Today the English Court of Appeal handed down its judgment in British Telecommunications plc and TalkTalk Telecom Group plc v Secretary of State for Culture, Olympics, Media and Sport EWCA Civ 232. BT and TalkTalk had sought judicial review of the Graduated Response provisions of the Digital Economy Act 2010 (DEA) and the statutory instrument dealing with the costs of the process. On 20 April 2011, Mr Justice Kenneth Parker had handed down a judgment rejecting all the ISPs' complaints about the DEA, but striking down part of the costs order (see my post of that date). Today the Court of Appeal dismissed the ISPs' appeal in respect of the DEA, but struck down a slightly wider portion of the costs order. In the course of doing so, they made some important observations about the consistency of Graduated Response with the EU's data processing rules, giving a no doubt unintentional sideswipe to Peter Hustinx, the ubiquitous European Data Protection Supervisor.
The ISPs' challenge to the DEA on appeal was as follows:
(1) the DEA was a "draft technical regulation" that should have been notified to the European Commission under the Technical Standards Directive 98/34/EC. Rejecting this, the Court of Appeal held that it was the Code of Initial Obligations, on which Ofcom has been working, that was the "technical regulation". The DEA itself was more in the nature of enabling legislation which did not produce binding legal effects on individuals.
(2) the DEA was incompatible with the Electronic Commerce Directive 2000/31/EC, because (a) it would render ISPs potentially "liable for the information transmitted", contrary to the "safe harbour" in Article 12; and (b) it amounted to a restriction on the freedom to provide information society services from other Member States within the field exclusively governed by the Directive. The Court of Appeal held that the DEA did not make the ISPs liable for the "information transmitted" - that referred to liability arising from the "information", such as copyright infringement liability, not regulatory obligations. In any case, the Directive explicitly provided that it did not "affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement". That was exactly what the DEA did. On the preemption point, the Court observed that the Annex to the Directive explicitly excluded "copyright" from the exclusive field of the Directive.
(3) the DEA was incompatible with the Data Protection Directive 95/46/EC (DPD) and the Privacy and Electronic Communications Directive 2002/58/EC (PECD). As to the DPD, right holders using the procedure would violate the data processing rights of subscribers by gathering their IP addresses and information about their allegedly infringing activity. However, the Court of Appeal rejected the proposition that there would be any illegality in such evidence collection, as processing is permitted under the DPD if it "is necessary for the establishment, exercise or defence of legal claims" (Article 8(2)(e)) - which was the present case. As for the PECD, which regulates the processing of "traffic data", any processing fell within an exception under Article 15. Referring to the ECJ decision in Productores de Musica de España (Promusicae) v Telefonica de España Case C-275/06, the Court of Appeal held that the processing of traffic data was permitted for the purpose of the protection of the rights and freedoms of others, including the protection of the right to property. The DEA was enacted for that purpose and its operation entailed no impermissible data processing.
(4) the DEA was inconsistent with the Authorisation Directive 2002/20/EC (as amended in 2009) on the freedom to operate in the telecommunications sector. The ISPs contended that the copyright protection provisions fell within the Directive's definition of a "general authorisation" and so should have been included in the general licensing arrangements for ISPs, not in separate legislation; and that in any case the copyright protection provisions were conditions attached to the ISPs' general authorisation that fell outside the list of conditions permitted under the Directive. The Court of Appeal held that there was no obligation to include all authorisation provisions in the "general authorisation", at least in relation to national measures intended "to pursue general interest objectives, in particular relating to content regulation and audio-visual policy" (referring to Article 1(3) of the Framework Directive 2002/21/EC on telecoms regulation); and in any case the DEA fell within the list of permitted conditions set out in the Annex to the Authorisation Directive, being "Restrictions in relation to the transmission of illegal content, in accordance with [the Electronic Commerce] Directive 2000/31/EC". BT and TalkTalk also attempted to argue that it was discriminatory and disproportionate to exclude smaller ISPs and mobile providers from the scheme. The ISPs affected have some 93.4% of the market, so the Court gave this short shrift.
The Court of Appeal therefore rejected all the ISPs' arguments relating to the substance of the DEA. On the question of the costs of operating the procedure, they agreed with the ISPs that it was inconsistent with the Authorisation Directive to impose on them any of the costs of the appeals body set up to handle subscriber appeals. It had been intended that ISPs would bear 25% of those costs. Now right holders will presumably be expected to fund 100%.
And what about the European Data Protection Supervisor, Peter Hustinx? The EDPS, a crusader for ever-widening application of data privacy rules, issues Opinions on matters of public policy, whether requested to do so or not. In June 2010 he saw fit to issue an Opinion "on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA)".
The Opinion recites that "the EDPS particularly regrets that he was not consulted by the European Commission on the content of such an agreement." Nothing daunted, Mr Hustinx issued his Opinion anyway, expatiating on the data privacy and human rights evils of the Graduated Response, which at that time some thought might be included in the treaty (it was not, as it turned out).
The judicial view is one of the many hardships that data privacy officials have to bear in the course of their important work. In the BT case, the Court of Appeal did refer to the Opinion of the EDPS. Suffice it to say, it did not carry the day:
"I should mention for completeness that the appellants placed reliance in this context on an Opinion dated 22 February 2010 of the European Data Protection Supervisor ("the EDPS") on then current negotiations by the EU of an Anti-Counterfeiting Trade Agreement with third countries. We were told by [Counsel] that the Opinion was provided by the EDPS of his own motion and was based on the EDPS's own understanding of what was then proposed. At paragraph 52 of the Opinion, in relation to the possible imposition on ISPs of a "three strikes internet disconnection policy", the EDPS acknowledged that the collection of targeted, specific evidence, particularly in cases of serious infringements, might be necessary to establish and exercise a legal claim, but he cast doubt on the legitimacy of wide-scale investigations involving the processing of massive amounts of data of internet users. It is not clear that he had Article 8(2)(e) of the DPD specifically in mind, but if he did it is difficult to see why the applicability of that provision should depend on the scale of the operation. In any event the view expressed by the EDPS is not binding on us and it does not cause me to alter my own view that the processing in this case would fall within Article 8(2)(e)."