ACTA and the Enforcement of Copyrightin Cyberspace: the Impact on Privacy

Iryna Ievdokymova*

Abstract: As the reach of the Internet expands, governments increasingly seek to intro-duce initiatives aimed at controlling individuals’ online activity. One such initiative,aimed, inter alia, at introducing enhanced online copyright enforcement standards, is theAnti-Counterfeiting Trade Agreement (ACTA). The paper analyses a possible effect ofArt. 27(3) of the agreement on the data protection and privacy rights, as spelled out inthe EU legal order. Firstly, the EU legal framework on Internet surveillance for copy-right enforcement will be addressed. Next, the principles and safeguards applicable todata processing in the context of communications surveillance will be illustrated withreference to the jurisprudence of the European Court of Human Rights. It will be arguedthat ACTA, if interpreted broadly and implemented without safeguards, would providean incentive for graduated response systems, which, as it will be shown on the exampleof the French graduated response, may trump privacy rights on a massive scale.

I Introduction

Could cyberspace be considered a zone of liberty, for the most part unrestrained bygovernment regulation and intrusion into individual rights and freedoms? On the onehand, the Internet has served to expand the boundaries of information sharing to anunprecedented degree. However, as the dividing line between the online and ‘real’world is becoming ever vaguer, initiatives affecting individuals’ activities in cyber-space are intensified as well.

A recent such initiative, the Anti-Counterfeiting Trade Agreement (ACTA), has asone of its main goals the protection of intellectual property rights (IPR), inter aliacopyright, in cyberspace. This paper addresses the effect of ACTA from the perspec-tive of the conflict between copyright enforcement, on the one hand, and privacy andthe protection of personal data, on the other hand. Up until now, significant criticismhas been voiced of ACTA, with the agreement being characterised as severely ham-pering fundamental freedoms ‘competing’ with copyright. Does the agreement indeedincentify a large-scale surveillance of individuals on the Internet? Are ‘ACTA-compliant’ measures bound to curtail existing data protection safeguards?

The paper will address these questions, focusing on the effect of ACTA on theInternet surveillance of individuals and the processing of the latter’s personal data,

* PhD Candidate, Leiden Law School; email: i.ievdokymova@law.leidenuniv.nl. I would like to thank, fortheir helpful comments and feedback, Marga Groothuis, Eldar Haber, Francis Snyder and the partici-pants of the 9th International Workshop for Young Scholars, 29 November-1 December 2012,Schenzhen, China, where the first version of this paper was presented. All mistakes remain mine.

bs_bs_banner

European Law Journal, Vol. 19, No. 6, November 2013, pp. 759–778.© 2013 John Wiley & Sons Ltd., 9600 Garsington Road, Oxford, OX4 2DQ, UKand 350 Main Street, Malden, MA 02148, USA

instituted for the purpose of copyright enforcement. It will do so on the example ofthe conflict between Article 27(3) of ACTA’s ‘Digital chapter’ and the EU dataprotection and privacy framework. To that regard, firstly, the history of ACTA andthe main textual developments of the ‘Digital chapter’ will be outlined. An overviewof the EU legal framework on copyright enforcement, as well as privacy and theprotection of personal data will follow, while the application of data protectionsafeguards to the surveillance of communications will be further illustrated withreference to the case-law of the European Court of Human Rights (ECtHR). Basedon this analysis, it will be argued that Article 27(3) ACTA, if interpreted broadly andimplemented without safeguards, may provide an incentive for graduated responsepolicies, which, as it will be shown on the example of the French graduated response,may trump privacy and data protection rights of individuals on a massive scale.

II ACTA: A Brief History and Text Developments

Signed by the EU on 26 January 2012, ACTA was rejected by the European Parlia-ment (EP) some half a year later.1 The result of the vote, while disappointing for theindustry, was welcomed by NGOs and civil rights activists, hailing it as a victory forfundamental rights, inter alia on the Internet.2 While the possible impact of ACTA onprivacy and the protection of personal data will be addressed below, one can stateright away that the very atmosphere surrounding ACTA negotiations contributed toEU citizens’ concerns.

Indeed, ACTA talks appeared to give a feel of lack of transparency and of exclu-sivity.3 Aimed at establishing an enhanced international framework for IPR enforce-ment, the agreement was negotiated by mostly developed economies outside theframework of available international forums, such as World Trade Organization(WTO) or World Intellectual Property Organization (WIPO).4 The closed talkspointed to an IPR-oriented and exclusionary agenda of the developed economies,which, in its turn, appeared driven by tensions between the developed and developing

1 EP legislative resolution of 4 July 2012 on the draft Council decision on the conclusion of the Anti-Counterfeiting Trade Agreement between the EU and its Member States, Australia, Canada, Japan, theRepublic of Korea, the United Mexican States, the Kingdom of Morocco, New Zealand, the Republicof Singapore, the Swiss Confederation and the United States of America (12195/2011—C7-0027/2012-2011/0167(NLE)).

2 See, for mostly for the reaction of industry and MEPs, ‘Goodbye ACTA: EU Parliament rejectsanti-piracy treaty,’ EurActiv.Com, 5 July 2012, available at: http://www.euractiv.com/infosociety/goodbye-acta-meps-flex-muscles-a-news-513736. For the reaction of NGOs, see, eg ‘Thank you, SOPA,thank you, ACTA,’ European Digital Rights (EDRi) Newsletter, no. 10.13, 4 July 2012, available at:http://www.edri.org/edrigram/number10.13/good-bye-acta; J. Killock, ‘ACTA: You Won!,’ Open RightsGroup, 4 July 2012, available at: http://www.openrightsgroup.org/blog/2012/acta-you-won.

3 See, eg M.E. Kaminski, ‘An Overview and the Evolution of the Anti-Counterfeiting Trade Agreement,’(2011) 21 Albany Law Journal of Science and Technology 385–444, at 390–391; K.L. Port, ‘A Case againstthe ACTA,’ (2012) 33 Cardozo Law Review 1131–1183, at 1136–1137, 1156–1159, 1162 and A. Metzger,‘A Primer on ACTA: What Europeans Should Fear about the Anti-Counterfeiting Trade Agreement,’(2010) 1 Journal of Intellectual Property, Information Technology and E-Commerce Law 109–116, at109–110.

4 See A. Metzger, n. 3 supra, at 110; M. Kaminski, n. 3 supra, at eg 386, 390, 443 and further, indirectly,K. Port, n. 3 supra, at 1162, stating that ‘[. . .] the Agreement is insulated [. . .] from the internationalmultinational sphere by avoiding the treaty-making system contemplated by the TRIPS Agreementregime’.

European Law Journal Volume 19

760 © 2013 John Wiley & Sons Ltd.

countries in WTO and WIPO.5 As the European Commission argued, the EU’srationale for participating in ACTA negotiations was protecting jobs, innovation andcreativity in Europe, while the agreement would not adversely affect fundamentalrights of individuals.6 This reassurance, however, appeared to do little to dispelEuropean citizens’ concerns.

Indeed, little was disclosed from the EU preparatory documents on ACTA ornegotiations minutes, while the information that was provided did not give a clearpicture of IPR enforcement measures envisaged, and thus did not allow speculatingon how those would affect fundamental rights, such as privacy or the protection ofpersonal data.7 The first official draft of the agreement was made public in April 2010,followed by the finalised text of 3 December 2010 and its legally verified version,published in all official EU languages on 23 August 2011.8

While it has been argued that ACTA poses a number of challenges to individuals,such as possible reduced access to affordable medicines and border searches of per-sonal luggage for counterfeit goods, this paper will address those provisions of theagreement that appeared to have provoked some of the biggest citizens’ protests in theEU—namely, the enforcement of copyright on the Internet.9 To that regard, below, abrief comparison of ‘Digital chapters’ in April 2010 and August 2011 texts will beprovided, with the focus on the provisions addressing the role of online serviceproviders (OSPs) in copyright enforcement. Next, the main questions on the impact ofthe latest version of those provisions on privacy and data protection will be outlined.

Article 2.18 (3) of April 2010 ACTA text provided conditions under which OSPs,whose subscribers have been allegedly engaging in infringing activity, couldbe exempted from liability.10 Such liability was excluded under the two proposedoptions for subparagraphs a) and b). The first proposed option of subparagraph b)

5 See M. Kaminski, n. 3 supra, at 390; K. Port, n. 3 supra, at 1157, arguing that ‘The ACTA is set up asan “us versus them” proposition.’ Eg A. Metzger, n. 3 supra, at 110 and M. Kaminski, n. 3 supra, at 388,further point out that developing economies opposed an enhanced IPR enforcement initiative withinWTO and WIPO.

6 ‘What ACTA Is About’, European Commission—DG Trade, available at: http://trade.ec.europa.eu/doclib/docs/2012/january/tradoc_149003.pdf

7 See list of ACTA drafts and preparatory documents, available at the EDRi official website: http://www.edri.org/ACTA_transparency

8 April and October 2010 versions of ACTA can be accessed at the EDRi website: http://www.edri.org/ACTA_transparency. The text of 3 December 2010 can be accessed at the website of the EuropeanCommission, DG Trade: http://trade.ec.europa.eu/doclib/docs/2010/december/tradoc_147079.pdf and its23 August 2011 version—at the website of the Council of the European Union: http://register.consilium.europa.eu/pdf/en/11/st12/st12196.en11.pdf

9 On the alleged adverse effect of ACTA on access to generic medicines, see eg Oxfam Statement regardingACTA and public health, October 2011, available at Oxfam official website: http://www.oxfamsol.be/fr/IMG/pdf/Oxfam_ACTA_analysis_FINAL.pdf; see further, briefly, M. Kaminski, n. 3 supra, at 398.M. Kaminski, n. 3 supra, at 402–403, further points out that ACTA would allow the Parties to excludefrom the scope of the agreement travelers’ personal luggage. K. Port, n. 3 supra, at 1165, emphasizes thatexcluding personal luggage from the scope of ACTA is a mere possibility for the Parties, and thatcriminal measures could in principle apply to such luggage. On the protests in Europe against ACTAInternet provisions, see eg ‘Activists Rally to Give ACTA the Cold Shoulder’, Euronews, 11 February2012, available at: http://www.euronews.com/2012/02/11/activists-rally-to-give-acta-the-cold-shoulder/;D. Lee ‘ACTA Protests: Thousands Take to Streets across Europe’, BBC.Com, 11 February 2012,available at: http://www.bbc.co.uk/news/technology-16999497

10 For an analysis of provisions on OSP liability limitation under April 2010 ACTA draft, see A. Metzger,n. 3 supra, at 114. ‘Digital chapters’ of April 2010 and December 2010 ACTA text have been furtheranalyzed by M. Kaminski, n. 3 supra, at 410–414; 426–427; 432; 438–441.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

761© 2013 John Wiley & Sons Ltd.

conditioned the OSP liability exemption upon ‘adopting and reasonably implementinga policy11 to address the unauthorized storage or transmission of materials protectedby copyright.’ As A. Metzger pointed out, based on an earlier leaked ACTA draft,Parties would be allowed to interpret such ‘policy’ as ‘graduated response,’ whererepeat alleged infringers could be denied access to Internet.12 Article 2.18.3. quarterfurther required the Parties to ‘promote the development of mutually supportiverelationship between online service providers and rightholders,’ without specifying anyconcrete policies or measures that OSPs were expected to take.13

In August 2011 ACTA text, direct references to OSP liability for subscriber actionshave been excluded from the main text. Such liability is mentioned in the footnote toArticle 27(2) as an example of a procedure applicable to copyright infringements inthe digital environment14; however, the Parties are not required to provide for it.Neither is there a direct requirement for graduated response regimes. Article 27(3)states: ‘Each Party shall endeavor to promote cooperative efforts within the businesscommunity to effectively address trademark and copyright or related rightsinfringement’—there is, however, no precise indication of cooperative effortsexpected.15 Article 27(3) further provides that cooperative efforts are to ‘preservefundamental principles such as freedom of expression, fair process, and privacy.’ Theconsistency of this formulation with the European fundamental rights framework isdoubtful, among other concerns as the provision does not mention the right to theprotection of personal data or private life, the latter being broader than the right toprivacy and including further specific aspects that, as it will be argued in section V,ACTA-compliant measures might affect. Finally, Article 27(1), applying to the whole‘Digital chapter,’ provides for both civil and criminal measures, aimed at ‘permit[ting]effective action against an act of infringement of intellectual property rights whichtakes place in the digital environment.’ Thus, both preliminary and final injunctions(Articles 12 and 8 respectively), as well as criminal penalties (Article 23) could, whererelevant, be applicable to online copyright infringements.16

The above examples illustrate the vagueness of the latest ACTA text. While in thecontext of the ‘e-enforcement’17 of copyright, this uncertainty may result in ACTA

11 Hereinafter—emphasis added.12 A. Metzger, n. 3 supra, at 114; graduated response appears to have further been permitted under option

2 of Art. 2.18 (3) (b) (Ibid). See also E. Haber, n. 70 infra, at 303–304. In M. Kaminski’s opinion, n. 3supra, at 439–440, option 1 of Art. 2.18.3(b) rather referred to ‘notice-and-takedown’ measures, whileoption 2—to graduated response.

13 M. Kaminski, n. 3 supra, at 432, further notes that this formulation may have de-facto referred tograduated response.

14 As M. Kaminski, n. 3 supra, at 410, further argues, such liability mechanism could allow ‘notice-and-takedown’.

15 M. Kaminski, n. 3 supra, at 411 and 432, further argues that, in light of the language used in April 2010version of ACTA’s ‘Digital chapter’, graduated response could have remained the negotiators’ intentionfor December 2010 text.

16 For the discussion of civil and criminal enforcement measures in the digital environment, provided inDecember 2010 ACTA text, see M. Kaminski, n. 3 supra, at 398–399, 411, 431.

17 The term ‘e-enforcement’ appears to first have been used by Smith, McFadden and Passetti to describethe use of automated/electronic means to monitor traffic and cite motorists in breach of traffic regula-tions. See D. Smith, J. McFadden and K. Passetti ‘Automated Enforcement of Red Light RunningTechnology and Programs: a Review’, 2000 Transportation Research Record no. 1734, 29–37. Here, theterm is applied, by analogy, to the monitoring and identification of subscribers for the purposes ofcopyright enforcement in an online environment.

European Law Journal Volume 19

762 © 2013 John Wiley & Sons Ltd.

being interpreted in a way that impacts a number of individual rights and freedoms,inter alia the freedom to receive and impart information and the right to a fair trial,this paper will specifically address data protection and privacy issues, these being atthe forefront of copyright enforcement in cyberspace18. Indeed, the wider the scope ofmeasures that ‘track-and-trace’ subscribers and allow for subsequent processing oftheir personal data, the more real will become the threat of fast and simplifiedproceedings in absence of full fair trial guarantees, as well as the chilling effect on thefreedom of speech. Thus, within the copyright e-enforcement context, certain safe-guards and limitations need to be provided already at the stages where the surveil-lance of individual online activity takes place and communications content isprocessed for the purpose of establishing a possible copyright infringement.

This given, the paper will address the possible impact of measures introducedwithin the context of Article 27(3) ACTA ‘cooperative efforts within the businesscommunity’ on the European privacy and data protection safeguards. Before address-ing this question, the following section will, first, provide a classification of OSPs,based on the types of services they offer, and explain the focus on Internet AccessProviders’ (IAPs) activity. Next, it will give a brief overview of the EU legal frame-work on copyright enforcement, as well as the protection of personal data andprivacy, followed by an account, on the example of Scarlet v SABAM judgment, ofhow the balance between the competing interests has been struck, in the context ofcommunications monitoring, by the Court of Justice of the European Union (CJEU/Court of Justice).

III Copyright Enforcement and the Role of IAPs:The EU Legal Framework

While there exist various OSP classifications, this paper, focused on the EU perspectiveof balancing copyright enforcement against privacy and data protection, will adopt theone provided in the E-Commerce Directive.19 The latter distinguishes among threetypes of OSPs, namely the ‘mere conduits,’ caching providers and hosting serviceproviders.20 While the function of ‘mere conduits’ or IAPs, in most cases, is grantingsubscriber access to Internet and/or transmitting information over a digital network,caching providers (eg proxy servers) temporarily store the local copies of visitedwebpages, thus allowing for a faster retrieval if access to the same page is requestedagain.21 Hosting service providers, in their turn, allow for a (permanent) online storageof information selected and uploaded by a subscriber22—an example could be socialnetworking websites. This paper will focus on IAPs, as they not only have the potentialfor monitoring and identifying a large number of subscribers, but further, as discussed

18 For a possible effect of the graduated response regimes, which arguably could be implemented underACTA, on fair trial and privacy rights as well as freedom of expression, see eg E. Haber, n. 70 infra, at317–321.

19 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain aspectsof information society service, in particular electronic commerce, in the Internal Market, OJ L 178,17.7.2000, 1–16.

20 Arts. 12–14, E-Commerce Directive.21 DLA Piper, Legal analysis of a Single Market for the Information Society (European Commission Study

SMART 2007/0037), Chapter 6, ‘Liability of Online Intermediaries’, 7–8, available at: http://ec.europa.eu/information_society/newsroom/cf/item-detail-dae.cfm?item_id=7022

22 ibid.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

763© 2013 John Wiley & Sons Ltd.

below, for enforcing the most severe penalties based on the results of suchidentification.23 This focus being established, next, an overview of the EU legalframework regulating IAP activity for copyright enforcement purposes and providingfor the protection of subscriber privacy and personal data will be provided. First,relevant secondary legislation will be addressed, followed by a brief account of theinterrelationship between the EU Charter of Fundamental Rights (EUChFR/Charter)and the European Convention on Human Rights (ECHR/Convention).24

A EU Secondary Legislation and EUChFR

The general framework of IPR enforcement in secondary EU legislation is providedby the like-named Directive, while specific aspects of copyright enforcement areaddressed in the Information Society Directive.25 It appears, from the latter, that theinvolvement of IAPs in the enforcement of copyright is not an ‘ACTA-novelty,’ asArticle 8(3) of the Directive provides for injunctions against OSPs whose subscribershave been allegedly infringing copyright. On the other hand, measures taken by IAPsfor copyright enforcement purposes must not result in indiscriminate surveillance, asArticle 15(1) of the E-Commerce Directive precludes imposing on OSPs a generalobligation ‘to monitor the information which they transmit or store.’

While the E-Commerce Directive prohibits general surveillance by OSPs, aimed,inter alia, at copyright enforcement, the main limitations and safeguards applicable tothe processing of personal data of individuals affected are laid down in the DataProtection Directive.26 Of interest for the purposes of this paper are wide definitionsof personal data as ‘any information related to an identified or identifiable naturalperson’ and data processing ‘as any operation or set of operations performed uponpersonal data,’ including its collection, storage and disclosure by transmission.27

Further, the Directive provides safeguards applicable to the processing of personaldata, inter alia proportionality of data collection to the purpose pursued, limitationson data storage and a general prohibition of the processing of sensitive data, such aspolitical or religious views, health data and information on sexual life.28

Specific rules for subscriber privacy in the telecommunications sector are provided inthe E-Privacy Directive.29 While the confidentiality of communications is the general

23 The penalty referred to—Internet disconnection—appears to affect the right to receive and impartinformation to a greater extent than eg removal of infringing content and/or termination of accounts byhosting service providers—measures that would affect only a part of individuals’ digital environment.

24 Charter of Fundamental Rights of the European Union, OJ C 83, 30.03.2010, 389–403; EuropeanConvention for the Protection of Human Rights and Fundamental Freedoms, Rome, 4.11.1950.

25 Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforce-ment of the intellectual property rights, OJ L 195, 2.6.2004, 16–25 (hereinafter—IPR EnforcementDirective) and Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 onthe harmonization of certain aspects of copyright and related rights in the information society, OJ L 167,22.6.2001, 10–19, respectively.

26 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protectionof individuals with regard to the processing of personal data and the free movement of such data, OJ L281, 23.11.95, 31–50.

27 Art. 2(a) and (b), Data Protection Directive, respectively.28 Arts. 6(1)(c), 6(1)(e) and 8(1), Data Protection Directive, respectively.29 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the

processing of personal data and the protection of privacy in the electronic communications sector, OJ L201, 31.7.2002, 37–47.

European Law Journal Volume 19

764 © 2013 John Wiley & Sons Ltd.

rule under this Directive, exceptions—which must respect the general principles of EUlaw, and, thus, also the ECHR rights, as interpreted by ECtHR—are possible in theinterests of, inter alia, prevention, investigation and detection of criminal offenses.30

The list of derogations from the confidentiality principle further refers to Article 13(1)of the Data Protection Directive, which, among other legitimate aims, lists theprotection of the rights and freedoms of others—as the Promusicae judgmentconfirmed, this exception also covers copyright enforcement.31 As Articles 8(2)(e) and13(1)(d) and (g) of the Data Protection Directive, respectively, further provide,derogations from the general prohibition on the processing of sensitive data arepossible, inter alia, where the establishment of legal claims is at stake, and limitationson data collection and retention may further be relaxed where criminal offenses or theprotection of the rights of others (and, thus, also rightholders) are concerned.

As to EUChFR, the right to private life and data protection are provided for in itsArticles 7 and 8, respectively. Article 7 EUChFR provides that everyone has the rightto respect, inter alia, for their private life and communications. Article 8(1) EUChFRgrants the right to the protection of personal data, while Article 8(2), inter alia,mandates that any processing of personal data have a basis in law, as well as be fairand instituted for specified purposes. Article 8(3) subjects compliance to the aboverules to the control of an independent authority. Article 52(1) further provides thatany limitations to EUChFR rights, including private life and data protection, must,inter alia, respect the essence of those rights and be subject to the principles ofproportionality and necessity.

When assessing a possible impact of ACTA on the rights to data protection andprivacy, as laid down in the EU legal order, of significance is the interrelationshipbetween Articles 7 and 8 EUChFR and the guarantees of Article 8 ECHR, asinterpreted by ECtHR32. As the recent CJEU jurisprudence shows, Data Protectionand E-Privacy Directives are likely to be read in light of the EUChFR.33 This said, upuntil now the CJEU has not had much chance to provide guidance on what restric-tions could affect the ‘essence’ of the rights to privacy and data protection for thepurposes of Article 52(1) of the Charter.34 This given, and in view of the fact that

30 Arts. 5(1) and 15(1), E-Privacy Directive, respectively. At the time of publication of the Directive in theOJ, under Art. 6(2), and currently Art. 6(3) of Treaty on European Union (TEU; OJ C 83, 30.03.2010,13–45), fundamental rights, guaranteed under ECHR, constitute general principles of EU law.

31 Case C-275/06, Productores de Música de España (Promusicae) v Telefónica de España SAU [2008] ECRI-271, para. 53.

32 Art. 8 ECHR reads: ‘1. Everyone has the right to respect for his private and family life, his home andhis correspondence. 2. There shall be no interference by a public authority with the exercise of this rightexcept such as is in accordance with the law and is necessary in a democratic society in the interests ofnational security, public safety or the economic well-being of the country, for the prevention of disorderor crime, for the protection of health or morals, or for the protection of the rights and freedoms ofothers’.

33 Joined Cases C-468/10 and C-469/10, ASNEF and FECEMD v Administración del Estado [2011] ECRI-0000, paras. 39–49; Case C-543/09, Deutsche Telekom v Bundesrepublik Deutschland [2011] ECRI-03441, paras. 48–55; 66.

34 In Deutsche Telekom, CJEU stated that the passing of a subscriber’s data between two undertakingspublishing public subscriber directories, where the subscriber has given consent to such publication onlyby the first undertaking ‘is not capable of substantively impairing the right to protection of personaldata’ (para. 66). This might imply that such sharing does not affect the essence of the right to dataprotection for the purposes of Art. 52(1) EUChFR—yet the Court did not elaborate on the assessment.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

765© 2013 John Wiley & Sons Ltd.

Article 52(3) EUChFR provides that ECHR is to serve as a minimum level ofprotection for corresponding Charter rights, in this paper, the principles and safe-guards of Articles 7, 8 and 52(1) EUChFR, where relevant, will be addressed in lightof Article 8 ECHR.35

The qualification ‘where relevant’ is made as, at the moment, it is not absolutelyclear whether EUChFR would apply to criminal copyright enforcement measures inforce in the EU MS such as France, which will be referred to when illustrating apossible ACTA-effect on national copyright enforcement systems. Article 51(1)EUChFR states that ‘the provisions of th[e] Charter are addressed [. . .] to theMember States only when they are implementing Union law.’ As the CJEU recentlypronounced in the Fransson case, for the purposes of Charter applicability to the EUMS action, ‘implementing’ equals acting within the scope of the EU law.36 Criminalcopyright enforcement measures have not yet been subject to EU harmonisation, andneither do the E-Privacy or Data Protection Directives cover the processing of data bystate authorities, where criminal matters are concerned.37 However, Article 16(1)TFEU, granting the right to the protection of personal data, also applies to dataprocessing in criminal matters.38 This given, it would appear that, at this moment, theprocessing of personal data by public authorities within the context of nationalcriminal copyright enforcement measures may only fall within the scope of the Unionlaw via Article 16(1) TFEU. Given the rather broad CJEU approach in Fransson, itis, perhaps, to be expected that the Court will consider this provision sufficient totrigger EUChFR applicability to the above situation, yet the judgments that willprovide a definite answer to this are yet to come. This given, criminal copyrightenforcement measures in France, affecting data protection and privacy guarantees,will be assessed directly with reference to Article 8 ECHR, while, within the contextof a broader discussion, the Convention will be referred to when interpreting relevantEUChFR provisions.

This background given, below, firstly, the EU approach to the surveillance ofsubscriber online activity by IAPs will be addressed with reference to the CJEUjudgment Scarlet v SABAM.

35 Article 52(3) EUChFR reads: ‘In so far as this Charter contains rights which correspond to rightsguaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, themeaning and scope of those rights shall be the same as those laid down by the said Convention. Thisprovision shall not prevent Union law providing more extensive protection’. Note that CJEU has alreadyinterpreted Art. 8 EUChFR in light of Art. 8 ECHR safeguards- see eg Joined cases C-92/09 andC-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen [2010] ECR I-11063, para.52, stating that: ‘[. . .]the right to respect for private life with regard to the processing of personal data,recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified oridentifiable individual [. . .] and the limitations which may lawfully be imposed on the right to theprotection of personal data correspond to those tolerated in relation to Article 8 of the Convention’.

36 Case C-617/10, Aklagaren v Hans Akerberg Fransson [2013] ECR I-0000, paras. 19–22.37 Art. 1(3), E-Privacy Directive and Art. 3(2), Data Protection Directive, respectively. Framework Deci-

sion 2008/977/JHA on the protection of personal data processed in the framework of police and judicialcooperation in criminal matters (OJ L 350, 30.12.2008, 60–71), on the other hand, does not apply to dataprocessing at the national level (Art. 1(2)).

38 Art. 16(1) TFEU provides: ‘Everyone has the right to the protection of personal data concerning them’.Based on Art. 16(2) TFEU, the Commission proposed a Directive regulating national processing of datawhere criminal matters are concerned (COM(2012) 10 final, 25.01.2012), yet it is not yet in force.

European Law Journal Volume 19

766 © 2013 John Wiley & Sons Ltd.

B General Monitoring by IAPs: Scarlet v SABAM

In order for infringements to be prevented or terminated, rightholders may demandthat IAPs filter out and block pirated content downloaded via their networks, whichentails the monitoring of subscriber online activity. At the EU level, such monitoringwas addressed in the 2011 case Scarlet v SABAM.39

In Scarlet v SABAM, Belgian Association of Authors, Composers and Editors(SABAM) sought an injunction against an IAP Scarlet Extended, alleging that certainScarlet subscribers were downloading protected works from the SABAM cataloguevia a peer-to-peer (P2P) network.40 As demanded by SABAM, such an injunctionwould oblige Scarlet, at its own cost and for an indefinite period of time, to system-atically filter and block access to the protected content.41 As far as subscriber rightswere concerned, the question before the CJEU was, in essence, whether such filteringsystem would be contrary to Article 15(1) of the E-Commerce Directive, as well asArticles 8 and 10 ECHR.42

The CJEU responded in the affirmative. It stated that the filtering system, in theform demanded by SABAM, would involve a several-steps screening aimed at locat-ing, first, the files related to P2P traffic, within those, the ones that rightholders claimto hold rights in, and yet within that category, the files that were shared unlawfully.43

Such filtering would, in the CJEU view, result in the monitoring of all communica-tions passing through Scarlet’s network, and thus the activity of all its subscribers,and would therefore go contrary to Article 15(1) of the E-Commerce Directive.44

Furthermore, the CJEU examined the filtering system in light of applicable funda-mental rights, balancing the interests of rightholders against those of IAPs andsubscribers. As far as subscriber rights were concerned, addressing, first, the right todata protection, the CJEU stated that Internet Protocol (IP) addresses, processed bythe monitoring system, allowed identifying subscribers and thus constituted personaldata.45 The Court concluded that a massive collection and processing of IP addresses,along with the analysis of communications content, would result in the breach of thesubscribers’ right to personal data protection.46 Furthermore, wary of the fact that thesystem might not distinguish between lawful and unlawful file sharing (ie all SABAMmembers’ works might be filtered out), the CJEU stated that the freedom to receiveand impart information may be encroached upon.47 In sum, it was ruled that thegeneral monitoring system as demanded by SABAM would disproportionately shiftthe balance of rights towards those of rightholders, and thus must be disallowed.48

39 Case C-70/10, Scarlet Extended v SABAM [2011] ECR I-0000.40 ibid, para. 17. Within a P2P network, files are transferred between user computers, rather than a user

computer and a central server.41 ibid, paras. 20 and 29.42 ibid, para. 28. Art. 10(1) ECHR provides: ‘Everyone has the right to freedom of expression. This right

shall include freedom to hold opinions and to receive and impart information and ideas withoutinterference by public authority and regardless of frontiers[. . .]’ CJEU, however, replied with referenceto EUChFR, rather than ECHR, rights—ibid, para. 51.

43 ibid, para. 38.44 ibid, paras. 39–40.45 ibid, para. 51.46 ibid, paras. 51, 53.47 ibid, para. 52–53.48 ibid, para. 53.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

767© 2013 John Wiley & Sons Ltd.

The outcome of Scarlet v SABAM is, thus, that no general monitoring by IAPs ofindividual online activity is allowed for the purposes of copyright enforcement.49 Thisis in line with Article 2(3) of the IPR Enforcement Directive, stating that the latter iswithout prejudice, inter alia, to the prohibition of general monitoring in Article 15 (1)of the E-Commerce Directive. The latter, however, does allow monitoring on specificoccasions. Recital 47 states:

Member States are prevented from imposing a monitoring obligation on service providers only withrespect to obligations of a general nature; this does not concern monitoring obligations in a specificcase and, in particular, does not affect orders by national authorities in accordance with nationallegislation.

What constitutes an acceptable ‘specific’ monitoring by IAPs for the purpose ofcopyright enforcement? Vital as it is for striking a fair balance between copyrightenforcement and privacy and the protection of personal data, the answer has not yetbeen provided at the EU level. As will be discussed in section V, this uncertainty mayprovide an incentive, also within the context of Article 27 (3) ACTA, to adoptmechanisms where a rather wide surveillance is conducted by rightholders, whereasIAPs are not required to monitor their subscribers, but ‘only’ to identify allegedrepeat infringers.

While Scarlet v SABAM mainly focuses on the limitations to the scope of subscribermonitoring, further applying the principles and safeguards of the Data ProtectionDirective and Article 8 EUChFR, it appears that, for such surveillance regimes not todisproportionately interfere with the right to data protection, they should presupposereasonable limitations to the retention and sharing of data and ensure an independentsupervision of data processing. While the CJEU has not had a chance to elaborate onthese safeguards within the context of communications monitoring, examples of theirapplication have been provided by the ECtHR jurisprudence.

IV The Guidelines of ECtHR Case-Law

Data protection safeguards applying to the monitoring of communications have beenaddressed by the ECtHR under Article 8 ECHR.50 The monitoring of subscriberactivity by IAPs for the purposes of copyright enforcement entails a horizontalconflict. While the classic ECtHR case-law on communications monitoring concernsconflicts between an individual and a state51, the challenges presented by, and safe-guards applicable to data processing by both private and public parties remain to agreat degree comparable, as, in both cases national legislation must be foreseeable,provide clear safeguards against the abuse of data and ensure a fair balance between

49 A similar conclusion, in relation to social networks, was reached by CJEU in Case C-360/10, SABAMv Netlog [2012] ECR I-0000.

50 For ECtHR case-law on the surveillance of communications, see eg ECtHR, Klass and Others v.Germany, Application no. 5029/71, Judgment of 6 September 1978; Weber and Saravia v. Germany,Application no. 54934/00, Decision of 29 June 2006; Copland v. United Kingdom, Application no.62617/00, Judgment of 3 April 2007; Liberty v. United Kingdom, Application no. 58243/00, Judgment of1 July 2008; Kennedy v. United Kingdom, Application no. 26839/05, Judgment of 18 May 2010. Notefurther that ECtHR recognized personal data as falling within the scope of the right to private life—seeeg ECtHR, Leander v. Sweden, Application no. 9248/81, Judgment of 26 March 1987, para. 48; Amannv. Switzerland, Application no. 27798/95, Judgment of 16 February 2000, paras. 65–67; Rotaru v.Romania, Application no. 28341/95, Judgment of 4 May 2000, paras. 43–44.

51 See eg Klass and Others; Weber and Saravia; Liberty; Kennedy, n. 50 supra.

European Law Journal Volume 19

768 © 2013 John Wiley & Sons Ltd.

the various interests involved52. Thus, the detailed safeguards applicable to ‘vertical’communications monitoring and data processing, developed in the ECtHR case-law,while clearly applicable to the processing of data by public bodies in charge ofenforcing copyright regimes, could as well, by analogy, apply to situations of privatemonitoring for copyright enforcement.

The surveillance of individual online activity first came to play in Copland v UK,where, upon a College Deputy Principal’s order, an employee’s Internet and emailusage was monitored for the period of several months. At the time of the application,there was no law in the UK laying down the basis for, and the limitations to suchsurveillance—thus, the measure was plainly not ‘in accordance with the law.’53 TheCourt further indicated that, once the necessary legislation was in place, it must beforeseeable ‘as to the circumstances in which and the conditions on which the author-ities are empowered to resort to any such [surveillance] measures.’54 Indeed, foresee-able legislation, clearly indicating how personal data will be collected, processed,stored and shared, is one of the main guarantees used by the ECtHR to shieldindividuals against the abuse of power and arbitrariness. While the Court did notelaborate on foreseeability in Copland, in cases of communications surveillance thistest was extensively applied in more recent judgments Liberty v UK and Kennedy vUK.55

First, it followed from Liberty that a national measure providing for communica-tions surveillance must not be all-encompassing. In Liberty, the Court examined thesituation where, for a period of several years, under the UK law a warrant could beissued with an effect that ‘any person who sent or received any form of telecommu-nication outside the British Islands [. . .] could have had such a communicationintercepted’.56 The domestic law further provided for an issue of a certificate, author-ising the processing, out of all intercepted communications, of those relevant for thepurposes of, for instance, national security.57 The very broad categories of interceptedcommunications and processed content led to a virtually indiscriminate scope of themeasure—one of the factors that led ECtHR to disallow it.58 The outcome wasdifferent in the case Kennedy v UK, where domestic legislation allowed communica-tions interception within the UK, aimed at safeguarding national security or prevent-ing crime, to a more limited extent. The ECtHR accepted this legislation, inter aliadue to the fact that the warrant issued for interception had to refer to a particularperson or premises concerned.59

52 See, for foreseeability: Liberty, Kennedy (vertical conflicts) and Copland (horizontal conflict); for pro-portionality: S. and Marper v UK, Application nos. 30562/04 and 30566/04, Judgment of 4 December2008 (vertical situation) and K.U. v Finland, Application no. 2872/02, Judgment of 2 December 2008(horizontal situation). While in Copland a conflict between a college official and employee was at stake,the ECtHR addressed it as a vertical one, due to the college being a public body—see para. 39. For thecomparability of the principles applicable to negative and positive State obligations under ECHR, seegenerally eg Hatton and Others v United Kingdom, Application no. 36022/97, Judgment of 2 October2001, para. 96.

53 Copland, n. 50 supra, paras. 47–48.54 ibid, para. 46.55 Note that foreseeability criteria were earlier laid down in Klass and Weber and Saravia, n. 50 supra.56 Liberty, n. 50 supra, para. 64.57 ibid, paras. 24, 65.58 ibid, paras. 64–65.59 Kennedy, n. 50 supra, paras. 40–41; 160; See also I. Ievdokymova, The EU-US SWIFT Agreement: which

Fate under the Lisbon Data Protection Framework? (Jongbloed, 2011) at 36–37.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

769© 2013 John Wiley & Sons Ltd.

The different outcomes in Liberty and Kennedy, however, did not depend solely on amore limited scope of surveillance in the latter case. In both judgments, the Courtattached importance to the safeguards against the abuse of data obtained throughinterception, which were applicable to the surveillance regime.60 In Kennedy, periodicreview of the necessity of data retention, destruction of data when it was no longernecessary for national security purposes, sharing data both within and outside theintercepting agency, when, inter alia, there was a ‘need to know’ for the personsconcerned, as well as the supervision by a Communications Commissioner and redressbefore the Investigative Powers Tribunal were deemed by the Court acceptablesafeguards under Article 8 ECHR.61 Due to the absence of concrete limitations on dataretention periods the specific outcome of Kennedy might be debatable.62 Nevertheless,this case points to the clear rules on data retention and destruction, sharing of datawhere there is a ‘need to know’, effective redress and independent supervision asgeneral safeguards that must be attached to the monitoring of communications, if themeasure providing for such monitoring is to be deemed foreseeable for the purposes ofArticle 8 ECHR.63

Besides foreseeability, another key test applied by the ECtHR in data protectioncases is the proportionality of the national measure involving the processing ofpersonal data to the aim pursued. In S. and Marper v UK, the ECtHR considereddisproportionate, and thus not necessary in a democratic society, indefinite retentionof DNA information and fingerprints of everyone ever suspected of committing acriminal offense, without any distinction, inter alia, based on the degree of gravity ofan offense concerned.64 As the Court had to weigh and balance the competing inter-ests, it took into account, inter alia, the objective pursued by interference on the onehand and the resulting degree of intrusion with the suspects’ right to private life on theother hand.65 One of the criteria in determining that degree was the sensitive nature ofDNA information. It was considered that such information, revealing ethnic back-ground, health data and family relationships, lies at the core of an individual’s privatelife, while its indiscriminate retention imposes an unacceptable limitation on thatright.66 Thus, also the nature of data collected and processed is to be taken intoaccount, where the societal importance of the legitimate aim of a measure is to beweighed against the resulting degree of private life intrusion.

Applying the said criteria to copyright enforcement, the monitoring would appearacceptable under Article 8 ECHR, if tailored to specific subscribers, rather thanapplying to the population in general or its large group. Furthermore, in order toprotect individuals against the abuse of their data by an interested party or public

60 See eg Liberty, n. 50 supra, paras. 62–63, citing Weber and Saravia; for the application of thesesafeguards in Liberty, see paras. 66–69.

61 Kennedy, n. 50 supra, paras. 46; 163–164; 166–167.62 See also I. Ievdokymova, n. 59 supra, at 38.63 In Kennedy, ECtHR examined foreseeability and necessity jointly—n. 50 supra, para. 155. In this paper,

in order to highlight the difference between the system’s compliance with foreseeability requirements, onthe one hand, and its far-reaching effect on individuals, on the other hand, it appears appropriate toexamine necessity jointly with proportionality.

64 S. and Marper, n. 52 supra, para. 119.65 ibid, para. 102.66 ibid, paras. 72–76, 103–104, 120; 125. On sensitive data, see further ECtHR, Dudgeon v UK, Application

no. 7525/76, Judgment of 22 October 1981, paras. 33 and 52. In para. 52, the ECtHR stated that ‘[t]hepresent case [relating to sexual orientation] concerns a most intimate aspect of private life’.

European Law Journal Volume 19

770 © 2013 John Wiley & Sons Ltd.

authority, entrusted with copyright enforcement, the measure authorizing the pro-cessing of communications content should provide for independent supervision andeffective redress, as well as be foreseeable. To that regard, clear limitations need to beprovided on the retention periods and circumstances of sharing of identifying dataand communications content, connected to a specific individual. Furthermore, inassessing the proportionality of a copyright enforcement measure, the societal impor-tance of the legitimate aim of protecting creative interests is to be weighed against theresulting degree of interference with subscribers’ private lives, the nature of dataprocessed being one of the key criteria to evaluate the latter. Where Articles 7, 8 and52(1) EUChFR are read in light of Article 8 ECHR requirements, a copyrightenforcement measure of a wide scope that involves the processing of sensitive dataand does not provide clear safeguards against its abuse would affect the very essenceof the right to respect for private life and communications and the right to dataprotection, as provided for in Articles 7 and 8(1) EUChFR. How does ACTA affectthese requirements? What policies could be adopted by EU IAPs pursuant to Article27(3) of the agreement? These questions will be addressed in the following section.

V ACTA and Communications Surveillance: The Road Towards‘Graduated Response’?

As stated previously, under Article 27 (3) ACTA the Parties must ‘endeavor to promotecooperative efforts within the business community,’ aimed, inter alia, at theenforcement of copyright. In the EU, ‘cooperative efforts’ in terms of subscribersurveillance must not result in the general preventive monitoring of communicationscontent by IAPs, which, as Scarlet showed, is triggered by large-scale filteringobligations.67 This given, such cooperation might result in IAPs installing, at right-holders’ request, more tailored filtering systems. Another option would be rightholdersengaging in a more tailored communications monitoring themselves, while the IAPs’role would be limited to identifying alleged infringers, so that a court action could bestarted against the latter.

Due to the uncertainty as to what constitutes, in the EU, ‘specific’ monitoring byIAPs for the purposes of copyright enforcement, IAPs will likely oppose the installationof filtering systems, demanded by rightholders, in courts. As this would lead tosignificant litigation costs, as well as delays in implementing filtering systems (if theoutcome of proceedings is at all in rightholders’ favour), it is most likely thatrightholders, rather than involving IAPs, would engage in communications monitoringthemselves.68 When rightholders get hold of alleged infringers’ IP addresses, IAPs’cooperation would be necessary to identify the latter. Thus, the scenario whererightholders monitor subscriber activity, while the IAPs’ role is limited to identifyingalleged infringers appears likely for the EU MS under Article 27(3) ACTA. Suchscenario would confirm, for the EU case, the view that ‘graduated response’ could bethe policy that this provision entails.69 Graduated response within the EU, however, isnot only a measure anticipated post-ACTA, but already a present-day reality for someMS.

67 Case C-70/10 Scarlet v SABAM, n. 39 supra, paras. 38–40.68 See further E. Haber, n. 70 infra, at 310 and 312, stating that graduated response may be less expensive

for IAPs to implement than monitoring obligations, as well as cheaper and faster than rightholders’ civillitigation against subscribers.

69 See M. Kaminski, n. 15 supra.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

771© 2013 John Wiley & Sons Ltd.

Graduated response, or a ‘three strikes’ approach, is aimed at tackling online piracythrough the cooperative efforts of rightholders and IAPs. In brief, it includes thefollowing steps: rightholders monitoring individuals’ online activity and detectingpossible infringements, identification of alleged infringers, a number (usually, three)warning notices being sent to the latter and, after the third notice, possible subscriberdisconnection from the Internet.70

Within the EU MS, a graduated response mechanism was adopted in France, wherecopyright infringement is a criminal offense of ‘contrefagon,’ and is widely knownunder the name of the public authority in charge of administering the regime—HADOPI (La Haute Autorité pour la diffusion des œuvres et la protection des droitssur Internet).71 Graduated response is further expected to be implemented in the UKunder the Digital Economy Act 2010.72 I will focus on the French HADOPI regime, asthe only functioning graduated response system, provided for under an EU MSlegislation.

In France, graduated response works as follows.73 First, Trident Media Guard(TMG), a company selected by the entertainment industry, monitors the sharing of

70 T. Rayna and L. Barbier, ‘Fighting Consumer Piracy with Graduated Response: an Evaluation of theFrench and British Implementations’, 2010 (6) International Journal of Foresight and Innovation Policy294–314, at 298; E. Haber, ‘The French Revolution 2.0: Copyright and the Three Strikes Policy’, 2011(2) Harvard Journal of Sports and Entertainment Law 297–339, at 299, 324. Within the EU, the possibilityfor graduated response appears to have been provided in Art. 1(1) of Directive 2009/136/EC, allowingOSPs to impose ‘conditions [. . .] limiting end-users’ access to, and/or use of, services and applications,where allowed under national law and in conformity with Community law’, as long as, inter alia, suchconditions respect individuals’ fundamental rights. Through its Art. 27(3), ACTA may provide a furtherincentive for EU MS to adopt graduated response regimes.

71 High Authority for Distribution of Works and Protection of Rights on the Internet. The closest Englishterm to ‘contrefaçon’ would be ‘counterfeiting’, yet the French term is broader and also includes copyrightinfringement—see eg Art. L335-3, Code de la propriété intellectuelle.Graduated response in France wasintroduced by Loi no. 2009-669 du 12 juin 2009 favorisant la diffusion et la protection de la création surinternet, JORF no. 0135 du 13 juin 2009, p. 9666. Certain provisions of the law, inter alia the impositionof Internet disconnection by HADOPI itself, rather than a judicial authority, were declaredunconstitutional by the French Constitutional Court, and the second law followed—Loi no. 2009-1311 du28 octobre 2009 relative à la protection pénale de la propriété littéraire et artistique sur internet, JORF no.0251 du 29 octobre 2009, p. 18290. This law provided for an Internet disconnection penalty to be imposedin a single-judge criminal procedure. See A. Strowel, ‘The Graduated Response in France: Is it the GoodReply to Online Copyright Infringements?’ in I. Stamatoudi (ed) Copyright Enforcement and the Internet(Kluwer Law International, 2010) 147–161, at 148–149; E.Haber, supra n. 70, at 305.

72 Digital Economy Act 2010 (c. 24). In the UK, an initial phase of graduated response—sending warningsby IAPs—has been delayed due to a discussion over cost allocation.

73 See T. Rayna and L. Barbier, n. 70 supra, at 301; A. Strowel, n. 71 supra, at 149–151, E. Haber, n. 70supra, at 306. A chart representing the workings of graduated response can further be accessed atthe HADOPI website: http://www.hadopi.fr/sites/default/files/page/images/Schema_Reponse_Graduee_0.png. As of 8 July 2013, Internet disconnection within the context of graduated response was abolishedin France, and the system will now be centered around fines. See Décret n° 2013-596 du 8 juillet 2013supprimant la peine contraventionnelle complémentaire de suspension de l’accès à un service de com-munication au public en ligne JORF no. 0157 du 9 juillet 2013, p. 11428. It has further been announcedthat HADOPI will be abolished as a separate body, the administration of graduated response now beingcarried out by Conseil supérieur de l’audiovisuel, and that the new system will mainly strive at targeting‘commercial piracy’ (eg websites streaming protected content), rather than individual users. See ‘Publi-cation du décret supprimant la peine complémentaire de la suspension d’accès à Internet’, Ministère dela culture et de la communication, 9 juillet 2013, available at: http://www.culturecommunication.gouv.fr/Espace-Presse/Communiques/Publication-du-decret-supprimant-la-peine-complementaire-de-la-suspension-d-acces-a-Internet While the directions set by the French government seem to indicate thatthe new system will be narrower in scope, the considerations on data retention and sharing under, as well

European Law Journal Volume 19

772 © 2013 John Wiley & Sons Ltd.

files on P2P networks and detects possible infringements. TMG then draws up andprovides to rightholders’ associations or collecting societies reports of allegedinfringements, containing information such as subscriber IP address and alias on P2Pnetwork, the name of file downloaded, date and time of alleged infringement, andname of the IAP concerned. The rightholders’ representatives refer those reports tothe Rights Protection Commission (RPC)—a special body within HADOPI in chargeof enforcing the graduated response mechanism. The RPC checks the facts related toan alleged infringement and forwards subscriber identification requests to the relevantIAPs, while the latter connect IP addresses to subscribers, allowing RPC to send outwarnings to the alleged infringers. After the third allegation of infringement emerges,RPC will conduct its own investigation into the case and, if appropriate, refer it to thepublic prosecutor. Based on the latter’s decision, a simplified (one-judge) or a regularcriminal procedure may follow, with a punishment of up to one-year disconnectionfrom the Internet, and, in a regular criminal procedure, a prison sentence of up tothree years and a fine of maximum € 300 000 for individuals acting alone.74

The stringent graduated response mechanism, provided under the HADOPI regime,relies on public enforcement. Within the context of this system, the rules governing theuse of data by the RPC, as the main body in charge of enforcing the regime, need to beassessed in light of the requirements of Article 8 ECHR. Indeed, is the system incompliance with the foreseeability criteria as to the retention and sharing of data, aswell as the supervision of the HADOPI regime? And just how tailored would the scopeof monitoring and data processing be under the French graduated response system?

To start with foreseeability, the procedures of data retention and sharing are laiddown in the Decree no. 2010-236, providing the details of data processing under theHADOPI regime75. As to the retention periods, subscriber data will be kept, first, fortwo months since the receipt of the first rightholders’ report, in case facts verificationdid not confirm the likelihood of an alleged infringement. If such likelihood wasconfirmed, subscriber data will be retained for fourteen months since the date ofsending out of the first warning. Should an allegedly illegal activity happen again,data will be retained for twenty-one months since the second warning was sent out.76

as the supervision and the impact on individuals of the current HADOPI regime would seem relevantforlarge-scale user-oriented copyright enforcement systems that may be developed elsewhere in thefuture.

74 The HADOPI system (Arts. L336-3 and L335-7-1, Code de la propriété intellectuelle) also provides fora disconnection of one month for a gross negligence of not securing one’s Internet access (and, thus,providing a means for others to download infringing content). Subscribing to other IAPs’ services duringthe pronounced disconnection period is prohibited (Arts. L335-7 and L335-7-1, Code de la propriétéintellectuelle). See T. Rayna and L. Barbier, n. 70 supra, at 301; E. Haber, supra n. 70, at 306.

75 In Kennedy, ECtHR took into account, in its analysis of a national communications surveillance system,not only the applicable legislation, but further the Interception of Communications Code of Practice,detailing and explaining relevant legislative provisions—n. 50 supra, paras. 156–157. By analogy, Décretno. 2010-236 will be referred to in this foreseeability assessment.

76 Initially, these retention periods were set out by Art. 3, Décret no. 2010-236 du 5 mars 2010 relatif autraitement automatisé de données à caractère personnel autorisé par l’article L. 331-29 du code de lapropriété intellectuelle dénommé ‘Système de gestion des mesures pour la protection des œuvres surinternet’, JORF no. 0056 du 7 mars 2010, p. 4680. A subsequent modifying decree extended the dataretention period after the second warning from twenty to twenty-one months. It further provided dataretention periods since the case referral to the public prosecutor, to a judicial authority and since thepronouncement of a final judicial decision (maximum one year for the first two cases and two years forthe last one)—see Décret no. 2011-264, JORF no. 0061 du 13 mars 2011, p. 4561. All references in themain text are made to the Décret no. 2010-236, as modified by the Décret no. 2011-264.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

773© 2013 John Wiley & Sons Ltd.

Alleged infringements will be detected within the period of six months after the firstwarning and a year after the second one.77 These periods are clear and precise, with noforeseeability concerns arising, yet, as it will be pointed to below, the period ofretaining data after the second warning might warrant proportionality concerns.

As to the extent of data sharing, as stated previously, RPC may refer case files (and,thus, both identifying data and communications content) to a public prosecutor, forhim to decide whether to refer the matter to court. Next, sworn public officials,assisting RPC in the infringement verification process, have access to all data thatallow confirming or disproving the likelihood of an infringement, including informa-tion relating to communications content concerned, as well as subscriber identity.78

The receipt of such data by both the public prosecutor and sworn officials is laiddown by Article 9(1) of the Data Protection Law and Article 4(1) of the Decree no.2010-236, respectively, and is directly necessary for the exercise of their official dutieswithin the HADOPI system, and, thus, appears foreseeable for the purposes of Article8 ECHR.79 Furthermore, as foreseen by Article 4(2) of the Decree, IAPs receivesubscriber data from RPC, yet those are limited to the technical data used forsubscriber identification, thus including an IP address and possibly the time and dateof an alleged infringement, and, again, are needed for the identification role that IAPsplay within the graduated response regime. The clear framework delimiting thesharing of data to the persons and entities that need to be aware of them, in order toexercise their official duties, appears to meet the Article 8 foreseeability standard. Yet,with the RPC itself, rather than a judicial authority, authorising subscriber identifi-cation, strong safeguards are needed in order to ensure that subscribers may scrutiniseand contest the way their personal data are used within the system.

Such safeguards are to be assessed, first and foremost, with reference to thesystem of individual remedies, applicable to data processing within the HADOPIregime. It needs to be noted, firstly, that no judicial review is possible for thewarning notices, the latter being considered reminders of subscribers’ obligations,having, per se, no legal effect.80 Individuals alleging misidentification may requestaccess to or rectification of personal data processed by RPC via its President.81 Inorder to ensure a full impartiality of the system, such intra-agency remedies,however, should be supplemented by an external system of control.82 The lattercould be provided, firstly, by courts—should an irregularity in data processing,retention or sharing by RPC seriously prejudice subscriber rights, possibilities for

77 Arts. L331-25 and L335-7-1, Code de la propriété intellectuelle, repsectively. For a timeline of infringe-ment detection after the first and second warnings and corresponding data retention periods, see alsoAnnexe 2, Circulaire du 6 août 2010 relative ?la présentation des lois no. 2009-669 du 12 juin 2009,favorisant la diffusion et la protection de la création sur Internet, et no. 2009-1311 du 28 octobre 2009,relative à la protection pénale de la propriétélittéraire et artistiquesur Internet, ainsique deleursdécretsd’application, NOR: JUSD1021268C, BOMJL no. 2010-06 du 31 août 2010.

78 Art. 4(1), Décret no. 2010-236 and Art. L331-21, Code de la propriété intellectuelle.79 See, for the processing of personal data by the public prosecutor, Art. 9(1), Loi no. 78-17 du 6 janvier

1978 relative à l’informatique, aux fichiers et aux libertés, telle que modifiée par la Loi no. 2004-801 du6 août 2004.

80 Art. L331-25, Code de la propriété intellectuelle.81 Art. 6, Décret no. 2010-236.82 See E. Haber, n.70 supra, at 319, arguing that proceedings in front of HADOPI would not be able to

satisfy the right to be heard, as the process in front of the latter could not be considered a proper judicialone.

European Law Journal Volume 19

774 © 2013 John Wiley & Sons Ltd.

both criminal proceedings and seeking compensation are open.83 Next, a key role isplayed by the Commission for Informatics and Libertés, the French DataProtection Authority, which, inter alia, accepts individual complaints relating to theprocessing of personal data and could further refer information on a possiblecriminal offense relating to such processing to the public prosecutor.84 Claimingmisidentification should be further possible on appeal of sanctions imposed uponsubscribers in both a simplified and regular criminal procedure.85 Appealing asanction imposed in a simplified procedure, however, would lead a subscriber to a‘regular,’ rather than a single-judge criminal court, where a prison sentence could bepronounced.86 This, in turn, could deter individuals from submitting such an appeal,inter alia based on a misidentification claim.

This overview suggests that the French graduated response system appears to belargely in accordance with Article 8 ECHR requirements on foreseeability and safe-guards against the abuse of data. The key concerns posed by the system, on the otherhand, pertain to proportionality issues.

The first such issue is the length of the data retention period after the secondsubscriber warning, in comparison with such period after the first notice. As statedabove, both periods are in line with the time spans used to detect alleged infringe-ments, the second one (one year) being twice longer than the first one. It could beargued that the presence of a repeat alleged infringement, linked to a subscriber’saccount, may justify a longer infringement detection and, thus, data retention periodafter the second warning. Yet it is also to be recalled, in line with S. and Marper, thata data retention period may be assessed in conjunction with the presumption ofinnocence—or absence thereof—which such data retention may point to.87 In thisconnection, it is to be taken into account, firstly, that the system is aimed not solelyat deterring and punishing repeat infringers, but also those who failed to secure theirInternet access, allowing the exchange of protected content.88 It would probably notbe an uncommon situation that a subscriber’s account has been used by a third partyto download infringing works without that subscriber’s consent or knowledge.89 Dueto a number of obstacles, such as family circumstances or state of health, a subscriber,however, may not have been able to secure his connection before the second warningarrived. Detecting the possibility of a repeat download over a twice longer period of

83 See, for criminal penalties pertaining to the retention of data beyond the periods prescribed by law, theuse of data outside the purpose of its collection, or its disclosure, for instance, to unauthorized thirdparties, Arts. 226-20–226-22, Code pénal, respectively. As to compensation, an individual may either joincriminal proceedings as a civil party or claim damages in a separate action—the latter, especially wherethere is a need for an urgent interim measure (eg where dissemination of sensitive data is concerned),could take place in summary (en référé) proceedings.

84 Arts. 11 (2) (c) and (e), Loi no. 78-17.85 Arts. 495-3 and 496, Code de procédure pénale, respectively. The simplified criminal procedure (ordon-

nance pénale) raises questions as to its compliance with Art. 6 ECHR. See eg E. Haber, n. 70 supra, at319, arguing that the simplified procedure, combined with the absence of the presumption of innocence,may lead to a number of false accusations and to a disproportionate graduated response implementationin France. As the paper discusses the HADOPI system from the angle of Art. 8 ECHR, the Art. 6 ECHRaspects of ordonnance pénale will not be addressed here, and the presumption of innocence will bediscussed within the context of data retention.

86 Art. 495-3, Code de procedure pénale.87 S. and Marper, n. 52 supra, para. 122.88 Arts. L336-3 and L335-7-1, Code de la propriété intellectuelle.89 An example could be the use of a neighbor’s Wi-Fi connection—see E. Haber, n. 70 supra, at 324, 328.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

775© 2013 John Wiley & Sons Ltd.

time after the second warning, however, points to a certain—and, indeed, growing—distrust on part of the authorities. The system appears to de-facto send the message:‘Allegedly illegal downloads occurred from this account, and it is likely to happenagain’ and to retain data for progressively longer periods in order to prove thisassumption. This given, it would appear that a twice longer time span for infringe-ment detection, and, consequently, a prolonged data retention period after the secondwarning does not appear proportionate or necessary for the purpose of copyrightenforcement under the HADOPI regime.

A more general proportionality concern is posed by the scope and effects ofsubscriber monitoring by TMG and, consequently, data processing by RPC. As theEuropean Data Protection Supervisor (EDPS) suggests, in order for such monitoringto be proportionate, the nature and seriousness of an alleged infringement (as far asP2P sharing is concerned, mostly personal-use oriented and insignificant90) must beweighed against the degree to which a copyright enforcement measure intrudes intothe private lives of persons affected, the latter being determined both with reference tothe scope of subscriber surveillance and its depth.91

As to the scope of surveillance, the monitoring of P2P networks, perhaps, could notbe equated with the Liberty-type situation where a much broader collection andscanning of communications content took place. Yet even as far as this sharing toolis concerned, figures point to a large number of persons affected by graduatedresponse in France,92 and this rather wide scope of monitoring is to be considered inconjunction with the nature of information that could be inferred from communica-tions content. What individuals exchange on P2P networks is not only neutral—theymay further want to have access to or share music, films and other artistic works thatrelate to the defining aspects of their selves. Scrutinising exchanged files is thus likelyto reveal personal information about an individual, which may point, inter alia, to hisstate of health or sexual orientation—information, which, as S. and Marper andDudgeon suggest, is at the core of the right to private life.93

The potentially sensitive nature of information at stake, combined with a largenumber of subscribers affected and weighed against mostly insignificant infringe-ments, already suggests a disproportionate effect of the HADOPI regime on individ-uals’ private lives.94 Yet, how can such surveillance further affect individuals? Article8 ECHR includes the right to personal identity, which entails the possibility for anindividual to obtain an answer to the key question ‘Who am I?’—arguably, withreference to the various aspects of his self. While the right to know or discover one’sidentity has been explicitly established within the context of parentage and family ties,given the wide scope of identity aspects covered under Article 8 ECHR, it wouldappear that this right could further extend to such facets of individuals’ lives as, for

90 See EDPS Opinion of 24 April 2012 on the proposal for a Council Decision on the Conclusion of theAnti-Counterfeiting Trade Agreement, para. 25, where the EDPS refers, generally, to online copyrightinfringements targeted by rightholders as ‘trivial, small-scale [and] not for profit’. The opinion isavailable at the EDPS website: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-04-24_ACTA_EN.pdf

91 ibid, para. 24.92 The annual HADOPI report 2011–2012 states that 2 081 971 IP addresses were identified within the

period of 1 July 2011–30 June 2012. The report is available at: http://www.hadopi.fr/actualites/rapport-annuel/rapport-annuel-2011-2012

93 N. 66 supra.94 See, generally, EDPS Opinion on ACTA, n. 90 supra, para. 25.

European Law Journal Volume 19

776 © 2013 John Wiley & Sons Ltd.

instance, political and religious views.95 Discovering and developing these aspects ofthe self should not, in the ECHR understanding, require a state of seclusion,96 butrather, it would seem, a confidence, in social contexts, that the information youexchange is not being tracked and traced. Awareness that such surveillance is alreadytaking, or likely to take place, may force individuals to stop exchanging information,which would, within the context of Article 8 ECHR, affect a deeper search of indi-viduals for who they are, thus impeding their right to identity discovery and personaldevelopment.97 Thus, further with reference to this potential harmful effect, the sur-veillance of individuals within the HADOPI regime must be deemed disproportionateand not necessary in a democratic society.

Thus, the HADOPI system, escaping an unclear definition of ‘specific’ IAP moni-toring under the E-Commerce Directive and appearing to be in compliance withArticle 8 ECHR requirements on foreseeability and safeguards against the abuse ofdata, poses proportionality concerns. In particular, the monitoring and processing ofexchanged file content has a wide scope and may reveal information belonging to thevery core of individuals’ private lives. Despite the fact that clear boundaries on dataretention and sharing, as well as certain safeguards against the abuse of data areprovided by the system, the wide collection and processing of such data, further inview of its potential effect on individuals’ right to identity discovery and personaldevelopment, appears to have a serious adverse effect on privacy and data protectionguarantees under Article 8 ECHR. The challenges posed by the HADOPI systemshould thus be an admonition to EU MS intending to implement graduated response,be it within or outside a framework of an international agreement such as ACTA.

VI Conclusion

‘You had to live [. . .] in the assumption that every sound you made was overheard,and, except in darkness, every movement scrutinized.’98 Such was the ‘Big Brother’surveillance, described by George Orwell in ‘1984.’ While the ‘Big Brother’ metaphorrefers to the all-seeing eye of a totalitarian regime, in the copyright enforcementmeasures in cyberspace, it is to a considerable extent private interests that onlinesurveillance benefits. Within this ‘e-enforcement’ context, rightholders may choose todetect infringing online activity themselves or seek injunctions, inter alia against IAPs,requiring those to install content filtering systems.

95 For the right to establish one’s identity, within the context of parentage and family ties, see eg ECtHR,Odièvre v France, Application no. 42326/98, Judgment of 13 February 2003, paras. 28–29; Mikulic v.Croatia, Application no. 53176/99, Judgment of 7 February 2002, paras. 53–54; Gaskin v UnitedKingdom, Application no. 10454/83, Judgment of 7 July 1989, para. 39. Yet Art. 8 ECHR, ratherbroadly, ‘can [. . .] embrace multiple aspects of the person’s physical and social identity’—see S. andMarper, n. 52 supra, para. 66.

96 The right to private life under Art. 8 ECHR covers not only a restrictive ‘inner circle’, where individualsmay live their lives in the manner of their own choosing, but further protects the establishment ofrelationships with the outside world—see ECtHR, Niemietz v Germany, Application no. 13710/88,Judgment of 16 December 1992, para. 29. Within this context, Art. 8 further protects the right to identityand personal development—see eg ECtHR, Gillan and Quinton v UK, Application no. 4158/05, Judgmentof 12 January 2010, para. 61.

97 See further, on the effect of the (HADOPI) graduated response regime on the right to preserve one’sthoughts, secrets, feelings and identity and fulfil oneself within the context of free speech, E. Haber, n.70 supra, at 318 and 320, respectively.

98 G. Orwell, Nineteen Eighty-Four: A Novel (1st Mariner ed, 2008), at 23.

November 2013 ACTA and the Enforcement of Copyright in Cyberspace

777© 2013 John Wiley & Sons Ltd.

While ACTA does not expressly require the Parties to provide for copyright sur-veillance regimes, concerns have been expressed that its vaguely formulated Article27(3) could be interpreted as allowing ‘graduated response’ measures, whererightholders monitor individuals’ Internet activity, whereas IAPs are expected toidentify alleged infringers and enforce the penalty of Internet disconnection. Gradu-ated response systems may adversely affect privacy and data protection rights ofindividuals. While both the EU and ECHR legal frameworks prohibit a wide-scalecollection and scrutinizing of potentially sensitive communications content, thealready adopted graduated response regime in France, despite being clearly regulatedand providing certain safeguards against the abuse of data, appears at odds with thisrequirement.

Wary of ensuing surveillance, many took to the streets of Europe to protest againstACTA. Their voices have been heard, as the agreement was rejected by the EP- andone would hope that, if its new version sees light, it will expressly exclude graduatedresponse measures. Should the agreement be adopted in a vaguer form and stringentcopyright enforcement policies introduced, individuals might choose not only to takepart in demonstrations, but protect their privacy with technological means. Using, forinstance, secure friend-to-friend networks and proxy servers, individuals would beable to hide their identity online and escape cybersurveillance efforts. Would ACTA-inspired copyright enforcement result in the expansion of this hidden layer of Internetactivity? Only future will tell.

First submission: October 2012Final draft accepted: May 2013

European Law Journal Volume 19

778 © 2013 John Wiley & Sons Ltd.