Is a hosting provider liable for the content published by the hosting users?

The hosting provider’s liability for the actions of the hosting users is very limited. However, this does not mean that the hosting provider has immunity and can watch the illegal activities of the hosting users without taking any actions. To what extent is a hosting provider liable for the content published by the hosting users?

Who is this “hosting provider” anyway?

The term “hosting provider” is not specified in the EU nor Polish legal nomenclature. The provisions are quite vague and regulate hosting as service provision, where the service recipients may upload various content.

According to the Act of 18 July 2002 on the provision of services by electronic means (Journal of Laws 2002, No. 144, item 1204), a hosting provider is an “entity that makes available the resources of an ICT system for storage of data by a recipient of services”.

However, this definition includes also other entities, not only hosting providers. Among the business activities defined by the above Act are:

• provision of server and hosting services;
• provision of cloud services;
• social networks;
• platforms for rating products and places;
• platforms enabling file sharing between users (P2P).

It is worth noting that the entities providing colocation services are not included in the definition determining the activities of a hosting provider. This is because such an activity type does not make ICT systems resources available – this includes only localization, conditions and resources necessary for the physical work of the server.

All right, we know now what the hosting is. To what extent is the hosting provider liable for the activities of the users of the provided hosting?

An unaware hosting user is an innocent hosting user

The hosting users might violate the law by publicly insulting individuals and institutions, using the infrastructure provided to defraud or violate copyright laws.

How is the hosting provider liable for this? Usually, they are not. Unless they are aware of the practice and fails to notify the appropriate authorities.

The Polish and EU laws severely limit the hosting provider’s liability for the unlawful actions of their customers. According to Article 14 of the Act on Provision of Electronic Services (Journal of Laws of 2020, item 344), the hosting provider shall not be liable for the stored data regarding the person whose rights have been (or may have been) violated if the hosting provider has no knowledge of the unlawful nature of the data or related activities.

Therefore, as long as the hosting provider doesn’t know about given actions, they cannot be liable for the things that take place on the provided services. However, if the hosting provider becomes aware of such actions but won’t do anything about them, the situation becomes much worse.

How can a hosting provider find out about illegal activity? In two ways:

• by receiving an official notice that an offence may have been committed (from the court or the police);
• by receiving credible and reasonable information of the unlawful activity. It’s important to highlight that the notice must indicate the nature of the infringement, the injured party and the party involved along with a REASONABLE GROUNDING for the nature of the infringement. Note that even if a hosting provider blocks their services based on reliable information, any claim by the customer on this account remains unfounded.

How should the hosting provider react? Immediately!

Upon receipt of the official notice or credible information about illegal activities of the hosting user, the hosting provider should promptly delete the published illegal content or block the activity

It is worth noting that the regulations do not require the hosting provider to constantly monitor activities and control the content provided by the users. Therefore, the hosting provider does not have to do anything in particular unless they know about the violation. Besides, the hosting provider has no obligation to identify the violators.

This might interest you: Things your hosting won’t do for you

Is the hosting provider liable for the hosting user’s losses?

What if the hosting provider blocks access to the service or removes the content published by the hosting user so that the user incurs losses?

• If blocking the service or removing content will stem from an official notice, the hosting provider is not liable for the losses.
• If the hosting provider’s actions are taken on the basis of reliable information, they should inform the hosting user about their decision and then block the content or access to the service. In this case, the hosting provider is also not liable for the losses.

The hosting provider knew and did not say anything…

If despite knowing about illegal actions taking place, the hosting provider fails to react and blocks access to the content, then they may face legal action and may be “motivated” by a law enforcement authority to respond to the unlawful content or activity.

The court may decide that the hosting provider should verify the content published on their hosting in the future. This decision would certainly make it difficult for them to run their own business. Let’s not let that happen then.

A violation may occur as a result of:

• violation of personal interests (publication of damaging information about other entities or publication of classified information);
• infringement of copyrights (art. 79 of the Act on Copyright and Related Rights);
• unlawful use and distribution of images (art. 81 and 83 of the Act on Copyright and Related Rights).

Remember that the hosting provider is liable with limited liability for the actions of the hosting users. This means that the hosting provider cannot render liable to prosecution if the services provided by the hosting provider have been used illegally.

For this to happen, the hosting provider would have to commit the offence deliberately. Therefore, in order to hold the hosting provider accountable, one would have to prove they acted with actual malice. In practice, evidence of such deliberate actions could include ignoring requests to remove materials or assisting a client in illegal activity.

Can police require the hosting provider to disclose their customer’s information?

Of course, the hosting provider should, upon request of the police, provide the data of the hosting user and cooperate with the authority. Nevertheless, you should remember that the data provided by the hosting user may differ from the actual data.

Such data may include:

• name and surname of the hosting user;
• citizen identification number or the number of an identity card, passport or other document confirming the identity of the hosting user;
• registered address and mailing address (if different from the registered address);
• data to verify the user’s electronic signature;
• electronic addresses used by the customer using the hosting provider.

Copyright protection is becoming more effective

In 2019, the European Union adopted the provisions of the Directive on Copyright and Related Rights in the Digital Single Market (erroneously known as ACTA 2).

The Directive specifies that one should actively monitor and verify the content published by users to see whether it violates the copyright of other entities. Keep in mind that this obligation does not lie with the hosting providers, but directly with the providers of online content sharing – social networks or file sharing platforms.

EU member states are introducing specific legislation to comply with the new EU Directive. They have to do that before 07/06./2021. For now, our country is not preparing for the new EU regulations, as it has appealed to the EU Court of Justice.

Find out: How to check your DNS or DNS of a website?

Every user is fully liable for their own actions online

The above limitations of liability apply only to the hosting providers and do not apply to individuals and entities who infringe copyrights, publicity rights or personal rights.

Any user who commits an unlawful act may be sued and required to pay damages, compensation or issue a public apology. These are the most common incidents online subject to prosecution:

• defamation;
• insult;
• personal data processing without a legal basis;
• hacking into an ICT system.

Enforcing criminal liability in international incidents is more complicated, though certainly feasible. It is often the case that the user is a resident of one country, the victim of another, and the hosting provider provides its services in another country.

The victim must then verify which law the infringer is subject to and then sue the infringer in its country of residence.

Don’t forget to read: Why should you choose .eu domain? Because it’s really safe!

FBI, open up!

It’s worth knowing that US hosting providers are subject to their own laws, which grants them extensive rights in terms of the requests of law enforcement. These privileges are extensive enough that even if the server is located in the EU and operated by a European company that is a subsidiary of a U.S. entity, the U.S. entity can provide the data of the company and the hosting provider to the U.S. law enforcement authorities.

This is contrary to the GDPR regulations and makes life significantly more difficult for European service recipients who are customers of the US companies. Moreover, the CJEU judgement in Schrems II case indicated that the US legal system undermines the security of Europeans’ data stored on US servers and processed by US entities.