data protection vs. copyright

Dan Jerker B. Svantesson & Stanley Greenstein (editors) Nordic Yearbook of Law and Informatics 2010-2012 Internationalisation of Law in the Digital Information Society



Electronic copy available at: http://ssrn.com/abstract=2350131

Dan Jerker B. Svantesson & Stanley Greenstein (editors) Internationalisation of Law in the Digital Information Society: Nordic Yearbook of Law and Informatics 2010-2012 First edition, first impression

Published by: Ex Tuto Publishing A/S, Toldbodgade 55, 1253 Copenhagen, Denmark, www.extuto.com

ISBN 978-87-92598-22-6

© 2013 the authors

Printed in Denmark by Narayana Press, Gylling Typeset and layout: MERE.INFO A/S, Copenhagen, Denmark

Photo: www.travelphotography.dk.


4. Data Protection vs. Copyright

Dr. Lee Bygrave*

This paper charts changes in the relationship of copyright and data protection brought about by the evolution of technological-organisational measures for enforcing copyright in the digital world. It assesses the impact of such measures on privacy and related interests, particularly in light of data protection legislation and case law of the European Court of Justice.

4.1. Copyright and data protection as collaborative rights

Current discourse on copyright and data protection is littered with metaphors of conflict. This paper is no exception. As elaborated below, harmony between copyright and data protection is at an all-time low. Yet just as it is important to remember times of peace in times of war, so too is it important to remember that copyright along with intellectual property rights (IPR) more generally are not intrinsically in tension with data protection rights. For many years, they have been friends.

At a basic level, both sets of rights are aimed essentially at regulating the flow of information in order to preserve certain values and interests. Indeed, one of the most influential definitions of privacy—and one often used to sum up the basic ideal of data protection1—can be repeated with only minor amendment to describe the broad thrust of copyright. This is Alan Westin's definition of privacy as 'the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others'.2 If we simply replace the phrase 'information about themselves' with the phrase 'information created by themselves', Westin's definition can function reasonably well to define copyright.3

More significantly, copyright and data protection share common ground in their origins. Doctrines on personality rights have provided a seedbed for both.4 Common law doctrines on copyright have been used to help ground a right to privacy, and privacy doctrines have been used to help ground aspects of copyright.5 The two sets of rights have also worked hand in hand on a more practical plane. For instance, the publication of certain film material in which persons are portrayed is often restricted under copyright law.6 Additionally, through application of its 'private use' and 'fair use' exemptions, copyright law has helped to ensure that neither copyright nor copyright-holders impinge upon the private sphere of consumers of material in which copyright inheres.7

* Norwegian Research Center for Computers and Law, Oslo University.

1 I am here using 'data protection' in the European sense—that is, as denoting a set of norms that specifically govern the processing of data relating to persons (i.e., personal data) in order to protect, at least partly, the privacy and related interests of those persons. Outside Europe, the more common nomenclature for such norms is in terms of protecting 'privacy', 'information privacy', or increasingly, 'data privacy': Lee A Bygrave, 'Privacy and Data Protection in an International Perspective' (2010) 56 Scandinavian Studies in Law 166.

2 Alan F Westin, Privacy and Freedom (Atheneum 1970) 7.

3 I received this insight from Jan Kabel at a meeting on Electronic Copyright Management Systems, held at the Institute for Information Law, University of Amsterdam on 23 May 1998.

4 See e.g. Justin Hughes, 'The Philosophy of Intellectual Property' (1988) 77 The Georgetown Law Journal 287, 355.

5 Famous examples on point being Samuel Warren and Louis Brandeis, 'The Right to Privacy' (1890) 4 Harvard Law Review, 193, 198 (arguing, inter alia, that common law protection of intellectual, artistic and literary property is based upon a broader principle of protection of privacy and personality); Josef Kohler, 'Das Autorrecht' (1880) 18 Jherings Jahrbücher für die Dogmatik des Bürgerliches Rechts 128 (basing authors' moral rights partly on the notion that the authors' works originate within their private sphere). Cf. Paul E Geller, 'Must Copyright Be Forever Caught Between Marketplace and Authorship Norms?' in Brad Sherman and Alain Strowel (eds), Of Authors and Origins (Clarendon 1994) 159, 166-169, 178ff and references cited therein.

6 See e.g. section 85(1) of the UK Copyright, Designs and Patents Act 1988 (as amended); section 35(5) of Australia's federal Copyright Act 1968 (as amended); and section 45c of Norway's Intellectual Property Act 1961 (lov om opphavsrett til åndsverk mv 12 mai 1961 nr 2) (as amended).

7 See further Lee A Bygrave and Kamiel J Koelman, 'Privacy, Data Protection and Copyright: Their Interaction in the Context of Electronic Copyright Management Systems' in P Bernt Hugenholtz (ed), Copyright and Electronic Commerce (Kluwer Law International 2000) 59, 98 et seq.

Yet fundamental differences exist between the respective concerns of the two sets of rights. Broadly conceived, copyright is aimed at safeguarding the incentive to produce original works and contribute to societal progress by assuring the creators an economic benefit of their creative activity.8 By contrast, data protection law is an attempt to maintain the incentive to participate in a democratic, pluralist society by securing the privacy, autonomy and integrity of individuals.9 Nor should we overplay the extent to which copyright law has been made taking conscious account of data protection concerns, and vice versa. Such consideration has tended to be fairly incidental and ad hoc. And in the big picture, copyright law has played a marginal role in assuring the privacy of consumers of material in which copyright inheres. Technological and market mechanisms have played a much more important role:10 privacy has predominantly been assured because offline consumption of copyrighted works has usually been able to be carried out as anonymous transactions (eg through cash payment).

8 See e.g. JAL Sterling, World Copyright Law (3rd edn, Sweet & Maxwell 2008) 70-73. This is not the sole concern but an important one, particularly in common law jurisdictions. The precise character of the 'balance' that is and ought to be struck between the public interest and private interest and between incentives and monopolies is a matter of extensive controversy, but falls largely outside the scope of this paper.

9 See generally Lee A Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (Kluwer Law International 2002) chapter 7 and references cited therein.

10 For an overview of these factors, see Graham Greenleaf, '"IP, Phone Home": ECMS, ©-Tech, and Protecting Privacy against Surveillance by Digital Works' in Proceedings of the 21st International Conference on Privacy and Data Protection (Office of the Hong Kong Privacy Commissioner for Personal Data 1999) 281, 282-283.

4.2. Tension in cyberspace: from DRM to piracy surveillance

Having enjoyed a predominantly peaceful co-existence for the early periods of their respective lives, the relationship of copyright and data protection has grown far less cordial over the last 15 years. The tension arises chiefly from a combination of two developments. The first is computer networks' facilitation of relatively cheap, large-scale copying, retrieval and distribution of digital material to which copyright attaches, without respect for IPR. The second development, which is largely a reaction to the first, is IPR-holders' push to secure their rights over such material by applying various technological, organisational and legal mechanisms. Put somewhat brutally and simplistically, this push can be seen as old money employing new means to save old business models.

Central to this push has been repeated attempts to harness 'lex informatica' (Reidenberg) for the benefit of IPR-holders—in other words, to exploit the regulatory potential of information systems architecture in the service of the rights that such architecture concurrently threatens. These efforts were predicated on recognition that 'the answer to the machine is in the machine'—to quote Charles Clark's now worn adage.11 Manifestation of these efforts first went under the nomenclature 'Electronic Copyright Management Systems' (ECMS); later, the term 'Digital Rights Management Systems' (DRMS) took over, partly in recognition that the systems concerned have often had more than simply copyright enforcement as their remit. Such systems have typically been envisaged as providing for several overlapping functions: (i) controlling access to digital works; (ii) preventing unauthorised copying of digital works; (iii) identifying the works and the relevant IPR-holders; and (iv) ensuring that the latter identification data—often termed 'Rights Management Information' (RMI)—is authentic and not deleted or otherwise altered. A variety of technologies are employed to realise these functions. Examples are encryption (particularly for access control), steganography (digital watermarking for authentication of RMI) and electronic agents (e.g., web spiders/bots for monitoring usage of digital works).12

11 Charles Clark, 'The Answer to the Machine is in the Machine' in P Bernt Hugenholtz (ed), The Future of Copyright in a Digital Environment (Kluwer Law International 1996) 139-145.

12 See generally Eberhard Bekker and others (eds), Digital Rights Management: Technological, Economic, Legal and Political Aspects (Springer 2003).

For the purposes of this paper, the monitoring function is most notable. For DRMS present the possibility of monitoring what people privately read, listen to or view, in a manner that is both more fine-grained and automated than was typical for offline consumption of information. The monitoring capacity comes through already in the mid-1990s, when ECMS were first on the drawing board. Significantly, Clark's 1996 article—mentioned above—begins with a quote from a 1994 report from the International Publishers Copyright Council:

'The question surrounding the electronic use of copyright materials is not so much "How shall we prevent access and use?" as "How shall we monitor access and use?" The real issue is to link identifying, monitoring, control and reward.'

The report goes on to acknowledge that an ideal system 'should provide some level of confidentiality or privacy for the user', but the privacy aspect is left largely hanging in the air.

Shortly afterwards, scholars began to worry about the considerable surveillance potential of ECMS/DRMS, noting that this potential may not only weaken the privacy interests of information consumers to an unprecedented degree but also inhibit the expression of non-conformist opinions and preferences.13 In this perspective, the fear was that untrammelled development of such systems could lead them to functioning as a digital Panopticon with deleterious effects on the long-term vitality of pluralist, democratic society. The greater the compass of such systems—particularly through their interlinking—the more disturbing their implications would become. At the same time, it was also recognised that these concerns might end up being largely unsubstantiated. I warned in 2002 that 'we might be conjuring up a threatening mountain out of what proves to remain a molehill'.14

13 See especially Julie E Cohen, 'A Right to Read Anonymously: A Closer Look at "Copyright Management" in Cyberspace' (1996) 28 Connecticut Law Review 981-1039; Bygrave and Koelman (n 7) 59-124; Lee A Bygrave, 'The Technologisation of Copyright: Implications for Privacy and Related Interests' (2002) 24 European Intellectual Property Review 51-57 (reprinted in Brian Fitzgerald (ed), Cyberlaw, vol 2 (Ashgate 2006) 421-427); Greenleaf (n 10).

14 Bygrave, 'The Technologisation of Copyright' (n 13) 57.

These cautionary words were due to the uncertainty then surrounding the modus operandi of DRMS and the direction of their development. Over a decade later, we are now able to see the contours of DRMS development more clearly: numerous such systems have been commercially applied, sometimes extensively. Nonetheless, their precise workings, including their monitoring capacity, are still sometimes difficult to ascertain, at least by laypersons. Adding to the difficulty is that their sophistication, ambition and commercial use are constantly in flux, as are the measures for circumventing them (or elements of them). Consider, for example, the considerable changes to Apple's digital distribution platform—with initially comprehensive employment of DRMS on iTunes followed by a reduction of such use in 2009 for music files,15 though not for videos and iBooks—together with the persistent 'cat-and-mouse' struggle between Apple and developers of circumvention software, such as Requiem.16

Such difficulty aside, I would venture to claim that DRMS—at least as envisaged a decade ago—have not undermined privacy and related interests as much as some persons (including myself) conjectured. This is not to say that those interests have remained free of DRM-related threat—remember, for instance, the Sony 'rootkit' scandal of 2005.17 As an aside, while that scandal was initially shocking from a data protection perspective, the legal settlement in its wake ended with Sony BMG agreeing to institute data protection measures for use of CDs with 'Content Protection Software'.18 This was no more than a minor win for privacy, with such CDs being increasingly consigned to the technology scrapyard. My main point, though, is that the monitoring capacity of many of the really commercially significant digital distribution platforms seems to have been much less developed than feared. In other words, surveillance carried out as an integrated element of a discrete DRMS—that is, where a particular digital distribution platform monitors usage of content that is purchased through it—has not been as commercially prevalent as some persons predicted. Apple's iTunes is again a case in point: as far as I can see, the main DRM technology for that platform—FairPlay—does not have an 'IP, Phone Home' functionality similar to that sketched by Greenleaf;19 FairPlay simply restricts copying and format shifting.

The prevalence of such DRM-based surveillance will decrease if there continues to be reduction in use of DRMS generally. We have already witnessed the music-recording industry scaling back technological controls for distribution of music. This development has been spurred partly by the emergence of commercially successful streaming services, such as Wimp and Spotify. In the near future, use of DRM controls in large-scale commercial distribution of other forms of digital content, like video and e-books, may well be reduced too.20

15 'Apple to end music restrictions', BBC News, 7 January 2009, <http://news.bbc.co.uk/2/hi/technology/7813527.stm>.

16 See e.g. Bryan Bishop, 'Apple's FairPlay DRM for iBooks cracked by Requiem app', The Verge, 25 February 2012, <http://www.theverge.com/2012/2/25/2823218/apples-fairplay-drm-ibooks-cracked-requiem-app>.

17 For readers who do not remember, Sony BMG was discovered in 2005 to have been covertly spreading software containing a potentially harmful 'rootkit' that would render the computers into which the rootkit was installed more vulnerable to infection by other 'malware'. Rootkit installation occurred by way of inserting an audio CD into the computer and playing it. The rootkit was alleged to enable collection of information about the computer (eg its IP address) and its usage, also when connected to the Internet. Lawsuits brought against the company in the wake of the scandal were ultimately settled out of court. See further e.g. Michael Geist, 'Sony's long-term rootkit CD woes', BBC News, 21 November 2005, <http://news.bbc.co.uk/2/hi/technology/4456970.stm>.

18 More specifically, Sony agreed to '[e]nsure that [for] CDs with Content Protection Software, SONY BMG will, if such CDs are played on computers with active connections to the Internet and the CDs cause the computer to make a connection to the Internet, make a record only of the associated album title, artist, IP address from which the connection was made, and certain non-personally identifiable information; provided, however, that the foregoing shall not preclude SONY BMG from obtaining personally-identifiable information from the user upon consent': In re SONY BMG CD Technologies Litigation, Settlement Agreement reached in the US District Court for the Southern District of New York, 28 December 2005 para IV.B; available at www.girardgibbs.com/docs/cases/129_sonysettlementagreement.pdf.

19 Greenleaf (n 10).

20 Further on the problems facing DRMS as a regulatory tool, see Ian Brown and Christopher T Marsden, Regulating Code: Good Governance and Better Regulation in the Information Age (MIT Press 2013) ch 4.

Nonetheless, the last decade has seen a massive amount of other online surveillance instigated in the name of protecting copyright. Powerful groups of IPR-holders, such as the Motion Picture Association of America (MPAA), Record Industry Association of America (RIAA) and International Federation of the Phonographic Industry (IFPI), are the chief instigators. As suggested above, the bulk of this surveillance has not been carried out as an integrated part of a discrete DRMS. Nor is it usually undertaken by IPR-holders themselves but by agents they hire specifically for the task. The agents employ software tools to monitor online activity generally, in search of file-sharing arrangements that putatively breach copyright. Searches tend to be directed at particular forms of peer-to-peer (P2P) file sharing (such as those based on the BitTorrent protocol), but their sweep can be broad.21 The searches take place at the 'upper' level of the Internet—that is, at its application layer where digital content is hosted and disseminated; hence this 'piracy surveillance' (Katyal) is sometimes called 'over-the-top' (OTT) surveillance.

These monitoring schemes are not, as such, primarily pre-emptive in the sense of attempting to anticipate and prevent copyright infringement ex ante; rather they are primarily aimed at detecting evidence of such infringement ex post facto. Obviously, though, the publicity that the surveillance is given, along with the publicity given to subsequent prosecution of alleged pirates, is aimed at deterring future copyright infringement.

21 Further on the mechanics of this surveillance, see Sonia K Katyal, 'Privacy vs. Piracy' (2005) 7 Yale Journal of Law & Technology 222, 293-304.

4.3. IP vs I(S)P

A major hindrance for IPR-holders' surveillance-based battle against digital piracy is that the evidence they initially capture of putative piracy is usually, on its face, linked only to Internet Protocol (IP) addresses, not persons. As elaborated below, IPR-holders have also struggled to acquire additional information enabling them to accurately identify the persons who are registered against IP addresses—that information being kept by Internet Service Providers (ISPs). These two layers of difficulty for IPR-holders translate into a form of privacy for Internet users.

Not surprisingly, much of the 'copywrath' of IPR-holders has ended up being directed at this form of privacy. Yet privacy more generally has come in the firing line too, not least because the battle against digital piracy has engendered a tendency to conflagrate privacy and piracy. This is particularly unfortunate as it buttresses the disingenuous (yet persistently common) argument that privacy does not matter if one has nothing to hide.22 The conflagration is not just the responsibility of IPR-holders; it is, paradoxically, reinforced by the fact that one of the most vocal pro-privacy political movements of recent years calls itself the 'pirate' movement and its various parties call themselves 'pirate' parties. In adopting such nomenclature, the movement is not only shooting itself in the foot but also doing disservice to attempts to impart understanding of the true societal value of privacy.

22 For an excellent debunking of the argument, see Daniel J Solove, '"I've Got Nothing to Hide" and Other Misunderstandings of Privacy' (2007) 44 San Diego Law Review 745; Daniel J Solove, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press 2011) ch 2.

As indicated above, the conflict that has emerged between copyright and data protection in recent years has increasingly centred around demands by IPR-holders and their agents to gain access to information as to the identities of the persons who, in their eyes, 'hide' behind the IP addresses that are assigned to devices connected to the Internet and that are engaged in file-sharing activities in purported breach of copyright. In this sense, IP (intellectual property) is pitted against IP (Internet protocol). More accurately, the former is pitted against the lack of a detailed identity layer within the protocol suite made up by the Internet protocol and its 'partner', the Transmission Control Protocol (TCP). The absence of sophisticated identification capabilities in the TCP/IP suite reflects the 'end-to-end' (e2e) design principle that is fundamental to the Internet's current architecture. The principle posits that the medium for data transmission should be kept simple and should focus only on moving data packets efficiently; 'intelligence' should be provided at the network 'endpoints'.23

23 For the seminal exposition of the principle, see JH Saltzer, DP Reed and DD Clark, 'End-to-end arguments in system design' (1984) 2 ACM Transactions on Computer Systems 277.

To overcome this 'dumbness' in Internet architecture, IPR-holders have been forced to go to ISPs for information as to the identities of their customers. Yet ISPs have frequently resisted disclosing that information, at least in the absence of a court order. For example, IKT Norge (the umbrella trade organisation for the Norwegian ICT industry) has strongly protested on behalf of major Norwegian ISPs against attempts to get them to disclose their customer identities upon request by the law firm that has acted as the local agent of IFPI and other IPR-holders.24 That law firm has been further frustrated by the requirement under Norway's Personal Data Act of 2000 that 'piracy surveillance' be licensed by the Norwegian Data Inspectorate (Datatilsynet). After initially granting the law firm temporary licenses to conduct such surveillance, the Inspectorate changed tack, largely on the basis of a legal technicality.25 The Inspectorate's refusal to renew the requisite license was appealed but upheld by a 5:2 majority of the Data Protection Tribunal (Personvernnemnda),26 thus bringing the law firm's registration of IP addresses to a halt.

24 IKT Norge, 'Internettleverandørene samlet mot urimelig krav', 21 April 2008, http://ikt-norge.no/2008/04/internettleverand%c3%b8rene-samlet-mot-urimelig-krav/.

The struggle of 'IP vs IP' has accordingly been also a struggle of 'IP vs ISP'. This is not the only front along which IPR-holders have battled to overcome e2e-based limitations on identification. Another front, for example, has been in relation to the 'Whois' service, which allows interested parties to find information about domain name registrants. A long-running struggle has gone on between IPR-holders, their representatives and law enforcement agencies on the one side and privacy advocates and data protection authorities on the other over the amount of Whois data that is to be registered and the criteria for its disclosure. That struggle has so far resulted in a stalemate over Whois policy development.27

25 This technicality is that a license may only be given to a data controller (behandlingsansvarlig)—ie an entity which determines the means and purposes of the processing of personal data (see Personal Data Act section 2(4)). A controller is to be contrasted with a data processor (databehandler)—ie an entity which processes personal data on behalf of a controller (section 2(5)). As it carried out its monitoring work on the initiative of and at the direction of IPR-holder organisations, the law firm was regarded by the Data Inspectorate as simply a data processor. The Inspectorate also took the view that a controller must have 'sivilprosessuell partsevne'—ie standing to bring a civil action for breach of its rights or to be sued for failing to observe its legal obligations—and that the law firm would not have this standing; rather it would be the IPR-holder organisations that do.

26 Decision of 21 March 2012 in case 2011-10, www.personvernnemnda.no/vedtak/2011_10.htm.

27 Further on the functions, regulatory framework and principal policy issues associated with the service, see Milton Mueller and Mawaki Chango, 'Disrupting Global Governance: The Whois service, ICANN and privacy' (2008) 5 Journal of Information Technology & Politics 303-325; Dana Irina Cojocarasu, Legal Issues regarding WHOIS Databases (Unipub / Norwegian Research Center for Computers and Law 2009).

4.4. IP vs I(S)P in law

An extensive range of legislation and an extensive amount of case law shape the linked struggles of 'IP vs IP' and 'IP vs ISP'. The law on point revolves around the lawfulness of monitoring net usage, gaining access to end-user identities, and ordering ISPs to block access to allegedly illegal file-sharing services. Data protection law figures centrally though is far from the only law on point. Remarkably, a large part of recent case law on data protection has been catalysed by IPR-holders. Who would have thought this would be the case back in the mid-1990s? As a privacy advocate, one can be disturbed by this litigation, but as a legal scholar or practitioner one can be grateful to IPR-holders for instigating judicial clarification of how some of the central rules in data protection legislation are to be understood and how they relate to other legal rules.

In the following, I canvass the basic bones of relevant European Union (EU) legislation, along with the main lines of the attendant case law. I omit consideration of regulatory developments outside Europe. A more comprehensive account would be desirable but go well beyond the permitted length of this paper. Even with the restriction of focus to EU law it becomes readily apparent that the relevant regulatory framework is exceedingly dense, intricate and complex, with a jungle of intersecting rules.28 The jungle metaphor is particularly apt given that litigation on point often involves swinging between numerous legal 'limbs'.

Provisions on fundamental human rights constitute an increasingly important element of the EU legal framework governing the struggles in issue. They are important because they now often determine the outcomes of the litigation. In other words, they have not only 'symbolic' significance but are also operationalized by the judiciary. The key provisions are found in the EU Charter of Fundamental Rights,29 which recognises protection of personal data as a fundamental right in itself (see Article 8; see too Treaty on the Functioning of the European Union Article 16), along with the more traditional right to respect for private and family life (Article 7). These rights reflect and build upon Article 8 of the European Convention on Human Rights and Fundamental Rights (ECHR),30 as construed and applied by the European Court of Human Rights (ECtHR). At the same time, Article 17(2) of the Charter stipulates that 'intellectual property shall be protected'. Thus, both the sets of rights at issue here have status as 'Grundnormer' in the EU's constitutional order.31

28 See too Giancarlo F Frosio, 'Urban Guerilla & Piracy Surveillance: Accidental Casualties in Fighting Piracy in P2P Networks in Europe' (2011) 37 Rutgers Computer & Technology Law Journal 1, 15 (describing the framework as 'chaotic').

29 [2000] OJ C364/1.

30 Convention for the Protection of Human Rights and Fundamental Freedoms (opened for signature 4 November 1950; in force 3 September 1953) ETS 5.

The EU Court of Justice (CJEU) has repeatedly made clear that neither set of rights is absolute nor to be given automatic priority over the other; rather, a 'fairbalance' must be struck between them.32 That balance involves respect for the principle of proportionality. In striking the bal- ance, or assessing whether the balance has been correctly struck by others, the CJEU also takes account of other rights and interests. These include the freedom (of end-users) to receive and impart information (a right enshrined in Article 11 of the Charter) and the freedom (of ISPs) to con- duct business (a right enshrined in Article16 of the Charter).33

The principle of proportionality is also manifestin EU legislation deal- ing directly with IPR enforcement. The Copyright Directive (2001/29/EC)34 permits injunctions to be ordered against ISPs to prevent copyright infringement (Article 8(3)) but requires sanctions to be 'propor- tionate' (Article 8(1)). Similarly,the IPR Enforcement Directive (2004/48/EC)35 stipulates that injunctions (permitted under Article 11) and other enforcement measures shall be, inter alia, 'fair and equitable and

31

32

33

34

35

Thesameapplieswithrespecttot

he ECHR framework, with the right to property enshrined in Article 1 of Protocol No 1 to the Convention. The ECtHR has made clear that this provision is also applicable to intellectual property:see its Grand Chamber judgment in Anheuser-Busch Incl v Portugal (2007) 45 EHRR 36, espe- cially para 72. See e.g. Case C-275/06 Productores de Música de España (Promusicae) v Telefónica de España SAU [2008] ECR I-271 paras62-68; Case C-70/10 Scarlet Extended v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) [2011] ECR I-0000 paras 43-45; Case C-461/10 Bonnier Audio AB and Others v Perfect Communica- tion Sweden AB [2012] ECR I-0000 para 56. See e.g. Scarlet Extended paras 49-53 (elaborated further below). Compare too recent case law of the ECtHR holding that enforcement of copyright in material distributed on the Internet must respect the right to freedom of expression in ECHR Article 10, though giving domestic authorities a broad margin of appreci-ation in how enforcement occurs: Ashby Donald and others v France App no 36769/08 (10 January 2013) especially paras 34, 38, 41 and 42; Neij and Sunde Kolmisoppi v Sweden App no 40397/12 (19 February 2013). Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ L167/10. Directive 2004/48/EC on the enforcement of intellectual property rights [2004] OJ L157/45 and OJ L195/16.


IP VS I(S)P IN LAW

not unnecessarily complicated or costly' (Article 3(1)); they shall additionally be 'proportionate and applied in such a manner as to avoid the creation of barriers to legitimate trade and to provide for safeguards against their abuse' (Article 3(2)).

The E-Commerce Directive (2000/31/EC)36 provides further insulation of ISPs from IPR-holders' demands, though the proportionality principle is not so obviously at work here. In effect, the Directive exempts ISPs from liability for transmitting or storing illegal content if they act as a mere conduit or cache for such activity and have no actual or constructive knowledge of the illegality of the material, or if they act quickly to remove the material once they do acquire such knowledge (Articles 12-14). Particularly important in the present context is that ISPs are not required to monitor content or otherwise actively look for indications of illegality (Article 15). This limitation on monitoring, though, applies 'only with respect to obligations of a general nature'; it does 'not concern monitoring obligations in a specific case and, in particular, does not affect orders by national authorities in accordance with national legislation' (recital 47 in the preamble).

Data protection statutes constitute another important category of rules shaping the 'IP vs I(S)P' struggle(s). The chief instruments here are the Data Protection Directive (95/46/EC)37 and Electronic Communications Privacy Directive (2002/58/EC)38, together with national legislation transposing their rules. A threshold issue for the application of these instruments is whether IP addresses may constitute 'personal data'—that is, whether the data can be linked, directly or indirectly, to an individual natural/physical person. The issue is complex and involves addressing multiple criteria.39 Legal scholars and data protection authorities have generally taken the view that IP addresses are personal data,40 while courts have been

36 Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market [2000] OJ L178/1.

37 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31.

38 Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L201/37.

39 See further Bygrave (n 9) 41-50, 210-215, 315-319.

40 See e.g. Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data ('Article 29 Working Party'), 'Opinion 4/2007 on the concept of personal data' (20 June 2007) WP 136, 16,


divided. This division, though, partly reflects differences in statutory definitions of 'personal data'. For instance, the Irish High Court has ruled that, for the purposes of the Irish Data Protection Act 1988 (as amended), an IP address gathered on behalf of IPR-holders is not personal data in the hands of the latter when it is unlikely they will attempt to find the name and contact details of the person behind the address.41 The Act defines 'personal data' as '[d]ata relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller' (section 1); in other words, the controller (in this context, an IPR-holder) is the only legally relevant agent of identification. This is in contrast to the equivalent definition in the Data Protection Directive which requires account to be taken of the means of identification likely reasonably to be used not just by the controller but by 'any other person' (recital 26 in the preamble; see too Article 2(a)). National courts applying the latter definition (or national legislation that faithfully transposes it) have often (though not always)42 regarded IP addresses in the hands of IPR-holders as 'personal data' if an ISP can (without huge effort) make the necessary connection between the addresses and particular persons.43 The

http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf. Cf. Jean-Philippe Moiny, 'Are Internet Protocol Addresses Personal? The Fight Against Online Copyright Infringement' (2011) 27 Computer Law & Security Review 348-361 (arguing that while IP addresses will frequently qualify as 'personal data', they will not always qualify as such, and that assessment of their status must ultimately involve a contextual analysis).

41 EMI Records and Others v Eircom Ltd [2010] IEHC 108 [24]-[25]. Here, the IPR-holders were seeking injunctive relief from an ISP whereby the latter was being requested to restrict Internet access for those of its customers who persistently infringe copyright. The judge noted that 'the plaintiffs have left behind what they reasonably regard as an expensive and futile pursuit of the identity of copyright tortfeasors in favour of injunctive relief that has been expressed as a protocol to choke off the problem in a three stage process that never involves the identification of any wrongdoer' [24].

42 See e.g. decision of 27 April 2007 by the Paris Court of Appeal in Anthony G v Société Civile des Producteurs Phonographiques (SCPP) and its decision of 15 May 2007 in Henri S v SCPP; both decisions available via <http://www.legalis.net>.

43 See e.g. decision of 8 September 2010 by Switzerland's Federal Supreme Court (Bundesgericht) in Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) v Logistep (case 1C-285/2009) (available at <http://jumpcgi.bger.ch/cgi-


CJEU has also repeatedly taken the line that IP addresses are personal data. In doing so, it has failed to clearly distinguish the status of IP addresses vis-à-vis IPR-holders and their status vis-à-vis ISPs—which arguably implies that the distinction is legally irrelevant.44

In addition to their status as 'personal data' under data protection legislation, IP addresses qualify as 'traffic data' for the purposes of the Electronic Communications Privacy Directive. Article 5(1) of the Directive affords some protection of their confidentiality, while Article 6 places limits on their use and storage for purposes other than subscriber billing and interconnection payments. In some jurisdictions, these protections have had bite in frustrating IPR-holders' campaign against digital piracy.45 Yet broadly formulated derogations under Article 15(1) of the Directive and Article 13(1) of the Data Protection Directive may—and, in many jurisdictions, do—render these protections largely nugatory. The controversial Data Retention Directive (2006/24/EC)46 is one manifestation of these derogations. It requires EU member states to ensure that providers of public electronic communications networks store traffic data for a minimum of 6 months and maximum of 2 years (Article 6) in order to facilitate 'the investigation, detection and prosecution of serious crime' (Article 1(1)). However, at the time of writing, national transposition of the Directive has

bin/JumpCGI?id=08.09.2010_1C_285/2009>); decision of 8 June 2007 by the Stockholm Administrative Court of Appeal (Kammarrätten) in Case 285/07—upheld by the Swedish Supreme Administrative Court (Regeringsrätten) in decision of 16 June 2009 (Case 3978-07) (both decisions available at <http://arkiv.idg.se/it24/SthlmRRejpt_3978_07.pdf>).

44 See e.g. Promusicae para 45; Scarlet Extended para 51; Bonnier Audio para 52.

45 See e.g. decision of 14 July 2009 by the Austrian Federal Supreme Court (Oberster Gerichtshof) in Case 4 Ob 41/09x; available at <http://www.internet4jurists.at/entscheidungen/ogh4_41_09x.htm>. Here the Court held that IP addresses, as traffic data, were subjected to special protection under Austria's Telecommunications Act 2003 section 99 (which transposes Article 6 of the Electronic Communications Privacy Directive) (see particularly para 5.4 of the judgment). Under Austrian criminal law at the time, copyright infringement was not sufficiently serious to permit disclosure of traffic data to IPR-holders. For further discussion, see Frosio (n 25) 27-30.

46 Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L105/54.


been very uneven,47 with transposing legislation not yet in force in all EU Member States (or, indeed, in all Member States of the European Economic Area—Norway being an example here).

The requirements under the Data Retention Directive concern ISPs as providers of publicly available electronic communications services or networks. IP address retention may also be independently undertaken by 'information society service providers' (eg Facebook) more generally under their contractual terms of service. This possibility is reinforced by Article 15(2) of the E-Commerce Directive which stipulates that 'Member States may establish obligations for information society service providers to communicate to the competent authorities, at their request, information enabling the identification of recipients of their service with whom they have storage agreements'.

The above presentation of legislation and case law is far from exhaustive. Further, in some EU Member States, the 'IP vs I(S)P' struggle(s) will also be shaped by 'home-grown' rules. For example, in the common law jurisdictions of Ireland and the United Kingdom, ISPs may be required to disclose the names and addresses of Internet end-users suspected of piracy, pursuant to so-called 'Norwich Pharmacal Orders'.48 The Irish High Court, for instance, has applied such an order in a case dealing with prosecution of digital piracy.49 Some scholars argue that the practice fails to accord due respect to the right to privacy.50 However, courts have indicated that they will exercise caution before applying an order—'to make sure that privacy rights are invaded in the most minimal way'.51

47 See further European Commission, 'Evaluation report on the Data Retention Directive (Directive 2006/24/EC)' COM (2011) 225 final.

48 These are orders named after a judgment of the House of Lords (now Supreme Court) in Norwich Pharmacal Company and Others v Customs and Excise Commissioners [1974] AC 133 which established the following principle: 'If through no fault of his own a person gets mixed up in the tortious acts of others so as to facilitate their wrongdoing, he may incur no personal liability, but he comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers' (per Lord Reid at 175).

49 See e.g. the judgment of the Irish High Court in EMI Records (Ireland) Ltd and Others v Eircom Ltd and Another [2005] IEHC 233.

50 See e.g. Frosio (n 25) 52-55.

51 See BMG Canada Inc v Doe (2005) FCA 193 [42] (per Sexton JA); cited with approval by Kelly J in EMI Records (n 46).


From a privacy and data protection perspective, the highpoint in CJEU jurisprudence dealing with the 'IP vs I(S)P' conflict(s) is the Scarlet Extended judgment. The case is also worth elaborating on as it pertinently exemplifies the interplay of the multiplicity of rules outlined above. It deals with the lawfulness of a requirement, sought for by IPR-holders, that an ISP introduce a system for systematically monitoring and filtering all of its customers' Internet usage, at its own expense and for an unlimited period of time. In effect, the system called for the application of relatively fine-grained 'deep packet inspection' (DPI) whereby the ISP would be able to identify not just the presence of P2P file sharing but also the transfer of particular files containing works in which copyright inheres, and then to block such dissemination.52

In assessing the lawfulness of the required system, the CJEU reiterated its earlier decisions holding that protection of IPR, while a fundamental right, must be fairly balanced with other fundamental rights. It found that the required system would detrimentally affect not just end-user rights to privacy and data protection but also their rights to freedom of expression. Regarding the latter, the Court noted, inter alia, that the system might not adequately cater for statutory exceptions to copyright and national variations in those exceptions; thus, the system 'might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications' (para 52). The Court held too that the system seriously impinged on the ISP's freedom to conduct business as it necessitated the ISP 'to install a complicated, costly, permanent computer system at its own expense'.

In so doing, the Court observed, the system would also breach Article 3(1) of Directive 2004/48 (requiring that IPR enforcement measures not be unnecessarily complicated or costly). The Court also found that the system would be contrary to Article 15(1) of the E-Commerce Directive (prohibiting imposition of general monitoring obligations on ISPs). In light of all these considerations, the Court held that the required system did not strike a fair balance between the various rights concerned. A subsequent case

52 Further on the mechanics of DPI in the context of copyright enforcement, see Milton Mueller, Andreas Kuehn and Stephanie Michelle Santoso, 'Policing the Network: Using DPI for Copyright Enforcement' (2012) 9 Surveillance & Society 348, 350-351 and references cited therein.


dealing with imposition of a similar system on the provider of an online social networking service ended with the same result.53

The SABAM suite of cases is particularly striking for demonstrating preparedness on the part of the CJEU to make the proportionality principle bite. Rather than leaving the requisite proportionality assessment to the national authorities, the Court itself carried out the assessment and did so stringently. The judgments thus stand in marked contrast to earlier jurisprudence, such as the Promusicae decision, in which the Court took a backseat role in assessing proportionality.54

Some scholars have gone so far as to proclaim that the SABAM cases constitute 'the death sentence for the extreme, inside-the-network approach to network surveillance for copyright enforcement'.55 I harbour doubts, though, as to the strength of the barrier that the CJEU has erected against DPI-based surveillance schemes. A less 'open-ended' scheme in which ISPs do not have to bear the bulk of costs might jump the barrier; a fortiori were the scheme also specifically authorised by a statute with clear, transparent and predictable rules. In his Opinion in Scarlet Extended, Advocate General Cruz Villalón emphasized the need for this sort of statutory basis before the system in question could be permitted.56 The CJEU did not address this point, though the necessity of clear and predictable legal authority for such a system follows from ECHR Articles 8(2) and 10(2) as construed by the ECtHR.57

53 Case C-360/10 SABAM v Netlog [2012] ECR I-0000.

54 See too Charlotte Tranberg Bagger, 'Proportionality and data protection in the case law of the European Court of Justice' (2011) 1 International Data Privacy Law 239 (describing a similar progression in CJEU jurisprudence in other areas of data protection).

55 Mueller and others (n 52) 356.

56 Opinion of 14 April 2011, paras 93ff.

57 At the risk of spelling out the obvious, these provisions stipulate that interference with the rights set out in their respective first paragraphs is only justified when, inter alia, they are 'in accordance with the law'. The latter criterion means that interference must have a basis in law and the legal measure concerned must satisfy the ideals of 'rule of law'—that is, be accessible to the person(s) concerned and sufficiently precise to allow the person(s) reasonably to foresee its consequences. See e.g. Sunday Times v United Kingdom (1979) 2 EHRR 245 para 49; Malone v United Kingdom (1984) 7 EHRR 14 paras 66-68. See too the case references in the Opinion of Advocate General Cruz Villalón (n 52) paras 94ff.


4.5. The future: IP + ISP (+DPI?)

This paper has shown how the tension between copyright and data protection has gradually shifted focal point over the past fifteen years. Whereas a decade ago that focal point was the rollout of DRMS, it subsequently became piracy surveillance. With this shift, the tension between copyright and data protection flowed over into the relationship between IPR-holders and ISPs. However, some of the heat in the latter relationship is dissipating.

We see in the USA clear manifestation of this dissipation with the recent agreement between five major ISPs (AT&T, Comcast, Time Warner Cable, Verizon and Cablevision) and the RIAA and MPAA to set up a Center for Copyright Information (CCI) that operates a Copyright Alert System (CAS). The initiative establishes a 'graduated response' scheme for IPR enforcement whereby end-users suspected of engaging in copyright infringement are to receive a series of warnings to stop their apparently illicit behaviour and, in the event of recalcitrance, face more serious sanctions.58 Of particular importance is that this sort of scheme presupposes a relatively cordial relationship between ISPs and IPR-holders—copyright enforcement becomes a shared effort between allies rather than adversaries. This is not to suggest that ISPs have embraced or will embrace this alliance with wholehearted enthusiasm. The agreement forged in the USA was the result of considerable pressure being applied not just from IPR-holders but also from government.59 Further, 'it is a very soft agreement that gives ISPs near total discretion'.60 Yet it also reflects nascent corporate convergence of network providers and content providers—the merger of Comcast and NBC Universal being a case in point.61

In some jurisdictions, though, ISPs are in any case being forced to cooperate pursuant to legislatively mandated graduated response schemes—the case, for instance, in South Korea, New Zealand, UK and France.

58 Further on the scheme, see Annemarie Bridy, 'Graduated Response American Style: "Six Strikes" Measured Against Five Norms' (2012) 23 Fordham Intellectual Property, Media & Entertainment Law Journal 1-66.

59 Ibid 4-5.

60 Mueller and others (n 52) 362.

61 Bridy (n 58) 5.


These developments are likely to lead to a realignment of the relative strength of copyright and data protection in the years ahead. Besides the fact that graduated response schemes help to 'normalise' surveillance on the Internet,62 they weaken the privacy-protective role that ISPs have (incidentally or intentionally) played. Even in countries that have not (yet) embraced such schemes, moves are afoot to weaken barriers to piracy surveillance which arise from data protection law. The Norwegian Parliament, for example, is currently considering a legislative bill aimed at circumventing the limitations imposed by data protection law on piracy surveillance. The bill proposes, inter alia, removing such surveillance from the licensing requirements of the Personal Data Act and providing a specific legal footing for it pursuant to proposed new provisions in the Intellectual Property Act of 1961.63

Yet advocates of strong data protection can continue to take some comfort in the fact that DPI-based surveillance schemes seem still not to be widely used in the service of IPR enforcement, at least in Europe and the USA; piracy surveillance there continues to be 'over the top' rather than carried out by ISPs as part of their network management.64 While ISPs commonly use DPI-based 'traffic management practices' to regulate P2P traffic on their networks,65 these practices appear not to be harnessed to specifically target copyright infringement. This is due to a combination of economic and legal factors. Especially important has been the lack of any compelling commercial incentive for ISPs to conduct DPI for purposes other than management of their own network traffic, combined with disjuncture between most ISPs' business interests and those of IPR-holders.66

Moreover, DPI use going further than what is necessary for their own operational needs risks stripping ISPs of their immunity from legal liabilities as intermediaries: in the words of Marsden, DPI is 'something of a Pandora's box—if they [ISPs] look inside, all liabilities flow to them, from child pornography to terrorism to copyright breaches to libel to privacy breaches'.67 The proportionality principle as applied in the SABAM suite of cases is yet another restraining factor, at least in Europe.

However, as pointed out above, the barrier erected by that suite of cases against DPI surveillance is far from insurmountable. If OTT surveillance fails to deliver satisfactory results for IPR-holders, they will probably bring their considerable resources to bear on legislators to introduce statutory, DPI-based control schemes. Such schemes are likely to pass judicial muster by the CJEU and ECtHR if their statutory framework meets the 'rule of law' requirements flowing from, inter alia, ECHR Articles 8(2) and 10(2), and does not require ISPs to bear the bulk of additional costs involved. That cost reduction will undoubtedly weaken ISPs' resistance to introducing such a framework. Their resistance, at least as an industry group acting in unison, will further decrease if, as is probable, more of them have entered into the business of content production. Civil society groups campaigning for privacy and data protection are accordingly likely to fight their coming battles over DPI with significantly less ISP support.

62 See Trisha Meyer and Leo Van Audenhove, 'Surveillance and Regulating Code: An Analysis of Graduated Response in France' (2012) 9 Surveillance & Society 365, 375.

63 Prop 65 L (2012-2013), Endringer i åndsverkloven (tiltak mot krenkelser av opphavsrett m.m. på Internett).

64 See also Bridy (n 57) especially 44ff; Mueller and others (n 52) especially.

65 See e.g. Body of European Regulators for Electronic Communications (BEREC), 'BEREC preliminary findings on traffic management practices in Europe show that blocking of VoIP and P2P traffic is common, other practices vary widely', press release 6 March 2012; http://berec.europa.eu/doc/2012/TMI_press_release.pdf.

66 For further elaboration of these and related factors, see Mueller and others (n 52).

67 Christopher T Marsden, Net Neutrality: Towards a Co-Regulatory Solution (Bloomsbury Academic 2010) 72.
