¹ See further Reed, C Internet Law: Text and Materials (Cambridge: Cambridge University Press, 2nd edn, 2004) ch 7CrossRefGoogle Scholar; Kohl, U Jurisdiction and the Internet (Cambridge: Cambridge University Press 2007)CrossRefGoogle Scholar; Hörnle, J ‘The jurisdictional challenge of the internet’ in Edwards, L and Waelde, C (eds) Law and the Internet (Oxford: Hart, 3rd edn, 2009) ch 3Google Scholar.

² 666 F Supp 2d 415 (D Del 2009).

³ As was decided on similar facts in Kernal Records Oy v Mosley 694 F 3d 1294 (11^th Cir 2012). See Section 3(a), below, for the author's explanation of the difference between these two judgments.

⁴ [2000] EWHC (Ch) 453.

⁵ See the contradictory decision in the US, Euromarket Designs Inc v Crate & Barrel Ltd 96 F Supp 2d 824 (ND Ill 2000).

⁶ The CJEU decision in Case C-131/12 26 Google Spain v AEPD & Costeja González November 2014 did not go quite so far as to state this expressly when holding that the display of personal data in search results was subject to Spanish data protection law when it occurred ‘in the context of’ the commercial relationship between Google Inc and its Spanish advertising subsidiary, and that the Spanish data protection authority thus had power to make orders against Google Inc, a US corporation (paras 54–60). However, the Article 29 Working Party's Guidelines on the Implementation of the Court of Justice of the European Union Judgment on ‘Google Spain and Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ C-131/12, WP255 26 November 2014 specifically assert that the law applies to protect all individuals, world-wide (para 19), and that Google Inc must comply in relation to searches via its US-based .com search service as well as in its EU-domain denominated services (para 20).

⁷ For an analysis of the defects of this approach see Gillen, M ‘Lawyers and cyberspace: seeing the elephant?’ (2012) 9 SCRIPTed 130 at 136–138CrossRefGoogle Scholar.

⁸ Hart, HLA The Concept of Law (Oxford: Oxford University Press, 2nd edn, 1994) chs V–VIIGoogle Scholar.

⁹ Although Hart recognises that there is a potential problem about the scope of a state's lawmaking authority: ‘We may be doubtful in certain circumstances whether one legal system or another applies to a particular person’ – he assumes that these are ‘questions of law which arise within some system of law (municipal or international) and are settled by reference to the rules or principles of that system’ and can therefore be resolved by those internal rules and principles (ibid, p 216).

¹⁰ Ibid, pp 82–91.

¹¹ Luhmann, N (Hawkins, K, ed) Law as a Social System (Oxford: Oxford University Press, 2004) p 407 ffGoogle Scholar.

¹² Buchanan, A and Keohane, RO ‘The Legitimacy of Global Governance Institutions’ (2006) 20 Ethics & International Affairs 405CrossRefGoogle Scholar.

¹³ ‘Such an observer is content merely to record the regularities of observable behaviour in which conformity with the rules partly consists and those further regularities, in the form of the hostile reaction, reproofs, or punishments, with which deviations from the rules are met. After a time the external observer may … be able to predict with a fair measure of success, and to assess the chances that a deviation from the group's normal behaviour will meet with hostile reaction or punishment’: Hart, above n 8, p 89.

¹⁴ R Cotterell ‘Legal authority in a transnational world/ Autotytet prawa w świecie transnarodym’ The Leon Petrazycki Lecture, University of Warsaw, 22 May 2014 (Warsaw: University of Warsaw Faculty of Law and Administration, 2014) 43.

¹⁵ Jackson, J et al. ‘Why do people comply with the law? Legitimacy and the influence of legal institutions’ (2012) 52 British Journal of Criminology 1051 at 1051CrossRefGoogle Scholar.

¹⁶ Devaux, C ‘The role of experts in the elaboration of the Cape Town Convention: between authority and legitimacy’ (2103) 19 European Law Journal 843 at 845Google Scholar.

¹⁷ Paiement, P ‘Paradox and legitimacy in transnational legal pluralism’ (2013) 4 Transnational Legal Theory 197 at 213–215CrossRefGoogle Scholar.

¹⁸ Fuller, L The Morality of Law (New Haven: Yale University Press, Revised edn, 1969)Google Scholar. The application of Fuller's argument to cyberspace is explored more fully in Reed, C ‘How to make bad law: lessons from cyberspace’ (2010) 73 MLR 903 at 914–919CrossRefGoogle Scholar and Reed, C Making Laws for Cyberspace (Oxford University Press: Oxford, 2012) ch 10Google Scholar.

¹⁹ Ibid, pp 33–38, under the heading ‘Eight ways to fail to make law’.

²⁰ Ibid, p 41.

²¹ Ibid, p 96.

²² Black, J ‘Critical reflections on regulation’ (2002) 27 Austl J Leg Phil 1 at 25Google Scholar.

²³ J Garthoff ‘Legitimacy is not authority’ (2010) Law & Philosophy 669 at 681.

²⁴ SFS 1998:204, the Swedish data protection law which implemented the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ L 281/31 (Data Protection Directive)).

²⁵ Case C-101/01 Lindqvist 6 November 2003. The ECJ also held that merely uploading personal data to a website without more did not amount to the export of that data outside the EEA, even though it was potentially accessible by persons outside the EEA, but this is not directly relevant to the discussion here and so is not considered further.

²⁶ In particular in relation to the meaning of ‘personal and household activity’ (D Erdos ‘Data protection and the right to reputation: filling the “gaps” after the Defamation Act 2013’ (2014) CLJ 536; DB Garrie and R Wong ‘Social networking: opening the floodgates to “personal data”’ (2010) CTLR 167); meanings of the terms ‘personal data’ and ‘processing’ (H Crowther ‘Remember to forget me: the recent ruling in Google v AEPD and Costeja’ (2014) CTLR 163 at 173; P Gryffroy ‘Delisting as a part of the decay of information in the digital age: a critical evaluation of Google Spain (C-131/12) and the right to delist it has created’ (2016) CTLR 149); meaning of the Directive's data export provisions (D Kamarinou ‘International transfers of personal data and corporate compliance under Directive 95/46/EC, the draft Regulation and the international community: Part 1’ (2013) Comms Law 49).

²⁷ D Erdos ‘Data protection confronts freedom of expression on the “new media” internet: the stance of European regulatory authorities’ (2015) EL Review 531; D Mac Sithigh ‘“I'd tell you everything if you'd pick up that telephone”: political expression and data protection’ (2011) EHRLR 166.

²⁸ Though the Swedish Data Act (Datalagen, 1973:289), the predecessor legislation to the Personuppgiftslag, had been in force for 25 years and, at least in the UK, data protection issues were widely reported in the general press during that period (see eg ‘First data protection conviction’ (The Times 16 December 1987); ‘Protecting the people – The Data Protection Act works in the public interest, says its registrar’ (The Guardian 13 December 1990); ‘Pressing questions over personal rights’ (The Times 1 September 1994)).

²⁹ English translation from http://www.ub.uio.no/ujur/ulovdata/lov-19020522-010-eng.pdf. Unfortunately no translation of the Swedish Penal Code more recent than 1999 is available, so neighbouring Norway has been used as the comparator for addressing.

³⁰ To give some idea of the level of detailed lawmaking, in Release 6 of May 2016 the Glossary alone ran to 538 pages. The Conduct of Business Sourcebook section (a small part of the whole) was 522 pages long. The full Handbook amounts to many thousands of pages and is constantly growing in size. Each part of the Handbook contains cross-references to other parts, so that a full understanding of any part requires some mastery of the whole.

³¹ Black, J Rules and Regulators (Oxford: Clarendon Press, 1997) pp 30–37CrossRefGoogle Scholar.

³² J Black ‘Talking about regulation’ (1998) Public Law 77.

³³ Sparrow, M The Regulatory Craft (Washington: The Brookings Institution, 2000)Google Scholar.

³⁴ Available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

³⁵ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1, 4 May 2016 (General Data Protection Regulation).

³⁶ The International Association of Privacy Professionals has more than 12,000 members in 78 countries (https://www.privacyassociation.org/about_iapp) and accreditation for data protection professionals has been introduced (eg the British Computer Society's Certificate in Data Protection, http://certifications.bcs.org/content/conCertification/8). Most, perhaps all, organisations of any size recognise the need to employ such professionals to assist them in complying with the law, and Art 37 of the Regulation will require all enterprises which engage in large-scale processing of personal data to appoint such a person.

³⁷ Lindqvist, above n 25, paras 46–47.

³⁸ Ibid, para 47.

³⁹ Moberg v 33T LLC 666 F Supp 2d 415 (D Del 2009).

⁴⁰ Kernal Records Oy v Mosley 694 F 3d 1294 (11^th Cir 2012).

⁴¹ Moberg, above n 39, at 420.

⁴² 17 USC §410(c), at §412.

⁴³ ‘We will not ascribe bad faith to Plaintiff for failing to seek registration earlier in the case. Plaintiff made a calculated decision not to do so even though the issue was contested. Plaintiff's decision to hedge its bet supports our conclusion that Plaintiff has not met the good cause standard … for a tardy amendment of the pleadings’: Kernal Records, above n 40, at 1370.

⁴⁴ Lessig, L Code Version 2.0 (New York: Basic Books, 2006)Google Scholar.

⁴⁵ See Reed, C Making Laws for Cyberspace (Oxford: Oxford University Press, 2012) ch 7Google Scholar, ‘Community norms and copyright’.

⁴⁶ Data Protection Directive, above n 24, Art 25; General Data Protection Regulation, above n 35, Art 44.

⁴⁷ Data protection law does not apply to personal data processed ‘in the course of a purely personal or household activity’: Data Protection Directive, Art 3(2); General Data Protection Regulation, Art 2(2)(c), but most mobile phone users also store their professional contacts on the phone, thus losing the benefit of the exception.

⁴⁸ In Lindqvist the web page was hosted on a server in Sweden, and it seems likely that the court would have decided that an export occurred had the server been situated outside the EEA. Although Facebook adheres to the US Privacy Shield (see https://www.facebook.com/about/privacyshield) its Data Policy (see https://www.facebook.com/policy.php) is unclear about whether information uploaded by users falls within the scope of the Privacy Shield.

⁴⁹ Defined in Data Protection Directive, above n 24, Art 8 as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and … data concerning health or sex life’. See now GDPR, above n 35, Art 9, replacing the concept of sensitive data with ‘special categories of personal data’.

⁵⁰ ‘In the new data protection landscape, the state criminalises activities which are in other contexts perfectly lawful and community-oriented’: P Leith ‘The socio-legal context of privacy’ (2006) Int JLC 105 at 128, 129.

⁵¹ See Kubler, D ‘On the regulation of social norms’ (2001) 17 JL Econ & Org 449 at 452–453Google Scholar; Tyler, TR ‘Compliance with intellectual property laws: a psychological perspective’ (1997) 29 NYU J Int'l L & Pol 219 at 234Google Scholar.

⁵² See C Reed ‘How to make bad law: lessons from cyberspace’, above n 18, at 915–916 for examples.

⁵³ See eg Gutnick v Dow Jones [2002] HCA 56.

⁵⁴ First enunciated in the Bonn Ministerial Conference Declaration of 6–8 July 1997, which declared in its principle 22:

Ministers stress that the general legal frameworks should be applied on-line as they are off-line. In view of the speed at which new technologies are developing, they will strive to frame regulations which are technology-neutral, whilst bearing in mind the need to avoid unnecessary regulation: http://europa.eu.int/ISPO/bonn/Min_declaration/i_finalen.html.

⁵⁵ See eg Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions, Principles and guidelines for the Community's audiovisual policy in the digital age COM (1999) 0657 final, note 17: ‘identical services should in principle be regulated in the same way, regardless of their means of transmission’.

⁵⁶ See further Reed, above n 45, ch 7, ‘Transposing offline legal norms to cyberspace’.

⁵⁷ A well-documented example is the degree of aggression and casual abuse that many users of online discussion sites engage in, which they would not show in face-to-face conversations. See A Sengupta and A Chaudhuri ‘Are social networking sites a source of online harassment for teens? Evidence from survey data’, NET Institute Working Paper #08-17 (September 2008, http://www.NETinst.org); T Byron SaferChildren in a Digital World: Report of the Byron Review (2008) para 3.63 (http://www.dcsf.gov.uk/byronreview/).

⁵⁸ For a useful review of the early history see Edwards, L ‘Defamation and the internet’ in Edwards, L and Waelde, C (eds) Law and the Internet: A Framework for Electronic Commerce (Oxford: Hart, 2000)Google Scholar.

⁵⁹ It is worth noting that these judges had alternative conceptions available within the existing offline rules, such as conceptualising ISPs and content hosts as mere distributors whose liability would depend on knowledge of the content.

⁶⁰ For an example from the UK, see Godfrey v Demon Internet Ltd [1999] 4 All ER 342, though in that case the claim was carefully drafted to apply only to publication which occurred subsequent to the defendant receiving notice of the presence of the defamatory material in a newsgroup which it hosted.

⁶¹ See eg the judgment of Kirby J in Gutnick v Dow Jones [2002] HCA 56, at paras 164–166.

⁶² 47 USC § 230.

⁶³ 929 F Supp 824 at 830–838 (ED Pa, 1996), affirmed 117 S Ct 2329 (1997).

⁶⁴ See eg Zeran v America Online Inc 129 F 3d 327 (4^th Cir 1997). Those few cases where an intermediary was held liable had unusual facts – see eg Barnes v Yahoo!, 570 F3d 1096 (9th Cir 2009) where liability arose from breach of an oral contract to remove offending material.

⁶⁵ Tyler, above n 51, at 226.

⁶⁶ Ibid, at 228.

⁶⁷ Ibid, at 233.

⁶⁸ Jensen, C ‘The more things change, the more they stay the same: copyright, digital technology, and social norms’ (2003) 56 Stan L Rev 531Google Scholar.

⁶⁹ Ibid, at 540.

⁷⁰ Ibid, at 543.

⁷¹ 17 USC §512.

⁷² A DMCA notice is required to assert ‘that the complaining party has a good faith belief that the use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law’: 17 USC §512(c)(3).

⁷³ Each minute, 400 hours of video are uploaded to YouTube – https://www.blog.google/topics/google-europe/improving-our-brand-safety-controls/.

⁷⁴ 572 F Supp 2d 1150 (ND Cal 2008).

⁷⁵ 17 USC §107.

⁷⁶ 572 F Supp 2d 1150 at 1154–1155.

⁷⁷ Capitol Records v MP3Tunes 611 F Supp 2d 342 at 345 (SDNY 2009).

⁷⁸ Disney Enterprises v Hotfile 2013 WL 6336286 (SD Fla 2013).

⁷⁹ ‘We note, without passing judgment, that the implementation of computer algorithms appears to be a valid and good faith middle ground for processing a plethora of content while still meeting the DMCA's requirements to somehow consider fair use’: 801 F 3d 1126 at 1135 (9th Cir 2015).

⁸⁰ 337 F Supp 2d 1195 at 1203 ff (ND Cal 2004).

⁸¹ Bartholomew, TB ‘The death of fair use in cyberspace: YouTube and the problem with content ID’ (2015) 13 Duke L & Tech Rev 66Google Scholar; Perel, M and Elkin-Koren, N ‘Accountability in algorithmic copyright enforcement’ (2015) 19 Stan Tech L Rev 473Google Scholar.

⁸² Thus in 2014 a stop-motion video by a child using Lego figures received a Facebook notice which gave no details at all about the rights which were allegedly infringed – https://ip-appeals.com/take-down-abuse-from-harry-potter-to-legos/.

⁸³ Ligeri v Google, Complaint CA15-188M (District of Rhode Island 2015) – http://digitalcommons.law.scu.edu/historical/959/.

⁸⁴ Murray, A ‘Looking back at the law of the horse: why cyberlaw and the rule of law are important’ (2013) 10 SCRIPTed 310CrossRefGoogle Scholar. I am delighted to acknowledge this article as the inspiration for the line of inquiry set out in this piece.

⁸⁵ Ibid, at 317–319.