Dr David Erdos
Faculty of Law
University of Cambridge

Four Key Claims
• The “control” concept in European DP has always been a broad and granular one.
• Moreover, the EPD’s DP clause suggests that if controller then outside “safe harbours”.
• However, general ambiguity re: “active hosts” from start.
• DP has a key role here but GDPR points to (i) active hosts within safe harbours & (ii) role of freedom of expression.

Broad Control: 1980s Minitel
• Minitel the first mass online system.
• Concerns about (often anonymous) forums from start:
  • Making accusations about others,
  • Defamation,
  • Identity theft.
• Most infamous concerned malicious postings including telephone numbers etc. on the “Minitel rose”.
• CNIL maintained that forum owners had DP duties over space.
• For example, as regards “Minitel Rose” it argued that:
  • Forum owners must ensure that no telephone numbers (or addresses) be published without owners obtaining consent.
  • Could be criminally liable for negligently allowing disclosure of data undermining reputation and/or intimate life (Art. 41, 1978 Act)
Bernard MARTI CC-BY-SA-2.0

Granular Control: 1980s Databases
• Online databases widespread by 1980s.
• Many outside Europe and many escape DP law anyway.
• However, the few which came within DPA sights demonstrated an expectation that processing controls would be granularized.
• Swedish DPA (1981): Rättsdata Legal Database
  • Requirement to ensure name searches not possible.
  • Requirement to bind foreign users to this (and give log to DPA)
• Norway (1985 - ): Newspaper External Digital Archives
  • By default, remove any identified reference to individual suspected, accused or judged for a criminal act after seven years.
  • Exception if subject named as occupier of a public or professional position.

Data Protection & the ECD 2000/31
• ECD Data Protection Clause (art. 1(5)(b)):
  “This Directive shall not apply to: … questions relating to information society services covered by Directives 95/46/EC and 97/66/EC”
• Recital 14 even more unambiguous as regards dichotomy.
• Cohered with narrowness of ECD intermediaries e.g. hosts:
  “an information society service … that consists of the storage of information provided by a recipient of the service …[and shield] shall not apply when the recipient of the service is acting under the authority or control of the provider.”
r2hox (Flickr

The Janus-faced nature of Google Spain?
• In principle, a limitation on reach of DP:
  “Inasmuch as the activity [is] … liable to affect [data subject rights] significantly, and additionally compared with that of [original] publishers … the operator … must ensure, with the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of [data protection] in order that the guarantees … may have full effect” (at [38])
• In practice, an important sword for DP since:
  • Internet search engines had previously been allowed to develop unregulated by DP up until that point.
  • (Albeit perhaps dubious) case law had developed suggesting that social networking sites (Netlog) and internet search engines (Diana Z v Google) should have benefit of “host” shield.

ECD: Hints at a Sliding Scale?
• Travaux concerns on position of “active hosts”:
  “In response to the concerns of certain delegations (D [Germany], GR [Greece]), the Cion [Commission] agreed to reformulate … to clarify that it [the host shield] covered active as well as passive hosting”
• Such reformulation did not take place.
• However, in same context, “duty of care” recital was inserted:
  “This Directive does not affect the possibility for Member States of requiring service providers, who host information provided by recipients of their service, to apply duties of care, which can reasonably be expected from them and which are specified by national law, in order to detect and prevent certain types of illegal activities.”

GDPR: Endorsing Sliding Scales?
• Reference to ECD in Art. 2(4):
  “This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.”
• Reference to freedom of expression in Art. 85(1):
  “Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”

The Future of Law in this Area?
[Diagram labels: Freedom of Expression (Constitutions etc.); Intermediary Shields (ECD 2000/31); Data Protection (GDPR, Constitutions etc.)]

Data Protection and "Intermediary" Responsibility: An Historical Perspective
