Posted on July 9, 2011 by Winston Maxwell

Privacy v. Anti-Piracy: Content Owners Warned to Supervise Anti-Piracy Monitor to Ensure Privacy

The anti-piracy efforts of the content industry in France recently resulted in a warning from French authorities that, when policing online piracy through use of a third-party contractor, privacy must be respected and enforced. 

The French agency entrusted with fighting online copyright infringement, the HADOPI, sends warning letters to suspected online infringers after receiving IP addresses collected by right holders. Right holders use a service provider, TMG, to collect these IP addresses. Before putting the system in place, right holders obtained an authorization from the French data protection authority, the CNIL, allowing them to collect IP addresses for this purpose.

May 16, 2011, a third party notified the CNIL of a data security breach at TMG. This triggered a security audit by the CNIL, which vulnerabilities in the TMG system, including insufficient procedures for updating computer facilities, faulty physical security measures, and the absence of any formal procedure for ensuring that security rules are applied in practice. The CNIL also found that TMG had failed to comply with its obligations to make notifications to the CNIL and had not put into place procedures to limit the period of time during which data are retained.

The CNIL issued a formal warning, giving TMG three months to correct all the measures of non compliance identified during the audit. The CNIL issued a press release on July 6, 2011 announcing the TMG audit and security deficiencies. The CNIL indicated in its press release that it had also issued a formal warning to the right holders who had entered into the contract with TMG. The right holders are the “data controllers” and are responsible for ensuring that their subcontractor TMG complies with data security obligations under French law. The CNIL has substantially increased the number of audits it conducts, and  the audits are often triggered after a third party notifies the CNIL of security breaches.
Tags: , , , , , , ,
Posted on September 23, 2009 by Winston Maxwell

Amendment to French HADOPI "three strikes" law adopted by parliament

This past June France enacted an Internet anti-piracy law commonly known as the "HADOPI" or "three strikes" law, because after a certain number of warnings an online infringer's Internet access would be cut off.   On June 10th, the French Constitutional Court found a portion of the law unconstitutional.  Specifically, the court held that because terminating an individual's Internet access affects that individual's right to free expression, a fundamental right, a decision to terminate access must be made by a court after a careful balancing of interests.  Because the HADOPI law gave Internet access termination power to an agency, the court held that grant of authority unconsitutional.  Further background on this decision can be found in our update on the HADOPI law and the French Consitutional Court's decision .

On September 22, 2009, the French parliament passed a bill intended to remedy the enforcement gap left by the court's decision.  This bill, known as HADOPI 2,  empowers French courts, instead of the HADOPI administrative agency, with the authority to cut off the Internet access of copyright infringers or of individuals who are manifestly negligent in their duty to protect their broadband access line against illegal downloading.

The cornerstone of the new law is an affirmative duty imposed on French broadband subscribers to take measures to ensure that their broadband access is not used for infringing file sharing.  If the subscriber ignores this duty and the broadband access is used for illegal downloading, the subscriber of the line may have his or her Internet access cut off for a limited time.  If the subscriber installs certain approved protection technologies (and no one is yet sure what those technologies will be), the subscriber will be deemed to have fulfilled his or her duty of care.

The new law, like the first HADOPI law, will be scrutinized by the Constitutional Court, so the game's not over yet.  

Later this fall, the French government will publish several decrees intended to define how the new administrative authority authorized by HADOPI will operate, as well as how the privacy aspects of this law (for example, the handling of IP addresses) will be dealt with.  The French CNIL will need to authorize copyright societies to collect IP addresses and send them to the new administrative authority.

Further background reading on this topic can be found in the English translation of the French Constitutional Court's June 10, 2009 decision, which contains fascinating language on the appropriate balance between copyright, privacy and freedom of expression.  It is similar to the European Court of Justice's decision in the Promusicae case:  none of the rights is absolute, a balancing between copyright and privacy is permitted, but it has to be done with care.  For those of you wondering whether the right to privacy is part of the French constitution, it is, as set forth in paragraph 22 of the French Constitional Court's decision.

French speakers can read here the text of HADOPI 2 law, or watch the video of  French Minister of Culture, Frédéric Mittérand's opening statement before the National Assembly
Tags: , , , , , , ,