Safe harbour scheme for internet intermediaries

Proposal 10–7 The new Act should provide a safe harbour scheme to protect internet intermediaries from liability for serious invasions of privacy committed by third party users of their service.

Question 10–3 What conditions should internet intermediaries be required to meet in order to rely on this safe harbour scheme?

10.63 The ALRC proposes the introduction of a safe harbour scheme for internet intermediaries,[62] to protect them from liability for serious invasions of privacy committed by persons who use their services,[63] where the intermediary meets certain conditions. Where an intermediary meets these conditions, a plaintiff will only be able to pursue the third party, the primary tortfeasor. This defence will not apply to invasions of privacy that intermediaries themselves intentionally commit.

10.64 Special defences for internet intermediaries may be necessary for a number of reasons. Imposing liability on internet intermediaries for serious invasions of privacy by third parties may impose onerous obligations on platforms to review and moderate user-generated content. Given the quantity of material generated on these sites, and the instantaneous way in which online communications are sent and received, this may be oppressive and unreasonable. Facebook submitted that the cost to online businesses of reviewing third party content before it appears on their platforms would be prohibitive.[64]

10.65 While software may be used to detect pornography, using software to identify content that invades someone’s privacy may be more difficult. Peter Leonard has written that ‘such fact-based determinations require contextual analysis and, in many instances, additional facts’.[65]

10.66 Safe harbours are used in various contexts at Australian law including in classification and copyright law.[66] For instance, the Broadcasting Services Act 1992 (Cth) provides immunity for online content platforms where the host was not aware of the nature of the relevant content.[67] Online content platforms must show a lack of awareness or knowledge of the offending content hosted on their site in order to access this provision.

10.67 There are comparable safe harbours at US and European law.[68] Section 230 of Communications Decency Act 1996 (US) contains a particularly strong and broadly applicable[69] safe harbour scheme:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider…No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.[70]

10.68 Section 230 has been said to have ‘flourished’ in the United States.

It has been interpreted quite broadly to apply to any form of Internet intermediary, including employers or other companies who are not in the business of providing Internet access and even to individuals who post the content of another. And it has been uniformly held to create absolute immunity from liability for anyone who is not the author of the disputed content, even after they are made aware of the illegality of the posted material and even if they fail or refuse to remove it. The result is that Internet intermediaries need not worry about the legality of the content others post or send through their system, with one significant exception: section 230 does not apply to intellectual property claims.[71]

10.69 Electronic Frontiers Australia supported the adoption in Australia of a model similar section 230.[72]

10.70 In the US case of Barnes v Yahoo!,[73]a woman unsuccessfully sued Yahoo! for its failure to remove compromising photographs of her—posted by a third party—from a Yahoo! message board which a Yahoo! employee had agreed to remove from its website. The US court of Appeals for the Ninth Circuit ruled that Yahoo! could not be sued in tort for invasion of privacy[74] because of the operation of s 230 of the Communications Decency Act:[75]a website cannot be treated as the ‘publisher or speaker’ of material posted online by a third party.

10.71 Arguably, section 230 provides too much protection from liability. As discussed below, it may be appropriate to require internet intermediaries to take reasonable steps to remove material that invades a person’s privacy, when given notice. This might be a condition of relying on a safe harbour scheme.

10.72 Similarly, the UK’s Defamation Act 2013 provides a defence for ‘Operators of websites’.[76] The defence will be defeated if a claimant proves that: it was not possible for the claimant to identify the person who posted the statement; the claimant gave the operator a notice of complaint in relation to the statement; and the operator failed to respond to the notice of complaint in accordance with any provision contained in regulations. Given the proposal of a safe harbour exemption for internet intermediaries, the ALRC has not proposed a defence of innocent dissemination.

10.73 The defence of innocent dissemination may be considered a type of safe harbour.[77] Innocent dissemination is a defence to the publication of defamatory matter, available where a defendant proves that they published the defamatory material merely in the capacity of a ‘subordinate distributor’. This means that they neither knew, nor ought reasonably to have known, that the matter was defamatory, and that their lack of knowledge was not due to any negligence.[78] As noted above, a number of stakeholders submitted that there should be a defence of innocent dissemination to any new Australian cause of action for serious invasion of privacy.

10.74 However, unlike the safe harbour scheme proposed above, a defence of innocent dissemination does not impose any additional conditions on the defendant. The ALRC considers that such additional conditions may be justified.

10.75 A safe harbour scheme may not be necessary if, as the ALRC proposes, the new tort is only actionable where the defendant has intentionally or recklessly invaded the privacy of the plaintiff. Internet intermediaries may rarely have this requisite fault when third parties use their services to invade someone’s privacy.

10.76 However, argument may be raised as to whether they would be liable in some circumstances, for example, perhaps when given notice of a serious invasion of privacy that they have the power to prevent. The ALRC proposes the enactment of a safe harbour scheme to avoid doubt and provide the necessary certainty to internet intermediaries.


10.77 To rely on a safe harbour defence, internet intermediaries might be required to comply with certain conditions. For example, they might be required to do some or all of the following:

  • remove, or take reasonable steps to remove, material that invades a person’s privacy, when given notice;

  • provide consumer privacy education or awareness functions, such as warnings about the risk of posting private information;

  • comply with relevant industry codes and obligations under the Privacy Act 1988 (Cth);

  • provide individuals with a mechanism to remove private content they post on online platforms;and

  • provide a privacy complaints system where the intermediary responds in a reasonable time to consumer complainants.

10.78 The ALRC is interested in stakeholder views on what conditions should be imposed on internet intermediaries, in order for them to be able to rely on a safe harbour defence to serious invasions of privacy.