Ofcom consultation raises data protection problems

There’s a week and a half until Ofcom’s draft code finishes its consultation on the letter writing part of the Digital Economy Act. ORG is currently preparing a detailed response, and will also be helping you to send in your views.

One of the big issues we are looking at is data protection and retention. The scheme legitimises the collection of data without consent by agencies working for copyright holders – a kind of private surveillance. The European Data Protection Supervisor (EDPS) recently went into some detail analysing what this means for privacy, in relation to ACTA, which attempts to encourage ‘three strikes’ regimes – and came to some very strong conclusions.

Firstly, the EDPS is clear that IP addresses are ‘personal data’ when collected to identify people for copyright infringement. He adds that this may be ‘sensitive personal data’ if criminal proceedings might result. In the UK, copyright infringement can be criminal if it involves “Offering for sale or hire, publicly displaying or otherwise distributing infringing copies in the course of a business” or “Distributing a large enough number of copies to have a noticeable effect on the business of the copyright owner”. Both of these possibilities seem to be open under the Digital Economy Act, so some unknown portion of the data collected may be ‘sensitive personal data’.

Secondly, the EDPS is highly critical of wide-scale private monitoring. In the case of the DEA, this aspect has not previously been examined by the ICO, government or Ofcom. No privacy impact assessment was made when drafting this legislation.

Take a read of his views below:

In a nutshell, under three strikes Internet disconnection policies copyright holders using automated technical means, possibly provided by third parties, would identify alleged copyright infringement by engaging in monitoring of Internet users’ activities, for example, via the surveillance of forums, blogs or by posing as file sharers in peer-to-peer networks to identify file sharers who allegedly exchange copyright material.

After identifying Internet users alleged to be engaged in copyright violation by collecting their Internet Protocol addresses (IP addresses), copyright holders would send the IP addresses of those users to the relevant Internet service provider(s) who would warn the subscriber to whom the IP address belongs about his potential engagement in copyright infringement….

Three strikes Internet disconnection policies have to comply with the requirements stemming from the right to privacy, as laid down in Article 8 ECHR and Article 7 of the Charter of fundamental rights, and stemming from the right to data protection as laid down in Article 8 of the Charter of fundamental rights and Article 16 TFEU, and as elaborated in Directive 95/46/EC and Directive 2002/58/EC.

In the EDPS view, the monitoring of Internet user’s behaviour and further collection of their IP addresses amounts to an interference with their rights to respect for their private life and their correspondence; in other words, there is an interference with their right to private life. This view is in line with the case law of the European Court of Human Rights.

Directive 95/46/EC is applicable since the three strikes Internet disconnection policies involve the processing of IP addresses which — in any case under the relevant circumstances — should be considered as personal data. IP addresses are identifiers which look like a string of numbers separated by dots, such as 122.41.123.45. A subscription to an Internet access provider will give the subscriber access to the Internet. Every time the subscriber wishes to go onto the Internet, he will be attributed an IP address through the device he is using to access the Internet (a computer, for example).

If a user engages in a given activity, for example, uploads material onto the Internet, the user may be identified by third parties through the IP address he/she used. For example, the user holding IP address 122.41.123.45 uploaded allegedly copyright infringing material onto a P2P service at 3 p.m. on 1 January 2010. The ISP will then be able to connect such IP address to the name of the subscriber to whom it assigned this address and thus ascertain his/her identity.

If one considers the definition of personal data provided in Article 2 of Directive 95/46/EC, ‘any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number’, it is only possible to conclude that IP addresses and the information about the activities linked to such addresses constitutes personal data in all cases relevant here. Indeed, an IP address serves as an identification number which allows finding out the name of the subscriber to whom such IP address has been assigned. Furthermore, the information collected about the subscriber who holds such IP address (‘he/she uploaded certain material onto the Web site ZS at 3 p.m. on 1 January 2010’) relates to, i.e. is clearly about the activities of an identifiable individual (the holder of the IP address), and thus must also be considered personal data.

These views are fully shared by the Article 29 Working Party which, in a document on data protection issues related to intellectual property rights stated that IP addresses collected to enforce intellectual property rights, i.e. to identify Internet users who are alleged to have infringed intellectual property rights, are personal data insofar as they are used for the enforcement of such rights against a given individual.

Directive 2002/58/EC is applicable as well, as three strikes Internet disconnection policies entail the collection of traffic and communication data. Directive 2002/58/EC regulates the use of such data and provides for the principle of confidentiality of communications made over public communications networks and of the data inherent in those communications.

Article 8 ECHR sets forth the principle of necessity pursuant to which any measure that infringes the right to privacy of individuals is only allowed if it constitutes a necessary measure within a democratic society to the legitimate aim it pursues. The principle of necessity can also be found in Articles 7 and 13 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

The principle requires an analysis of the proportionality of the measure, which must be assessed on the basis of a balance of the interests involved, which is placed in the context of the democratic society as a whole. It furthermore implies an assessment as to whether alternative measures exist which are less intrusive.

Although the EDPS acknowledges the importance of enforcing intellectual property rights, he takes the view that a three strikes Internet disconnection policy as currently known — involving certain elements of general application — constitutes a disproportionate measure and can therefore not be considered as a necessary measure. The EDPS is furthermore convinced that alternative, less intrusive solutions exist or that the envisaged policies can be performed in a less intrusive manner or with a more limited scope. Also on a more detailed legal level the three strikes approach poses problems. These conclusions will be explained below.

The EDPS wishes to emphasise the far-reaching nature of the imposed measures. The following elements must be mentioned in this regard: 

(i) the fact that the (unnoticed) monitoring would affect millions of individuals and all users, irrespective of whether they are under suspicion;

(ii) the monitoring would entail the systematic recording of data, some of which may cause people to be brought to civil or even criminal courts; furthermore, some of the information collected would therefore qualify as sensitive data under Article 8 of Directive 95/46/EC which requires stronger safeguards;

(iii) the monitoring is likely to trigger many cases of false positives. Copyright infringement is not a straight ‘yes’ or ‘no’ question. Often Courts have to examine a very significant quantity of technical and legal detail over dozens of pages in order to determine whether there is an infringement;

(iv) the potential effects of the monitoring, which could result in disconnection of Internet access. This would interfere with individuals’ right to freedom of expression, freedom of information and access to culture, e-Government applications, marketplaces, e-mail, and, in some cases, with work-related activities. In this context it is particularly important to realise that the effects will be felt not only on the alleged infringer, but all the family relatives that use the same Internet connection, including school children who use the Internet for their school activities;

(v) the fact that the entity making the assessment and taking the decision will typically be a private entity (i.e. the copyright holders or the ISP). The EDPS already stated in a previous opinion his concerns regarding the monitoring of individuals by the private sector (e.g. ISPs or copyright holders), in areas that are in principle under the competence of law enforcement authorities.

The EDPS is not convinced that the benefits of the measures outweigh the impact on the fundamental rights of individuals. The protection of copyright is an interest of right holders and of society. However, the limitations on the fundamental rights do not seem justified, if one balances the gravity of the interference, i.e. the scale of the privacy intrusion as highlighted by the above elements, with the expected benefits, deterring the infringement of intellectual property rights involving — for a great part — small-scale intellectual property infringements. As indicated by the Opinion of Advocate General Kokott in Promusicae: ‘It is … not certain that private file sharing, in particular when it takes place without any intention to make a profit, threatens the protection of copyright sufficiently seriously to justify recourse to this exception. To what extent private file sharing causes genuine damage is in fact disputed’.

In this context, it is also worth recalling the European Parliament’s reaction to ‘three strikes schemes’ in the context of the review of the telecoms package, particularly Amendment 138 to the Framework Directive. In this amendment it was laid down that any restriction to fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the ECHR and with general principles of Community law, including effective judicial protection and due process.

In this view, the EDPS further underlines that any limitation to fundamental rights will be subject to careful scrutiny both at EU and national level. In this context, a parallel can be drawn with the Data Retention Directive 2006/24/EC, which derogates from the general data protection principle of deletion of data when they are no longer necessary for the purpose for which they were collected. This directive requires that traffic data are retained for the purpose of combating serious crime. It has to be noted that retention is only allowed for ‘serious crime’, that the retention is limited to ‘traffic data’ which in principle excludes information about the content of communications, and that stringent guarantees are adduced. Nevertheless, doubts have been raised on its compatibility with fundamental rights standards; the Romanian Constitutional Court decided that blanket retention is incompatible with fundamental rights, and there is currently a case pending before the German Constitutional Court.