Website Law

The web law blog

Archive for January, 2008

Buying a disputed domain name: price

January 25th, 2008 by Al Taylor

Many domain name disputes settle by agreement: the domain name registrant agrees to transfer the domain name to the person making the complaint, often in exchange for payment.

I am often asked what price should be paid.

My answer usually depends upon three factors: (i) the probability of being able to recover the domain name through arbitration (or court) proceedings; (ii) the probable costs of doing so; and (iii) the value of the domain name to the complainant.

For example, suppose that a competitor of ours had registered <seqlegal.co.uk>.  We might assess our chances of recovering the domain name through the Nominet dispute resolution services as very good (say 90%).  We would know that the costs of recovering the domain would likely be the basic Nominet fee (£750 plus VAT) plus our own time spent preparing the complaint (which for the sake of argument we can value at £750 plus VAT).

Taking into account each of these factors, we would be investing £1500 plus VAT in a 90% chance of recovering the domain name.  So, subject to my comments below, £1500 plus VAT would seem to be a reasonable price to pay for a purchase of the domain name (i.e. a 100% chance of recovering the domain name).  If however the chance of recovery was lower, or the costs of arbitration proceedings were higher, the level of a reasonable price would rise.

The value of the domain name may also be relevant.  If <seqlegal.co.uk> was critical to our business, I might not want to risk a 10% chance of not recovering the domain name.  In those circumstances, I might pay a premium for the 100% chance of recovering the domain name.

Of course, in many cases settlement may be undesirable irrespective of price. Brand owners may be reluctant to reward a cybersquatter, and a payment may encourage other cybersquatters to try their luck.

Category: Domain Names | No Comments »

International transfers of personal data

January 20th, 2008 by Al Taylor

Website operators commonly transfer the personal data of their users overseas.

However, the UK’s Data Protection Act 1998 expressly restricts certain transfers of personal data outside the European Economic Area: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

This is known as the Eighth Data Protection Principle.

The Information Commissioner recommends a 4-stage approach to analysing such personal data transfers: first, is the transfer a “transfer of data to a third country”; second, is there an “adequate level of protection”; third, have the parties put in place “adequate safeguards”; and fourth, do any of the “other derogations” from the general principle apply.

Transfer of data to a third country

The EEA consists of the EU plus Iceland, Liechtenstein and Norway.

Transfer is to be distinguished from transit: there will be no transfer of personal data where it merely passes through one jurisdiction on its way to another jurisdiction.

In the context of websites, there will be a transfer (or transfers) of personal data outside the EEA where:

- personal profile information will be published on the internet around the world (e.g. on social networking sites, auction sites, dating sites) – see Lindqvist v Kammaraklagaren (2003);

- a website collecting and/or hosting the personal data of EEA nationals is hosted outside the EEA;

- a website passes personal information to marketing affiliates outside the EEA.

Obviously, this list isn’t exhaustive.

Adequate level of protection

A range of different factors may be taken into account in determining whether the level of protection offered by a country or territory is adequate.

These include: the nature of the personal data, the country or territory of origin of the information contained in the data, the country or territory of final destination of that information, the purposes for which and period during which the data are intended to be processed, the law in force in the country or territory in question, the international obligations of that country or territory, any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and any security measures taken in respect of the data in that country or territory.

Very few countries have been deemed by the European Commission to offer an “adequate level of protection”. At the date of writing, only Argentina, Canada, Guernsey, the Isle of Man and Switzerland are considered to offer such protection. In addition, the Commission has recognised that US companies that sign up to the US Department of Commerce’s Safe Harbor principles offer an adequate level of protection.

In any particular case, the data controller transferring personal data outside the EEA may be expected to demonstrate having made an analysis of the relevant factors, and having concluded that protection was adequate.

Adequate safeguards

Where a data controller is not satisfied as to the adequacy of the level of protection in the country of destination, then it may still transfer the personal data if it uses the “model clauses” or “binding corporate rules” approved by the European Commission.

The binding corporate rules are only applicable to intra-group transfers.

The model clauses may be suitable for individually negotiated hosting or affiliate arrangements, but will be of no use where the data controller is contracting on the data processor’s standard terms, and in any case they are generally considered to be unwieldy.

Other derogations

There are also a number of exceptions to the general prohibition, some of which may apply in the case of personal data processed by website owners:

- the data subject has given his consent to the transfer.

- the transfer is necessary (a) for the performance of a contract between the data subject and the data controller, or (b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.

- the transfer is necessary (a) for the conclusion of a contract between the data controller and a person other than the data subject which— (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject, or (b) for the performance of such a contract.

If a website owner is to justify a transfer on the grounds of consent, that consent must be fully informed and freely given. Data subjects must, according to the Information Commissioner’s guidance, have a real opportunity of withholding that consent without suffering any penalty, and must be able to withdraw that consent at a later date if they change their minds. As the Information Commissioner notes: “For these reasons, consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or structural transfers of data to a third country.”

The other two relevant derogations both use the concept of “necessity”. This may be a difficult test to meet.

Examples of application

Websites, such as social networking sites, auction sites, and dating sites, which allow users to publish their personal information on the internet may be best served by seeking to rely upon the derogation which allows transfers which are necessary for the performance of a contract between the data subject and the data controller. A key question will be whether the transfer is really “necessary”. For instance, it might be argued that it is not “necessary” for an auction site which is focused only on the UK to publish the personal information of individuals outside the EEA. If relying upon this derogation, the website owner will want to make certain that there is in fact a “contract” of some kind in place (not merely a licence to use the website).

Website owners who are thinking of having sites (which process personal data) hosted outside the EEA will not be able to rely upon that “necessary for contract” derogation, nor will they be able to rely upon a consent derogation (unless they also maintain special hosting facilities within the EEA for users who do not consent!). Instead, they should seek to ensure – one way or another – that the destination offers an adequate level of protection or that adequate safeguards are in place.

Caveats

The application of the Eighth Data Protection Principle is (some might say, needlessly) complicated. If you are in doubt about a particular issue of data protection law you should consider contacting the Information Commissioner’s office or seeking professional advice.

Please note that this post is grounded in the UK approach to data protection law, and the approaches of other EEA states will vary.

Category: Data Protection | 1 Comment »

Dealing with defamatory posts on your website forum or blog

January 12th, 2008 by Al Taylor

One of the many legal risks facing you as a web publisher comes from the law of libel: as publisher, you may be liable not only for your own writings, but also for the defamatory comments that users make on your website.

Identifying defamatory posts

How can you identify whether a particular post is defamatory or not?  Over the years the courts have put forward a lot of different tests.  A defamatory publication has been defined as:

- a publication “lowering the plaintiff in the estimation of right-thinking people generally” (Sim v Stretch);

- “a publication, without justification or lawful excuse, which is calculated to injure the reputation of another, by exposing him to hatred, contempt, or ridicule.” (Cropp v. Tilney);

- a publication tending to make a person be “shunned and avoided” (Youssoupoff v. MGM Pictures).

A wide range of publications may be defamatory – for example, allegations that a person is a thief or a liar, an idiot or fool, corrupt, immoral, an adulterer, carrying a disease, bankrupt or unable to pay his or her debts.

So, any comment on your website that may have a negative effect on a person’s reputation (other than a trivial effect) could be problematic.

Standard defences

Of course, there is a range of defences which may be available to web publishers in respect of third party defamatory comments.

Probably the most important defence is justification (aka truth).  If a defendant can prove that a publication is true, then the defendant will have a complete defence to a libel action.  However, it can be difficult, not to mention expensive, to prove the truth of an allegation.  As a web publisher, then, you should be wary of relying upon a justification defence.

The defence of “fair comment” is closely related to justification.  This defence may be available where the offending statement is a statement of comment rather than fact, is based upon facts which can be proven to be true, and is made in good faith, without malice, on a matter of public interest.  Again, a web publisher will often be in a poor position to assess the applicability of a fair comment defence in relation to a statement made by a website user.

In addition there is a special public interest defence (sometimes called Reynolds-style privilege) which could in principle be applicable.  However, the scope of this defence is uncertain, and it is not entirely clear how it may apply to website forum or blog comments.

In summary, a web publisher should only rely upon one of the standard defences to a libel action where the applicability of the defence is clear (e.g. in the case of an allegation of criminal behaviour, a conviction has been obtained).

Special defences

As well as the standard libel defences, there are special defences under the Ecommerce Directive and the Defamation Act 1996 which may protect web publishers.  I will focus here upon the latter defence.

Section 1(1) of the Defamation Act 1996 provides that “In defamation proceedings a person has a defence if he shows that (a) he was not the author, editor or publisher of the statement complained of, (b) he took reasonable care in relation to its publication, and (c) he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement”.

This defence should protect a web publisher from defamatory user comments providing the publisher has taken “reasonable care” and has no involvement with or knowledge of the statement.

“Reasonable care” may include having terms of use for the forum/comments section of the site which prohibit defamatory posts.

In any event, you should act promptly to remove defamatory posts when you become aware of them.

Risk assessment

Of course, some user comments are more risky than others.  E.g. a statement on your widely-read political blog that a litigious MP has taken bribes is more risky, by far, than a statement on a blog read only by your friends that your ex is ugly.

The internet would be a smaller place, in more ways than one, if all formally defamatory material was suddenly deleted.

Category: Defamation | 3 Comments »