Monday 16 July 2012

Irish Data Protection Commissioner fails to halt GR

The Irish High Court recently applied CJEU jurisprudence to quash a direction of the Data Protection Commissioner that sought to prevent ISP Eircom operating a voluntary Graduated Response scheme. This continues the trend of judicial disregard for the fulminations of the Article 29 Group and their lay followers.

In January 2009, the Irish Recorded Music Association, representing record labels, settled an injunction claim against Eircom, the leading Irish ISP, on the basis that the latter would implement a Graduated Response scheme. The compatibility of the scheme was tested in proceedings before the High Court (EMI Records & Ors -v- Eircom PLC [2010] IEHC 108 (16 April 2010)). However, it was subsequently held that there was no jurisdiction under the Irish Copyright and Related Rights Act 2000 to issue an injunction against an ISP requiring the prevention of infringements by subscribers (EMI Records [Ireland] Ltd & Ors -v- UPC Communications Ireland Ltd [2010] IEHC 377 (10 November 2010)). Eircom said that it would continue, however, to perform the terms of its compromise agreement and apply the Graduated Response in the case of detected infringements (Eircom press release, 8 December 2010). (The Irish Government has recently amended the 2000 Act to correct this gap in its implementation of Article 8(3) of the 2001 Directive on Copyright in the Information Society.)

On 11 January 2012, however, the Irish Data Protection Commissioner issued a direction to Eircom instructing it to desist from operating its graduated response scheme, citing violations of data processing law. This provoked an application for judicial review by the record companies party to the scheme (EMI Records (Ireland) Ltd v Data Protection Commissioner [2012] IEHC 264). On 27 June 2012, Mr Justice Charleton, granted the application, quashing the direction. Charleton J held that the Commissioner’s sketchy reasons for issuing the direction were misconceived. Reviewing recent decisions of the Court of Justice of the European Union, he held that the operation of a Graduated Response scheme did not per se violate data protection law, and that to the limited extent the Commissioner had given reasons for his direction, he had misunderstood the law.

It seems that the judges, both national and supra-national, continue to upset the assumptions of the online privacy lobby.





Sunday 8 April 2012

Online piracy declines in France - but by how much?

HADOPI, the High Authority responsible for implementing the Graduated Response in France, has marked its first 18 months in operation by publishing a report on the changing level of online infringement. Although the downward trend is clear, the report offers four different measurements of the decline. Using panel surveys, the fall in P2P infringement over the 12 months of 2011 was either 17% (Neilson) or 29% (Médiamétrie). Studies based on the analysis of actual network traffic, on the other hand, indicated a fall of 43% (Peer Media Technologies) or 66% (ALPA - the French anti-piracy association for film).

This divergence may not be as perplexing as it first seems. The user surveys indicate the number of visitors to pirate sites, not the number of downloads per visitor. In relation to the network surveys, the Peer Media figure of 43% represents initiated downloads of a rolling slate of the top 200 to 300 films. The ALPA figure of 66% represents completed downloads of the top ten films (also a rolling slate). Many downloads are not completed; and the top 10 titles are much more in demand than the top 300, so a decline in the overall level of P2P infringement would be expected to have a proportionately greater effect on the most popular (and profitable) titles.

Coupled with the recent academic analysis of Dr Danaher and colleagues (a recent video presentation from Canada Music Week here), this evidence tends to support the proposition that HADOPI is succeeding. Its leadership may relieved that they have been able to reach such a point before the presidential election, the first vote in which takes place on 22 April. Under a Président Hollande, HADOPI's continued existence would surely be in question, even if the candidate of the Partie Socialiste has become increasingly nuanced on the subject.

Tuesday 6 March 2012

English Court of Appeal upholds the Digital Economy Act; slaps down the European Data Protection Supervisor

Today the English Court of Appeal handed down its judgment in British Telecommunications plc and TalkTalk Telecom Group plc v Secretary of State for Culture, Olympics, Media and Sport [2012] EWCA Civ 232. BT and TalkTalk had sought judicial review of the Graduated Response provisions of the Digital Economy Act 2010 (DEA) and the statutory instrument dealing with the costs of the process. On 20 April 2011, Mr Justice Kenneth Parker had handed down a judgment rejecting all the ISPs' complaints about the DEA, but striking down part of the costs order (see my post of that date). Today the Court of Appeal dismissed the ISPs' appeal in respect of the DEA, but struck down a slightly wider portion of the costs order. In the course of doing so, they made some important observations about the consistency of Graduated Response with the EU's data processing rules, giving a no doubt unintentional sideswipe to Peter Hustinx, the ubiquitous European Data Protection Supervisor.

The ISPs' challenge to the DEA on appeal was as follows:

(1) the DEA was a "draft technical regulation" that should have been notified to the European Commission under the Technical Standards Directive 98/34/EC. Rejecting this, the Court of Appeal held that it was the Code of Initial Obligations, on which Ofcom has been working, that was the "technical regulation". The DEA itself was more in the nature of enabling legislation which did not produce binding legal effects on individuals.

(2) the DEA was incompatible with the Electronic Commerce Directive 2000/31/EC, because (a) it would render ISPs potentially "liable for the information transmitted", contrary to the "safe harbour" in Article 12; and (b) it amounted to a restriction on the freedom to provide information society services from other Member States within the field exclusively governed by the Directive. The Court of Appeal held that the DEA did not make the ISPs liable for the "information transmitted" - that referred to liability arising from the "information", such as copyright infringement liability, not regulatory obligations. In any case, the Directive explicitly provided that it did not "affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement". That was exactly what the DEA did. On the preemption point, the Court observed that the Annex to the Directive explicitly excluded "copyright" from the exclusive field of the Directive.

(3) the DEA was incompatible with the Data Protection Directive 95/46/EC (DPD) and the Privacy and Electronic Communications Directive 2002/58/EC (PECD). As to the DPD, right holders using the procedure would violate the data processing rights of subscribers by gathering their IP addresses and information about their allegedly infringing activity. However, the Court of Appeal rejected the proposition that there would be any illegality in such evidence collection, as processing is permitted under the DPD if it "is necessary for the establishment, exercise or defence of legal claims" (Article 8(2)(e)) - which was the present case. As for the PECD, which regulates the processing of "traffic data", any processing fell within an exception under Article 15. Referring to the ECJ decision in Productores de Musica de España (Promusicae) v Telefonica de España Case C-275/06, the Court of Appeal held that the processing of traffic data was permitted for the purpose of the protection of the rights and freedoms of others, including the protection of the right to property. The DEA was enacted for that purpose and its operation entailed no impermissible data processing.

(4) the DEA was inconsistent with the Authorisation Directive 2002/20/EC (as amended in 2009) on the freedom to operate in the telecommunications sector. The ISPs contended that the copyright protection provisions fell within the Directive's definition of a "general authorisation" and so should have been included in the general licensing arrangements for ISPs, not in separate legislation; and that in any case the copyright protection provisions were conditions attached to the ISPs' general authorisation that fell outside the list of conditions permitted under the Directive. The Court of Appeal held that there was no obligation to include all authorisation provisions in the "general authorisation", at least in relation to national measures intended "to pursue general interest objectives, in particular relating to content regulation and audio-visual policy" (referring to Article 1(3) of the Framework Directive 2002/21/EC on telecoms regulation); and in any case the DEA fell within the list of permitted conditions set out in the Annex to the Authorisation Directive, being " Restrictions in relation to the transmission of illegal content, in accordance with [the Electronic Commerce] Directive 2000/31/EC". BT and TalkTalk also attempted to argue that it was discriminatory and disproportionate to exclude smaller ISPs and mobile providers from the scheme. The ISPs affected have some 93.4% of the market, so the Court gave this short shrift.

The Court of Appeal therefore rejected all the ISPs' arguments relating to the substance of the DEA. On the question of the costs of operating the procedure, they agreed with the ISPs that it was inconsistent with the Authorisation Directive to impose on them any of the costs of the appeals body set up to handle subscriber appeals. It had been intended that ISPs would bear 25% of those costs. Now right holders will presumably be expected to fund 100%. 

And what about the European Data Protection Supervisor, Peter Hustinx? The EDPS, a crusader for ever-widening application of data privacy rules, issues Opinions on matters of public policy, whether requested to do so or not. In June 2010 he saw fit to issue an Opinion "on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA)". 

The Opinion recites that "the EDPS particularly regrets that he was not consulted by the European Commission on the content of such an agreement." Nothing daunted, Mr Hustinx issued his Opinion anyway, expatiating on the data privacy and human rights evils of the Graduated Response, which at that time some thought might be included in the treaty (it was not, as it turned out). 

The judicial view is one of the many hardships that data privacy officials have to bear in the course of their important work. In the BT case, the Court of Appeal did refer to the Opinion of the EDPS. Suffice it to say, it did not carry the day:

"I should mention for completeness that the appellants placed reliance in this context on an Opinion dated 22 February 2010 of the European Data Protection Supervisor ("the EDPS") on then current negotiations by the EU of an Anti-Counterfeiting Trade Agreement with third countries. We were told by [Counsel] that the Opinion was provided by the EDPS of his own motion and was based on the EDPS's own understanding of what was then proposed. At paragraph 52 of the Opinion, in relation to the possible imposition on ISPs of a "three strikes internet disconnection policy", the EDPS acknowledged that the collection of targeted, specific evidence, particularly in cases of serious infringements, might be necessary to establish and exercise a legal claim, but he cast doubt on the legitimacy of wide-scale investigations involving the processing of massive amounts of data of internet users. It is not clear that he had Article 8(2)(e) of the DPD specifically in mind, but if he did it is difficult to see why the applicability of that provision should depend on the scale of the operation. In any event the view expressed by the EDPS is not binding on us and it does not cause me to alter my own view that the processing in this case would fall within Article 8(2)(e)."



Tuesday 31 January 2012

HADOPI boosts legitimate sales

On 23 January 2012, the International Federation of the Phonographic Industry published its Digital Music Report 2012. Alongside news about the state of the online music business, the report referred to new research on the effect of the French HADOPI laws. In "The Effect of Graduated Response Anti-Piracy Laws on Music Sales: Evidence from an Event Study in France", US academics Brett Danaher and others examine iTunes sales data in France in the context of the enactment of the HADOPI laws. In a rather persuasive analysis, they find that HADOPI resulted in an increase in iTunes sales of some 22.5% for individual songs and 25% for albums. 

This research is unusual in that, on the basis of a powerful dataset, the academics were able to estimate the effect of enforcement measures on revenues. Almost all the prior research focused on the less immediate question whether illegal file sharing damaged legitimate sales.  Apart from oft-quoted (but discredited) papers by Oberholzer-Gee and Strumpf (2005 version), that research generally found a substantial effect on legal sales. However, unless enforcement makes a difference to sales, the question of damage is merely of academic interest to business people. The Danaher paper points out that its conclusions probably represent a minimum effect on the legitimate market, as there are legal music services other than iTunes which could be expected also to have benefited from HADOPI.

It will be interesting to see whether this transparent research will have any impact on the debate about online piracy, which has a theological, rather than a scientific, character. 

AG Szpunar extends a generous hand to foreign authors

In her IPKat article of yesterday, Pr of. Eleanor Rosati explains the Opinion of AG Szpunar, published on 5 September 2024, in the pending C...