HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

The ECJ ruling follows a request from the Brussels Appeal Court which had before it a case brought by the Belgian collecting society SABAM (Société Belge des Auteurs, Compositeurs et éditeurs) against Belgian ISP Scarlet Extended ("Scarlet").

The original case goes back a number of years now. In 2004, SABAM discovered that subscribers of Scarlet were using the ISP's services to illegally download, through P2P networks, protected works from its catalogue, without authorisation and without paying royalties.  SABAM thus requested that a Belgian Court issue an injunction against Scarlet forcing it to implement all necessary measures to block any such downloading or uploading of illegal files via P2P networks without authorisation.

On 29 June 2007, the Brussels Tribunal of First Instance agreed with SABAM and granted this injunction. Scarlet immediately lodged an appeal on the basis that the Court was in fact imposing an obligation to monitor on them and that as such it was incompatible with the E-Commerce directive and fundamental rights.

The Brussels Appeal Court  proceeded to ask the ECJ whether an injunction imposing such a filtering system was compliant with the provisions of various directives, namely the 2000 E-Commerce Directive[1], the 2001 Directive for Copyright harmonisation[2], the 2004 Directive on the Enforcement of Intellectual Property Rights[3], the 1995 Directive on Data Protection[4] and the 2002 Directive on Data Protection in the field of Electronic Communications[5].

In essence the Brussels Appeal Court sought guidance as to whether these directives could be interpreted as allowing a national court to order an ISP to implement a general filtering system as a preventive measure, at its own cost and for an indefinite period, thereby monitoring all electronic communications across its network between all its subscribers.

The ECJ found that the system as described would require the ISP in question to engage in an active observation of the entirety of the data traffic on its network and that a ruling imposing such an obligation would constitute a breach of article 15 of the 2000 E-Commerce directive which prohibits European Union Member States from imposing general monitoring obligations on ISPs.

In addition to this analysis, the ECJ underlined that whilst intellectual property rights had to be protected as part of the property right established by the Charter of Fundamental Rights of the European Union, a balance had to be struck between this and the preservation of other fundamental rights.

In this respect, the Court found that the implementation of a filtering system similar to the one requested by SABAM would restrict the freedom of the ISP concerned to conduct its business, and that the immense complexity and costs associated with the implementation of the system contradicted the provisions of the Directive on the Enforcement of Intellectual Property Rights.  In addition the ECJ also held that the effect would not be limited to the ISP but could also affect the fundamental rights of internet users' rights namely their right to the protection of their personal data and right to receive or impart information and communicate freely since the system would, in all likelihood, not allow for the necessary level of granularity sufficient to distinguish between files exchanged legally and illegally, catching in its net both categories of files, regardless of their status. The Court emphasized that users' freedom of expression rights were affected only insofar as the system might block lawful communications, such as exchanges of copyright-protected works that are legal under a statutory exception to copyright.  Right holders will applaud this decision for indirectly confirming that illegal file transfers are in no way protected by the fundamental right to freedom of expression.  While this principle seems obvious, it is often overlooked in the net neutrality debate.

Privacy law observers will be disappointed by how little attention the court pays to privacy law. The court simply states that users' privacy rights will be affected, and then moves on to discuss freedom of expression.  One of the most complex issues in the fight against illegal content is how to balance potential infringements of data protection and privacy rights against other fundamental rights such as the protection of property or the protection of human dignity.  A balance is possible, as the Court previously said in the Promusicae case.  But the Court here provides no guidance on how the balance should be struck.

Observers will also be disappointed that the Court did not address the fundamental defect raised by the Advocate General, ie. the absence in Belgium of a specific law targeting this kind of filtering.  According to the Advocate General, the absence of a specific law constitutes a fatal flaw in the Belgium system, and made it unnecessary to move on to the balancing test.

The decision is an important one as it clearly sets the principles applicable to the implementation of filtering measures in accordance with European legislation. In this respect, it underlines the impossibility for national legislators and jurisdictions to impose general rules or injunctions on ISPs to monitor the electronic communications traffic which they convey.  As such rights owners cannot necessarily look towards ISPs to provide a blanket against piracy – and indeed many would say this was clearly the intention of the E-Commerce Directive back in 2000.  Many experts recognize the limitations of ISP filtering[6], and policy makers[7] increasingly want to involve a variety of Internet intermediaries, including ISPs, payment service providers, Internet advertising networks, Internet addressing firms and search engines in the fight against illegal content online.

While the SABAM decision can be interpreted as a step forward in favour of "net neutrality", it should still be noted that the ECJ does not rule out all types of filtering systems in principle. Thus it is not the end of the story for rights owners and indeed, it appears that certain filtering systems, if clearly defined and limited in time and in scope, could well be regarded as compliant with European legislation.  Thus rights owners can and will continue to apply for and be granted injunctions under national law against intermediaries, such as ISPs, where their services are being misused by third parties to infringe.  However, any such injunctions clearly must comply with and respect the limitations arising under EU law.  Thus we can expect to see further litigation until we have clarity on the acceptability, scope and extent of filtering and monitoring in the EU.

The full judgment is available here

The Opinion concludes that a website can’t require consent to collect personal data from a user as a condition for subscribing “[g]iven that the Internet has become an essential tool both for work and for leisure purposes.” Thus, websites that condition entry on personal data are not allowed. Moreover, it opines that consent must be obtained from “all users” in a communication. Query whether and how this would apply to a data-mining free email account, where the subscriber has consented but her correspondent has not. 

The Opinion recognizes that consent to inspect a customer’s traffic or content data may not always be possible, or necessary, for all monitoring functions. But the Opinion is likely to be cited by those seeking to link privacy rights and personal data to the network neutrality cause; in the US, privacy has not been in the forefront of this debate. 

On Nov. 20 neutrality advocates in Europe inched their efforts forward when the Industry, Research and Energy Committee (ITRE) of the European Parliament voted to ask the EC to come up with more guidance on network neutrality. This step, too, marks a backing away from last spring’s “wait-and-see” stance.   Among other things, the resolution calls on the European Commission to ensure that ISPs “do not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.” This language actually goes farther than the FCC’s neutrality rules, which bars only “unreasonable” discrimination. There appears to be an E.U. carve-out for mobile Internet traffic, similar to the FCC’s reduced treatment for this presumably bandwidth-constricted technology.

 One reason the E.U. has lagged the U.S. in net neutrality regulation is that European telcos have generally been required to unbundle their last mile copper plant. Multiple ISPs, in theory anyway, can serve a residence. With ISP competition possible to every residence, a customer can switch if she doesn’t like the ISP’s terms and conditions. 

In the U.S., telcos were freed from unbundling in 2005, and cable networks were never generally subject to the requirement. Despite extensive head-to-head broadband competition in most of the country, competition is not universal in all 50 states. U.S. Regulatory proponents note this lack of competition in rejecting a market-based solution to issues of ISP conduct.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice. 

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.

Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and Talk Talk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act . 

Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope http://news.cnet.com/8301-13578_3-10462117-38.html .

A group of record labels had evidence suggesting that specific IP addresses connected with the State University of New York at Albany (“SUNYA”) had been used to infringe on the record labels’ copyrights by sharing music on peer-to-peer networks. The record companies subpoenaed SUNYA for disclosure of the names and contact information of the individuals associated with the IP addresses. After being notified of the subpoena by SUNYA, the defendant moved to quash the subpoena, arguing that “the First Amendment affords a qualified right to use the Internet anonymously.” In the district court, both a magistrate judge and a district judge both rejected this argument and refused to quash the subpoena. 

In affirming, the Second Circuit held that “to the extent that anonymity is used to mask copyright infringement or to facilitate such infringement by other persons, it is unprotected by the First Amendment.” The court adopted a five-factor test set forth in a different case by the U.S. District Court for the Southern District of New York to determine whether an Internet user’s right to anonymity requires that a subpoena be quashed. These factors are:

(1) [the] concrete[ness of the plaintiff’s] showing of a prima facie claim of actionable harm, . . . (2) [the] specificity of the discovery request, . . . (3) the absence of alternative means to obtain the subpoenaed information, . . . (4) [the] need for subpoenaed information to advance the claim, . . . and (5) the [objecting] party’s expectation of privacy.

Sony Music Entertainment Inc. v. Does 1-40, 326 F.Supp.2d 556 (S.D.N.Y. 2004). The court found that all five factors weighed against the defendant and his right to anonymity.

The court also dismissed the defendant’s arguments that the record labels should be required to meet a heightened pleading standard in order to compel the identification of anonymous Internet users.  The court held that the facts in the complaint were sufficient to state plausible copyright infringement claims, and this was sufficient to compel SUNYA to reveal the defendant’s identity.

This opinion follows several other cases recently discussed in the Chronicle of Data Protection in which courts addressed whether an ISP is required to disclose the identities of Internet users. 

Last August, in Cohen v. Google, a New York court granted a motion forcing Google to reveal the identity of an anonymous blog poster who had allegedly defamed a Manhattan-based model on a blog entitled “Skanks of NYC.” Also last August, in Solers, Inc. v. Doe, the D.C. Court of Appeals articulated its own five-part test to determine whether to quash a subpoena seeking the identity of an anonymous defendant who had allegedly provided a tip to the Anti-Piracy Division of the Software & Information Industry Association that Solers, Inc., a software company, was using unlicensed software. The court granted leave for the plaintiff to amend its complaint to present evidence sufficient to meet these new standards.

Looking forward, the question will often not be whether a court will force an ISP to reveal the identity of an anonymous Internet user, but rather how strong a plaintiff’s pleadings must be before a court will allow for a subpoena to compel the identity of an anonymous Internet user.