Sunday, May 27, 2007

SMS spammers forced to delete database

Another interesting case from the Data Protection Commissioner's 2006 Annual Report involves spam SMS sent by Opera Telecom to people who had texted support for the "Global Call Against Poverty Campaign". In this case the Commissioner used the enforcement powers to require Opera to delete that database in its entirety:
I received a complaint from an individual regarding the receipt of an unsolicited text message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service.

When my Office investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages.

In October 2005 Opera Telecom sent a direct marketing text message to the complainant. Regulation 13 of Statutory Instrument 535 of 2003 refers to unsolicited communications, making it an offence in certain circumstances to send direct marketing messages. The message the complainant received was contrary to this Regulation. It also contravened Section 2 of the Data Protection Acts as the personal data in question had not been obtained and processed fairly and was further processed in a manner which was incompatible with the purpose for which it was originally collected.

During our investigation, my Office discovered that 16,000 concert goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. My Office recognised the potential risk of all of these people being subjected to direct marketing in the same way as the complainant had been. Conscious of this risk, I initially requested in a letter to Opera Telecom that they delete the related Database. When it did not comply with this request, I used my powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. An Enforcement Notice is a legal document and it is an offence not to comply with this. Opera Telecom complied with the Enforcement Notice and deleted the database.
This case highlights an important commercial point - customer and marketing databases may make up a great deal of the value in a business. Abuse those databases and you run the risk of destroying that value.

Meanwhile, if you're on the receiving end you might be interested in the Digital Rights Ireland guide to dealing with SMS spam.

Sunday, May 20, 2007

New developments in applying data protection law to the media

One aspect of the Data Protection Commissioner's 2006 Annual Report that will be of acute interest to media lawyers is its application of data protection principles to media coverage of the glitterati and in particular the children of celebrities.

There is an inevitable tension between privacy rights in general (including data protection law) and the interests of the media - particularly when it comes to the insatiable public desire for information about celebrities. Section 22A(1) of the Data Protection Act attempts to resolve this tension by providing a limited exemption from the Act for certain media activities:
Personal data that are processed only for journalistic, artistic or literary purposes shall be exempt from compliance with any provision of this Act specified in subsection (2) of this section if—

(a) the processing is undertaken solely with a view to the publication of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision would be incompatible with journalistic, artistic or literary purposes.
This exemption incorporates a balancing test - the person publishing the information must reasonably believe that publication is "in the public interest" and that complying with the data protection principle at stake would not be compatible with their "journalistic, artistic or literary purposes".

The 2005 Annual Report indicated that the Data Protection Commissioner would not simply defer to an editor's decision that something was in the public interest:
While this section refers to the reasonable belief’ of the data controller, it does not, in my opinion, give a newspaper editor the sole discretion to judge if something is in the public interest. This point is perhaps more clearly expressed in Article 9 of the Data Protection Directive (95/46/EC) on which section 22A is based. This states that “Member States shall provide for exemptions or derogations from the provisions of (the Directive) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”[emphasis added]

In the case of a complaint received by me, I must therefore judge if the data controller properly balanced the right to privacy with the public interest in disclosure. I must have regard to the nature of the facts, including whether the data relates to a public figure or a relative of a public figure, the age of the data subject and whether sensitive data within the meaning of the Acts is involved.
The 2005 Annual Report went on to say that this balancing exercise would be carried out in light of the European Court of Human Rights decision in Von Hannover and the relevant media codes of conduct, and that particular scrutiny would be applied in matters involving children under 16 where editors "should demonstrate the existence of an exceptional public interest in order to over-ride the normally paramount interest of the child."

These principles were applied in the 2006 Report to make two separate findings of a breach of the Data Protection Acts against the News of the World and the Sunday World. The facts of the News of the World case are typical:
I received a complaint on behalf of a data subject, a well-known individual, arising from material published in the News of the World (Irish edition) in 2005. The complaint related to the subject matter of the material published and the manner in which it was obtained. The material published consisted of a photograph of the data subject and child while shopping, together with related text expressly identifying the data subject's child by name and age, and referring to a third party's perception as to how parent and child were getting along. The complainant alleged that consent was neither sought nor obtained prior to the taking of the photograph. The complainant further alleged that consent was not sought nor obtained prior to the publication of the material subsequently in the News of the World newspaper. In particular, the complainant alleged that the publication contravened Sections 2(1), 2A (1) and 22 of the Data Protection Acts. The complainant considered that their right to privacy outweighed any purported journalistic purpose or public interest in the publication of their photograph and accompanying text which was the subject of the complaint.
The News of the World argued that the parent had, in the past, invited this attention and therefore there was a public interest in publishing. This was rejected, however, with the Data Protection Commissioner applying Von Hannover to find that there was no public interest in this case:
I am obliged by Section 3 of the European Convention on Human Rights Act, 2003, to perform my functions in a manner compatible with the State's obligations under the Convention's provisions. Accordingly, in arriving at my conclusion on the applicability of the Section 22A exemption to the facts of the case, I had regard to the provisions of Articles 8 and 10 of the European Convention on Human Rights and any guidance that the European Court of Human Rights (ECtHR) had provided on how the rights to privacy and freedom of expression should be balanced - the same balance that was at issue in relation to the applicability of Section 22A of the Acts.

In this regard, I noted the Decision of the ECtHR in the case of Von Hannover v. Germany (Application No. 59320/00) - the Princess Caroline case. The Court held that the German courts, in refusing to grant Princess Caroline of Monaco injunctions against newspapers taking and publishing photographs of her, had infringed her rights under Article 8 of the Convention. The photographs in question had shown Princess Caroline engaged in various activities such as shopping, playing sport and at the beach. The Court, noting that the material related exclusively to details of the applicant's private life, considered that "the publication of the photos and articles in question, of which the sole purpose was to satisfy the curiosity of a particular readership regarding the details of the applicant's private life, cannot be deemed to contribute to any debate of general interest to society despite the applicant being known to the public." In that case, the Court considered that “anyone, even if they are known to the general public, must be able to enjoy a "legitimate expectation" of protection and of respect for their private life."

While data protection law is not specifically dealt with in the Von Hannover Decision, this case was of assistance in helping me to come to a decision as to the appropriate balance between the public interest in freedom of expression and the individual's right to protection of their personal data, as required by Section 22A of the Acts.

Section 22A(3) of the Acts provides that, in evaluating whether a publication would be in the public interest, regard may be had to codes of practice approved by the Data Protection Commissioner pursuant to the Acts. While no such code has been approved, it seemed appropriate, in reaching a determination, to take note of the newspapers' own codes of practice. In making my assessment, I therefore took account of the National Newspapers of Ireland Code of Practice. In relation to children, the Code provides that they should not be identified unless there is a clear public interest in doing so. Relevant factors are identified as the age of the child, whether there is parental permission, and whether there are circumstances that make the story one of public interest, "or, if the person is a public figure or child of a public figure, whether or how the matter relates to his/her public person or office." I also noted that the UK Press Complaints Commission Code of Practice provides that editors must not use the fame of a parent as sole justification for publishing details of a child's private life and that "in cases involving children under 16, editors must demonstrate an exceptional public interest to over-ride the normally paramount interest of the child”. I was of the view that these provisions represent a fair expression of how the principles of data protection legislation ought to be applied in relation to children and minors.

In coming to my decision, I also noted the allegation, which was not refuted by the data controller, that the photograph was taken without the consent of the data subject. I issued a Decision on this case under Section 10(1) (b) (ii) of the Acts. Among other things, I found that it did not appear to me that the public interest claimed by the data controller in publication of the material in question could be such as to justify setting aside the right to respect for a person's private and family life.
This decision is significant in a number of regards. From a practical point of view it creates a low cost and effective route for a complainant to allege an invasion of their privacy. It makes life significantly more difficult for the media - notably it goes much further than the UK Press Complaints Commission Elle McPherson decision. But it also changes the privacy landscape more generally. Until recently it seemed that privacy issues in the media would primarily be governed by the regulatory package to be implemented by the Privacy Bill 2006 and the new Press Council of Ireland. With the lapse of that Bill (and its uncertain prospects in the new Oireachtas) the Data Protection Commissioner may end up assuming, by default, a role which that Bill had envisaged for the courts. A great deal will depend on whether the Commissioner is willing to leave these complaints to be dealt with by the Press Council - and that in turn will probably depend on how effective the Press Council proves itself to be.

Friday, May 18, 2007

Creative Commons Ireland goes live

Darius Whelan and Louise Crowley at UCC have been working hard on localising the Creative Commons licences for Ireland, and they've now launched a Creative Commons Ireland site with a draft Irish licence. Eoin O'Dell has more on why this matters.

Private use of public information - using public records for marketing

Suppose you are a direct marketer. You learn that all sorts of interesting and lucrative personal data must be made public by State bodies. (For example, the Companies Registration Office must provide details of company directors.) Can you use that information for marketing purposes? Can you package and resell that information to others?

The 2006 Annual Report of the Data Protection Commissioner includes a guidance note which goes into this in detail. The crucial point is that although the Data Protection Acts don't apply to disclosure by state bodies of information which must be made available to the public, they do apply once that information passes into the hands of a third party (such as a marketer). Consequently, if you wish to reuse that information, you must notify the individuals concerned in advance and you must give them a cost free opportunity to opt-out from having that information used for direct marketing.

Full guidance note:

Guidance Note on the Use of Publicly Available Data for Direct Marketing

Last year my Office was contacted by a number of people who had received direct marketing material by post as a result of the publication of their names and addresses on various lists and registers. The authors of these lists and registers were obliged to make them available to the public under law. For example, the Companies Registration Office must make its Register publicly available. Similarly, planning authorities must publish a weekly list of planning applications and planning decisions. All of these documents contain personal data. Section 1(4)(b) of the Data Protection Acts provides that the Acts do not apply to personal data consisting of information that the person keeping the data is required by law to make available to the public. A key point here is that the exemption from data protection requirements only relates to the information in the hands of those public bodies that are obliged to make it available. Any other entity seeking to use such information once in the public domain must comply with the standard requirements of data protection.This is a point that my Office needed to highlight on a number of occasions and I am glad to say it was readily accepted in all instances by those entities in receipt of the advice.

As a result of the level of complaints made to my Office on this issue, I was asked to provide guidance on the re-use of personal data contained in publicly available documents. Set out below, as an example, is the text of an information note which I provided as guidance to the Companies Registration Office:

This information note sets out the position of the Office of the Data Protection Commissioner on the re-use of personal data contained in information in the CRO Register which the CRO is obliged by law to make available to the public. The published information contains "personal data" and each living individual is a "data subject" within the meaning of the Data Protection Acts, 1988 & 2003. Accordingly, the recipients of this information are "data controllers" within the meaning of those Acts. If those data controllers intend to use or further process this personal data in any way, they should be aware of the following Data Protection requirements:

Personal data must be processed fairly. Section 2D (1) (b) of the Data Protection Acts obliges a data controller to ensure, as far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the following information not later than the time when the data controller first processes the data or, if disclosure of the data to a third party is envisaged, no later than the time of such disclosure:

● the identity of the data controller
● if he/she has nominated a representative for the purposes of the Act, the identity of the representative
● the purpose(s) for which the data are intended to be processed
● any other information which is necessary to enable processing in respect of the data to be fair to the data subject
● the categories of data concerned
● the name of the original data controller.

The Office of the Data Protection Commissioner considers that it would be reasonable for data controllers to meet these requirements as the information in their possession contains the contact addresses of the data subjects concerned.

In addition, in accordance with Section 2(8) of the Data Protection Acts, a data controller who anticipates that the personal data within the CRO published information, for which they are now the data controller, will be processed for the purposes of direct marketing must offer those persons whose data will be so processed a cost free opportunity to object in advance to receiving direct marketing. This applies both to data controllers who intend to use the personal data for direct marketing potential customers and to data controllers who intend to process the personal data for distribution to third parties for direct marketing by the third parties.

The Office of the Data Protection Commissioner considers that there is no scope for data controllers to target for direct marketing purposes those individuals whose personal data has come into their possession in this way without first having applied this procedure.

Furthermore, data controllers who may have intentions of processing the personal data by placing it on a website (in any format) should be aware that such processing does not meet any of the conditions set down in Section 2A of the Data Protection Acts (processing of personal data) as there is no consent from the data subjects for such processing of their personal data.

The Office of the Data Protection Commissioner holds a strong position on this matter. The Office cannot envisage any case where the processing of personal data obtained in this way is necessary for the purposes of the legitimate interests pursued by the data controller. Such legitimate interests must be balanced with the fundamental rights and freedoms of the data subjects themselves. The Office considers that this balance is not reflected in the posting of such personal information on a website.

Data Controllers who fail to comply with all of the requirements set out above may be deemed to have breached the Data Protection Acts. Breaches of Data Protection legislation may be reported to, and investigated by, the Data Protection Commissioner. Where the Commissioner forms the opinion that a data controller has contravened or is contravening a provision of the Acts, he may use the enforcement powers conferred on him under the Acts. This includes the power to require a data controller to destroy the database concerned.

Wednesday, May 16, 2007

A day in the life of the surveillance society

The Data Protection Commissioner's Annual Report, following the lead of his English counterpart, has a very interesting account of a day in the life of our surveillance society and how we can expect it to make terrorist suspects of law abiding individuals:
A Day in the Life

07:00 Annie Wun wakes up and turns on her computer to access the internet. She begins by checking the news using her account on an on-line news source. She had checked the privacy policy of the website before registering and was satisfied with the uses made of her data.

07:15 Annie searches for some personal items online. The searches together with her IP address (a unique address assigned to Annie's PC by her internet service provider (ISP)) are recorded and retained by the ISP for an unknown period of time and without a specified purpose. Searches made by Annie are also retained by the search engine and sometimes clearly used for targeted marketing purposes.

07:30 Annie phones her father to talk about a story on the news. The record of her call to her father is retained by her phone provider for a period of 3 years as required by law. It will be available to An Garda Síochána (and hopefully nobody else) should the need arise as part of any criminal investigation.

08:00 Annie leaves her house and drives to work. She passes through a toll booth using her easy travel card. Information is stored about the time her car passes through the booth and other booths along the journey each time. Again this information is retained and may be accessed for law enforcement or other purposes.

09:00 Annie reaches her workplace. CCTV cameras record her arrival as her employers are concerned about the security of the workplace. The use of CCTV was communicated to employees in advance of implementing the system and it was made clear to them that images from the system would only be used for security purposes and would be kept safe and secure.

Annie's employers were also concerned about their ability to properly track their employees in terms of time worked in the workplace so, after considering many options, they introduced a biometric thumb print clock-in system which records each employee each time they enter and leave the workplace. Annie was concerned that such a system was a bit intrusive into her personal space but most of her colleagues seemed unconcerned so she went along with it. There are no details available to Annie as to what other uses her employer might make of the information or indeed what security is in place to protect her personal data stored in the system.

09:15 Annie logs onto her email to check for any emails received. She has received a number of work related emails which require her attention and one personal email. Her employer has an email and internet usage policy in the workplace stating that some limited personal use of these facilities is permitted but that inappropriate usage is not permitted. Annie understands that this means that her employer may check her emails and internet usage from time to time or in response to a genuine suspicion of inappropriate usage. However, her employer may not check her mail or internet usage on an ongoing basis since this would intrude on her legitimate, limited personal use of these systems.

11:15 Annie uses her coffee break to check her bank balance using her bank's on-line service. Her bank knows how much use she makes of her account and has credit-profiled her based on this use for a €10,000 loan which is offered to her upon log-in. She doesn't accept.

Annie had spoken to her younger brother the previous evening and agreed to send him some additional funds. He is back-packing around Europe. Annie chooses the fund transfer option. Her bank, in common with all other major financial institutions, uses the SWIFT exchange system for such transfers. It is not made clear to Annie that details of the transfer may be accessed by the US Government as part of its efforts to combat the financing of terrorism.

13:00 Annie pops out for lunch and visits her local supermarket to pick up some things for the house as she is planning a major spring clean at the weekend. She hands in her store card to collect loyalty points as part of the purchase. Her supermarket accesses her information to monitor her buying habits and offers some suitable products in her next mail shot. She doesn't mind as she personally doesn't care what the supermarket knows about her buying habits. She was, of course, recorded on the shop's CCTV system as she entered and exited the shop.

13:20 Annie visits her local library to return a self help book “Male and Female Chemistry” and takes out a book on building self esteem “Love Bomb People”. She uses her library card which stores her usage pattern on the local authority database.

13:45 Using her lunch-break, Annie phones the Revenue Commissioners to query her tax allowances. She gives her personal public service number (PPSN) to the person on the other end of the phone line. They use her PPSN to pull up her name and address and a complete record of her dealings with the Revenue Commissioners for the past number of years. This reveals that she is a member of a Trade Union (a fact that her employer is unaware of), pays her refuse charges and claimed a substantial amount in medical
expenses the previous year.

16:00 Annie has to leave work early today to attend hospital for an appointment with her specialist. Annie still suffers from pain from an accidental shotgun wound in her leg suffered in an accident while on her family farm 3 years ago. Upon arrival, she gives her details. Her full medical file is with her specialist. This is not a concern as she wishes this to be the case. She is also aware that her full medical history is entered on an electronic system in the hospital. She does not mind this either but assumes that her records are only accessed by those persons who need her information to treat her.

18:00 Annie arrives home. She picks up her post which arrived after she left the house in the morning. Her credit card company is offering her another loan and has increased the credit limit on her card (without her asking) based on their analysis of her usage. She has also received direct marketing from a company with which she had no previous dealings offering her services for the property for which she has just made a planning application. She is very surprised at this as the local authority had not informed her that her personal details would be made public as part of the planning process. She has also received an unwanted text message offering her similar services. She is also very surprised by this but remembers that her local authority had asked her for her mobile phone number as a means of contacting her.

19:00 Having eaten dinner, Annie logs onto the internet again and books a flight to New York (she will in fact have minor plastic surgery undertaken). In doing so, a large amount of her personal details, which she was required to make available to book the flight, will be made available to the US authorities, in advance of her travelling, as part of its security procedures. Using this information, an assessment will be made as to whether she poses a threat to US security. The airline, through on-screen information, had provided some details of this but Annie does not normally read all such optional information, so is not aware of this.

20:00 Annie receives a call on her mobile phone. She doesn't recognise the number but answers it in any case. Upon hearing her name the person hangs up and Annie thinks nothing more of it. Unknown to Annie, the person who had phoned her number by accident is suspected of criminal activity by An Garda Síochána. They will shortly make a formal request under the provisions of the Criminal Justice Act 2005 for all records of phone activity by that person. This will highlight that Annie's number was phoned. As a result, An Garda Síochána will also request all details of her mobile phone usage for the past 3 months to ascertain whether she is relevant to their inquiries. This will ultimately reveal that she is not but only after all her mobile phone usage - including her location when she made and received calls - is thoroughly examined. Annie finishes her day by watching Big Brother on television. Her personal data is not made available to anybody else for the rest of the day.

Surveillance Society?

Well, why would law-abiding Annie Wun have anything to worry about? Her daily life has been made easier by the use of modern technology and she has willingly shared her personal information to get these benefits. Then again, perhaps she should worry. What if the information retained about her were pulled together in one place? The profile which emerges, and the conclusions that could be drawn from it, might give her an unpleasant surprise. Step forward Annie Wun, terrorist suspect?

ANNIE WUN:

Internet News Search: Articles of Interest include “London Terrorists Charged” (internet records).
Web searches: Plastic surgery.
Fund Transfer: Made out to a male in Hamburg.
Medical records: Operated on for gunshot wound.
Criminal records/offences committed: Yes. (Two speeding fines)
Local Authority library files: A word search threw up two hits - “chemistry” and “bomb”.
Phone records: Call received from known criminal.
Shopping habits: Large variety of hazardous cleaning materials purchased.
Holiday plans: Travelling on a flight to New York next week.

Just how public should public information be?

There is a conflict between requirements that some personal information should be made public (such as the contents of electoral registers) and the data protection principle that the disclosure of personal information should be minimised. This conflict becomes acute when public files which were previously hard to access are put online. Is there a qualitative difference between personal information available on paper in a local authority office and that same information coming up as the result of a Google search? Does technology disrupt the balance between the competing interests of publicity and privacy?

This issue was dealt with in the Data Protection Commissioner's 2006 Annual Report
Local Authority: Minutes of council meetings
I received a complaint from a member of the public concerning the publication on a local authority's website of the minutes of the Council's monthly meeting. The complainant informed me that his name and address had appeared in the minutes of the meeting in the context of the sale of lands and properties under the Affordable Housing and Shared Housing Schemes. He expressed concern at the publication of his personal data in this way on a local authority website as well as the ensuing exposure of his personal data on search engines.

My Office contacted the local authority on this matter. We pointed to the important principle outlined in the Annual Report in 2003 that, even where there is legislation providing that information must be made available to the public, this may not always mean that it is appropriate to place such information on a website. On foot of my Office's intervention, the local authority took swift remedial action. It removed the document containing the personal data and edited it in such a way that all names and addresses included on it in respect of the Affordable Housing and Shared Housing Schemes were removed. The local authority also contacted one particular search engine that the complainant was concerned about and sought the deletion of the record from its cache. Finally, the Authority undertook to ensure that the website version of its minutes would, in future, be edited to prevent the disclosure of personal data.
This appears to be a sensible compromise in the individual case, but it leaves several issues open for the future. Strictly speaking, the Data Protection Acts have no application in this situation. (Section 1(4)(b) provides that "This Act does not apply to ... personal data consisting of information that the person keeping the data is required by law to make available to the public".) Consequently one might ask - if legislation requires that certain information be made public, is it appropriate that it should only be made public in a way which is particularly difficult to access? Will this create an unfair disparity in access? More sophisticated searchers will still be able to find the information they seek in person, while the general public who don't know of the availability of this information may be cut off. Should the law recognise different degrees of "publicity" in public information? Is there a parallel with developments in the European Court of Human Rights, where in cases such as Peck the Court is increasingly looking at the extent of the disclosure of personal information to see whether there has been an Article 8 violation?

For an interesting take on these issues in a US context, see Givens, Public Records on the Internet: The Privacy Dilemma.

Data Protection Commissioner 2006 Report Published

The Data Protection Commissioner has now published his 2006 Annual Report (Full text (PDF), summary).

There are several very important issues raised in that Report (including direct marketing by email, personal information which must be made public by law, and application of data protection law to the media) and I'll look at some of these in follow up posts.

Thursday, May 10, 2007

A good day to bury bad news - Labour attempts to bury spiralling cost of ID cards

BBC News:
ID card cost rises above £5bn

The official cost of the ID card scheme has risen by £400m to £5.31bn, the Home Office says.

The figure was released as Tony Blair announced his departure, leading to claims from the opposition that the government was "burying bad news".

The Tories also say that the actual rise in costs, when expressed in 2007/08 prices, is £640m.

The Home Office say that figure is 'concocted' and the increase was due to staff and anti-fraud expenditure.

Amid the row about the actual rise in the cost of the scheme, the Tories and Lib Dems also say that the Home Office broke the law by releasing the updated costings a month later than they should have.

Under the Identity Card Act, the government must give an update on the costs of the scheme twice a year. The latest update was due on 9 April.
Hopefully the fiasco of UK identity cards will deter attempts to introduce them in Ireland.

Wednesday, May 09, 2007

"Mumsnet" case shows problems with forum liability for member comments

The Telegraph reports:
The controversial childcare expert Gina Ford today dropped her threat to sue the parenting website Mumsnet after a year-long dispute was settled out of court.

Lawyers for Ms Ford, author of The Contented Little Baby Book, agreed to halt legal action after the popular website agreed to pay a contribution of her costs and prevent “personal attacks” on the site.

The agreement brings to an end a bitter dispute that began more than a year ago.

Some of Mumsnets’ 60,000 members used messageboards to attack Miss Ford’s famously rigorous childcare methods.

A sarcastic comment last August accused her of “strapping babies to rockets and firing them in to south Lebanon”.

Ms Ford, 52, a strong advocate of routine, said the remarks amounted to “serious and offensive libel” and caused her huge distress.

She began legal proceedings against the site, which receives up to 15,000 internet posts a day.

Justine Roberts, the founder of Mumsnet, in turn accused Miss Ford of conducting a “menacing” campaign to stifle negative comment, which Ms Ford strongly denied.

But after a series of legal letters and an eight-week mediation period, both parties announced today that the dispute had been settled.

The exact terms of the agreement are confidential, but it is understood that Mumsnet has apologised and made a contribution to Gina Ford’s substantial legal costs to protect its individual members from legal action.

It has also agreed to abide by its own “personal abuse” policy, preventing members from making unnecessary attacks on individuals. The ban on discussing Miss Ford’s methods has also been lifted.
Cases such as this highlight the draconian nature of English (and Irish!) libel laws, which in effect require bulletin boards and other social sites to police the actions of their users or risk being crippled by the costs (let alone the damages) of a libel action. This is difficult enough on a low-traffic site, let alone one which receives 15,000 posts a day. Quite apart from the chilling effect on freedom of expression, this also presents a competitiveness problem - why set up operations in Dublin or London when you can avail of a much more publisher friendly jurisdiction in the United States?

[Update] The Mumsnet site has now put up its own perspective on these issues:
Like many other website publishers, we have long maintained that libel law has not caught up with the digital age with the result that freedom of expression is being unacceptably curtailed. Now that we have settled our long running dispute with Gina Ford, we intend to campaign energetically for a review of how libel legislation applies to the internet.

Put crudely, the current legal situation is the rough equivalent of trying to use a set of railway signals to control the air traffic over Heathrow – the principles may be fine but different forms of communication, just like different forms of transport, require a different approach. Currently the law regards a bulletin board just as it does a newspaper or a book.

In fact the Law Commission, the body which advises the government on legislation, recognized this problem in 2002, warning that a rethink of defamation law was needed to protect freedom of speech online. At the time Hugh Beale QC, one of the law commissioners, warned: "When a website carries material to which someone objects - rightly or wrongly - it is often easier to complain to the ISP than to the author. The problem is that the law puts ISPs under pressure to remove sites as soon as they are told that the material on them may be defamatory. There is a possible conflict between the pressure to remove material, even if true, and the emphasis placed on freedom of expression by the European Convention of Human Rights."

Since then, however, no changes have been made to the law governing defamation on the internet and we believe website publishers running bulletin boards now find themselves in a similar position to that described by Mr Beale. Faced with any complaint about a bulletin board posting, website publishers, frequently small businesses or individuals with limited resources, find themselves with little choice but to remove the posting, with obvious consequences for freedom of speech.

Mumsnet has this week written to the Department of Constitutional Affairs urging the government to reconsider this area in its forthcoming consultation on defamation.

In particular we have asked to government to address these points:

1. Does holding websites liable for postings by users on their bulletin boards have the effect of unacceptably curtailing freedom of expression?
2. Is a website which swiftly removes material following a complaint protected from liability for the posting? And how swift is swift?
3. Should the different nature of bulletin board communication be taken into account in assessing whether a complainant has been defamed? For instance if a single poster makes a defamatory comment but is immediately rebutted by a large number of users should the resulting thread be considered as defamatory? Or should there be a requirement to consider bulletin board conversations in the whole?

We would stress that we accept that individuals have a right to protect their reputations. However this right always has to be balanced against the rights of others to freedom of expression. At present we believe that this balance is not struck in the right place.
The E-Commerce Directive was intended to make online business easier by removing some of these liability fears. Unfortunately, it was drafted narrowly to apply to mere conduits (telecommunications providers), caching and hosting only. This appears to leave other online intermediaries (such as search engines, bulletin boards and content aggregators) out in the cold, unless they can bring themselves within the hosting defence. Might a bulletin board be able to rely on the hosting defence in respect of user posts? I have been unable to track down any discussion of this precise issue, but Lillian Edwards analyses a related issue in respect of eBay liability for user advertisements here.