This guide is based on UK law. It was last updated in October 2008.
ISPs play a central role in the development of e-commerce and use of the internet. Presently, the majority of people use an ISP to access the internet. The 2005 case of Bunt and Tilley settled the dispute over who is liable for unlawful third party content that passes through an ISP’s network. It is now accepted that ISPs have a qualified immunity provided they do not perform an editorial function. Despite this victory, the landscape of e-commerce is continuing to change. It is likely that advances in technology and new user profiling software will expose ISPs to new risks and increase their regulatory burden.
This guide is intended to provide an overview of some of the issues which face ISP s, V ISP s (Virtual ISP s) and web hosts in respect of their day to day business. For ease of reference this guide will only refer to ‘ ISP s’, although the same issues will apply to all three. The guide will look at issues relating to connectivity, an ISP’s relationship with its customers, third party content, spam, data protection and areas of increasing regulation. Where there are other related guides, you will find links to them within the text.
The main business of an ISP is to provide its customers with a connection to the internet. So far as the customer is concerned, he or she wants to be able to dial into the ISP and get connected without getting an engaged tone. They also want a fast service and will not necessarily recognise that the speed with which they can download information will be governed by their own connection and equipment.
No one can control all of the interconnections between the various networks, and any network failure may be outside the control of the ISP. An ISP needs to make sure that in its terms and conditions it makes it clear that it does not give any guarantee that the service it provides will be uninterrupted or error-free. Where the services are being provided to consumers free of charge or for only a relatively small fee, then such a clause will probably suffice.
When an ISP is hosting a commercial web site and is being paid to do so, its customers will often expect a more comprehensive guarantee in some form of service level agreement. Typically this will be expressed as being the percentage of time which the server on which the web site is hosted will be available for access via the internet.
When considering a service level agreement, it is particularly important to bear in mind two things. First, that allowance should be made for any planned downtime for maintenance of the server which should be excluded from the calculation of the time during which the server is unavailable. Second, it is not possible for anyone to guarantee a 100% connection success rate. However, depending on the period over which the availability is to be calculated, the percentage will most likely be in the range of 98%-99.9%. It is also necessary to consider what “teeth” (if any) the service level agreement is to have. An effective service level agreement will usually contain a provision for a rebate of part of the fees paid to the ISP and the right to terminate the agreement if the service levels are not achieved.
Another big issue for ISP s is that of bandwidth. At the moment bandwidth is very expensive. It is important that in its terms and conditions an ISP limits the amount of bandwidth that its customers can use at any one time. Where an ISP is providing a free service, it will want to be able to restrict the availability of bandwidth for any particular customer. Where a customer is paying an ISP to host its web site, it is essential that the ISP clearly sets out in its agreement how much bandwidth will be available for that customer and reserves the right to charge for any additional bandwidth which is used over and above that provided for in the agreement.
Dealing with customers
Most ISP s will have two distinct categories of customers, namely consumer and business customers. In many respects, the issues which arise in relation to each category are the same, although it should be borne in mind that consumers have additional layers of protection under English law, Scots law and European legislation. See our guide on Dealing with Consumers.
The basis of the relationship for doing business with a customer is contractual. It is important that the customer is made aware of the provisions of the relevant terms and conditions before the ISP begins providing its services. If no terms are agreed with a customer, then it may be possible to imply certain terms into the agreement. However, it is much better for all concerned for there to be certainty as to the terms upon which the services are to be provided.
A typical ISP will need to ensure that it has clear terms and conditions for one or more of the following services:
Dial-up accounts for consumers (this will often be a free service including the provision of e-mail services and free web hosting);
Dial-up accounts for businesses;
Leased line services for businesses; and/or
Web hosting services for businesses.
An ISP’s terms and conditions need to be clear, need to deal with all the necessary issues and be properly incorporated into any agreement that it enters into with its customers. For further information with regard to incorporation of contractual terms see our guide, Online Contract Formation.
In addition to provisions dealing with bandwidth and availability, you will also need to ensure that you have clear terms limiting your liability and also incorporating an authorised use policy. The purpose of the authorised use policy is to ensure that, so far as possible, all of the obligations to ensure that a site is lawful and complies with all necessary regulations are placed on the owner of the site. The authorised use policy will set out the basis upon which an ISP is willing to provide a service and will be used to protect the ISP against liability for third party material and for any loss of data. The authorised use policy will impose certain obligations on users, for example, to ensure that they have obtained all necessary third party consents and licences for the material which they include on their web site (see our guide on Branding and Intellectual Property) and to ensure that all the material on their site is lawful. With regard to the difficulties which an ISP may face with regard to unlawful material, see our guides on Defamation.
An ISP may wish to include terms relating to the e-mail accounts and, in particular, what those accounts can be used for and whether the ISP may remove emails stored on a server from time to time in order to free up space on that server.
As the world of the internet is moving so quickly, it is sensible for an ISP to include a provision in its terms and conditions allowing the ISP to amend its terms and conditions from time to time. However, a mechanism will need to be included so that any such amendments are clearly bought to the attention of the customer and are properly incorporated into the agreement with the ISP before taking effect.
Liability for third party content
ISPs need to ensure that they do not incur liability for any of the material which they host on their servers. There have been a number of cases over the years both in the UK and in the US where third parties have sought to make an ISP liable for material which has been hosted on its server. The case of Bunt and Tilley confirmed that, broadly speaking, an ISP will not be liable if it does not perform any editorial function. If an ISP monitors and removes unlawful material from its sites on its own initiative, then it will run the risk of being seen as a publisher of any material which remains on its servers.
For further information with regard to unlawful material, see our Guide on ISPs’ Liability for Third Party Content and also our guide on Defamation.
Spam is unsolicited commercial e-mail and has become an increasing problem over the years. ISPs claim that it accounts for between 50 and 80 percent of all internet traffic. E-crime using spam has also developed significantly. Attacks have become more sophisticated. The traditional phishing attacks and invitations to visit fake shopping sights which tempt you to enter your bank details have given way to more refined assaults using trojans to install key logger programs or malware on to your computer.
In the UK, our first spamming legislation was introduced in December 2003. The UK Privacy and Electronic Communications Regulations 2003 (PECR) prohibits spam being sent to individual subscribers without the prior consent of the recipient unless an exception applies. Regulation 22 (2) provides that “a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. The exceptions under Regulation 22(2) dispense with the need for prior consent where:-
the spammer has obtained the contact details of the recipient in the course of the sale or negotiation for the sale of a product to that recipient;
the direct marketing is in respect of that person’s similar products and services only; and
the recipient has been given a simple means of refusing the use of his contact details for the purposes of such direct marketing when he was initially contacted, and for each subsequent communication.
In practice, this means that a customer does not have to complete a purchase to be lawfully contacted. It is sufficient that he has actively expressed an interest in a product or service and has not opted out of marketing when communications have been received. The safeguards are that the contact details are collected fairly and the individuals are clearly informed of the option to opt-out.
If a recipient suffers any damage as a result of contravention of the Regulations, they may bring an action for damages to recover loss under Regulation 30 of the PECR. In practice this provision favours ISPs as it is likely to be easier for ISPs to show that they have suffered loss as the result of spam. Where the Regulations have been contravened, the Information Commissioner’s Office (ICO) under the Data Protection Act 1998 (DPA), may issue a fine. The limit for fines is currently set at £5,000 however this is likely to increase as part of the data handling review being undertaken at Westminster.
Governments are increasingly looking to ISPs in their efforts to eliminate harmful and unlawful content on the internet and so it is likely that we will see more regulation in the following areas in the near future:
The Ministry of Justice has made it clear that they will continue to look at ways to keep people safe online. In September 2008 they announced plans to amend the 1961 Suicide Act which makes it illegal to promote suicide, to make it clear that it also applies to websites. It will be the responsibility of ISPs to remove these sites.
The Internet Watch Foundation (IWF), the online watchdog set up to combat child pornography, is responsible for maintaining a list of websites displaying these kinds of images. BT introduced a filtering system in June of this year which prevents access to sites containing child pornography. The BT system identifies and blocks access to sites identified by the IWF. Other ISPs are likely to monitor the success of this initiative to see whether or not they will employ a similar approach.
Peer 2 peer sharing
This issue has received a attention over recent years. The Government has reached agreement on the creation of a code of conduct with some of the major players in the music and film industry. It has admitted in its consultation however that it is unlikely that a voluntary agreement will be adopted industry wide. As a result they have proposed legislation which would enforce the adoption of this code across the ISP sector or force ISPs to introduce sufficient anti-piracy policies.
The advent of new software such as Phorm ‘s Webwise and OIX products is pushing the boundaries of online marketing. The user profiling program will pick up addresses and certain content of websites visited by the user by attaching to the ISP network and allow advertising to be matched to them for targeted marketing. The technology behind Phorm means that there is no need to keep a record of actual sites visited and there will be no way of knowing the identity of the user. Although trials have not yet been carried out (BT controversially carried out a trial in September/October 2006 but without users’ knowledge) the ICO has stated that it believes it is possible for this software to be operated in such a way that it will not contravene the DPA.
They have assured that their decision will be heavily influenced by the experience of users and so they will not take a view until the product has been trialed. In addition to the DPA, Phorm must also comply with the law contained in the Regulation of Investigatory Powers Act (RIPA) and the Privacy and the PECR. For a more in depth consideration of Phorm, you should see our editorial The Law of Phorm.
Data Protection legislation is a particularly important issue for an ISP. As an ISP will inevitably be dealing with personal data, it is essential that it has properly notified the ICO under the DPA, and that it trains its staff to ensure that personal information is kept confidential at all times. For further information, you should refer to our Data Protection guide.