Back to main site

    Key Concepts In Online Speech Litigation

    Module 1: Digital Rights and Emerging Challenges

    In cases where online speech has been restricted, or where an individual’s rights have been harmed as a consequence of an online publication, a range of different concepts have arisen. Most of those issues will be addressed in detail in the subsequent modules, so here they will only briefly be introduced. Other relevant concepts, such as net neutrality or the impact of artificial intelligence, will be considered here in more detail as they have not yet been the subject of extensive litigation in Europe.

    Intermediary Liability

    Intermediary liability occurs where governments or private litigants can hold technological intermediaries, such as ISPs and websites, liable for unlawful or harmful content created by users of those services.(1) This can occur in various circumstances, including copyright infringements, digital piracy, trademark disputes, network management, spamming and phishing, “cybercrime”, defamation, hate speech, child pornography, “illegal content”, offensive but legal content, censorship, broadcasting and telecommunications laws and regulations, and privacy protection.

    Notwithstanding that there is consensus among many freedom of expression advocates that insulating intermediaries from liability for content generated by others is a fundamental principle that protects the right to freedom of expression online, courts in Europe have taken a different view in a range of cases raising different factual considerations. This topic will be discussed in more detail in subsequent modules.

    Data Protection

    In Europe, the primary legislation governing protection of data is the GDPR, which took effect across all EU Member States from 25 May 2018. it replaced the 1995 EU Data Protection Directive. The GDPR is an ambitious piece of legislation which took over four years to agree. One of its key aims was to create a harmonised approach to data protection across the EU, with increased rights for individuals in an age of rapid technological advances.

    While the GDPR is primarily known for its effect on business, it has also brought about significant changes to data processing by media outlets, which are often overlooked in discussions about data protection. The GDPR recognises that data protection is not an absolute right. Regulators in different states are often asked to reconcile two fundamental rights: the right to data protection and freedom of expression, particularly in the context of journalism.

    The ‘journalistic exemption’ is found at Article 85 of the GDPR and it requires Member States to regulate the extent to which GDPR applies to journalists and others writing in the public interest. As discussed in more detail in other modules the journalistic exemption can be applied unevenly across Member States, and this raises serious concerns about the use of data claims as a new form of SLAPP against journalists.

    Social Media Blocking

    Unlike in other jurisdictions around the world, countries in Europe have been less prone to shutting down the internet when faced with protests or other challenges. There have however been a number of important cases in the region on the blocking of particular social media websites or online media outlets. The ECtHR has found in several cases that a wholesale blocking order against a website is an extreme measure, which has been compared by the UN Human Rights Committee and other international bodies to banning a newspaper or broadcaster. In the case of OOO Flavus and Others v. Russia, concerning the unjustified wholesale blocking of opposition online media outlets, the ECtHR considered that this measure, which deliberately ignored the distinction between illegal and illegal information, was arbitrary and manifestly unreasonable.(2)

    ‘The Right to be Forgotten’

    The ‘right to be forgotten’ is not an international legal standard. It came to the fore with the decision of the CJEU in Google Spain(3) in which the CJEU held that data protection principles apply to the publication of search results of search engines. It held that individuals should be able to ask search engines operating in the EU to delist search results obtained by a search of their name if the links were “inadequate, irrelevant or no longer relevant, or excessive.” The scope of the right to be forgotten was limited in a number of ways, including to search engines, and imposed the requirement to de-list search results associated with an individual’s name.(4) It has since been codified as the Right to Erasure under the EU’s General Data Protection Regulation (GDPR). According to the CJEU’s judgments it did not extend to the underlying content in issue, for example newspaper archives. The expansion of the right to be forgotten by the ECtHR will be discussed in a later module.

    Artificial Intelligence

    The recent development of Large Language Models (LLMs) and their use in chatbots and LLM-enabled software systems have become increasingly popular. Although the impact AI will have on freedom of expression online will develop in the face of rapid technological advancement concerns have been raised about, for example, how culpability for privacy defamation and data protection breaches can be determined. Absent any significant case law on this emerging area, the impact of AI on one recently developed concept, the right to be forgotten, is briefly considered here.

    Overall, LLMs have similar source data to search engines, and the datasets used to develop these models may contain personal data, causing similar concerns to those raised in the Google Spain case. That decision initially imposed an obligation on search engines to delist an impugned link, so that it would not appear in a search using particular terms. The ECtHR has endorsed the removal of the source – the impugned web page – containing the personal information.(5) Neither method works with LLMs. Efforts to remove personal data from training datasets in order to avoid publication of private information would almost certainly offend the requirement that such information be removed without “undue delay”, as required by the GDPR. Further, removing hallucinated data – that is, a response generated by AI which contains false or misleading information presented as fact – is difficult because such data are not contained in the training dataset of the model. Removing some hallucinated data could result in new hallucinations.

    Net Neutrality

    Net neutrality is primarily debated at the EU level. It refers to the way that Internet Service Providers (ISPs) manage the data or traffic carried on their networks when data is requested by broadband subscribers, referred to as end-users in EU law, from providers of content, applications, or services, as well as when traffic is exchanged between end-users. In the EU, this is dealt with by the Open Internet Regulation.(6)

    Under EU rules, ISPs are not permitted to block or slow down internet traffic, except where necessary. There are exceptions however, relating to: management of traffic to comply with a court order, to ensure the integrity of the network integrity and to ensure security, and to manage temporary network congestion or congestion which arises exceptionally, but only as long as equivalent categories of traffic are treated the same. EU law provide for an end-user’s right to be “free to access and distribute information and content, use and provide applications and services of their choice”.(7) Specific provisions ensure that national authorities can enforce this right. The ‘best effort’ internet is about the equal treatment of data traffic being transmitted over the internet. It envisages that ‘best efforts’ are made to carry data, no matter what it contains, which application transmits the data, or where it comes from.

    In the US, the Federal Communications Commission (FCC), which had voted in 2017 to repeal the laws on net neutrality, recently decided to restore it to, as they describe it, “ensure the internet is fast, open, and fair.” In so doing the FCC noted that it would be able to provide effective oversight over broadband service providers, giving it essential tools to: “Protect the Open Internet – Internet service providers will again be prohibited from blocking, throttling, or engaging in paid prioritization of lawful content …; Safeguard National Security – The Commission will have the ability to revoke the authorizations of foreign-owned entities who pose a threat to national security to operate broadband networks in the U.S. The Commission has previously exercised this authority under section 214 of the Communications Act to revoke the operating authorities of four Chinese state-owned carriers to provide voice services in the U.S.; and Monitor Internet Service Outages – When workers cannot telework, students cannot study, or businesses cannot market their products because their internet service is out, the FCC can now play an active role.”(8)

    Transnational violations of digital rights

    In Al-Skeini v United Kingdom the ECtHR Grand Chamber described the general principles relevant to the question of extraterritorial jurisdiction in the following terms: “A state’s jurisdictional competence under article 1 is primarily territorial. Jurisdiction is presumed to be exercised normally throughout the state’s territory. Conversely, acts of the contracting states performed, or producing effects, outside their territories can constitute an exercise of jurisdiction within the meaning of article 1 only in exceptional cases. To date, the Court in its case law has recognised a number of exceptional circumstances capable of giving rise to the exercise of jurisdiction by a contracting state outside its own territorial boundaries. In each case, the question whether exceptional circumstances exist which require and justify a finding by the Court that the state was exercising jurisdiction extra-territorially must be determined with reference to the particular facts.”(9)

    Many states have extended their cyber operations, including their surveillance capacity, beyond their territorial borders, increasing the risk that domestic legal restrictions will be evaded. This has important implications for press freedom, as such operations are capable of intercepting journalistic communications and related data that can identify journalistic sources. A cyber operation that facilitates state access to journalists’ communications and related data without adequate safeguards is more likely to affect public interest journalism due to the nature and content of that journalism.

    Until recently, the ECtHR had not considered the question of extraterritorial jurisdiction in situations involving state cyber operations. The decision in Wieder and anor. v United Kingdom provided that court with an opportunity to do so, but it instead decided it was not required to assess the case on extraterritoriality grounds. Instead, the ECtHR found that the UK had territorial jurisdiction in cases that concern the risk of bulk interception of the electronic communications of persons residing outside its territory. So, for guidance on how courts might consider extraterritoriality in this context we can look to a recent decision of the German Constitutional Court on extraterritorial cyber operations for guidance on how this question is considered.(10)

    The question before the Constitutional Court was whether the fundamental rights of the Basic Law are binding on the Federal Intelligence Service and the legislator that sets out its powers, regardless of whether the Federal Intelligence Service is operating within Germany or abroad, and whether the protection provided by Article 5, relating to freedom of expression, and Article 10, relating to privacy, applies to telecommunications surveillance of foreigners in other countries.(11) The challenge was brought against legislative provisions permitting the Federal Intelligence Service(12) to carry out surveillance of foreign telecommunications, to share that intelligence with domestic and foreign bodies, and to cooperate with foreign intelligence services in respect of that intelligence. It therefore raised very similar factual issues to the ones the Court must consider in these present cases.

    The relevance of the Constitutional Court’s analysis partly lies in its focus on the applicability of international human rights principles to that question. The Constitutional Court began by noting that the Basic Law provides that the authority of the state is bound by the fundamental rights contained within it and that no restrictive requirements that make that binding effect dependent on a territorial connection with Germany or on the exercise of specific sovereign powers can be inferred.(13) It specifically noted that this characterisation applies to freedom of expression and privacy, which require to be protected from surveillance measures.(14)

    The judgment emphasised the relationship between fundamental rights provided for in the Basic Law and international human rights law and noted that while “the Basic Law deliberately differentiates between human rights and rights afforded only to German citizens … this does not mean that human rights should also be limited to domestic matters or state action in Germany. There is nothing in the wording of the Basic Law to suggest such an understanding.”(15) Importantly, it found that restricting the application of the Basic Law to Germany’s territorial boundaries would undermine universal human rights.(16)

    One of the key factors in the Constitutional Court’s analysis, no doubt influenced by the range of methods available to the state when engaged in extraterritorial surveillance, was the importance of ensuring fundamental rights protections march in step with state behaviour, noting that a failure to do so would “[g]iven the realities of internationalised political action and the ever increasing involvement of states beyond their own borders … result in a situation where the fundamental rights protection of the Basic Law could not keep up with the expanding scope of action of German state authority and where it might – on the contrary – even be undermined through the interaction of different states. Yet the fact that the state as the politically legitimated and accountable actor is bound by fundamental rights ensures that fundamental rights protection keeps up with an international extension of state activities.”(17) This is particularly relevant in the context of states using technological and other advancements to evade their obligations under human rights law.

    A further important aspect of this case lies in the Constitutional Court’s recognition that the Basic Law is designed to “provide protection whenever the German state acts and might thereby create a need for protection – irrespective of where and towards whom it does so.”(18) This approach is consistent with recent developments on the international legal plane, notably with respect to the so-called ‘functional’ approach.footnote]See for example Yuval Shany, Taking Universality Seriously: A Functional Approach to Extraterritoriality in International Human Rights Law (28 August 2013), The Law & Ethics of Human Rights, vol. 7, no.1, pp 47-71[/footnote] In applying this approach the Constitutional Court expressly noted that the Convention “does not stand in the way” of Basic Law rights being applied abroad.(19) On that basis, an individual who is resident in London and who is the subject of a cyber operation conducted by German intelligence agents, would come within the jurisdiction of the German state.


    1. See Delfi AS v. Estonia [GC] [GC], no. 64569/09, ECHR 2015. Back
    2. OOO Flavus and Others v. Russia, 12468/15 and 2 others, § 34, 23 June 2020. Back
    3. CJEU, Google Spain v AEPD & Mario Costeja Gonzalez, 13 May 2014, C-131-12. ECLI:EU:C:2014:317. Back
    4. Since then, the Article 29 Working Party and Google’s Advisory Council have published guidelines on the way in which ‘right to be forgotten’ requests under Google Spain should be treated. The Article 29 Guidelines state that there is an exception to not delist pages “for particular reasons, such as the role played by the data subject in public life,” such that the data processing is justified by “the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question.” Back
    5. Biancardi v. Italy, no. 77419/16, 25 November 2021. Back
    6. Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and retail charges for regulated intra-EU communications and amending Directive 2002/22/EC and Regulation (EU) No 531/2012. Back
    7. Ibid. Back
    8. NPR, Net neutrality is back: U.S. promises fast, safe and reliable internet for all, (accessible at Back
    9. ECtHR, Al-Skeini and Others v the United Kingdom [GC], no. 55721/07, §§131-132, ECHR 2011; See also ECtHR, Georgia v Russia (II) [GC], no. 38263/08, §81, 21 January 2021. Back
    10. BVerfG, Urteil des Ersten Senats vom 19 Mai 2020 – 1 BvR 2835/17 -, Rn. 1-332 (accessible at Back
    11. While this case deals with the extraterritorial application of the constitution of a state, the Intervener would submit that broadly the same considerations apply in that regard as apply to the extraterritorial application of the Convention. Back
    12. The Bundesnachrichtendienst or BND. Back
    13. See Article 1(3) Basic Law for the Federal Republic of Germany (Grundgesetz – GG). See also, BVerfG, Judgment of the First Senate of 19 May 2020 – 1 BvR 2835/17, §88 (accessible at Back
    14. Article 5 and Article 1 Basic Law for the Federal Republic of Germany (Grundgesetz – GG). Back
    15. BVerfG, Judgment of the First Senate of 19 May 2020 – 1 BvR 2835/17, §94 (accessible at Back
    16. Id., §97. Back
    17. Id., §96. Back
    18. Id., §89. Back
    19. BVerfG, Judgment of the First Senate of 19 May 2020 – 1 BvR 2835/17, §99, (accessible at Back