In a decision dated March 1st, 2019, the Paris Court of Appeal reminded that specific conditions must be met for hosting providers to be held liable in case of unlawful content. The French court also ruled that hosting providers are not data controllers per se and, as such, are not subject to obligations under the Data Protection Act.
In this case, the claimant is a lawyer who alleges that a company – whose main activity is the hosting of websites and the management of advertising space – posted on two websites, without his consent, a contact sheet mentioning his name, business activity, as well as a bogus and call-charge phone number.
To make a long and complex procedural story short: the claimant initiated summary proceedings against several defendants, including the company hosting the disputed webpages to seek the removal of all his personal information from the websites and the payment of a provisional amount of €20,000. The claimant also asked the Court to acknowledge that the hosting company did not fulfil the obligations provided by Articles 32 and seq. of the former Data Protection Act – i.e., obligations lying on the data controller – as well as some information obligations provided by Law no. 2004-575 of 21 June 2004 for Trust in the Digital Economy (Loi pour la confiance dans l’économie numérique).
The Court dismissed all the claims, mainly on the ground that the company is a hosting provider and, as such, cannot be held liable because the claimant has not proved that he had met the requirements of the Law for Trust in the Digital Economy, in particular giving prior notice of the alleged unlawful content to the hosting provider.
Upon appeal, on March 1st, 2019, the Paris Court of Appeal upheld the first-instance decision (Division 1, Chamber 8 of the Paris Court of Appeal, Case no. 18/15084). More precisely, the Court stated that the defendant acted as a hosting provider which liability can be incurred provided only that several conditions are met.
Indeed, as a reminder, pursuant to Article 6-I-2 of the Law for Trust in the Digital Economy, hosting providers cannot be held liable for activities or information stored if they did not have actual knowledge of their unlawful nature. Knowledge can be presumed when the following elements listed in Article 6-I-5 have been included in the notice sent to the hosting provider:
- The date of such notice,
- Identifying information on the notifying party and the notice recipient,
- The description and location of the disputed facts (which as per case law must enable the hosting provider to locate the content in question, by opposition to a general reference to the hosted website),
- The reasons why the content should be withdrawn, and
- A copy of the request for withdrawal, interruption, or modification sent to the author or editor, or proof that the latter could not be contacted.
In the present case, the letter sent by the claimant to the defendant prior to initiating proceedings did not contain the above-mentioned mandatory information. As a consequence, the conditions to hold the hosting provider liable were not met.
Even if this is a useful reminder, this decision is a rather classic application of the provisions of the Law for Trust in the Digital Economy and its special liability regime for hosting providers resulting from the implementation of Directive no. 2000/31/EC of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (the so-called “ecommerce Directive”).
More interestingly, the Court of Appeal also ruled that, because the hosting provider is not the data controller, it is not its responsibility to take any action relating to the operation of the said websites such as complying with regulatory requirements and declarations to the French data protection authority, or obtaining the data subject’s consent.
The Court of Appeal thus provided an important clarification on the role and obligations of hosting providers. Because the latter are not by definition the person who determines the purposes and means of the processing of personal data, they must not comply with processing principles and conditions under the French Data Protection Act. If in practice the hosting company could play other roles than mere hosting, it should not be presumed that all hosting providers have systematically to meet the requirements incumbent to data processing.