UK’s New Defamation Law May Accelerate the Death of Anonymous User-Generated Content Internationally (Forbes Cross-Post)
By Eric Goldman
Historically, United Kingdom defamation law has been victim-favorable. In an effort to modernize its defamation law, the UK Parliament recently enacted the Defamation Act 2013 (royal assent was given on April 25). The act generally makes it harder for plaintiffs to win defamation lawsuits, but I’ll focus on the effects of Section 5 of the act, entitled “Operators of websites.”
Section 5 sets up a “notice-and-takedown” system for defamation from user-generated content (UGC). A web host or other online service provider isn’t liable for defamatory UGC unless it receives a takedown notice (containing specific information required by the act) and fails to remove the content on a timely basis. Moderating user content doesn’t disqualify the website operator from the act’s protection, but the act excludes when the website operator acts with “malice”–a proviso that might prove nettlesome in practice. All told, in theory, a defamation victim cannot sue a UK-based UGC website without first sending a takedown notice and giving the website the opportunity to remove the content.
Notice-and-takedown schemes create predictable problems. It’s easy enough for anyone to send a takedown notice, especially because the UK act apparently doesn’t impose any adverse consequence for sending bogus notices; and if a website faces liability only if it ignores the notice, it will reflexively remove content in response to takedown notices, irrespective of the notice’s legitimacy. So surely the act’s notice-and-takedown will be abused, as inevitably happens with all notice-and-takedown systems.
However, what’s really interesting about Section 5 is its bonus requirement for UGC websites to avoid defamation liability: they qualify for the act’s protection only if the defamation victim can find the user to sue him/her. The act doesn’t explicitly say what information about its users the website operator must give a defamation victim or when (and some of these requirements will be spelled out in regulations that are being developed), but to me the implication seems clear: if the website operator can’t provide authenticated identifying information about its users, the website operator will lose the act’s protection (unauthenticated information is useless to plaintiffs if falsified).
The requirement that website operators help plaintiffs find their users represents a major new development in the law applicable to UGC. In particular, I think the rest of the act’s notice-and-takedown scheme effectively codifies existing UK law. For example, a February ruling (Tamiz v. Google, Inc.,  EWCA Civ 68) basically adopted a notice-and-takedown rule for defamatory UGC on Google’s Blogger.com platform; and the European Union’s Electronic Commerce Directive (2000/31/EC, Article 14–apparently adopted by the UK) establishes a notice-and-takedown scheme for all types of UGC, not just defamatory content. So I believe the act’s most change to existing law is creating a user-identification obligation.
(Note 1: I don’t know EU law well enough to understand if UK imposing this additional requirement violates the EU E-Commerce Directive and, if so, what consequences that has. If you have thoughts about that, please let me know).
(Note 2: some UGC websites, including Facebook and Google+, have voluntarily adopted policies that require users to provide their real names. This law likely won’t change their behavior, though it might make those sites feel like they don’t have discretion to repeal their policies).
So while we expected the UK Defamation Act to provide additional legal comfort to website operators, instead it creates an apparent dilemma for them. If UGC websites want the legal protection of a notice-and-takedown system, they have to authenticate and identify their users. If they don’t, then they lose the act’s protection, exposing them to potential liability for defamatory UGC even if they never receive a takedown notice.
Faced with this dilemma, UGC website operators in UK surely will prevent users from publicly posting any content until the website operator has authenticated the user’s identity and contact information. (For example, simply having a user’s IP address doesn’t seem to satisfy the act, nor will websites rely on the fact that it’s hard to publish truly anonymous UGC). As a result, even if a user publishes online content “anonymously” or “pseudonymously,” their words still will be attributable to them if legally challenged.
Although the act only applies to defamatory UGC, website operators won’t authenticate users only when users are writing potentially defamatory content. Instead, website operators will collect and authenticate users’ identifying information universally, meaning that data will be available for anyone who submits a qualifying subpoena–including governments and plaintiffs pursuing non-defamation claims. The act could have restricted third party access to this user data when it isn’t being sought by a defamation victim, but it didn’t.
Further, I expect more legislatures throughout the world will follow this template: conditioning website operator protection (whether based on notice-and-takedown or some other system) on the ability to getting identifiable information about the bad user. So not only will UK websites authenticate all users before allowing them to post UGC, but eventually UGC websites in other countries will do so as well.
All of this reinforces how the United States’ Internet Law differs from the rest of the world. The United States does have a notice-and-takedown scheme for copyright infringing UGC (17 U.S.C. 512(c), a provision that’s proven somewhat problematic), but the safe harbor doesn’t require websites to authenticate users or attribute their content. (Per 17 U.S.C. 512(h), websites must turn over information about their users on request, but they aren’t required to collect or keep information about their users). Otherwise, websites generally aren’t liable for UGC, whether or not potential plaintiffs can find the users to sue (see 47 U.S.C. 230). Occasionally we’ve seen proposals in the United States to link website protection with user attribution (see, e.g., New York and Illinois), but (1) those proposals have gone nowhere, (2) they are probably unconstitutional, and (3) when done at the state level, they are preempted by Section 230 (see, e.g., this ruling involving Backpage).
Thus, while anonymous online content appears imperiled globally, websites in the United States should be able to preserve anonymous online content for the foreseeable future. I’ll leave it up to you to figure out which approach you like better.
[Photo credit: The Houses of Parliament and Big Ben at night // ShutterStock]