EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office, prepared this entry.

On July 13, 2010, the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.

 

The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The retention periods differ from country to country, and the kinds of data to be retained are in many cases different. For pan-European communications providers, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice. 

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.

 

Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and TalkTalk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws (http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act).

 

Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope (http://news.cnet.com/8301-13578_3-10462117-38.html).

Second Circuit Rules Anonymity of Internet Users Not Protected by First Amendment

Thanks to Eric Bukstein in the Hogan Lovells privacy group for providing this report.

On May 3, 2010, in Arista Records v. Doe 3, a Second Circuit panel issued an opinion finding that an Internet user’s right to remain anonymous is not sufficient to prevent an ISP from revealing his identity in a copyright infringement dispute. The court held that a record label may subpoena information about Internet users connected to IP addresses if there is sufficient evidence that the IP addresses had been used to illegally share music. 

A group of record labels had evidence suggesting that specific IP addresses connected with the State University of New York at Albany (“SUNYA”) had been used to infringe on the record labels’ copyrights by sharing music on peer-to-peer networks. The record companies subpoenaed SUNYA for disclosure of the names and contact information of the individuals associated with the IP addresses. After being notified of the subpoena by SUNYA, the defendant moved to quash the subpoena, arguing that “the First Amendment affords a qualified right to use the Internet anonymously.” In the district court, both a magistrate judge and a district judge rejected this argument and refused to quash the subpoena.

In affirming, the Second Circuit held that “to the extent that anonymity is used to mask copyright infringement or to facilitate such infringement by other persons, it is unprotected by the First Amendment.” The court adopted a five-factor test set forth in a different case by the U.S. District Court for the Southern District of New York to determine whether an Internet user’s right to anonymity requires that a subpoena be quashed. These factors are:

           

(1) [the] concrete[ness of the plaintiff’s] showing of a prima facie claim of actionable harm, . . . (2) [the] specificity of the discovery request, . . . (3) the absence of alternative means to obtain the subpoenaed information, . . . (4) [the] need for subpoenaed information to advance the claim, . . . and (5) the [objecting] party’s expectation of privacy.

 

Sony Music Entertainment Inc. v. Does 1-40, 326 F.Supp.2d 556 (S.D.N.Y. 2004). The court found that all five factors weighed against the defendant and his right to anonymity.

The court also dismissed the defendant’s arguments that the record labels should be required to meet a heightened pleading standard in order to compel the identification of anonymous Internet users. The court held that the facts in the complaint were sufficient to state plausible copyright infringement claims, and this was sufficient to compel SUNYA to reveal the defendant’s identity.

This opinion follows several other cases recently discussed in the Chronicle of Data Protection in which courts addressed whether an ISP is required to disclose the identities of Internet users. 

 

Last August, in Cohen v. Google, a New York court granted a motion forcing Google to reveal the identity of an anonymous blog poster who had allegedly defamed a Manhattan-based model on a blog entitled “Skanks of NYC.” Also last August, in Solers, Inc. v. Doe, the D.C. Court of Appeals articulated its own five-part test to determine whether to quash a subpoena seeking the identity of an anonymous defendant who had allegedly provided a tip to the Anti-Piracy Division of the Software & Information Industry Association that Solers, Inc., a software company, was using unlicensed software. The court granted leave for the plaintiff to amend its complaint to present evidence sufficient to meet these new standards.

 

Looking forward, the question will often not be whether a court will force an ISP to reveal the identity of an anonymous Internet user, but rather how strong a plaintiff’s pleadings must be before a court will allow for a subpoena to compel the identity of an anonymous Internet user. 

Irish Court: IP addresses not personal data

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland's largest ISP, Eircom, and EMI, Sony Music, Universal Music, and Warner Music did not violate Ireland's data protection law. The settlement agreement was signed after the record labels sued Eircom in connection with Eircom's failure to take action to discourage peer-to-peer copyright infringements on its network. In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to customers who had been detected as participating in unauthorized file sharing. If the customers ignored Eircom's warnings, Eircom would cut off the subscriber's Internet access. This sanction would be applied on a purely contractual basis, based on the subscriber's violation of Eircom's terms of use. The subscribers' identities would never be shared with the record companies or with the police. The detection of illegal file sharing would be conducted by a third-party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.

The Irish data protection authority believed that the settlement would violate Irish data protection laws.  The court was asked to answer three questions:

Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom;

Whether Eircom's processing of personal data for implementation of the graduated response mechanism is legitimate; and

Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data because it is not "likely" that DetectNet would have the means or motivation to find out the names or addresses of the persons corresponding to the IP addresses.  The court said that the word "likely" as used in the Irish law means "probably."  

For the second question, the court found that the processing is justified because of the subscriber's consent to Eircom's terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.  

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement.  Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party's opinion on the concept of personal data, particularly page 15.

Regarding "graduated response" in general, I invite readers to review a previous update on the French Constitutional Court decision, and Gerry Oberst's blog entry on Internet Freedom and Data Privacy.

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.

French Senators propose data breach legislation; restrictions on cookie use

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL. Last May, Senators Détraigne and Escoffier delivered a report on privacy in the digital age on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in the May report.

The proposed new bill would:

  • State that "any address or number identifying terminal equipment connected to a communications network" is personal data.  This provision is intended to end the debate in France on whether IP addresses are personal data.  Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
  • Require that government agencies and certain companies appoint a data protection officer;
  • Increase notification obligations of data controllers before they process personal data;
  • Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
  • Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches.  The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
  • Facilitate data subjects' ability to request deletion of personal data; and
  • Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks.  French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue in Sharm El-Sheikh and the Internet Governance Forum.

Debates on the text will begin in March 2010. It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive. Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.