06 October 2016

Online harms and law reform in Ireland

The Law Reform Commission of Ireland has released its report on Harmful Communications and Digital Safety.

 The Commission comments that its report
arises against the reality that we live in a truly interconnected digital and online world. The revolution in telecoms and digital media in the first two decades of the 21st century means that we can communicate with the world through social media on smart phones and other digital devices at virtually any time. This has brought enormous positive benefits, because it has facilitated a new form of online and digital consumer society and also allowed us to participate on a national and international level in civic society and in public discourse generally. This has greatly expanded the capacity to enjoy freedom of expression and of opinions in this jurisdiction and in comparable States.
This freedom has, however, also brought some negative aspects, including a tendency for some online and digital users to engage in communications that cause significant harm to others, including by posting online intimate images without consent and which involve gross breaches of the right to privacy. Examples include the intentional victim- shaming of individuals (overwhelmingly women) sometimes referred to as “revenge porn” (an unhelpful shorthand because it appears to suggest it is “just porn”). Other negative developments include intimidating and threatening online messages directed at private persons and public figures. New forms of technology have also facilitated a new type of voyeurism, sometimes referred to as “upskirting” and “down blousing” in which intimate images are taken and then posted online. In addition, there have also been many instances of online and digital harassment and stalking, which also mirror to some extent the pre-digital versions of these harmful behaviours.
Harmful communications and digital safety: criminal offences and civil law oversight
This project and Report has identified that the existing criminal law already addresses some of the harmful communications described. Not surprisingly, however, it has also identified some gaps that require reform, notably where new forms of communication have been used in harmful ways that could not have been anticipated previously. The Report therefore proposes that the existing criminal law, together with the proposals intended to deal with the new forms of harmful communications, could usefully be consolidated into a single piece of legislation, reflected in Part 2 of the draft Harmful Communications and Digital Safety Bill in Appendix A of this Report.
In addition, the public consultation carried out by the Commission leading to this Report (including a public seminar in 2015 hosted by the Commission, and a 2 day workshop with young people in 2016 facilitated by the Department of Children and Youth Affairs) has also underlined the need to address harmful communications in a wider context, which would include a system of statutory oversight that promotes and supports positive digital safety.
The Report recommends that this should be done under a proposed Office of the Digital Safety Commissioner of Ireland, modelled on comparable offices in Australia and New Zealand, and which could build on the existing Office of Internet Safety located in the Department of Justice and Equality. The proposed Commissioner would have a general oversight and monitoring role, including functions aimed at promoting online and digital safety generally. In this respect the Commissioner would collaborate with other relevant State bodies such as the Ombudsman for Children in the development, with the Department of Education and Skills and the Department of Children and Youth Affairs, of guidance material for young people and schools on what it means to be a safe and responsible digital citizen.
The proposed Digital Safety Commissioner would also oversee and monitor an efficient and effective “take down” system so that harmful communications can be removed as quickly as possible from, for example, social media sites. This would include the publication of a statutory code of practice on take down procedures and associated national standards, which would build on the current non-statutory take down procedures and standards already developed by the online and digital sector, including social media sites. The proposed statutory model envisages that applications for take down of harmful communications would initially be made to the relevant digital or online service provider, such as a social media site. The Digital Safety Commissioner would become involved by way of appeal if the take down procedure did not operate in accordance with the statutory standards – and the Commissioner would also have a general monitoring and supervisory role, as is the case in the Australia and New Zealand systems. These standard-setting and oversight proposals are reflected in Part 3 of the draft Harmful Communications and Digital Safety Bill in Appendix A of the Report.
The Commission is conscious of the important position that Ireland occupies in the digital sector, including the significant presence in the State of many of the leading online and digital multinational firms. In that context, the proposals made in this Report may have an impact not only in Ireland but also some extra-territorial effect outside the State because of the reach of the firms headquartered in Ireland. In this respect, the Report begins in Chapter 1 by noting the increasing regulation internationally of aspects of online and digital communications. This includes through the Council of Europe and the case law of its European Courts of Human Rights, as well as through the European Union and the case law of its Court of Justice, as well as EU legislation that affects this area.
It may be that, ultimately, some aspects of harmful communications, such as the extra- territorial scope of criminal and civil law in this area, will be addressed through regional or global agreements or conventions. For the present, this Report makes recommendations on extra-territoriality that reflect existing law, both in the criminal law and civil law oversight areas. ...
Guiding Principles in the Report
... Chapter 1 of this Report describes the Commission’s general approach to reform in this area. It discusses how the Commission was guided by key principles, including:
• the wider context within which law reform proposals should be considered, in particular the need to have in place solutions that involve education and empowerment concerning harmful digital and online communications; 
• the need to take account of relevant rights and interests, including to ensure that the law contains an appropriate balance between the right to freedom of expression on the one hand and the right to privacy on the other hand; 
• the principle of technology neutrality, which requires a focus on regulating actions and behaviour rather than simply the means used; and 
• the requirement for a proportionate legal response that recognises the respective roles of criminal law and of civil law and regulatory oversight: namely, that criminal law is used only where activity causes significant harm, and that civil law and regulatory oversight includes an efficient and effective take down procedure and a suitable statutory framework.
The wider context for this Report was fully analysed in the 2014 Report of the Internet Content Governance Advisory Group (ICGAG Report), which examined the general policy setting and governance arrangements needed to address harmful online material. In preparing this Report, the Commission has had the benefit of the discussion in the ICGAG Report of this wider context.
In relation to the need to balance the rights to freedom of expression and privacy, the Report discusses their recognition in the Constitution of Ireland as well as in the European Convention on Human Rights (ECHR) and EU law.
As to technology neutrality, this requires that the form of regulation neither imposes, nor discriminates in favour of, the use of a particular type of technology. However, technology neutrality does not necessarily require the same rules online and offline, but rather that the rules in both contexts achieve the same effect. This may require technology specific laws in certain cases. 
With regard to proportionality, this Report applies the harm principle, which requires that responses based on policy, education and the civil law should be prioritised and that the criminal law should only be employed to deal with serious harm. The Report therefore recommends a three level hierarchy of responses to target harmful digital communications: 
• Education: to create user empowerment and foster safe and positive digital citizenship;   
• Civil law and regulatory oversight: where education and related responses are ineffective and the law needs to be employed, civil law should be favoured as it is less onerous than the criminal law; 
• Criminal law: only the most serious harm should be subject to the criminal law.
This hierarchical approach is particularly important in the context of harmful digital communications because the ease with which individuals can post content online means that much internet communication is spontaneous and impulsive, and thus a vast amount of content is posted every day. A hierarchical approach is also necessary because this type of harmful communication often involves children and young people for whom the criminal justice process should be seen as a last resort and only after other responses, such as education or suitable diversion programmes, have been applied.
Reform of Criminal Law Concerning Harmful Communications
Harassment should include online or digital means of communication, and indirect forms
Chapter 2 of the Report begins with a discussion of whether the harassment offence in section 10 of the Non-Fatal Offences Against the Person Act 1997 should be extended to incorporate a specific reference to harassment by online or digital means of communication.
Section 10 of the 1997 Act already applies to direct harassment of a person “by any means”. However, as the Report describes, while this probably applies to direct online or digital harassment, it does not clearly address other forms of online harassment about a person, such as posting fake social media profiles. The Commission therefore recommends that the harassment offence should be amended to include a specific reference to harassment of or about a person by online or digital means: this would offer important clarification as to the scope of the offence.
The Commission also recommends that section 10 of the Non-Fatal Offences Against the Person Act 1997 should be repealed and replaced with an harassment offence that expressly applies to harassment by all forms of communication including through digital and online communications such as through a social media site or other internet medium. As already noted, the Commission considers that this reformed harassment offence should be included in a single piece of legislation that also includes the other offences discussed in this Report ....
Specific offence of stalking
Stalking is an aggravated form of harassment characterised by repeated, unwanted contact that occurs as a result of fixation or obsession and causes alarm, distress or harm to the victim. This element of intense obsession or fixation, which creates an unwanted intimacy between the stalker and the victim, differentiates stalking from harassment.
The Report discusses developments in Scotland and England and Wales where specific stalking offences were introduced in 2010 and 2012 respectively. The experiences of these jurisdictions strongly suggest that the introduction of specific stalking offences led to an increase in reporting and prosecution of stalking. Specifically naming stalking as an offence also carries great significance for victims of stalking, because of the “hidden” nature of the crime as well as its aggravated nature compared to harassment. The Commission therefore recommends that a specific stalking offence should be enacted.
Need to address once-off harmful communications
The Report also considers whether offences are required to target once-off harmful communications. Section 10 of the Non-Fatal Offences Against the Person Act 1997 is limited to persistent behaviour and thus does not apply to a single act that seriously interferes with a person’s peace and privacy or causes him or her alarm, distress or harm. This gap has become particularly apparent with the advance of digital and online communication, because the internet enables instant communication to large audiences, often anonymously (actual or, in some cases, perceived). These features of the online and digital environment mean that even a single communication has the capacity to interfere seriously with a person’s peace and privacy or cause alarm, distress or harm, particularly as internet communications are also difficult to erase completely.
A number of offences other than the harassment offence can be applied to some forms of harmful once-off behaviour, such as sending threatening messages in section 13 of the Post Office (Amendment) Act 1951, misuse of personal data under the Data Protection Acts 1988 and 2003 or “hacking” under the Criminal Damage Act 1991. However, none of these offences deals comprehensively with, for example, non- consensual distribution of intimate images of adults where this is done on a once-off basis, as opposed to persistently.
The Report examines how other jurisdictions, such as Canada, England and Wales, Scotland and the Australian state of Victoria, have legislated for this type of criminal behaviour. This includes offences designed to target non-consensual distribution of intimate images with intent to cause harm (the victim-shaming offence often called “revenge porn”) and other offences designed to target once-off harmful communications (to address what is often referred to as “upskirting” and “down-blousing”).
One of the most significant challenges when legislating for harmful online behaviour is to ensure that any offences are drafted with sufficient precision so that they are not vulnerable to being found unconstitutional on grounds of vagueness. The Report explores how the vagueness doctrine has been applied in the Irish courts as well as discussing pertinent examples of legislation dealing with harmful internet communications that have been found to be unconstitutionally vague in Ireland and other jurisdictions.
Offence of sending or threatening or indecent messages should apply to online communications
The Commission reiterates the recommendation in the 2014 Report of the Internet Content Governance Advisory Group (ICGAG Report) that the offence of sending threatening or indecent messages, in section 13 of the Post Office (Amendment) Act 1951 (which is currently limited to communication by letter, phone and SMS text), should be extended to apply to online communications. The Report recommends that the section 13 offence should be repealed and replaced with an offence of distributing a threatening, false, indecent or obscene message by any means of communication and with the intent to cause alarm, distress of harm or being reckless as to this.
New offence to address once-off intentional online victim-shaming (“revenge porn”)
The Report recommends that there should be a new offence to target the non- consensual distribution of intimate images, including where this involves a once-off incident. This would deal with the victim-shaming behaviour where a person posts or otherwise distributes intimate images such as photos or videos with the intention of causing another person harm or distress (the so-called “revenge porn” cases). The Commission therefore recommends the enactment of an offence involving the distribution of intimate images without the consent of the person depicted in the image and where there is intent to cause alarm, distress of harm or being reckless as to this.
New offence to address other once-off posting of intimate images without consent (“upskirting”)
In some instances, including in the case of young people, intimate images obtained are shared spontaneously or without considering the impact on the person concerned, or are re-distributed by third parties without consent. These cases may not be capable of being prosecuted under the victim-shaming offence recommended above because the intent to cause alarm, distress or harm element may not be present. The Commission therefore recommends that a separate offence should be introduced to target the non-consensual taking and distribution of intimate images without intent to cause alarm, distress or harm. This would address the so-called “upskirting” and “down-blousing” behaviour, which is a form of voyeurism.
Protecting the privacy of victims
The distribution of intimate images has the potential to cause the persons depicted in such images significant harm in the form of distress, humiliation and shame. The victims of such activity may thus be discouraged to report to the Gardaí and pursue a prosecution for fear of generating more publicity for the images in question. The Commission therefore recommends that in any prosecution for a harmful communications offence provided for in the Report, the privacy of the person in respect of whom the offence is alleged to have been committed should be protected.
Consent of DPP for cases involving persons under 17
The Commission recommends that no prosecution for the offences discussed in the Report may be brought against children under the age of 17 except by or with the consent of the Director of Public Prosecutions. The procedural protection reflects the Commission’s strong view that it would be highly undesirable to criminalise children under the age of 17 years for behaviour undertaken as a result of their inherent immaturity and where there is no intention to cause serious distress. It also reflects one of the Commission’s guiding principles in this Report, that in the case of children and young people, the criminal justice process should be seen as a last resort and only after other responses, such as education or suitable diversion programmes, have been applied.
2 year time limit for summary prosecutions
The Commission recommends that the general 6 month time limit for bringing a summary prosecution (in the District Court), in section 10(4) of the Petty Sessions (Ireland) Act 1851, should not apply. Instead a 2 year time limit should apply for summary prosecution of harmful communications offences. Frequently, these cases require the collection of evidence from websites with servers located outside the jurisdiction. Such content can only be obtained through the use of the Mutual Legal Assistance Treaty procedure, which can take up to 18 months to be completed. This is a significant problem in summary proceedings because the 6 month time limit will have expired before the relevant content has been received and so extending this time limit for harmful communications offences to 2 years would ensure that summary prosecutions for such offences will not be prevented by a restrictive time limit. No specific time limit applies to prosecutions on indictment. 
Jurisdiction and extra-territoriality in criminal law 
In general, criminal jurisdiction is territorial, meaning that it is usually limited to offences committed within the territory of the State. Article 29.8 of the Constitution provides that the State may legislate with extra-territorial effect, which must be done expressly. There are a number of examples where the Oireachtas has expressly provided that offences have extra-territorial effect, including under the Criminal Damage Act 1991 and the Sexual Offences (Jurisdiction) Act 1996. The Report recommends extra-territorial effect should apply to the harmful communications offences discussed in the Report, and that the approach taken in the Criminal Justice (Offences Relating to Information Systems) Bill 2016, which concerns a comparable area, should be adopted. 
This would allow for extra-territorial jurisdiction for harmful communications offences where: (a) a harmful communications offence is committed by a person in the State in relation to a means of communication that is located outside the State, (b) a harmful communications offence is committed by a person outside the State in relation to a means of communication in the State or (c) a harmful communications offence is committed by a person outside the State if the person is an Irish citizen, a person ordinarily resident in the State, an undertaking established under the law of the State, a company formed and registered under the Companies Act 2014 or an existing company within the meaning of the Companies Act 2014 and the offence is an offence under the law of the place where the act was committed.
Penalties on conviction
The Report outlines the current penalties that apply on conviction for offences relating to harmful digital communications and makes recommendations for the penalties that should accompany the offences provided for in the Report.
The Commission considers that the maximum penalties for the harassment offence under section 10 of the Non-Fatal Offences Against the Person Act 1997 are sufficient and provide a suitable upper level for penalties that should apply to the reformed harassment offence and to the other 3 intent-based offences proposed in the Report. The Commission therefore recommends that the intent-based offences in the Report should carry, on summary conviction, maximum penalties of a Class A fine (currently, a fine not exceeding €5,000) and/or up to 12 months imprisonment, and on conviction on indictment, an unlimited fine and/or up to 7 years imprisonment.
The Commission recommends that the fifth offence dealt with in the Report, of taking or distributing an intimate image without consent (to deal with so-called “upskirting” and “down-blousing”), should be a summary offence only, and that the maximum penalties on conviction under this offence should be a Class A fine and/or up to 6 months imprisonment.
Intersection with hate crime
The Report has also explored the extent to which the current law on hate crime intersects or overlaps with harmful online and digital communications.
The main legislation designed to deal with hate crime is the Prohibition of Incitement to Hatred Act 1989. The 1989 Act prohibits incitement to hatred against a group of persons on account of their “race, colour, nationality, religion, ethnic or national origins, membership of the travelling community or sexual orientation.” Incitement includes publication, broadcast and preparation of materials. The 1989 Act is not limited to offline behaviour as it extends to words used, behaviour or material displayed in “any place other than inside a private residence.” However, the 1989 Act has been subject to significant criticism for its perceived inefficacy, illustrated by the limited number of prosecutions that have been taken under it.
Ireland intends to ratify the Council of Europe Convention on Cybercrime, and has been encouraged to ratify the Additional Protocol to the Convention concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems. Ireland is also obliged to implement the 2008 EU Framework Decision on combating racism and xenophobia.
In this respect it is clear that comprehensive reform of hate crime legislation is due to be enacted in the future, and the Commission considers that it would not therefore be appropriate to address separately, in this Report, online hate speech only. Because wide-ranging reform of hate speech is outside of the scope of this project, the Commission recommends that online hate speech should be addressed as part of the general reform of hate crime law.
Digital Safety Oversight, Take Down Procedure and Civil Law
Absence of effective oversight system or civil remedies
Chapter 3 of the Report addresses the need for an oversight system to promote digital safety, including an efficient take down procedure for harmful digital communications.
The chapter begins by describing the existing, non-statutory, content and conduct policies of social media companies and their reporting and takedown processes. The Report then discusses the existing civil remedies that apply in relation to harmful digital communications including the remedies available under the Defamation Act 2009 and remedies for breach of the constitutional right to privacy. The remedies under the Data Protection Acts 1988 and 2003 are also considered as well as the developments that have taken place in EU law on data protection and privacy, including case law of the EU Court of Justice and the 2016 General Data Protection Regulation.
The Report acknowledges that available processes and remedies may not be effective, and that the potential cost, complexity and length of civil proceedings may prevent victims of harmful digital communications from obtaining redress in court. A victim of harmful communications should be able to have a readily accessible and effective take down procedure available to him or her.
(Digital Safety Commissioner would promote internet safety and oversee take down procedures
The Report describes the enactment of New Zealand’s Harmful Digital Communications Act 2015 and Australia’s Enhancing Online Safety for Children Act 2015, which have established statutory bodies to promote online and digital safety and to provide oversight of take down procedures operated by online service providers such as social media sites. 
The Report recommends that an Office of the Digital Safety Commissioner of Ireland should be established on a statutory basis, broadly modelled on the Australian approach. The Digital Safety Commissioner would have functions related to promoting online safety as well as overseeing and monitoring an efficient and effective procedure for takedown of harmful digital communications. 
The Commission considers that the Office of Internet Safety, which was established in the Department of Justice and Equality to take a lead role for internet safety in Ireland, may be a suitable body to take on the role of the Digital Safety Commissioner. The Report notes that this would require decisions by the Government and Oireachtas on the necessary funding and staffing of the Office of the Commissioner, and that these are matters outside the scope of this Commission’s role.
The Commissioner’s educational and promotional roles
The Report recommends that the Digital Safety Commissioner’s functions should include an educational and promotional role concerning digital safety in collaboration with relevant Government Departments and State bodies. In the specific context of internet safety for children and young people, the Report envisages that the Commissioner would liaise with the Ombudsman for Children in the development, with the Department of Education and Skills and the Department of Children and Youth Affairs, of guidance material for young people and schools on what it means to be a safe and responsible digital citizen. It would also include guidance on the use of mediation and restorative processes.
The Commissioner’s oversight and supervision functions
The oversight and supervision functions of the Commissioner would operate in a similar way to the Australian e-Safety Commissioner, requiring digital service undertakings to comply with a statutory code of practice, developed after suitable consultation by the Digital Safety Commissioner. The statutory framework would also include National Digital Safety Standards, which would require the digital service undertaking to have in place a provision prohibiting the posting of harmful digital communications, a complaints scheme whereby users can request free of charge the removal of harmful digital communications, a timeline for responding to complaints and a contact person to engage with the Commissioner.
If the Commissioner were to be satisfied that a digital service undertaking complied with the code of practice and the National Digital Safety Standards, the Commissioner would be empowered to issue a certificate of compliance, which would have the presumptive effect that the digital service undertaking was in compliance with the code and the standards. The Report proposes that the Digital Safety Commissioner should have responsibility for harmful content involving all individuals, adults and children.
Proposed take down procedure
The proposed take down procedure would require a user initially to make his or her complaint directly to the relevant digital service undertaking, such as a social media site. If the content was not taken down in accordance with the time specified in the code of practice, the user could make a complaint to the Commissioner. The Commissioner would then investigate the complaint and if the complaint were to be upheld, the Commissioner would direct the digital service undertaking to remove the specified communication and would revoke the certificate of compliance issued to the provider. If the digital service undertaking were to refuse to comply with the direction of the Commissioner to remove the communication, the Commissioner could apply to the Circuit Court for an order requiring compliance by the undertaking.
Civil restraining orders for harmful communications
Section 10 of the Non-Fatal Offences Against the Person Act 1997, unlike the English and Welsh Protection from Harassment Act 1997, does not allow separate civil proceedings to be brought based on its provisions. However, section 10(3) of the 1997 Act empowers a court to make a restraining order restricting a person from communicating and/or approaching the victim where the person has been convicted of harassment. Section 10(5) of the 1997 Act also allows restraining orders to be made where a person has been acquitted of harassment.
The Report recommends that, in cases involving the harmful communications discussed in this Report, restraining orders should be available without the need to initiate criminal proceedings. This would provide victims with a valuable remedy in cases where criminal proceedings may be unsuitable or undesirable from the perspective of the victim.
Court powers in intended civil proceedings: Norwich Pharmacal orders 
Norwich Pharmacal orders allow for the disclosure of the name and IP address of parties unknown to the plaintiff against whom the plaintiff intends to issue civil proceedings for alleged wrongful conduct.
At present, Norwich Pharmacal orders are not provided for in legislation, and only the High Court can issue them as part of its inherent jurisdiction. This means that the cost of obtaining such orders is high and the remedy is not available to many individuals. The 2014 Report of the Internet Content Governance Advisory Group recommended that the power to make such orders should be placed on a statutory basis and extended to the Circuit Court. The Commission agrees with this recommendation.
Currently, Norwich Pharmacal orders usually involve a two-step mechanism whereby an individual has to first seek an order against the relevant website to disclose user and IP details. Once furnished, these details may lead to data held by a telecoms company, many of whom require a second Norwich Pharmacal order before agreeing to disclosure. The Commission therefore recommends that a one-step procedure be adopted for such orders whereby only one application would be required which would apply to both the relevant website and the telecoms company.
The Commission also recommends that the person alleged to have posted the harmful communication should be given the opportunity of appearing and making representations before the court makes a Norwich Pharmacal order, because at present such orders are granted on an ex parte basis (without notice to the affected party), which may infringe the right to fair procedures and to anonymous speech.
Jurisdiction and extra-territoriality in civil law
The Report also makes recommendations in relation to the extra-territorial role of the proposed Digital Safety Commissioner and in connection with the civil remedies discussed above.
The Report recommends that the territorial scope of these civil aspects of harmful communications should, in general, apply to harmful communications where: (a) such harmful communications affect an Irish citizen or a person ordinarily resident in the State, and (b) the means of communication used in connection with such harmful communications are within the control of an undertaking or company established under the law of the State.
The Commission also recommends that they should have some extra-territorial effect in connection with an Irish citizen or a person ordinarily resident in the State. This should reflect the approach taken in connection with the extra-territorial enforcement of civil proceedings generally, including under the “service out” procedures in the Rules of the Superior Courts 1986. 
The Report therefore recommends that this extra-territorial effect would be where the means of communication used in connection with harmful communications are within the control of an undertaking established under the law of another State but where an Irish court would have jurisdiction to give notice of service outside the State in respect of civil proceedings to which such harmful communications refer.