Virtual Pillories and the Hyperlink as Processing of Personal Data
Note to Court of Rotterdam in preliminary relief proceedings
dated 24 March 2009 (BH7630) and Court of Rotterdam in preliminary
relief proceedings dated 24 March 2009 (BH7631)
The publication of personal data of alleged paedophiles on a
website, as well as the publication of a hyperlink to foreign
websites where such data can be found, is in conflict with the
Dutch Personal Data Protection Act (PDPA). This was determined by
the Court of Rotterdam in preliminary relief proceedings in two
judgments which were rendered on 24 March 2009 against a
spokeswoman of the action group Stop Kindersex (SKS) (Stop Child
Sexual Abuse) about the website stopkindersex.com.
The Facts
On the website stopkindersex.com it had been
alleged, inter alia, that the claimant in the first
proceedings showed an interest in paedosexuals, that he was a
"paedolover" and that he was co-responsible for the
sexual abuse of five children. In addition thereto, personal data
and photographs had been placed on the Internet.
The second proceedings concerned the American websites
dutchpedophilesexposed.org and dutchpredators.org on which personal
data and photographs had been published of Dutchmen who had been
convicted for paedophilia. These second preliminary relief
proceedings were initiated by one of the persons who were mentioned
on the American websites. The claimant also objected to hyperlinks
on stopkindersex.com to these American websites. In the Netherlands
it is not allowed to publish personal data of alleged and/or
convicted paedophiles on the Internet this way. According to the
owners of the websites, this is allowed in the United
States.
Application of the PDPA and Definition of Data
Controller
A remarkable thing in these proceedings is that the PDPA has
been used as a basis for the judgment. In practice, during
proceedings about allegedly unlawful publications, even if it
concerns a publication of personal data, usually (only) the general
Section 6:162 of the Dutch Civil Code (unlawful act) is chosen as a
basis, whether or not in combination with the protection of
individual privacy as provided for in the European Convention on
Human Rights (ECHR) and the Dutch Constitution. In view of the
scope of the concept of 'processing of personal data' in
the PDPA it is remarkable that this law is not applied more often
in such situations. After all, as soon as somebody's individual
privacy is affected by a publication there will generally be
processing of data about an identifiable person.
In both proceedings the Court in preliminary relief proceedings
reached the conclusion that the defendant is (co-)responsible for
the processing of personal data on stopkindersex.com. The Court has
assumed that the defendant is the person who "determines
the purpose of and means for processing personal data."
The defendant had put up as a defense - though insufficiently
substantiated - that she had assigned the website and log-in data
for the server to another party that had taken over the
administration of the website. However, the Court in preliminary
relief proceedings has not limited itself to the question who is
'authorized in a formal legal sense' with respect to the
website, but has correctly taken an actual consideration as a
starting point and has come to the conclusion that it is
sufficiently plausible that it is still in the defendant's
power to post and/or delete data. The defendant is still
functioning as spokeswoman of Stop Kindersex (SKS), makes
statements in the media and her telephone number and e-mail address
are mentioned on stopkindersex.com.
Subsequently, in the first proceedings the Court in preliminary
relief proceedings came to the judgment that the claimant's
individual privacy had been violated and that this was not
outweighed by the defendant's freedom of expression. When using
this freedom of expression a number of basic principles must be
observed, including everyone's right to be presumed innocent
until proven guilty and the fact that somebody who has served his
sentence is once again a free man, with all the associated (basic)
rights. By observing that the website encourages people to take the
law into their own hands, which may have serious consequences, the
Court is clearly in line with the opinion already expressed by the
Dutch Data Protection Authority (DPA) in 2004 that 'virtual
pillories' are not desirable (see
http://www.cbpweb.nl/documenten/med_20040322_vp.stm).
Hyperlinks Are Processing of Personal Data
In the second proceedings an extra intermediate step still had to
be taken. On stopkindersex.com there were no details about the
claimant, but only hyperlinks to the American websites. The Court
in preliminary relief proceedings deemed these hyperlinks to be in
conflict with the PDPA too, because the defendant "thus
actively provides assistance to the - unlawful - (further)
distribution of personal data". The placing of a
hyperlink to personal data on a foreign website is apparently
considered to be processing of these data to which the PDPA
applies. This can indeed be ranged under the definition of
processing of personal data in Section 1 under b of the PDPA,
particularly the wording "dissemination by means of (..)
any (..) form of making available". By only making use of
a hyperlink to a foreign website, the applicability of the PDPA to
the website at issue will therefore not be circumvented.
Is the consequence of this judgment that hyperlinks to websites
where unlawful personal data are published also constitute unlawful
processing of personal data themselves? This seems, in my opinion
correctly, not to be what the Court intended, in view of the above
quoted choice of words that the defendant had "actively
rendered her assistance" in the dissemination of personal
data. This wording suggests that it was considered relevant that
the defendant had been aware of the nature of the other websites
and also that she had the intention to support the goal of these
websites. The apparent intention to guide visitors of
stopkindersex.com through to the virtual pillories and to provide
the personal details of (alleged) paedophiles to a large audience
is apparently also taken into consideration. From a technical legal
perspective, the interpretation of the wording "actively
rendered her assistance" is important. If this wording
would be interpreted differently, hyperlinks of many websites would
in principle constitute unlawful processing of personal
data. However, even if that had been the case, in practice the
consequences for the final judgment would not be substantial. After
this first step, it still has to be weighed whether the
unlawfulness is not removed because the freedom of expression
prevails, considering all circumstances of the case. The various
interests that have to be weighed are not substantially influenced
by technical legal questions.
In these proceedings regarding the hyperlinks to the American
websites, the Court came to the conclusion, as it did in the other
case that is described in this article, that the defendant's
freedom of expression does not outweigh the claimant's privacy
and therefore cannot take away the unlawfulness. Incidentally, the
claimant in the second proceedings had also claimed that his data
would be removed form the American websites. The Court denied this
claim, because it is not sufficiently plausible that the defendant
is also responsible for the processing of personal data on these
American websites.
The Future of Virtual Pillories and
Hyperlinks
The line that was chosen with respect to stopkindersex.com is
understandable and seems to be correct. On virtual pillories such
as these people are stigmatized and there is a clear threat that
people will take the law into their own hands. Furthermore, there
is a large risk that innocent people who wrongfully end up on a
list will at some stage suffer harm, with a long-lasting effect
because data do not disappear from the Internet easily, not even
after the information is removed from the original website. What
happens here is of a different order than the right as formulated,
inter alia, in the Telegraaf judgment (Dutch
Supreme Court 27 January 1984, NJ 1984/804), of the press to
publish about "the existence of accusations of criminal
offenses against persons who occupy important (and/or public)
positions in society (..) without it being established at the time
of publication that these accusations are true and/or may be
considered as being true by the press".
Also the opinion that the hyperlink is unlawful is
understandable with respect to a virtual pillory. The same outcome
could also have been reached if not the PDPA, but an
'ordinary' unlawful act in connection with an intrusion on
individual privacy would have been used as a basis. After all, in
that case the starting point is that hyperlinks are not unlawful,
except if the person placing the hyperlink knew or had to
understand that the hyperlink leads to unlawful publications, but
does not take any measures to prevent it (cf. Court of Amsterdam in
preliminary relief proceedings, 20 June 2002, LJN AE4427,
Indymedia/Deutsche Bahn). Whichever of the two routes is
taken, subsequently it will still have to be considered whether the
freedom of expression does not prevail and thus removes the
unlawfulness and liability. This remains a crucial consideration
which, in my opinion, could have the same result in both routes. In
this respect hyperlinks should only be deemed unlawful in
exceptional circumstances, such as intentional references to
virtual pillories that provide serious allegations and sabotage
manuals for (German) railways.
This article has also been
published in the magazine Privacy & Informatie, 2009/3.