This post was also written by Nick Tyler.

In a decision with potentially far-reaching consequences for the UK data protection regulator, a High Court Judge, Tugendhat J., questioned the legal basis upon which the Information Commissioner’s Office (ICO) declined to take action to stop the publication of defamatory and offensive material on the website See, The Law Society and Others v Rick Kordowski [2011] EWHC 3185 (QB) (Judgment dated 7 December 2011).

The website was a forum for individuals to post comments about lawyers, most of which were libelous or defamatory, and could be posted anonymously without any moderation by the site’s publisher. The judge ordered that the site be taken down permanently and banned the web address from being transferred to anyone else.

Mr Kordowski failed to mount any credible defence to the raft of claims brought in the proceedings – the judge labelling him a “public nuisance”. The judge also highlighted the challenge faced by the administrative justice system by what he identified as a new breed of “vexatious litigant” – “defendants who mischievously provoke claims which they know they cannot defend”.

Tugendhat J. commented that he found it impossible reconcile the legal views of the ICO expressed in a letter to the Law Society with authoritative statements of the law, and found that the UK Data Protection Act 1998 (“DPA”) indeed envisages that the ICO should consider what is acceptable for one individual to say about another under the First Data Protection Principle since data must be processed lawfully.

The ICO based its position on the scope of the “domestic purposes” exemption in relation to individuals posting their views on third party websites. Section 36 of the DPA exempts all processing of personal data by an individual “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. Even though the ICO had recognized “a growing social problem in individuals posting offensive material about each other”, the view expressed to the Law Society was that the DPA was both “out of step with technology” and “simply not designed to deal with [this] sort of problem”.

While the court did not review the ICO’s decision, the clear implication was that the ICO could, and perhaps should, have taken a more active role in exercising its regulatory powers. The court acknowledged that the ICO may often find itself in the difficult position of being asked to referee legal disputes which might better be resolved in the courts. In a clear-cut case, however, “where there is no room for argument that processing is unlawful [in this case defamatory and amounting to harassment]”, it is difficult to argue that the processing was not within the ICO’s enforcement powers.

The challenges faced by those charged with regulating the Internet are significant, and the court’s judgment aligns with the limited scope of the “domestic purposes exemption” set out in the draft EC Data Protection Regulation, which specifically carves out of the domestic purposes exemption instances when an individual posts personal data on the Internet that is “accessible to an indefinite number of individuals”.

Following this judgment, it will be interesting to see if the ICO follows the court’s interpretation of its ability to take a more robust view of its powers in relation to “lawful processing”. The ICO will certainly have to think twice about what qualifies as a “domestic” exemption, and there is a message in here to web site operators as well: they can no longer rely on the “domestic” use exception and will have to increase web site moderation and taken down obviously unlawful postings.