Safe harbour scheme for internet intermediaries

11.100 Internet intermediaries[125] should not be liable under the tort for invasions of privacy committed by third parties using their services, where they have no knowledge of the invasion of privacy. Where they do have knowledge, there does not seem to be any justification to provide a complete exemption from liability. The ALRC therefore sees no need to recommend the enactment of a ‘safe harbour’ scheme, to protect internet intermediaries from liability under the tort.

11.101 There are two reasons why intermediaries are unlikely to be liable under this tort. First, the tort is targeted at positive conduct on the part of the defendant. It is difficult to characterise a failure to act as an ‘invasion’ of privacy. It is not intended to impose liability for mere omissions—that is, failing to act to stop an invasion of privacy by a third party.[126] Secondly, the tort is confined to intentional or reckless invasions of privacy.

11.102 A mere intermediary will rarely have this level of intent, when third parties use their service to invade someone’s privacy. The operators of a social networking platform, for example, do not intend to invade someone’s privacy, when one of its customers posts private information about another person on the platform.

11.103 In some circumstances, an intermediary may be found to have the requisite fault after they have been given notice of an invasion of privacy. They may be found to have intended an invasion of privacy, or been reckless, if they know that their service has been used to invade someone’s privacy, and they are reasonably able to stop the invasion of privacy, but they choose not to do so.[127]

11.104 Considering these two reasons, the ALRC does not think it necessary to recommend that safe harbour schemes for internet intermediaries be extended to protect intermediaries from liability under the new tort.

11.105 However, if such a scheme were necessary, amending cl 91 of sch 5 of the Broadcasting Services Act 1991 (Cth) may be one way of protecting intermediaries from liability under the tort. Clause 91 does not currently refer to laws under Commonwealth statutes. It provides that any law of a state or territory, or a rule of common law or equity has no effect to the extent to which it subjects an internet content host to liability in respect of hosting particular internet content.[128]

11.106 In copyright law, s 116AG of the Copyright Act 1968 (Cth) limits the remedies a court may grant against carriage service providers for infringements of copyright that relate to their carrying out certain online activities. In order to access this scheme, a carriage service provider must meet conditions in s 116AH.

11.107 In the Discussion Paper, the ALRC proposed the introduction of a safe harbour scheme, to protect internet intermediaries from liability under the new tort for which a third party was primarily responsible.[129] To rely on the defence, the intermediary might be required to meet certain conditions. The defence would not apply to invasions of privacy that intermediaries themselves intentionally or recklessly commit.

11.108 In the US, § 230 of the Communications Decency Act 1996 (US) contains a broad safe harbour scheme.[130] The scheme exempts ‘interactive computer services’ from civil liability under US state and federal law where

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1). [131]

11.109 The provision also imposes a series of obligations on interactive computer service providers:

A provider of an interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.[132]

11.110 The EU safe harbour scheme provides that service providers are not under any ‘general obligation to monitor’ for illegal content.[133] Services will not be liable for third party content where the internet intermediary had no ‘actual knowledge of illegal activity or information knowledge’ and, ‘upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information’.[134]

11.111 In the UK, the Defamation Act 2013 (UK) provides a defence for ‘operators of websites’.[135] It is a defence for the operator to show that it was not the operator who posted the statement on the website.[136] An operator of a website is understood as a person with effective control over the content of a website who is not the author, editor or publisher of the matter. There are differing degrees of control depending on the form and size of a platform.

11.112 Section 5(12) provides that the act of merely ‘moderating’ a site is not, in and of itself, sufficient to defeat the defence.

11.113 The defence is defeated if the claimant shows that

(a) it was not possible for the claimant to identify the person who posted the statement,

(b) the claimant gave the operator a notice of complaint in relation to the statement, and

(c) the operator failed to respond to the notice of complaint in accordance with any provision contained in regulations.

11.114 The provision sets out in some detail the scope of UK privacy regulations[137] that an internet service provider must adhere to, as well as the nature of a complaints system.[138]

11.115 This detailed defence is complemented by s 10 which provides that a court does not have jurisdiction to hear and determine an action for defamation brought against a person who was not the author, editor or publisher of the statement complained of unless the court is satisfied that it is not reasonably practicable for an action to be brought against the author, editor or publisher.


11.116 If a safe harbour scheme were enacted, internet intermediaries should be required to comply with certain conditions to rely on the defence. Examples of such conditions might include requiring internet intermediaries to

  • remove, or take reasonable steps to remove, material that invades a person’s privacy, when given notice;

  • provide consumer privacy education or awareness functions, such as warnings about the risk of posting private information; and

  • comply with relevant industry codes and obligations under the Privacy Act 1988 (Cth).

11.117 Stakeholders suggested other conditions, including requiring internet intermediaries to

  • reasonably cooperate with and assist the relevant regulator with locating and pursuing a wrongdoer;[139]

  • take action against individuals who are found liable for serious invasion of privacy, such as blocking their social media accounts;[140]

  • block users who contravene these terms and conditions from uploading future content;[141] and

  • show warnings about the risks and potential consequences of posting private information.[142]

11.118 While the ALRC recommends that a safe harbour scheme is unnecessary, if such a defence were to be enacted consideration should be given to these conditions.