentiality and anonymity over the net. Encryption has met with markedly different approaches worldwide.

The EU’s main objective is to promote unrestricted economic activity throughout its member states and in its amended proposal the E-Commerce Directive has expressly stated that to ensure the confidentiality of electronic messages Member States should abstain from prohibiting or restricting the use of cryptographic methods or similar tools. Despite this some of the national governments have rules restricting the use of encryption. For example, in France the import of most secure encryption systems is restricted and there is a requirement to deposit with a public officer the key to decode a message when required by a competent authority.

This is known as key escrow and is expressly excluded by the UK Electronic Communications Bill currently before Parliament. The original Bill has been amended and no longer includes the much-publicised and controversial section dealing with the investigation of protected electronic data. However this area is now covered in the Regulation of Investigatory Powers Bill (RIP) sponsored by the Home Office and being introduced this month. RIP preserves the principle that law enforcement agencies under judicial/governmental warrant will be able to demand the key to decrypt electronic data in its possession from whomever they think may have it. The original Bill carried penalties for non-compliance – up to 5 years and a further 2 for disclosing the demand! It is obvious that such measures will affect data protection principles and are capable of being used to decode data beyond what is needed for genuine law enforcement.

The US has recently relaxed its laws prohibiting the export of powerful encryption systems but it is still ambivalent about its national response. Last May the Ninth Circuit US Court of Appeal ordered a rehearing in respect of a 2/1 ruling that computer source code is speech protected by the First Amendment and that it can therefore be posted on the net without government approval.

Another problem area is where to make claims in respect of internet matters. The global reach of the internet and the speed of net transmission make it more difficult to identify and stop those infringing or otherwise damaging personal and intellectual property rights. There are difficult jurisdictional issues involved and these become even more important where one country’s laws are diametrically opposed to those of another.

For example, the UK is notorious for its defamation laws which require the defendant to prove the truth of a published statement rather than the claimant to prove that the allegation is false. Accordingly a number of foreign claimants have brought proceedings in the UK against foreign defendants rather than litigate in the country of either party.

Perhaps the best known Internet litigator in this area is Dr. Laurence Godfrey who is a physics lecturer and researcher. Dr. Godfrey has spent much of the last 10 years bringing libel actions in the UK against newsgroup users and ISPs. In most of the cases the allegedly defamatory material was posted by non-UK residents in newsgroups hosted on servers outside the UK. In a series of UK actions Godfrey was successful in recovering what might best be described as a nuisance settlement.

Godfrey also provided the UK with its first judicial ruling on defamation on the net by suing Demon in 1998. The decision is based on the court’s interpretation of the Defamation Act 1996 which excludes an ISP from liability as a publisher but apparently imposes liability for publication as secondary publisher on transmission of a defamatory posting – once notified of the offending material an ISP is under a duty to remove it. This decision is difficult and raises more questions than it answers but it is in line with the proposed E-Commerce Directive which excludes criminal and civil liability for intermediaries acting as mere conduits in transmitting/hosting information unless and until they have actual knowledge of an unlawful activity/information and fail to remove or disable the activity/information expeditiously.

There must of course be a publication in the UK to found jurisdiction but this can be satisfied by the existence of a single newspaper for example. So what amounts to "publication" on the net? Does mere access from the UK satisfy this or do you need proof of hits from the UK and how many? As a foreign site operator do you become UK based if your site is automatically mirrored onto a UK site? There has been no ruling on this point in the UK and the US has tended to find jurisdiction where the defendant has targeted its statement. There are cases on this that I have referenced in my paper if anyone is interested in further research: Nicosia v De Rooy No. C98-3029 MMC (N.D. Cal. 1999) and Blakey v Continental Airlines Inc. 992 F. Supp 731 (D.N.J. 1998).

The E-Commerce Directive also provides some help on jurisdictional issues between member states. It specifies that a service provider is established and situated where it has the centre of its economic activities and therefore neither the location of the technology used nor the ability to access an internet site will of itself found jurisdiction. In Europe there is also current consultation on amendments to the Brussels and Rome Conventions which deal with the determination of jurisdiction and applicable law respectively in issues arising between contracting states to accommodate the impact and reality of online communications.

In a recent case brought by the Federal Trade Commission (FTC) in the US, an Australian and a Portuguese national were each injuncted for pagejacking. This involves replicating web pages, including the meta-tags, for use on the defendants' own sites, where JavaScript added by the defendants directed unsuspecting users to the defendants' own sexually explicit sites from which they were unable to escape (mouse trapping). Jurisdiction is founded on the basis of minimum contacts with the US which is established by using the internet to contract and solicit business in the jurisdiction.

The Directive also provides that member states shall not impose a general obligation on ISPs to monitor transmitted or stored information. However a recent case in France has come perilously close to doing just that. In Lynda Lacoste v Multimania Company & Ors in December the Nanterre court distinguished between an internet access provider and hosting service and held that in providing the latter an ISP is under a duty of care to inform, control and act. It must inform its subscribers of third party rights and it must adopt reasonable measures that a professional would implement to avoid obviously illegal content. The court also considered that an ISP should require identification elements of its subscribers. This severe judgment not only runs contrary to the proposed Directive but raises important privacy issues.

The distinction between control over transmission and control over content and the respective liability of ISPs and authors is the subject of a variety of case law and legislation. The US made a deliberate policy decision aimed at promoting use of the net in excluding liability for all providers and users of interactive computer services in respect of third party content. The relevant provision is s230(c) Communications Decency Act 1996 (CDA). This section is effective even where the ISP has editorial control over third party content (Blumenthal v Drudge & AOL 992 F.Supp. 44 D.D.C.1998) which is arguably unfair to print editors who have no corresponding protection.

It is intended that the proposed E-Commerce Directive and the Directive on the harmonisation of certain aspects of intellectual property rights come into force simultaneously to establish a clear framework of rules relevant to the issue of liability of intermediaries for all such types of infringement at EU level. Meanwhile the fact that ISPs are excluded from liability in the proposed Directives has not prevented the French courts (again!) from providing case law to the contrary in holding that an ISP would have been held liable for infringement of copyright and trademark despite being merely passive and acting diligently on notification. (Christian Dior/Jean Paul Gaultier v Fashion TV Paris & Ors 22nd February 1999).

The US CDA expressly excludes copyright which is dealt with under the Digital Millennium Copyright Act 1998 ("DMCA") and excludes liability if offending material is removed on notification. A new anti-cybersquatting law has been introduced into the US Trademark Act 1946 and s43(d) provides a new civil offence for anyone who with a bad faith intent to profit registers, traffics or uses a domain name that is identical or confusingly similar to a mark distinctive at time of registration of the domain name or is identical, confusingly similar or dilutive of a mark famous at the time of registration.

This should clarify the law and hopefully halt the enormous growth of domain name litigation in the US where claims of infringement (requiring confusion) and dilution (blurring/tarnishing and not requiring confusion) have involved not only domain name registrants but the Registrars/Registries themselves such as Network Solutions Inc. ("NSI"). The Act confirms the Lockheed Martin Corp. decision in October 1999 that NSI had insufficient control over the means of infringement, was akin to a post office in providing a service not a product and could not be a contributory infringer. Section 32(2) excludes a domain name authority from liability for infringement so long as it acts expeditiously to suspend, modify or transfer the domain name and to supply the court with documents in the event of dispute over use of a domain name.

 

The continuing development of more and more sophisticated technology enabling consumers to communicate and create in ever-increasing ways will lead to different circumstances with legal implications. The Third Voice software application which enables personal annotations to be made on third party text and published to other Third Voice users raises a copyright issue. Do these electronic notes have the same effect as footnotes appearing on the subsequent publication of a copyrighted printed work? The latter would necessarily involve reproduction of the work and undoubtedly attract liability for infringement. However in the former case the postings themselves are stored on Third Voice’s server as a separate and discrete layer of information – rather like drawing a moustache on Warhol’s Marilyn Monroe through tracing paper or a transparency. Accordingly, when the electronic note is opened within the text by a Third Voice user, it is arguable that the note and text are not published together in the physical sense although this effect is produced.

There is no global regulation of the Internet as such but this paper outlines the rules being formulated and imposed by the governments and courts of various jurisdictions. There is also a fair amount of self-regulation. The World Intellectual Property Organisation (WIPO) is very effective in actively promoting codes of conduct and global resolution procedures for the mutual benefit of rights owners and users. The Internet Corporation for Assigned Names and Numbers (ICANN) has recently reached agreement with Network Solutions Inc (NSI) whereby the latter has relinquished its monopoly over domain name registration and is co-operating in an accreditation and resolution process. In the music industry the success of MP3 spawned much litigation largely brought by the Recording Industry Association of America (RIAA) concerned to protect its artists' revenue. There has been some backing off – artists want exposure as well as revenue – but the truce is only tentative and MP3.com is in trouble over its latest service to users.

The Internet Watch Foundation (IWF) was set up in the UK in 1996 to meet the growing concern about the availability of illegal material – especially child pornography – on the net. It works with government, industry and consumers to achieve its objectives of hindering the transmission of such material and producing a labelling, rating and filtering system operative in the hands of the user. Last year it was integral in the establishment of a European consortium – INCORE (Internet Content Rating for Europe) which is now going global with partners in Australia and the US.

I appreciate that my talk may have raised more questions than it has answered. I suspect that this will not change and the exponential growth of the internet and related technologies will continue to outstrip the efforts of the regulators.

 

Marietta Cauchi is a Solicitor with London firm Finers Stephens Innocent and has written individual articles on a number of the topics referred to above for national and international publications.

Copyright © Marietta Cauchi February 2000