Jusletter IT

How to protect users’ personal data and enforce copyright on the Internet – Is there an alternative to cyber-surveillance?

  • Author: Michal Czerniawski
  • Category: Articles
  • Region: Poland
  • Field of law: Data Protection
  • Collection: Tagungsband IRIS 2014
  • Citation: Michal Czerniawski, How to protect users’ personal data and enforce copyright on the Internet – Is there an alternative to cyber-surveillance?, in: Jusletter IT 20 February 2014
For the last few years, we have been witnessing a long and unsuccessful fight of copyright holders against online copyright infringement. During this time, by establishing the so-called graduated response mechanisms, for the first time some state legislators have legalised a widespread use of surveillance measures on the Internet for private purposes. Under the graduated response system, copyright holders monitor Internet users’ activities in order to identify those who potentially infringe copyrights, in particular by uploading or downloading copyrighted content. In many cases the actions of the copyright holders are not transparent and are characterised by a lack of proportionality. This paper argues that graduated response systems do not guarantee a balance between copyright enforcement and privacy. Online surveillance should be considered a threat to Internet users’ fundamental rights to privacy and the protection of personal data. Graduated response systems, based on private monitoring, do not contribute to the development of an open transparent Internet and the information society, but may become its undoing. It is true, however, that copyright holders need legal tools that will help them protect their interests and thereby support further creation. This paper analyses instruments developed by privacy advocates and scholars, such as public interest information, aimed at dealing with online piracy and allowing effective enforcement of copyright law on the Internet. These solutions may contribute to combating massive online copyright infringement, without having a negative impact on Internet users’ right to protection of personal data and without imposing online surveillance measures. However, for some reasons, these instruments still seem to be ignored by copyright holders and legislators worldwide.

Inhaltsverzeichnis

  • 1. The graduated response system and online surveillance
  • 2. Foundations of the graduated response system
  • 2.1. Monitoring of users’ online behaviour
  • 2.2. Capture of users’ IP addresses
  • 2.3. Collection of users’ data
  • 3. Less intrusive measures and alternatives to graduated response
  • 3.1. Public interest information
  • 3.2. Notice-and-notice
  • 3.3. Targeted monitoring
  • 4. Conclusions
  • 5. References
[1]
Copyright has always been a form of control1; a form that evolves and responds to technological changes. For the last few years, we have been witnessing a worldwide shift in laws and policies aimed at fighting illegal file sharing on the Internet. The most controversial development is the so-called graduated response – a surveillance-based solution that may even result in cutting an Internet user off from the web. Although supported by governments and approved by independent courts2, it raises serious personal data protection concerns.

1.

The graduated response system and online surveillance ^

[2]
With the rapid development of the Internet and arrival of the digital market, copyright industries have started to perceive the web as a growing danger to their vested interests and established value chains. In fact, they would prefer to maintain their positions as gatekeepers that control all individual instances of accessing works online, as well as offline. Copyright holders, therefore describe the graduated response system as a useful and effective tool, enabling them to effectively control and enforce their rights. That is the rationale behind their push forward for solutions based on online surveillance3. The open question is how far legislators, supported by the rights holders, may go in creating new monitoring systems. This question is very up-to-date as legislations introducing the graduated response system were passed in the last few years in countries such as New Zealand4, France5, Ireland6 (private ordering), Taiwan7 and South Korea8 and are being considered in other countries, for example in the United Kingdom9.
[3]

Under the graduated response policy, there are two basic surveillance methods. First, copyright holders may cooperate directly with Internet Service Providers (ISPs) in monitoring of their subscribers activities – this type of monitoring involves deep packet inspection (DPI)10. In case where such cooperation is not possible, a less intrusive solution is being used – copyright holders hire third party entities to monitor the Internet, usually selected webpages or file sharing networks. In 2011, the Court of Justice of the European Union confirmed that in the European Union ISPs cannot be required to adopt general filtering systems on their networks in order to prevent copyright infringement11. Currently the European graduated response systems are based on the second model, the American «six-strike» policy does not involve DPI-based surveillance either. After obtaining an Internet Protocol (IP) address of a user allegedly infringing copyright, copyright holders are able to establish which ISP provides services to a particular user. The ISP is capable of identifying the user of the particular address at a particular time, who otherwise would remain anonymous for a copyright holder. The principle underlying the graduated response system is that sanctions should escalate as infractions increase12 or persist.

[4]
An internet user allegedly infringing copyright laws usually receives at least two notices («strikes») from a copyright holder, commonly forwarded to the user by his/her ISP, without disclosure of the subscriber’s personal data to the holder. The first one normally consists of the information about copyright law. The second one, sent after a certain time since the first notice (for example under Hadopi law13 it used to be six months), only if the user did not cease to infringe copyrights, is a legal warning. The third «strike» initiates formal procedure and may ultimately effect in a suspension of the subscriber’s access to the Internet or other sanctions. Therefore, some researchers find the term «graduated response» too soft and inaccurate – for example William Patry argues that the term should be replaced with «digital guillotine»14.
[5]
Recently, much of the debate on Internet monitoring activities is being focused on voluntary agreements between ISPs and right holders. These schemes, usually developed by large companies under confidentiality and imposed on their subscribers contractually, raise significant transparency concerns. Such systems are enforceable through relevant provisions of ISPs’ terms of service, with no state action involved and no judicial review. The first country where an ISP agreed to implement graduated response on a contractual basis was Ireland15, but the brightest example of such an approach is the voluntary Copyright Alert System (the so called «six-strike» policy), introduced in 2013 in the United States as a result of a consensus reached between copyright holders and major American ISPs. The strikes, similar to other graduated response systems, start out in an educational manner, but may ultimately result in a temporary disconnection of a repeat infringer from the Internet. Due to the voluntary agreement form and private legal character, it is difficult for the public to obtain information whether the program meets its established goals16. Moreover, as pointed out by Annemarie Bridy, a contract law implementation of the graduated response is not subject to any kind of public scrutiny before it takes effect17.

2.

Foundations of the graduated response system ^

[6]
There are three factors necessary for the proper functioning of a graduated response policy: a) monitoring of users’ online behaviour; b) capture of users’ IP addresses and matching of a captured address to a particular subscriber’s account; c) collection of users’ data. All three factors create risks in the area of personal data protection. Without online surveillance, the possibility of identifying an Internet user on the basis of his/her IP address or user data collection, the system would not work.

2.1.

Monitoring of users’ online behaviour ^

[7]
All variants of graduated response systems rely, by necessity, on private online surveillance18. Moreover, graduated response polices stimulate the development of new technologies aimed at online monitoring. Copyright holders are willing to pay for new, sophisticated instruments that will allow them to pursuit copyright infringers in a more efficient way. Graduated response also encourages the development of regulatory instruments aimed at Internet filtering and blocking of content19.
[8]
Online surveillance, even in its less intrusive form, must not be taken at face value. Acceptance of online monitoring as something normal and needed, may lead in the future to the normalisation of surveillance. Thus, the graduated response system may constitute a template for similar solutions covering different areas of online activities to be implemented in the future20. During Hadopi law consultations only the French Commission for Information and Liberties (CNIL) and civil society representatives raised the issue of surveillance. The French government accepted this solution from the beginning21. In Ireland, the settlement between Eircom and members of the IRMA was unsuccessfully challenged by the Irish Data Protection Commissioner22. The graduated response system is difficult to accept also because online monitoring affects millions of law-abiding individuals that have nothing in common with online infringements. As long as an individual uses the Internet, there is no way he or she can be excluded from the monitoring. In the information society, the Internet plays a central role in most of aspects of our life. In order to participate in the information society, we reveal on the Internet data about various spheres of our personal life. Therefore, online surveillance affects personal lives and as Brian Solove stated, it can cause chilling effects on our activities and change the way we behave23. It makes us more willing to hide certain actions and act in a manner that is not transparent.

2.2.

Capture of users’ IP addresses ^

[9]
According to Peter Hustinx, the European Data Protection Supervisor, IP addresses and the information about the activities linked to such addresses constitute personal data in all cases relevant to graduated response24. Also the Article 29 Working Party states that IP addresses captured in order to enforce intellectual property rights are personal data if used for the enforcement of such rights against a given individual25. Therefore, there is no doubt that the collection of IP addresses of alleged infringers by copyright holders constitutes processing of personal data under European Union law.

2.3.

Collection of users’ data ^

[10]
A copyright holder, after obtaining an IP address, needs to prove that the infringement occurred, therefore the graduated response leads to the systematic recording of data. The data related to IP addresses may constitute a good transcript of our lives. Online surveillance creates a risk of collecting a significant amount of data beyond what was originally sought by private entities. Recorded data may show what types of movies are downloaded by particular user, what websites he or she visits on a regular basis, with whom he or she communicates. The information retrieved by copyright holders extends thereby beyond the purpose of their search. Moreover, it is not only the copyright holders that are in possession of the data related to a particular user. In order to collect evidence, right holders usually hire specialised entities. Again, contracts concluded with these companies are usually subject to confidentiality. Most of them derive direct financial benefit from finding as much evidence related to copyright infringement as possible. Therefore, there is a risk that the application in practice of the graduated response policy will ultimately lead to massive collection of personal data by various parties in an absolutely non-transparent manner.

3.

Less intrusive measures and alternatives to graduated response ^

[11]
There are several alternatives to private surveillance of Internet users’ activities, which guarantee proper protection of Internet users’ personal data. The alternatives ensure the maintenance of appropriate balance26 between copyright enforcement and personal data protection. However, for some reasons they seem to be ignored by copyright holders.

3.1.

Public interest information ^

[12]
Some concepts aimed at dealing with online piracy are based on the assumption that Internet users are often not aware that they infringe copyrights. Several privacy advocates argue that there is no need for cyber-surveillance or the identification of users as it would be enough to raise Internet users’ awareness about copyrights. For example, the European Data Protection Supervisor as a less intrusive measure, an alternative to the graduated response system, suggests an obligation for the EU Member States to produce standardised public interest information on infringements of copyright and related rights and their legal consequences. According to the EDPS, the Member States can request ISPs to distribute such information to their customers27. The law that gives basis for such an obligation to be imposed on ISPs already exists in the European Union. According to the Directive 2009/136/EC28 Member States may require ISPs to distribute public interest information free of charge to existing and new subscribers by the same means as those ordinarily used by them in communications with subscribers. Such information shall be provided by the relevant public authorities in a standardised format and shall cover topics related to «the most common uses of electronic communications services to engage in unlawful activities or to disseminate harmful content, particularly where it may prejudice respect for the rights and freedoms of others, including infringements of copyright and related rights, and their legal consequences»29. This instrument not only would help in combating massive online copyright infringement but also would have an important educational aspect.

3.2.

Notice-and-notice ^

[13]
Some privacy advocates find certain cyber-surveillance based measures that ensure high data protection standards acceptable. An example of such a measure is a notice-and-notice system30. Under the notice-and-notice system, copyright holders monitor Internet activities, as in the graduated response, in order to identify those users who infringe copyrights, in particular by uploading or downloading copyrighted content. This system also requires a copyright holder to file a notification containing the IP address of an alleged infringer. Then, it is the ISP that forwards the notification to the subscriber, but it takes no other action and does not pass along subscriber’s personal data. The data remains with the ISP – the entity that obtained the subscriber’s freely given consent to the processing of personal data. The ISP does not take any action other than passing the notice.
[14]
The idea underlying the notice-and-notice policy is something legislators often forget about – that the vast majority of the Internet users do not want to infringe copyrights. The system is based on the very simple idea that individuals will stop downloading or uploading copyrighted content if they become aware that copyright holders have knowledge of their actions. No enforcement actions will be needed. A survey made by the New Zealand Federation Against Copyright Theft proved that more than 70% of New Zealand youth would stop accessing illegal versions of copyright material if they received a notice from their ISP31. In 2010 one of the biggest Canadian32 ISPs, Rogers, tested notice-and-notice solution and also proved its efficiency33. Of course it would be naive to imagine that persistent infringers, being aware that the notice will not be followed by any kind of sanction, will stop copyright infringing activities. But the issue of persistent copyright infringers is also the weakness of all solutions proposed by copyright holders, including the graduated response system (the graduated response is ineffective for example against individuals using virtual private networks or routing systems that obscure IP addresses, such as TOR). Persistent copyright infringers, in particular those with some technical knowledge, will be always able to find ways to illegally share content with legal impunity.

3.3.

Targeted monitoring ^

[15]
Another less intrusive measure, supported by some privacy advocates and the European Data Protection Supervisor, is targeted monitoring. It is based on the belief that copyrights may be successfully enforced by monitoring of only a limited number of individuals34. The supporters of this concept state that by observing selected websites (for example online forums dedicated to file-sharing) or by posing as file sharers in peer-to-peer networks, copyright holders may identify a small group of users that is responsible for the majority of uploading and file-sharing of copyrighted content in the Internet and that derive commercial benefits from copyright infringement. The idea behind the targeted monitoring is to limit the scope of online surveillance and not direct it at other Internet users, including those who commit trivial copyright infringements. Under the targeted monitoring system copyright holders are allowed to engage in monitoring of certain IP addresses if its purpose is to verify the scale of the infringement. If they cannot prove that in particular case an infringement on commercial scale took place, they shall cease their actions. In accordance with this concept, all copyright holders’ operations and procedures related to data processing aimed at gathering evidences of infringement shall be authorised by national data protection authorities. The approval of an authority shall be granted prior to the processing of any data. This requirement shall constitute an additional guarantee that data protection laws and privacy of Internet users are properly respected.

4.

Conclusions ^

[16]
The currently popular concept of graduated response, based on private monitoring, is not contributing to the development of an open Internet and the information society, but may become its undoing. It creates a dangerous precedent, which may result in the introduction of online surveillance covering all spheres of Internet activities. Therefore, the debate around the graduated response policy is not only about copyright or digital market. It is about the type of Internet we will have in the future.
[17]
Copyright holders definitely need a tool that will help them in protecting their interests. Many of them would like to act as gatekeepers that control access to works online. However, online surveillance will not eliminate copyright infringements, but as a side effect it might eliminate privacy on the Internet. The notion of graduated response is evolving – Hadopi law in France was revoked and will be replaced, the graduated response schemes in Ireland and USA were implemented not as a law but through private ordering, which also means they lack judicial review and sufficient transparency. It is clear that the main aim of the system is to meet the needs of copyright holders, not Internet users. However, there are various alternatives to graduated response which are worth considering. Privacy advocates and scholars have developed measures, such as public interest information, notice-and-notice policy or targeted monitoring, aimed at dealing with online piracy and allowing effective enforcement of copyright law on the Internet. These solutions may contribute to combating massive online copyright infringement, without having a negative impact on users’ right to protection of personal data and without imposing intrusive online surveillance measures. However, for some reasons, these instruments still continue to be ignored by copyright holders and legislators35 worldwide.

5.

References ^

Article 29 Working Party, Working document on data protection issues related to intellectual property rights (WP 104) adopted on 18 January 2005.

Bendrath, Ralf, Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspectionhttp://userpage.fu-berlin.de/~bendrath/Paper_Ralf-Bendrath_DPI_v1-5.pdflast accessed 20 December 2013 (2009).

Bridy, Annemarie, Graduated Response American Style: «Six Strikes» Measured Against Five Norms, Fordham Intellectual Property, Media & Entertainment Law Journal, Vol. 23, No. 1 (2012).

Bridy, Annemarie, Graduated Response and the Turn to Private Ordering In Online Copyright Enforcement, Oregon Law Review no. 89 (2010).

European Data Protection Supervisor, Opinion of the European Data Protection Supervisor on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA) – 2010/C 147/01 adopted on 22 February 2010.

European Data Protection Supervisor, Opinion of the European Data Protection Supervisor on the proposal for a Council Decision on the Conclusion of the Anti-Counterfeiting Trade Agreement between the European Union and its Member States, Australia, Canada, Japan, the Republic of Korea, the United Mexican States, the Kingdom of Morocco, New Zealand, the Republic of Singapore, the Swiss Confederation and the United States of America – 2012/C 215/08 adopted on 24 April 2012.

Geist, Michael, Rogers Provides New Evidence on Effectiveness of Notice-and-Notice System, http://www.michaelgeist.ca/content/view/5703/125/ last accessed 20 December 2013 (2011).

Geist, Michael, Web privacy vs. identifying infringers, Toronto Star, http://www.michaelgeist.ca‌/resc/html_bkup/oct62003.html last accessed 20 December 2013 (2003).

Karaganis, Joe, and Renkema, Lennart, Copy Culture in the US & Germany (2013).

Lessig, Lawrence, Code 2.0, Basic Books, New York (2006).

Lyon, David, Editorial. Surveillance Studies: Understanding visibility, mobility and the phenetic fix, Surveillance and Society no. 1 (2002).

Lyon, David, Surveillance Society: Monitoring Everyday Life, Open University Press, Philadelphia (2001).

Meyer, David, Europe will not accept three strikes in ACTA Treaty, http://www.zdnet.com/europe-will-not-accept-three-strikes-in-acta-treaty-3040057434/ last accessed 20 December 2013 (2010).

Meyer, Trisha, and Van Audenhove, Leo, Surveillance and regulating code: an analysis of graduated response in France, Surveillance and Society no. 9 (2012).

New Zealand’s Office of the Minister of Commerce, Cabinet Economic Growth and Infrastructure Committee, Illegal Peer-to-Peer File Sharing (Cabinet Paper).

Patry, William, Moral Panics and the Copyright Wars, Oxford University Press US, Oxford (2009).

Serbin, Danielle, The Graduated Response: Digital Guillotine or a Reasonable Plan for Combating Online Piracy?, Intellectual Property Brief no. 3 (2012).

Solove, Daniel J, A Taxonomy of Privacy, University of Pennsylvania Law Review no. 3 (2006).

Strowel, Alain, Internet Piracy as a Wake-up Call for Copyright Law Makers – Is the «Graduated Response» a Good Reply?, WIPO Journal no. 1 (2009).

Strowel, Alain, The «Graduated Response» in France: Is It the Good Reply to Online Copyright Infringements? In: Copyright Enforcement and the Internet, edited by Stamatoudi, Irini, Kluwer Law International, Alphen aan den Rijn (2010).

 

Michal Czerniawski

Ph.D. researcher, University of Warsaw, Faculty of Law and Administration

Krakowskie Przedmiescie 26/28, 00-927 Warsaw, PL

m.czerniawski@student.uw.edu.pl; http://www.wpia.uw.edu.pl

 

  1. 1 Strowel, Alain, Internet Piracy as a Wake-up Call for Copyright Law Makers – Is the «Graduated Response» a Good Reply?, WIPO Journal no. 1, p. 84 (2009).
  2. 2 Hadopi law (its revised version) and Irish private ordering were validated by courts.
  3. 3 Following David Lyon, surveillance refers to «the collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered» Lyon, David, Surveillance Society: Monitoring Everyday Life, p. 2, Open University Press, Philadelphia (2001). Data surveillance «tries to make visible the identities or the behaviours of people of interest to the agency in question» Lyon, David, Editorial. Surveillance Studies: Understanding visibility, mobility and the phenetic fix, Surveillance and Society no. 1, p. 2 (2002).
  4. 4 Copyright (Infringing File Sharing) Amendment Act, 2011.
  5. 5 FrenchLoi n°2009-669 du 12 juin 2009 favorisant la diffusion et la protection de la création sur internet, JORF n°0135 du 13 juin 2009 p. 9666, known as «Hadopi law».
  6. 6 See EMI Records & Ors v. Eircom Ltd. [2010] IEHC 108. Eircom is the first ISP in Europe to voluntarily introduce the graduated response procedure. Under its policy, subscribers who download music illegally can end up losing their Internet connection. The ISP agreed to this solution in order to avoid legal sanctions under a lawsuit brought by the Irish Recorded Music Association.
  7. 7 Copyright Act of Taiwan, article 90 (2007).
  8. 8 Copyright Act of South Korea, article 133bis (2007).
  9. 9 Under section 124G of the Digital Economy Act, the Secretary of State can request OFCOM,an independent regulator and competition authority for the British communications industries, to assess whether technical obligations should be imposed on ISPs. A technical obligation is an obligation to take technical measures against a subscriber that infringes copyright which include suspension of the service provided to a subscriber.
  10. 10 Lawrence Lessig described the role of ISPs in the Internet using the example of a daydreaming postal worker, who only moves the data and leaves interpretation of the data to the applications at either end – Lessig, Lawrence, Code 2.0, Basic Books, New York, p. 44 (2006). Ralf Bendrath, basing on Lessig’s postal worker example, describes DPI technology as follows: «Imagine a postal worker who is not just daydreaming and moving packets from one point to another in the transportation chain. Imagine the postal worker: opens up all packets and letters, inspects and even reads the content, checks it against databases of illegal material and if finding a match, sends a copy to the police authorities, destroys letters he finds having prohibited or immoral content…», Bendrath, Ralf, Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection, http://userpage.fu-berlin.de/~bendrath/Paper_Ralf-Bendrath_DPI_v1-5.pdf, last accessed 20 December 2013 (2009).
  11. 11 CJEU’s ruling in Case C-70/10 Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM). See also Case C -360/10 Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV and Case C -461/10 Bonnier Audio AB and Others v Perfect Communication Sweden AB.
  12. 12 Bridy, Annemarie, Graduated Response and the Turn to Private Ordering In Online Copyright Enforcement, Oregon Law Review no. 89, p. 128 (2010).
  13. 13 Hadopi law was ultimately revoked by the French Government on 8 July 2013 by Décret n° 2013-596 du 8 juillet 2013 supprimant la peine contraventionnelle complémentaire de suspension de l’accès à un service de communication au public en ligne et relatif aux modalités de transmission des informations prévue à l’article L. 331-21 du code de la propriété intellectuelle, however French government did not resign from a system based on graduated response.
  14. 14 Patry, William, Moral Panics and the Copyright Wars, Oxford University Press US, Oxford, p. 14 (2009). See also Serbin, Danielle, The Graduated Response: Digital Guillotine or a Reasonable Plan for Combating Online Piracy?, Intellectual Property Brief no. 3, pp. 42-52 (2012).
  15. 15 The system was introduced as a result of a settlement between the largest ISP in the Ireland, Eircom, and members of the Irish Recorded Music Association (IRMA). According to IRMA, Eircom agreed that it will implement a graduated process in which it will: (i) inform its broadband subscriber that the subscriber’s IP address has been detected infringing copyright; (ii) warn the subscriber that unless the infringement ceases the subscriber will be disconnected; (iii) in default of compliance by the subscriber with the warning it will disconnect the subscriber – see statement of the International Federation of the Phonographic Industry, http://www.ifpi.org/content/section_news/20090129a.html, last accessed 20 December 2013 (2009).
  16. 16 Bridy, Annemarie, Graduated Response American Style: «Six Strikes» Measured Against Five Norms, Fordham Intellectual Property, Media & Entertainment Law Journal, Vol. 23, No. 1, p. 66 (2012). 
  17. 17 Op.cit., p. 17.
  18. 18 As Alain Strowel wrote «… solution that would eliminate all piracy, if at all possible, would seem dangerous or at least dubious for both individual liberties and technological innovation», Strowel, Alain, The «Graduated Response» in France: Is It the Good Reply to Online Copyright Infringements? In: Copyright Enforcement and the Internet, edited by Stamatoudi, Irini, Kluwer Law International, Alphen aan den Rijn, p. 160 (2010).
  19. 19 SeeMeyer, Trisha, and Van Audenhove, Leo, Surveillance and regulating code: an analysis of graduated response in France, Surveillance and Society no. 9, p. 365 (2012).
  20. 20 The graduated response was also discussed during the Anti-Counterfeiting Trade Agreement (ACTA) negotiations. It seems that initial intention of ACTA’s creators was to include in the agreement provisions allowing the graduated response to be implemented. It, however, did not happen – probably because the European Union expressed its reluctance to include the graduated response in the treaty – Meyer, David, Europe will not accept three strikes in ACTA Treaty, http://www.zdnet.com/europe-will-not-accept-three-strikes-in-acta-treaty-3040057434/ last accessed 20 December 2013 (2010).
  21. 21 Meyer, Trisha, and Van Audenhove, Leo, op.cit. p. 372.
  22. 22 See EMI Records (Ireland) Ltd & Ors -v- Eircom Ltd, [2010] IEHC 108 and EMI Records (Ireland) Ltd & Ors -v- The Data Protection Commissioner & Anor, [2012] IEHC 264.
  23. 23 Solove, Daniel J, A Taxonomy of Privacy, University of Pennsylvania Law Review no. 3, p. 487 (2006).
  24. 24 Opinion of the European Data Protection Supervisor on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA) – 2010/C 147/01 adopted on 22 February 2010, at 27 and Opinion of the European Data Protection Supervisor on the proposal for a Council Decision on the Conclusion of the Anti-Counterfeiting Trade Agreement between the European Union and its Member States, Australia, Canada, Japan, the Republic of Korea, the United Mexican States, the Kingdom of Morocco, New Zealand, the Republic of Singapore, the Swiss Confederation and the United States of America – 2012/C 215/08 adopted on 24 April 2012, at 19.
  25. 25 Article 29 Working Party, Working document on data protection issues related to intellectual property rights (WP 104) adopted on 18 January 2005.
  26. 26 The need of establishing a fair balance between these two rights was mentioned in the CJEU’s ruling in Case 275/06 Promusicae v. Telefonica de Espana.
  27. 27 Opinion of the European Data Protection Supervisor on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA) – 2010/C 147/01 adopted on 22 February 2010, at 37.
  28. 28 Directive2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
  29. 29 Article 21.4 (a) of the Directive 2009/136/EC.
  30. 30 According to Michael Geist «As privacy advocates began to react to the gradual deterioration of privacy protections in the name of security, they realized that it was necessary to promote a policy agenda that sought to protect both privacy and security. With a similar trend emerging in the intellectual property field, the privacy community must consider how it can promote a balanced approach that ensures respect for both intellectual property rights and personal privacy», Geist, Michael, Web privacy vs. identifying infringers, Toronto Star, http://www.michaelgeist.ca/resc/html_bkup/oct62003.html last accessed 20 December 2013 (2003).
  31. 31 New Zealand’s Office of the Minister of Commerce, Cabinet Economic Growth and Infrastructure Committee, Illegal Peer-to-Peer File Sharing, at 29.
  32. 32 Notice-and-notice system shall be soon implemented in Canada on the basis of Bill C-11 (Copyright Modernization Act), the copyright reform bill enacted in June 2012.
  33. 33 According to Karaganis, Joe, and Renkema, Lennart, Copy Culture in the US & Germany, pp. 45-46 (2013), who analysed situation in Germany, due to various other factors, such as free streaming services, it is unclear how notifications affect illegal music downloading. On the other hand, Michael Geist stated that the data reported by Rogers (Canadian ISP) shows that «67% of recipients (…) do not repeat infringe after receiving a notice and 89% cease allegedly infringing activity after a second notice», Geist, Michael, Rogers Provides New Evidence on Effectiveness of Notice-and-Notice System, http://www.michaelgeist.ca/content/view/5703/125/ last accessed 20 December 2013 (2011).
  34. 34 Opinion of the European Data Protection Supervisor on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA) – 2010/C 147/01, at 43.
  35. 35 With a single exception – see supra note 32.