“To each cow its calf and to every book its copy” – three strikes passes privacy muster in Ireland

Privacy issues raised by the settlement of the Irish peer-to-peer copyright litigation were dismissed by the Irish High Court in a decision made on 16 April.  This cleared the way to the implementation of the settlement between the music industry and Eircom, one of Ireland’s largest ISPs.

The settlement involves a so-called graduated response to suspected infringement by customers of ISPs.  The copyright owners use software to monitor peer-to-peer swarms and identify IP addresses of computers seeding or downloading files suspected to be infringing.  Those IP addresses are then provided to the ISP, who reconciles them to one of their customers.  On the first occasion the IP address is notified to the ISP, the ISP will send a warning notice to the customer on the next invoice.  On the second occasion a formal letter will be sent, in stronger terms than the initial warning.  Both these notices would be sent automatically without any human intervention by the ISP.  If there is a third occasion (which must be at least 14 days after the second occasion, to allow the customer time to change their conduct), an employee of the ISP would review the available evidence before a notice of intention to terminate is sent giving the customer 14 days in which to make representations as to why termination is inappropriate.  The user’s representation (if any) is considered by the ISP, not in consultation with the copyright owners.  Private matters involving extenuating circumstances, or material whereby it is claimed as a matter of fact that the infringement has not taken place at all, must be considered by the ISP.  Then, if that does not cause the consequences of the protocol to be diverted or postponed, the customer is cut-off from receiving internet service.

The Irish Data Protection Commissioner raised concerns that the graduated response model may contravene Irish privacy law (the Data Protection Act).  The court considered the 3 issues identified by the Commissioner (each of which is discussed below), and held that implementation of the settlement would not contravene the provisions of the Data Protection Act identified by the Commissioner, and may lawfully be implemented by the parties.

1. The IP addresses identified by the copyright owners were held not to be “personal data” for the purposes of the Data Protection Act, with the result that the legislation did not apply to the processing of those addresses by the copyright owners and their agents.  “Personal data” means “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come to into, the possession of the data controller.”  The critical passage of the judgment is as follows:

“[N]one of the plaintiffs have any interest in personally identifying any living person who is infringing their copyright by means of the settlement and protocol.  I do not regard it as at all likely that they will attempt in any way to use the IP address as supplied to them by [the software used to identify the IP addresses] of those engaged in illegal downloading in order to find out their names and addresses.  Further, since, on the affidavit evidence before me, the plaintiffs had previously engaged in expensive litigation against [the ISP] in order to find out who they are, there seems no legal avenue open to them to get that information apart from an application for the names and addresses of the copyright thieves to the internet service provider.  It is proved to me to be close to impossible that they could have recovered them by any easier or less pricey means.  Nor do any of the plaintiffs have any intention of engaging in any illegal activity.  Rather, the entire purpose of this litigation is to uphold the law.”

2.         The court also held that the use by the ISP of the customer details when sending the termination notice did not contravene section 2A of the Act and, in particular, was not “unwarranted [processing] by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject”.  There is no equivalent concept in Australia’s Privacy Act.  Here, Charleton J took the opportunity to discuss the importance of copyright in the Irish legal system.  He said that there was a fundamental right to copyright, and that the rights now enshrined in the Irish copyright legislation had a “pre-legislative origin and super-legislative effectiveness as part of the unenumerated fundamental rights under the Constitution”.  Against that backdrop, it is not surprising that he found that the use of customer information by the ISP was not “unwarranted”.

3.         The final issue considered by the court was whether the transmission of the IP addresses from the copyright owners to the ISP, and the subsequent use of the ISP to, potentially, terminate the customer’s account involved the processing of “sensitive personal data” for the reason that the data being processed concerned information about the commission of an offence or an alleged offence.  The Commissioner’s concern was that the termination of a customer’s account would be predicated on the customer in question having committed an offence (i.e. the uploading of copyright-protected material to a third party by means of a peer-to-peer application) but without any such offence having been the subject of investigation by an authorised body; and, further, without any determination having been made by a court of competent jurisdiction, following the conduct of a fair and impartial hearing, to the effect that an offence had in fact been committed.  Charleton J was not persuaded that this concern was valid.  The court’s view was that:

“in reality, no one is accusing anyone of an offence.  There is no issue as to anything beyond civil copyright infringement.  To accuse them of the criminal offence it would have to be copyright infringement together with the mental element expressly required by the crime.”

Accordingly, there was no “sensitive personal data” being handled by the copyright owners or the ISP.

[The quoted portion of this post’s title is an aphorism credited by Charleton J to Saint Columba (aka Saint Colmcille), who was apparently involved in a battle in which several people died sometime around AD 560 over the right to keep a copy of a book of psalms he had transcribed.]

Leave a Reply

Your email address will not be published. Required fields are marked *

10 + 16 =