Lecture Notes by Colette Oostra
Technological developments since World War II have led to the convergence of computing and telecommunications. The traditional postal, telephone, and telegraph services developed over the past century are being both supplemented and replaced by the continuing emergence of new communications services. Following these developments, some concerns have been expressed regarding the impact of the new information technologies on existing economic, social and cultural structures. The rapid development of the Internet and the growth in the types and number of services is transforming the way we live and work as employees and citizens: for example, the Internet brings important changes to the way goods and services are brought and sold.
The Internet has been compared with the old Wild West where laws were rarely invoked. But this analogy is not quite correct. There is a consensus that activity on the Internet cannot be exempted from the basic legal principles that are applied elsewhere:
A first concern is that the Internet appears to be a new forum for criminal behavior online. Initially, the main focus of attention for policy-makers was the potential of the Internet both as a forum for criminal or undesirable behavior (such as the distribution of child pornography) and as a "safe" means of communication to facilitate criminal activities off-line. A problem for these new criminal activities is the difficulty of detecting the fact that illegal activity has taken place and then identifying the liable person. Who is responsible for placing a particular piece of child pornography on the Internet? Who has failed to declare for taxation in respect of services offered online? Who has downloaded a particular piece of copyright-protected material? Gradually, it has become apparent that many other issues are involved, like online commercial activities, protection of intellectual property rights etc.
A second concern was related to the increasing trans-border data flow on the Internet. The transmission of data across national borders in electronic form was one of the earliest manifestations of the new forms of communications and the potential impact of transborder data flows became an important issue. Trans-border data flows cover all kinds of electronic transmission of information across political and cultural boundaries for processing or storing in computer files. Today, the increasing uses of telecommunications channels and the merger of previously disparate telecommunications and computer technologies have rendered the transfer of data from one country to another commonplace and have created an emerging international information economy.
The legal environment of these international flows has received more and more attention because of their significance for economic growth and international trade. From an economic point of view, an efficient international information flow, together with international trade and investment, permit the optimal utilization of global resources and promote the exchange of data necessary for further innovation.
For the International Chamber of Commerce, there is a need for an unrestricted flow of business information because of the vital importance of the efficient exchange of information in the development and growth of modern international trade and production. There is a right of a business to communicate freely within and outside its corporate structure; and there is a right of business to access and utilize national and international communications facilities on a fair, competitive and non-discriminatory basis. The legal framework must constitute a tool for developing free international information flows.
However, according to the Chamber of Commerce, the legal framework can also create potential barriers to the free flow of information. The discrepancies between national regulations can inhibit the growth of international data flows. Multinational enterprises and US government have complained about what they call neo-protectionist measures taken by several countries. These barriers have been erected for different reasons, some economic in nature, others based on conceptions of national sovereignty interests, national security, competitiveness and productivity regulations, employment, computer-related-crime, taxation, intellectual property etc. The diversity of national regulations create a barrier to international flows of information: the legal requirements for various areas are deeply different and can constitute a source of economic and organizational problems for the companies which develop international business activities. Different national provisions could even lead to restriction or prohibition of international flow of information.
Therefore international activities for the development of legal instruments by international organizations started in the seventies. Intense International efforts to reduce the national discrepancies and to harmonize regulations in respect of these issues have been developed in international organizations like the Council of Europe, the OECD, the EU, the United Nations etc. But it was clear that--in this international environment--it was not only necessary to promote a free transborder data flow; it is also necessary to take into account other opposite needs. Legal issues related to use of new information technology that might lead to restrictions of transborder data flow have been identified. Privacy and data protection, intellectual property, trade documentation, liability of ISP, security of information etc. have been subject of regulation at international level. The need for additional legislation or regulation in these fields has been examined by national and international authorities.
The Internet is a global, almost instantaneous medium of communication and exchange propelling economies and impacting societies around the world. It is a "network of networks" linking businesses, government, homes, and institutions to a wide range of interactive services, from educational and cultural products to social services, databanks, computers, electronic commerce, banking, business services etc.
The internet is not lawless. Law has always applied to the Internet, but new questions arise about how that law will be applied--and it is not always with the same predictability or certainty as is found with more traditional topics.
What is the organization and governance of the internet? How does the internet work? Internet networking is based on information being broken down into smaller pieces, or packets, that is transmitted to its destination by routers and servers, dependent on a type of address system known as the TCP/IP protocol (Transmission Control Protocol/Internet Protocol). To work as a network, each user linking to it must have a direct identifier (an IP address) recognizable by a domain name system server and must send messages or carry data which are recognizable by the network.
What is absent from the list of players in the fields of technical growth and governance is any governmental institution. The architecture of the internet--which includes ease of access, competition, interactivity, trans-nationality and almost boundless expandability--resists control by public authorities. There are, of course, relationships between governmental organizations and private organizations operating on the internet. But national and international governmental establishments have hesitated to supplant the system of management which has grown up in the private sector; consequently a structure of private non-governmental organizations have emerged which perform a public function. Example: In the USA, the management of the naming system is controlled by the Internet Corporation Assigned Names and Numbers (ICANN). ICANN is a non-profit corporation formed to assume responsibility for the IP space allocation, root server system management functions etc. It has a relationship with the US Department of Commerce, the European Commission and the World Intellectual Property Organization (WIPO) - which is a subgroup of the United Nations. For example, WIPO conducted a study of the relationship between domain names and intellectual property and made recommendations to ICANN. For domain names disputes: ICANN rules now allow the complainant to select the dispute resolution provider who will adjudicate the claim from among a list approved by ICANN, thereby reducing the dominance of US law through the choice, for example, of the WIPO Arbitration and Mediation Center.
But private organizations performing a public function--or not--are the most important actors on the Internet at this moment.
Does Internet law exist as a new legal discipline? The Internet is a complex and multinational environment where traditional concepts of regulation may not be easily applicable or enforceable. Special problems are created because of the now-familiar features such as disembodying in time and space of actor and action, the amount of traffic, and the universality of the traffic. The consequent legal difficulties are often evidential and procedural but there is no distinct new international jurisdiction called Internetcourt!
But to set one's face entirely against cyberlaw is to ignore the socially transformative nature of the internet. New relationships and transactions can be created, and the modalities by which they are secured can also be new. The way is to progress through the adaptation of existing law, as augmented by techniques of governance. In this way, it becomes possible to talk of a cyberlaw / computer law--the legal answers to issues that arise within cyberspace--so long as it is realized that many of the answers are not unique to cyberspace and may not require the passage of new laws but adaptation of existing law / case law. Examples include intellectual property and theft. But there must be innovation since the "prospect of a vast array of new services" is looming. Some legal innovation will respond to the features of the internet outlined above: electronic commerce, computer crime viruses, hacking computer systems etc.
The very design of Internet technology creates a potentially infinite communications complex which cannot readily be bounded by one government or even several acting in concert. The Internet is too widespread to be easily dominated by any single government. It is a complex and multi-national environment where traditional concepts of regulation may not be easily applicable or enforceable. Nations must abjure their traditional monopolization of the policing and regulatory functions. Rules and rule-making do exist, but the identities of the rulemakers and the instruments used to establish rules do not conform to classic patterns of regulations. As well as direct legal responses by national or international sovereigns, the new legal environment of the Internet is "a complex mix of state, business, technical and citizens' forces". There is an activation of more varied levels of power at second hand: in this way, laws, regulations and standards affect the development of the Internet. This is also true for self-regulatory solutions introduced for the availability of certain types of content on the Internet.
These new instruments--soft law self-regulation--establishing rules have the following advantages:
The Internet has engendered harmful behaviors in three broad ways:
Each type of cyber-behaviour requires a different strategic response. This observation is based upon the following elements:
Visibility of the harmful behavior is also a problem: it is very difficult to collect reliable data to estimate the extent of cybercrime, especially with regard to hacking and commercial activities.
For the policing of the Internet to achieve and maintain order, a distinction must be made between interest groups that seek to promote values, bodies which seek to create rules and laws, and bodies which seek to enforce them.
Interest groups draw their mandate from their support of a range of specific moral or political issues. (They promote their values and points-of-view.) Such interest groups range from organizations like Cyber-Rights and Cyber-Liberties, to groupings as the Internet Service Providers Association which actively seeks to promote the interests of ISPs in the UK. This category also includes the various pressure groups which represent specific concerns and who lobby in order to further their cause or protect the interests of their members.
The bodies which seek to create rules and law include policy-making groups and legislators at both national and international levels in the case of the OECD and the European Union. Their mandate is derived, directly or indirectly, from the formal democratic process. The "regulators" tend to depict the problem of cybercrimes as being an overall lack of effective regulation: they demand changes in law to empower and strengthen the existing powers of police and other regulatory organizations.
There are various organizations which are actively involved in the policing of cyberspace and which exist to enforce the norms of the former groups through various management strategies that effect a policing function. There are four main levels where policing activities take place within cyberspace:
The information above shows that there exists a pluralistic structure which currently polices the Internet and maintains order under the shadow of law, but enforces rules and laws where required. This structure combines elements of both public and private models of policing.
However, a number of questions arise regarding their future: it is likely that the incidence of cybercrime will continue to increase in proportion to the number of users. For example, during two years (96-98) the National Computing Center found that the reporting of computer-related thefts rose by 60 per cent. The annual increase will continue with the expansion of many new innovative retail practices that fall under the banner of e-commerce. This expansion suggests that the demand placed upon the state-funded police organizations will also increase where the other ways of policing fail to deal with criminal behaviors. So the question is whether or not this structure will endure, or whether the public policing function will be expanded to include the Internet. And it seems to be that this outcome will be inevitable.
A next step is the settlement of disputes on the Internet: jurisdiction and choice of law in a borderless electronic environment. The legal concept of jurisdiction is the basis for the legitimate exercise of legal authority. Traditional rules are based on geographic and political borders. A country's laws are enforceable within its territorial limits. For a national or state government to possess the power to apply its laws in a particular case, the judicial branch of that government must have jurisdiction over the subject matter of the dispute, and the defendant in the case: this is known as personal jurisdiction. A court that lacks jurisdiction over the subject matter cannot make an enforceable ruling on the merits of the case, and a court that lacks jurisdiction over the defendant cannot make a ruling that is enforceable against that defendant.
Legal systems vary around the world. Uniform domestic laws may be promoted through cooperative and consultative international groups, such as the United Nations. However, there is no overarching international court or legal systems to resolve a dispute about tort/contracts between persons from different countries. Therefore, jurisdiction, which means whether a court has the authority to hear the case, is an essential part of our legal review: the Internet knows no physical borders and laws of countries are not uniform, so which court can hear a case is a question of utmost importance.
The trans-jurisdictional nature of cybercrimes creates a problem for the enforcement of law. Decisions become complicated where different jurisdictions cover the location of the offence committed, the offender, victim, and impact of the offence. It leads to forum shopping: the prosecutors seek a site where they feel a conviction would be best secured. You could choose the US or UK because of the greater likelihood of conviction when it is easier to gain a conviction in one of those countries.
Mercedes, the German corporation and maker of the famous cars, sues Mercedes Dot.Com Inc., a Canadian corporation that provided an online news service, for the latter's registration of Internet domain names using "Mercedes". The suit is brought in Germany and the Canadian company argues that the German court does not have personal jurisdiction over it.
The court could use the principle of substantial connection: the exercise of jurisdiction is determined by examining the level of interactivity and commercial nature of the exchange of information that occurs on the website. The Court must therefore examine whether the Dot.Com is conducting electronic commerce with German residents to establish substantial connection of the activities with Germany. The Court would consider several factors like: Has Dot.Com contracted with a lot of individuals and with Internet access providers in Germany? What is the intended object of these transactions? Does the downloading of the electronic messages form the basis of this suit in Germany?
If the purpose of the activities is not simply advertising--if contracts have been concluded with services providers, and/or the company has sold passwords to a lot of subscribers--the court will conclude that there is a substantial connection with Germany and, consequently, the court of Germany will have personal jurisdiction over the case. If this substantial connection is not established, then the German Court has no jurisdiction over the case. The Canadian Court has.
The EU Directive on E-commerce has clarified the situation within the European Union: the national law of the country where the service provider has his/her establishment has jurisdiction on the case.
Liability on the ground of defamation: defamation is a publication of a false statement injurious to the reputation of another. Statements as used in the laws on defamation have been defined widely to include words, visual images, gestures, and any other method of signifying meaning. The plaintiff only needs to prove:
Defamation is of particular significance to publications made via the Internet. The Internet comprises a worldwide web, so issues involving multi-state defamation arise, and it may not be clear which court has jurisdiction and which law applies.
Principles developed for newspapers or television apply on the Internet. The internet ought to be considered no differently from extant principles that have been developed for newspapers or television. Information placed by a web-site provider for access over the Internet is sent by that person to others (potentially millions of others, simultaneously in many different jurisdictions) just as a fax or letter or TV transmission is sent by its author. However, the Internet does provide unique factual circumstances in which multi-state defamation may be committed in that it has the ability of making information available simultaneously in every jurisdiction in the world.
There are numerous opportunities for defamation on the Internet: many long-time users of bulletin boards and chatrooms see the Internet as a place where one can take on any identity and say almost anything. Examples include user messages sent to all members of a particular Internet group or posted on a web site, defamatory material contained in a database, posting on a bulletin board or in a chat session, or specific e-mail messages sent and forwarded to one or more recipients.
Peter has his domicile in England. He was employed at a bureau de change, Chequepoint International, which is a French enterprise operating a number of banks in France and elsewhere in Europe. Peter claimed damages for harm caused by the publication of a defamatory message on the site Dirty Money.com. This message refers to an alleged investigation by French police into the laundering of money obtained from the sale of drugs by, in particular, the Paris bureau de change in which Peter was temporarily employed for three months and to whom reference by name was made in the article. In France, the defendants published a retraction and apology in respect of Peter and Chequepoint International (in French). Peter replied: the action, subsequent to amendments to the statement of claim, related solely to publication in England and Wales, not France. Dirty Money seeks to strike out the claim as fundamentally there was no jurisdiction since no harmful event had occurred in England. Dirty money claimed that the French courts had jurisdiction in the dispute.
The Brussels Convention in Europe applies in the European Union for determining the jurisdiction of Member States on specific cases. The Convention stipulates that the place where the harmful event occurs has jurisdiction on it. The defendants argued that the English courts did not have jurisdiction under the Convention as the place where the harmful event occurred was France and no harmful event has taken place in England.
The primary ground of jurisdiction in the Convention is in favor of the defendant: in principle, the court of the defendant's domicile will have jurisdiction over the dispute. However, there is also a derogation from the general principle: in some cases, the courts of the Contracting State of the plaintiff's domicile have jurisdiction.
A preliminary ruling by the European Court of Justice for the interpretation of the Convention was required to determine where the harmful event occurred (with a view to establishing which court had jurisdiction to hear an action for damages). The European Court of Justice held that the place where the harmful event occurred included both the place where the damage occurred and the place of the event giving rise to it.
The plaintiff has the option of suing the defendant in either jurisdiction. There is a co-existent jurisdiction: at the option of the plaintiff (Peter), the place where the damage occurred may also have jurisdiction to hear the dispute. Where a message is distributed in several countries from a site located in a specific country, the place of the event giving rise to the damage (causal event), can only be where the miscreant publisher is established: that is the place where the harmful event originated and from which the defamatory statement was used and put into circulation. The court of the place where the sender is established has jurisdiction to hear the whole action for all damage caused by the unlawful event. That jurisdiction will usually coincide with the defendant's domicile.
The damage caused by a defamatory publication occurs in the places in which the publication was distributed and in which the victim claims to have injury to his reputation. The Contracting States in which the publication was distributed and in which the victim claims to have suffered injury to his/her reputation have jurisdiction to rule on the injury caused in that state to the victim's reputation.
Where does the damage occur in the case of an international libel published, for example, throughout each individual member state and originating from a French web-site?
The rules prescribed by the Court of Justice must apply to torts facilitated by use of the internet. The Internet ought to be considered no differently from extant principles that have been developed for television or newspapers. In the context of defamatory material circulated over the internet, the territory where the defendant web server is domiciled will have the jurisdiction to hear the dispute. This jurisdiction applies to the totality of the harmful publications of libellous material that is published in each and every Contracting State. However, the damage caused by a defamatory publication also occurs in the places in which the publication via the Internet was distributed: the territory where the victim claims to have injury to his/her reputation will also have jurisdiction to hear the dispute.
The underlying idea is the establishment of a close connecting factor between a dispute and the court which should hear the matter on the basis of the sound administration of justice. It creates a multiplicity of competent fora having jurisdiction over international libels committed via the Internet.
Suppose a defamatory statement is disseminated from an English web-site and is accessed in Germany where the victim has a reputation. Assume that the English Court has taken jurisdiction over the litigation in accordance with the defendant's domicile. Which law should be applied by the English court--English or German law?
In the case of a defamatory statement disseminated from an English website that is accessed in Germany where the plaintiff has a significant reputation, the plaintiff must according to the principle of double actionability establish:
A person claiming to be victim of online defamation may face some difficult problems:
The facts: Compuserve carried a publication in one of its forums called Rumorville, a newsletter about broadcast journalism. Cubby has recently begun publishing Skuttkebut, which was intended to be a competitor of Rumorville. Cubby alleged that Rumorville made defamatory statements about Skuttlebut that damaged its reputation. Cubby sued the principal of Rumorville as well as Compuserve, the ISP.
The Court: Compuserve's liability depended on whether it was a publisher of the defamatory statements or a distributor of them. That is the same distinction that shields bookstores from liability for the contents of the books they sell. It would be impossible to require booksellers to ensure that the contents of their inventory contained no defamatory speech. A bookstore is merely a distributor of the books. ISPs may be distributors and escape liability if they do not edit or otherwise regulate the material posted in their online services. If the ISPs do not edit the material, they will be protected from liability. However, an online service that edits, reviews, or reformulates the material would be liable as a publisher, similar to a newspaper. Compuserve, which did not review or edit the material posted by Rumorville, could not be held liable for any defamatory content.
The distinction between publisher/distributor applies in the European Union (Directive on e-commerce).
In 1996, the distinction publisher-distributor applicable to offline and online publications was overruled by Congress. Section 230 of the Communications Decency Act creates an immunity for ISPs for defamation claims.
The facts: On April 25, 1995 an anonymous posting on an AOL (America Online) bulletin board advertised "Naughty Oklahoma T-shirts" displaying offensive slogans relating to the April 19th bombing of the federal building in Oklahoma City. Interested persons were directed to contact Kenneth Zeran in Seattle, Washington. Zeran's home phone number was listed on the site. Zeran was not in any way involved in the posting or the T-shirts. He received a lot of calls, including death threats. He contacted AOL and was assured that the posting would be removed, but that AOL policy prohibited a retraction. On April 26 and over the next 4 days, there were additional postings advertising additional items such as key chains. Zeran called AOL numerous times and was assured that the account from which the messages were posted would soon be closed. Zeran filed suit against AOL claiming that it was liable for its failure to promptly remove the defamatory material from its site. AOL unreasonably delayed removing defamatory messages posted by an unidentified third party, refused to post retractions of those messages, and failed to screen for similar postings thereafter.
Defense of AOL: Section 230 of the CDA states: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provider by another information content provider." It immunized interactive computer service providers from claims based on information posted by third parties.
The Court ruled on the purpose of this statutory immunity: Congress recognized the threat that tort-based lawsuits pose to freedom of speech in the new internet medium. An important purpose of section 230 was to encourage service providers to self-regulate the dissemination of offensive material over their services.
Zeran argued: section 230 eliminates only publisher liability leaving distributor liability intact (tort of negligence). Distributors cannot be held liable for defamatory statements contained in the materials they distribute unless it is proven at a minimum that they have actual knowledge of the defamatory statement: Zeran provided AOL with sufficient notice of the defamatory statement.
For interactive computer services: the courts stated that these notices could produce an impossible burden for service providers, who would be faced with ceaseless choices of suppressing controversial speech. If computer service providers were subject to distributor liability, they would face potential liability each time they received notice of potentially defamatory statements--from any party concerning any message. Notice-based liability would provide third parties with a no-cost means to create the basis for future suits. The offended party could simply notify the relevant service provider, claiming the information to be legally defamatory. In light of the vast amount of speech communicated through interactive computer services, these notices could produce an impossible burden for service providers.
The nationalities of the parties and the country where the harm occurs are two common principles used to assert jurisdiction in international transactions. As we have already seen, however, the "location" of the harmful Internet activities is difficult to determine. Another international private law issue concerns how decisions of courts are enforced across jurisdictional boundaries. Enforcement of decisions takes place through recognition of court orders on the ground of national law, or reciprocal agreements and treaties among states. The enforcement of a court's decision in a third country is not always easy to realize.
The following case illustrates this difficulty.
The internet service provider Yahoo has an auction site with Nazi memorabilia and artifacts for sale. Under French hate crime laws such sales are illegal. The site originates in the USA, where the First Amendment protects this type of expressive conduct. There is no equivalent freedom of speech provision in France. A French court has ordered Yahoo! to find a technological means of blocking access to the site by Web users in France. Failure to do so will result in the court assessing a substantial daily fine against Yahoo! In response to the French ruling, Yahoo Inc. filed a suit in U.S. court in California, asking the court to declare that the French government has no jurisdiction over its activities. The effect of such a declaration would be that U.S. courts would not recognize the ruling, and thus the fine could not be collected from Yahoo Inc.'s assets in the USA. The Court in California stated indeed that the French Court had no jurisdiction on the case (Decision of the French Court has no effect in the US).
© Colette Oostra 2004
Fair Dealing Applies