From Americans potentially making use of the UK’s new revenge porn legislation, to Belgians and Austrians taking on Facebook in Ireland, stories in the press over the past few months have reinforced the global nature of social media. As inevitable as the upward trend in social media crime statistics, we can be certain that legal matters arising from cyber issues will continue to be jurisdictionally complex.
In my September 2014 update I reported that social media crimes made up ‘at least half’ of all calls made to the British police. According to recent figures, last year 1,209 people were found guilty of crimes under s127 of the Communications Act 2003, compared with 143 in 2004. The main reason for this is public awareness, and with lobby groups gathering momentum, the government will be under pressure to introduce more legislation to protect cyber victims.
Sections 33-35 of the most recent piece of legislation, the Criminal Justice and Courts Act 2015 (CJCA), created a new criminal offence in response to behaviour known as ‘Revenge Porn’. It’s a broad term used to describe a range of actions usually involving an individual (often an adult ex-partner) uploading onto the internet intimate sexual images of the victim, to cause the victim humiliation or embarrassment.
This legislation has not been tested by the courts yet, but it is clearly only a matter of time. The latest high profile revenge porn incident involves an American singer/actress who is bringing a claim against a British ex-partner. Unfortunately, Chrissy Chambers cannot make use of the new CJCA because the posting of the videos predates the new legislation.
According to recent reports, government agencies and individuals face a long struggle to enforce laws despite having the right legislation. What happens when the frequently US-based social media companies fail to co-operate?
The Belgian Privacy Commission is taking on Facebook in order to protect Belgian citizens’ privacy. Saying that it is ‘make or break time’, the Commission’s president is taking Facebook to court for allegedly breaching Belgian national and European privacy law. The arguments presented in the Privacy Commission’s Recommendation no. 04/2015 of 13 May 2015 explain some of the potential jurisdictional difficulties in holding Facebook to account for breach of member states’ privacy legislation.
For instance, Facebook (whose European headquarters are in Dublin) "exclusively recognises the Irish Privacy Commission's competence and therefore contests the competence of other Member States' data protection authorities. Moreover, Facebook holds that only Irish national data protection law can be applied to all European users of its social network".
The Recommendation asserts that the Belgian Commission is ‘competent’ and that Facebook is subject to Belgian law in respect of privacy breaches within that jurisdiction. A court in Brussels will hear the case on the 18th of June 2015 and we await further developments with interest. The outcome of the Belgian case is important because it may affect other similar actions throughout Europe. The Belgian Privacy Commission is part of a contact group with the data protection authorities in Hamburg, as well as the Netherlands, Spain and France.
In addition to the Belgian case, on the 8th of April 2015 there was a preparatory hearing in Vienna for the largest privacy class action in Europe. On the 1st of July 2015 the Vienna Regional Court found that it had no jurisdiction to hear the class action against Facebook. The court did not make any findings on the content of the lawsuit. According to the website, the case will be appealed to the Higher Regional Court. Austrian Facebook user and privacy activist Max Schrems was unhappy with what was happening to his personal records.
Schrems believes that companies inside the EU should not be able to transfer data to the US under ‘safe harbour’ protections, and that the Irish Data Protection Commission should be more careful with information being exchanged. Although he lost his initial case, the Irish High Court judge referred the case to the Court of Justice of the European Union asking it to examine whether Ireland’s data watchdog is bound by ‘safe harbour’. The judgment was due on 24 June 2015 but has been delayed.
Many EU states are unhappy with Facebook relying solely on the Irish Privacy Commission, which seems to deprive national lawyers of the ability to apply national law when companies such as Facebook and Google invade citizens’ privacy. Facebook and others claim that if one data protection authority supervises and regulates their compliance with local laws, as informed by European law, then they are free to operate in other European member states without further regulation. However, this could soon be subject to a new pan-EU data protection law, recently agreed to by the EU Council.
The actions of Facebook and others have been condemned by CEO Tim Cook of tech giant Apple. At a White House summit on Cybersecurity and Consumer Protection in Stanford, Cook remarked that "some of the most prominent and successful companies (in Silicon Valley) have built their businesses by lulling their customers into complacency about their personal information. We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it". Strong words indeed.
However, Apple’s iCloud is continuing to cause consternation amongst users. Last year the storage system was hacked and nude pictures of celebrities appeared online. Apple assured consumers that there were no breaches in their systems. A recent UK Daily Mirror investigation has found a 300 percent rise in reports of "victims being humiliated or threatened with intimate photos taken from iCloud" by hackers. They report that most incidents occurred between March 2013 and March 2015, with 23 of the 28 reports being in the last year. We can only hope that the new revenge porn legislation can assist victims bringing actions in England and Wales.