The graduated response system to tackle unlawful filesharing online, agreed as part of an out-of-court settlement between the Irish recording industry and eircom, was approved by the Irish High Court last month. Mr. Justice Charleton’s judgment concluded that the “parties can … lawfully proceed to implement the settlement”, though his judgment relates only to the specific question of compatibility with the Data Protection Acts 1988 and 2003.
eircom has now implemented the graduated response system on a pilot basis and details are available on its website. The FAQs say that IRMA will supply eircom with IP addresses which eircom will match to its customers, who will then receive warnings about alleged unlawful downloading. If warnings are ignored, service may be suspended for 7 days and the customer will not be charged for those 7 days of lost service. On a subsequent alleged infringement, service will be withdrawn for 12 months. If a customer disputes an allegation that their service has been used for unlawful downloading, they can appeal to eircom, which “will consider all customer appeals on a case by case basis.”
The concerns about graduated response arise primarily from disconnection on the basis of a complaint, rather than a court order, and from the fact that the sanction affects an entire household, rather than the individual alleged infringer. The latter point has gathered steam as the internet has taken on utility status. IRMA’s attitude to this is clear:
The European Parliament has been talking about internet access as a basic human right. It absolutely is not.
Dick Doyle, IRMA Director General
eircom emphasises that customer data will not be shared by eircom with any other party.
Under no circumstances will eircom be handing over customer details to any third party.
It is also stated that eircom won’t monitor network usage and that “[t]here are strict privacy laws that prohibit eircom from monitoring the online activities of individual customers.” Monitoring will be done by DtecNet on behalf of IRMA.
However, in the overview, eircom states:
IRMA will send eircom notifications containing among other things the IP addresses of individuals they have detected as engaging in illegal file sharing in breach of copyright.
One wonders what those “other things” might be. Charleton J. said:
Neither DtecNet, or any similar service of detection, nor any of the plaintiffs whose copyright material is being infringed would ever know through this process that the infringer is a particular person living in a particular place in Ireland. What they do know is that a particular IP address has been involved in the downloading.
However, DtecNet’s website states:
DtecNet’s solutions will automatically secure evidence against the infringer(s) and generate Cease & Desist letters that can be sent to the infringer(s) asking for immediate removal of the content.
This is a capability of their systems, not a detail of the IRMA/eircom agreement. But nevertheless, it appears that IRMA may be capable of gathering more than just IP addresses of alleged infringers. eircom might not share customer data with any other party, but it is not clear what data will be shared with it.
The European Commission’s Article 29 Working Party thinks that even partial IP addresses can be used by search engines in combination with other information that they hold including cookies and search histories to identify individuals.
Just reading back on the EMI judgment it did appear that the basis for the finding that the IP addresses were not personal information was that on their own they could not be used to identify an individual and that in any event the plaintiffs had no intention to identify individuals, and that it was merely ensuring that the law was being upheld in the most cost efficient way it could.
Given your observation that the IP address is only part of the information available to the rights holder and in light of the Commission’s views, it does appear that this issue has not been adequately settled in Ireland.
Rossa: Is it not 4 strikes now ;0) ,,,
Dick might not be aware of this amendment to the EU Communications Framework Package:
“3a. Measures taken by Member States regarding end-users access’ to, or use of, services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law.
Any of these measures regarding end-users’ access to, or use of, services and applications through electronic communications networks liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and with general principles of Community law, including effective judicial protection and due process. Accordingly, these measures may only be taken with due respect for the principle of the presumption of innocence and the right to privacy. A prior, fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to effective and timely judicial review shall be guaranteed.”
This is to be transposed into Irish Law by March 2011. This will be done by S.I., so that remark/quote above is clearly misinformed.
I know I mentioned this to TJ and others when amendment 138 which became the above “Art 1 3a” became law.
Here is the FW: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0037:01:EN:HTML
Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services Text with EEA relevance.
The devil here is in the detail. The State seems to indicate that this section may not be regulated by ComReg ….
@Fred I think it’s remarkable that a High Court judgment addressing whether or not an IP address constitutes personal data was arrived at without reference to the Article 29 Working Party’s publications on the matter or without the views of the Data Protection Commissioner. Of course, the Court decided on the basis of what was put before him and that appears to have been the industry’s views.
It is baffling that the Commissioner neither appeared nor made submissions. One wonders what the Article 29 Working Party might make of the judgment.
@Ronan That’s what eircom calls it in their FAQs, but I think they see the information campaign as strike 1. Or is 12 month disconnection strike 4?
@Rossa: Indeed it is. Yes, I believe technically the now tied down 12 month disconnection is the fourth strike. I guess we had to be uniquely Irish.
I also think we need to clarify that ‘3 strike’ legislation exists in other jurisdictions.
Wednesday, 24 June 2009 at 23:12
This note is a very brief scoresheet in relation to (in some cases overturned) legislative activity on the concept of IP addresses being personal data and Copyright enforcement in recent weeks and months. I set out some countries where infringements and IP addresses have been tested before the courts. Following that I set out verbatim, the eCommerce Directive Defence of mere conduit (with pertinent recitals) in force in the EU region and two sections of the WIPO – World Intellectual Property Rights Organisation, treaty in relation to Copyright.
I have mixed views on the categorisation of IP addresses as personal data, but I have very strong views about telco/ISPs handing personal or user data over to non-parties in commercial or post litigation agreements based on IP addresses trapped by use of sniffer, honeypot or netting technologies.
Country / Activity:-
France – HADOPI ‘3 Strikes’ Law forced through by Sarkozy. June 10, 2009 – Overruled by Constitutional Court as in breach of privacy rights.
Sweden – IP addresses ruled as formally being personal data by Supreme Court, no 234 Preliminary Reference to ECJ or leave to appeal, June 24, 2009.
Ireland – eircom case settles, ‘3 Strikes’ approach to Copyright infringements. Proceedings issue against UPC and BT (June 16, 2009 summons issued). DtecNet used as sampling software. Charleton J rules on settlement agreement, states that agreement is lawful; however, IP addresses are not personal data in the context of scanning, but they may be in the hands of telcos.
Belgium – Sabam v Tiscali SPA (Scarlet) injunction issued in the case; the technical cost of deploying the Audible Magic fingerprinting system (incapable of blocking) was estimated at €6 per user per year. Injunctive relief lifted on appeal. ISPA Belgium received the latest outcome in the appeal procedure of the Scarlet-Sabam case in Belgium. The Belgium Court of Appeal is now referring the case to the ECJ for a preliminary ruling on the balance between the two fundamental rights, on the one hand the protection of privacy and, on the other hand, the protection of intellectual property, before going into any other arguments put forward by the parties. The Court refers two questions, based on Directives 2001/29 (harmonisation of certain aspects of copyright and related rights in the information society), 2004/48 (enforcement of intellectual property rights), 95/46 (on the protection of individuals with regard to the processing of personal data and on the free movement of such data), 2000/31 (e-commerce) and 2002/58 (privacy and electronic communications).
· The first question asks whether a judge can order an ISP to implement filtering devices on its network to filter all electronic communications containing music, cinema or audiovisual files, blocking those on which the plaintiff claims to have rights.
· The second one is whether the judge, according to those directives must apply the proportionality principle when asked to rule on the effectiveness and deterrent effect of the measure.
Germany – IP addresses are classified as personal data.
Netherlands – IP addresses are classified as personal data.
UK – Digital Britain consults on the options: http://www.berr.gov.uk/files/file51703.pdf
Three options contained. If tested without legislation, there would be issues with privacy. Durant v Financial Services Authority states that IP addresses would not necessarily be declared as personal data.
Unfortunately this nonsense passed during the WASH UP process. Ofcom acting as gatekeeper.
Italy – Italian Supreme Court’s Recent Decision on File Sharing Practices. In the Peppermint case (Peppermint Jam Records GmbH), the Court did not take any position on the legality of file sharing practices. According to a recent Italian Supreme Court decision, however, the copyright infringement deriving from file sharing – if not aimed at making profit – is not punishable.
USA – In MGM v Grokster (2005), the US Supreme Court distinguished Sony v Betamax for a second time. It held that in 1984 no evidence had been adduced against Betamax of stated or indicated intent to promote infringing copying, whereas Grokster had induced the infringements perpetrated by the users. The site was shut down.
New Zealand – Section 93 enacted ‘3 Strikes’ approach – untested by courts, as yet (likely to be a privacy infringement).
eCommerce Directive Framework Defence: (S.I. 68 of 2003 – Irish transposition)
ISPs are not required to monitor generally the content of information passing over its network when they function as a “mere conduit” within the meaning of Article 12 of the Electronic Commerce Directive 2000/31/EC (“the E-Commerce Directive”).
Article 12 “Mere conduit”:-
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement.
Recitals:
(41) This Directive strikes a balance between the different interests at stake and establishes principles upon which industry agreements and standards can be based.
(42) The exemptions from liability established in this Directive cover only cases where the activity of the information society service provider is limited to the technical process of operating and giving access to a communication network over which information made available by third parties is transmitted or temporarily stored, for the sole purpose of making the transmission more efficient; this activity is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored.
(43) A service provider can benefit from the exemptions for “mere conduit” and for “caching” when he is in no way involved with the information transmitted; this requires among other things that he does not modify the information that he transmits; this requirement does not cover manipulations of a technical nature which take place in the course of the transmission as they do not alter the integrity of the information contained in the transmission.
(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of “mere conduit” or “caching” and as a result cannot benefit from the liability exemptions established for these activities.
(45) The limitations of the liability of intermediary service providers established in this Directive do not affect the possibility of injunctions of different kinds; such injunctions can in particular consist of orders by courts or administrative authorities requiring the termination or prevention of any infringement, including the removal of illegal information or the disabling of access to it.
WIPO Copyright Treaty:-
Article 8 of the WIPO Copyright Treaty provides that:
“It is understood that the mere provision of physical facilities for enabling or making a communication does not in itself amount to communication within the meaning of this Treaty or the Berne Convention.”
Article 10 of the Treaty permits contracting parties to implement exceptions and limitations appropriate to the digital network environment. The combined effect of the Agreed Statements on Articles 8 and 10 is to permit parties to adopt limitations on the liability of ISPs and other mere facility providers, (such as the one contained in section 40(3) of the Irish Copyright Act).