Information posted on the internet is available for viewing anywhere in the world. Technically speaking, once posted on a website, the information is also copied, cached and saved on dozens of servers and end-user terminals in any number of territories. Content on the internet can therefore cause harm - and give rise to legal claims - in many different territories. Ever since the internet became a ubiquitous form of media, courts had to address questions of jurisdiction and conflict of law in relation to claims concerning content published online.

In Europe, questions of jurisdiction are governed by European legislation (Regulation (EC) 44/2001) known today as the Brussels Regulation, a descendant of the Brussels Convention of 1969.

Various issues relating specifically to the operation of online services are governed by another piece of EU legislation, the E-Commerce Directive (2000/31/EC).

In a recent important decision in the case of eDate Advertising GmbH v X, the Court of Justice of the European Union (“CJEU”) interpreted this legislation in the context of one claim for breach of privacy (or personality rights) brought in a German court against an Austrian website and another privacy infringement claim brought before a French court against a UK newspaper publisher in relation to content posted in the online edition of the paper in English.

The rules on forum

The Brussels Regulation lays down a general principle that claims against persons domiciled in a member state of the EU must be brought before the courts of the member state where they are domiciled. The general principle is subject to a number of specific exceptions, one of which, in Article 5(3) of the Regulation, provides that in matters of tort, delict or quasi delict, persons (including legal entities) domiciled in a EU member state may be sued in the courts of another member state in the place where the harmful event occurred or may occur.

Does this mean that in cases where a harmful event is caused by information posted online by a defendant domiciled in a EU member state, the claim can be brought in any EU member state?

Not exactly. The CJEU held that the only courts that will have full jurisdiction in such cases are the courts of the member state where the defendant is domiciled (or where it is established, in the case of a legal entity) or where the centre of his business interests is based. The courts of such country will have jurisdiction to hear a claim relating to the entire damage caused by the defendant’s publication.

Partial jurisdiction where a claim is not brought in the defendant's home jurisdiction

The claimant, though, has the alternative option, in accordance with Article 5(3) of the Regulation, to bring proceedings in any other member state where the publication was or may have been viewed. But in that case the jurisdiction of the court will be limited to the damage caused in that member state.

The CJEU was sensitive to the fact that online service providers can be formally established in one country but in practice trade from another. Accordingly, it held that the main jurisdiction covers not only the country of formal incorporation but also the main place of business of the defendant. This will ensure that ISPs do not choose a place of registration in a member state where it would be the least convenient for potential claimants to sue them. On the other hand, the court’s decision discourages forum shopping by claimants.

The applicable law in claims concerning online publications

If a claim is brought in a particular forum on the basis that harm was caused in that jurisdiction, which laws will govern the question of liability?

The CJEU addressed the question of choice of law under the provisions of the E-Commerce Directive. The Directive indicates (in recital 22) that service providers should be, in principle, subject to the laws of the member states in which they are established.

The underlying purpose of the E-Commerce Directive is to ensure a free movement of online services across the EU. To make that possible - subject only to limited exceptions - service providers cannot be expected to comply with the laws of each of the 27 EU member states and must be allowed to operate under the laws of the jurisdiction where they are established.

The Directive defines the scope of harmonisation (the ‘coordinated field’) in Article 2(h)(i). It comprises:

  1. the requirements concerning establishing an online service; and
  2. issues of conduct, quality of content, advertising and contracts and questions of liability.

With which laws should I comply?

Article 3(1) of the Directive requires member states to ensure that online service providers established in their respective territories comply with the national provisions applicable in that member state. Article 3(2) requires member states not to restrict the activities of online service providers established in other member states in matters falling under the coordinated field.

Article 3(4) contains miscellaneous exceptions to the rule. These exceptions include matters relating to crime prevention, public health, public security and consumer protection (including investors protection). It should be note, in this context, that these areas are largely subject to uniform or harmonising rules across Europe under various other directives and regulations, such as in relation to the licensing of pharmaceuticals and medical devices, the protection of investors and many other aspects of consumer protection. However, insofar as the laws in these excepted areas still vary, each country can impose its laws on service providers established in other member states.

The CJEU held that Article 3(4) is exhaustive and, therefore, except in regard to the specifically excluded areas where each member state can impose its laws on service providers established in other member states, the liability of an online service provider - regardless of the forum where the claim is brought - must be governed by the laws of the member state where the service provider is established.

Accordingly, even though a claim can be brought against an online service provider established in the EU member state, not only in the country where the service provider operates or is established, but also in any member state where the content may have been viewed (although the jurisdiction of the court will be limited to the damage caused in that particular territory), claimants are discouraged from engaging in forum shopping in that the liability will, in most cases, be subject to the laws of the country in which the online service provider is established.

Practical ramifications

Accordingly, if French privacy laws are stricter than those applying in the UK, and a claimant chooses to bring an action against a UK online publisher before a French court, not only will the court’s jurisdiction be limited to the damage caused in France, liability will have to be established under UK law, not under the laws of the forum.

The decision in eDate Advertising GmbH v X will be welcome by online service providers - from website operators to telecom providers - as it would limit their exposure to legal claims in any number of jurisdictions. Service providers will also be able to choose to establish themselves in jurisdiction where the substantive laws - such as laws of defamation and privacy which are highly relevant to the media - are convenient for their operation (although this will not guarantee they will be sued only in that jurisdiction).

For copyright and other intellectual property owners that struggle to find effective means of enforcing their rights against online abuse, this decision brings mixed news. It is useful to have better clarity as to the legal position on jurisdiction and the law that applies to liability. However, there will be less choice available to right holders as to the convenient forum for bringing enforcement claims in Europe and liability would always have to be based on the law of the place where the defendant is established.