Criminal histories and the boundaries of privacy
The recent case of CG illustrates clearly Facebook's liabilities where individuals publish online details of others' offences, writes Richard Easton
The state’s disclosure of criminal records has in recent years produced a plethora of case law. But when should the law prevent private individuals from publishing the details of others’ offences? And when ought social media companies to be liable for their users’ posts? The Northern Irish Court of Appeal (NICA) recently wrestled with these thorny questions in CG v Facebook  NICA 54.
CG was sentenced to ten years’ imprisonment in 2007 for a series of child sex offences. He was released on licence in 2012. In April 2013, Joseph McCloskey posted on his Facebook page, ‘Keeping Our Kids Safe from Predators 2’, a 2007 Irish News report of CG’s conviction. The posting of CG’s offences, his name, and photograph attracted comments that included violent threats and the identification of where the sex offender was living.
After Facebook’s removal of the ‘Predators 2’ page, RS – the father of one of CG’s victims – published a similar page to McCloskey’s in November 2013. RS’s page elicited similar threats against CG. RS’s November 2013 posting was removed at some point on 4 or 5 December 2013 by Facebook. RS responded by uploading CG’s conviction and photograph on 23 December 2013.
In 2015, the Northern Irish (NI) High Court accepted CG’s claims that McCloskey had harassed him and misused private information: CG v Facebook & McCloskey  NIQB 11. Unlike the USA, where released sex offenders’ crimes are often widely publicised in the community, the UK has public protection arrangements that strictly regulate the disclosure of information concerning sex offenders to support rehabilitative efforts. McCloskey’s page devoted to the ‘outing’ of paedophiles ran counter to this policy objective and could not be said to be in the public interest, according to the NI High Court.
CG’s claim against Facebook Ireland Ltd encompassed both McCloskey’s and RS’s postings. The NI High Court concluded that Facebook was liable for the misuse of CG’s private information by failing to delete expeditiously McCloskey’s April 2013 posting and RS’s November and December 2013 postings after being notified of their inflammatory content. Facebook was not, however, a ‘data controller’ established in the UK and was not subject to the Data Protection Act 1998.
Facebook appealed to the NICA. First, the company disputed that the data posted by McCloskey and RS constituted private information. Second, Facebook disputed that it had received sufficient notice of the men’s offensive publications. McCloskey abandoned his appeal (which may have centred on the curtailment of his free expression), while CG cross-appealed the NI High Court’s decision that Facebook was not subject to the Data Protection Act 1998.
The NIAC held that CG’s name, image, and offences could not be considered private information in themselves (his conviction was, after all, one which will never be spent). However, the publications, which included his address, were part of a ‘campaign of harassment’. The data were, therefore, ‘cumulatively information in respect of which [CG] had a reasonable expectation of privacy because of the risk that those who wished to do him harm could have established his whereabouts in order to do so’ (at ). McCloskey’s April 2013 and RS’s November 2013 postings had been a misuse of CG’s private information. The mere publication of CG’s convictions and image by RS in December 2013 was not, however, sufficient for there to be a reasonable expectation of privacy; Facebook was, therefore, not liable for that particular posting.
Knowledge of unlawfulness
The NICA then turned to the issue of whether Facebook had had adequate notice of McCloskey’s and RS’s tortious publications. Facebook, as an information society service (ISS) within the meaning of Directive 2000/31/EC (the e-Commerce Directive) and the implementing Electronic Commerce (EC Directive) Regulations 2002, was protected from liability if it had no actual knowledge of the unlawful information or if, after gaining such knowledge, it had acted swiftly to remove, or disable access to, that data.
The NI High Court erred, according to the NICA, when it concluded that Facebook had had actual knowledge of the unlawfulness of McCloskey’s page. The burden lay on CG to adduce prima facie evidence of Facebook’s awareness. CG’s misconceived letter before claim referred to defamation (the ‘Predators 2’ page’s content was, however unpleasantly worded, true) and an allegation that there was an immediate risk to his life; harassment and privacy were not mentioned and could not be easily inferred by Facebook.
Moreover, the mere existence of an interim injunction in 2012 concerning McCloskey’s defunct page ‘Keeping Our Kids Safe from Predators’ and another sex offender’s claims of harassment and violation of article 3 (see XY v Facebook  NIQB 96) did not fix Facebook with knowledge of the substance of CG’s claim a year later. By concluding that Facebook had actual knowledge of CG’s complaint, the NI High Court had effectively placed the appellant ISS under an obligation to monitor the vast quantities of data it handled, a burden anathema to the eCommerce Directive’s and 2002 Regulations’ promotion of the social and economic benefits to be derived from the free flow of information.
Facebook did, however, have knowledge of the unlawfulness of RS’s November 2013 posting because CG had clearly complained of the publication of the general area he was living in and the threat he faced from loyalist paramilitaries. Facebook was, therefore, liable for failing to remove RS’s first posting expeditiously.
‘Established’ in the UK
This left CG’s cross-appeal on whether Facebook Ireland Ltd was ‘established’ in the UK for the purposes of the Data Protection Act 1998. The NICA swiftly concluded that the Court of Justice of the European Union’s decisions in Google Spain v AEPD and Gonzalez C-131/12 and Weltimmo v Nemzeti Adatvedelmi C-230/14 supported the view that the Data Protection Directive (and consequently the 1998 Act) had a broad territorial scope. Although operating in Eire, Facebook Ireland Ltd’s stable relationship with the data-processing marketing company Facebook (UK) Ltd gave it a sufficient foothold in the UK to be considered as ‘established’ in this country.
The decision in CG is thus of monumental significance for Facebook. CG illustrates clearly Facebook’s liabilities if it becomes aware of, but fails to delete swiftly, posts ranging from abusive rants to revenge porn. The NICA in CG is also the first court in the UK to hold that Facebook is subject to the Data Protection Act 1998’s strictures. Facebook will undoubtedly take some comfort, though, from the NICA’s rejection of CG’s argument that the protections from liability afforded by the e-Commerce Directive and 2002 Regulations did not extend to the Data Protection Directive or 1998 Act. Had the NICA held otherwise, Facebook would be required to monitor the billions of postings, comments, images, and ‘likes’ passing through its servers for possible data protection violations.
CG’s importance also lies in its confirmation that even records of unspent convictions for heinous offences already in the public domain can now be considered ‘private’ in certain circumstances.
But does the Northern Irish case also point to increased protections for those with spent convictions for sexual offences, or indeed any other form of offence?
CG’s convictions were unspent; his privacy was only at stake because of the harassment he faced. Were his convictions spent (and were he in England), he would have been protected by section 8 of the Rehabilitation of Offenders Act 1974, which permits defamation actions for the malicious publication of an individual’s spent conviction. The hurdle of establishing ‘malice’ by showing that the ‘dominant motive of injuring the claimant’s reputation’ lies behind the publication of a spent conviction is, however, high: see Silkman v Heard (2001) WL 415495.
CG appears, though, to confirm a drift in the law on privacy that might not require a person with a spent conviction to demonstrate ‘malice’ or a ‘harassing context’ to prevent others from divulging his crimes.
When refusing summary judgment to a nephew attempting to prevent his uncle from informing potential employers of his spent conviction for forgery, Mr Justice Eady opined in KJO v XIM  EWHC 1768 that ‘the boundaries’ hemming in private individuals from releasing details of others’ criminal histories were ‘unclear and developing’. Since KJO, a series of authorities has confirmed that the right to privacy is clearly engaged, and potentially violated, by the state’s disclosure of individuals’ long-spent offences: see, for instance, R (T) v Chief Constable of Greater Manchester  UKSC 35. Lord Wilson expressed the view in T that a criminal record would come within the ambit of one’s private life ‘usually [at] the point at which [the conviction] becomes spent’ (at ).
Rather than requiring claimants to prove malice to establish defamatory publication of their spent crimes, might the law now require the publisher to justify broadcasting another’s stale offence? And might article 8, the tort of breach of privacy, and the Data Protection Act 1998 together provide greater protection for those with spent (and in certain circumstances unspent) convictions in the information age than the now 43-year-old Rehabilitation of Offenders Act? Perhaps the unclear and developing ‘boundaries’ on the publication of others’ old crimes have, in the light of CG, come closer to being demarcated.
Richard Easton is a solicitor at Sonn Macmillan Walker