Jusletter IT

Improved law enforcement regulations, three-strikes tests and even network locks – despite these efforts the threat for copyrights through online piracy still is vital. A mixture of confusion and hasty zeal among different governments has been noticed since October 2011. The U.S. government, for example, has claimed in March 2012 that Google and other companies have to develop models how to exclude piracy sites from their ad networks.¹ But not only academics, politicians and practitioners in the U.S. find themselves in heated discussions. In Germany, at least since the trial against the content provider website kino.to, the issue definitely is on the plate.

This explains the rapidly emerging interest of the population in this discussion and the massive protests against the U.S. initiative «Stop Online Piracy Act» (SOPA)², a «descendant» of the stopped «Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act» (PIPA)³. An Internet blackout followed, Wikipedia turned off for one day, Google was wearing censor bars. SOPA is now on hold – for the time being.

Largely under the radar, however, the «Anti-Counterfeiting Trade Agreement» (ACTA)⁴ has been adopted unanimously in December 2011 by the Council⁵ and signed in January 2012 by the European Commission⁶. After massive protests by the Internet community policy makers finally recognized the problem. Several states, including Germany, suspended the ratification of the agreement. On 4 July 2012 the European Parliament decided not to ratify ACTA, thus it could not enter into force within the EU. A review of the legality of ACTA had previously been submitted to the European Court of Justice (ECJ).

On European and international stages of politics, policymakers still try to cast in a «regulation mould» the basic idea behind such legislative initiatives. Worth mentioning are the «Trans-Pacific Partnership Agreement» (TPPA)⁷, the «Canada-EU Comprehensive Economic and Trade Agreement» (CETA) and the «Intellectual Property Rights Enforcement Directive» (IPRED)⁸.

The latter exists since 2004 and will be revised as «IPRED2». Considerations on IPRED2 seem to be a sequel to ACTA. This brings even more brisance in the forthcoming ECJ´s legal opinion on ACTA, because the following scenario is at least conceivable: «The European Commission wants to get the hands on the European Court of Justice seal for the ACTA-locomotive and subsequently green light for the whole train. It would be disastrous if it would work that way»⁹.

National legislation such as the intra-U.S. legislative initiative, in particular the «Cyber Intelligence Sharing and Protection Act» (CISPA), are indeed very interesting for a discussion on a bigger scale. However, they have little direct impact on the European framework and cannot, also due to the scope of this paper, be covered.

The paper has to answer – inter alia – the following questions raised by Prof. Dr. Axel Metzger:

To what extent the legitimate access rights of Internet users are taken into account?¹⁰, Is the law-making well-rounded in this point and includes both interest groups?¹¹ What are the legal safeguards for the defendant?¹²

Abbildung 1: «The European Commission wants to get the hands on the European Court of Justice seal for the ACTA-locomotive and subsequently green light for the whole train. It would be disastrous if it would work that way.» – (Prantl, H., 2012) 

The development phase of ACTA already covers over five years and it has been said and written much about its objectives. In general it contains the staking of a framework that allows, first, intellectual property rights holders to enforce their rights and, second, consumers to protect their health from counterfeit products and – drugs. Particularly interesting for data protection is the chapter on digital environment¹³, which was inserted in a later draft.

In December 2011, the 27 EU heads of government have evaluated ACTA unanimously positive. In parallel, however, they have worked on several legal opinions, which – a possible paper topic on its own – affected the transparency of European parliamentary; no official German documents on these opinions were accessible. Opinion SJ-0501/11¹⁴ concerned the question of conformity of ACTA with European Law and applicable international obligations of the European Union (EU). The digital environment unfortunately was mentioned in only one sentence. During the presentation¹⁵ of this opinion several Members of the European Parliament (EP) broached the subject again and finally received an enlarged explanation of the Legal Service of the European Commission¹⁶. The legal opinion SJ-0661/11¹⁷, which had been requested by the Chairman of the Legal Committee of the EP treated the question of whether ACTA is compatible with the general principles of European Law, in particular with fundamental rights of the Treaty on European Union¹⁸ («conformity with fundamental rights»).¹⁹ The Legal Service of the European Commission stated: ACTA is not incompatible with fundamental rights. On the contrary, several provisions of ACTA require compliance with fundamental rights if the parties implement the agreement. The principle of proportionality of a measure is taken into account because it is expressly stated in Article 6 that each party shall ensure an appropriate balance between the infringement´s severity, the interests of third parties and the applicable measures, remedies and penalties. Section 5 of ACTA makes no reference to a graduated response (three-strikes model). Paragraphs 2 and 3 of Article 27 of ACTA provide procedures to be applied in order to avoid barriers to legitimate activities, e.g. within the e-commerce. These procedures are subjected to principles as freedom of expression, fair trial and the protection of privacy. Article 27 paragraph 4 states that information from an Internet Service Provider (ISP) has to be disclosed on the decision of authorized national authorities, which must be undertaken in accordance with the national laws of each agreement´s party.

Article 15 of Directive 2000/31/EC²⁰ provides that Member States cannot impose on intermediaries such as ISPs a general obligation to monitor information. This has been recently confirmed by the ECJ.²¹ Consequently, European Law prohibits the «general supervision» of the Internet but it says in Article 8 paragraph 1 of Directive 2004/48/EC that the judicial authorities may, within a clearly limited lawsuit for infringement of an intellectual property right, authorize the disclosure of certain information. This has also been confirmed by the ECJ, which noted that the possibility is not excluded that Member States may, according to Article 8 paragraph 1 of Directive 2004/48/EC, provide an obligation of disclosure to access providers.²² This is, despite the reassuring opinion of the Legal Service, the starting point for data protection concerns. It is not clear how this obligation to disclosure could be enforced without risking a general obligation to monitor. Both the text of the treaty and the legal opinion contain no details how to solve this conflict.

Article 4 paragraph 1 suggests that parties have no obligation to disclose personal information if this is contrary to their national data protection law. This restriction applies – according to the letter of the agreement – only to disclosure of data by the party, it does not extend to the disclosure of such data by private bodies (e.g. by ISPs) to third parties. Article 11 theoretically allows the enforcement of a very comprehensive disclosure of personal information and is inaccurate to such an extent that a large number of innocent people could undoubtedly be affected. This especially applies to the concepts of, first, «alleged infringer» and, second, «third parties», who were suspected of being involved in the production and distribution of such goods or services. Already the assertion of an infringement by the copyright owner seems to be sufficient. Malicious gossip has it that ACTA in practice provides a «step program»: To enforce first the finding of IP addresses that may have been used for the breach of intellectual property rights; second the disclosure of information about other IP addresses (and thus their owners), who then confirm the vague assumption of an infringement. Article 11 could thus support temporary injunctions that intend to monitor and analyze the Internet usage of all customers of an ISP, if only one of the right owners could prove that ISP customers have infringed his copyright. This idea is supported by the wording «for the purpose of collecting evidence.» This could also be interpreted in a way that the information to be disclosed even has not (yet) to be conclusive, but contributes to gather evidence. Also the question of «surrender this information to whom?» comes not without problems. Article 11 provides that the court shall order – on reasoned request – to disclose information for the purpose of gathering evidence 1) to the court or 2) to the right owner. Point 1) could already jeopardize the right to a fair trial, but certainly does so point 2). Article 27 paragraph 4 also lacks of a detailed explanation of what means «necessary evidence». It seems to be left to the individual parties (of ACTA) to define the scope of discretion which they wish to forward to their judicial authorities. This threatens the principle of a fair trial as it is easily conceivable that even in interlocutory proceedings requests for the disclosure of information could be enforced without notification of the respective data subjects or the public. Moreover, it is not clear what sort of «judicial authorities» and «process» are meant. Article 11 certainly applies to civil proceedings and therefore to civil courts; Article 27 is less clear, it refers only to the «competent authorities», neither whose independence nor impartiality could be guaranteed.

A view into Article 34 brings us to the question of cross-border data transfers. These can be divided into three forms: International cooperation between the ACTA parties and the disclosure of information (including personal information), the possibility of cross-border transfers of such data between private persons on the one and between private and public institutions one the other side, and vice versa. ACTA completely ignores that a data transfer to a receiver outside the EU / EEA (third countries) is subjected to strict regulations; Article 25 and Article 26 of the European Data Protection Directive (EU-DPD)²³ define its legal requisites. Article 25 allows such data transfers only to countries which ensure an adequate level of data protection, otherwise the transfer is prohibited. Most of the parties of ACTA are not on the list of countries assessed by the European Commission that recognizes on a case by case basis an adequate level of data protection. This means that these data receiving countries have to meet the provisions of Article 26 paragraph 1 EU-DPD or that the parties of the transmission have to guarantee safeguards in accordance with Article 26 paragraph 2 EU-DPD.

Because of these data protection concerns the Commission was wise to formally ask²⁴ the ECJ for an opinion on ACTA on the basis of Article 218 Paragraph 11 of the Treaty on the Functioning of the EU²⁵. The Commission asked the ECJ whether ACTA is compatible with the European Treaties and in particular the Charter of Fundamental Rights of the EU²⁶. The Commission then unsuccessfully expected the European Parliament to come up with its decision on ACTA after the opinion of the ECJ. Nevertheless, the opinion of the ECJ will give an important view and certainly a direction for other²⁷ legislative initiatives.

IPRED2, the revised version of IPRED, is already «lurking» behind ACTA. Within IPRED we find provisions regarding evidence (Article 7), right to information (Article 8) and provisional orders as well as precautionary measures (Article 9). The provisions of IPRED appear as imprecise as those in ACTA, thus IPRED2 was often called the «evil twin»²⁸ of ACTA. The European Commission started considering the amendment of IPRED in order to tackle²⁹ threats to intellectual property rights on the Internet, in particular websites with content that violates copyrights. The Commission´s proposal paper does not list specific measures for this purpose and merely refers to an initiative for a system of notification and action³⁰. Particularly affected are the scope of the Directive, the role of intermediaries, the extent of (temporary) orders, the right to information and the calculation of damages.³¹ From a data protection perspective IPRED2 signifies at least one step forward because the Commission has recognized the problem of the relationship between the right to information and the protection of privacy and proposes³² to clarify the rules for the disclosure of personal information by ISPs and the definition of «commercial scale» of infringements. That aims to ensure preliminary investigations to affect only professional counterfeiters rather than individual consumers. Civil recovery actions in summary trials are still part of the Directive, however without three-strikes-models and internet blocks, against which also the German government has argued. Right holders and collecting societies want to – in return – claim extended liability obligations of the ISPs. The Commission now intends to conduct an impact study and to review the proportionality of these approaches.³³

TPPA is an initiative that started two years after the ACTA process. It relates to the Pacific and its content is similar to the early ACTA drafts. It is known less about the TPPA content than that of ACTA. In a joint statement in 2012³⁴, EU Commissioner Viviane Reding and U.S. Secretary of Justice Eric Holder confirmed that the TPPA negotiations are to be continued. The actual negotiations on TPPA between the EU and U.S. have brought an internal document³⁵ to light, with which further plans of the EU Commission for a far-reaching intervention in the freedom of the internet have come to public attention. Several errors of ACTA are obviously to be repeated in TPPA:

The contents of TPPA are negotiated in secret meetings and lack of real transparency, an insight into the actual negotiation documents is still not possible. Consequently, only the competent committee of the Parliament of the negotiating EU Commission will be informed, while the public has to rely on the statements of the negotiators or on leaked documents. The «Die Grünen» MEP Jan Philipp Albrecht, called the procedure as undemocratic, mainly because of the dimension of the agreement, which also includes «non-tariff barriers to trade» ³⁶. Austrian Social Democrat MEP Martin Ehrenhauser complains that «the EU Parliament has learned nothing from the fiasco ACTA»³⁷. Similarly, with a shake of the head, answers the Austrian Social Democrat MEP Joseph Weidenholzer³⁸: Only the business community from the «Industry Advisory Committee» can get an insight into the contract drafts and comment on them, while the EU Parliament and representatives of civil society are left out in the cold. «Without transparency a second ACTA impends. ACTA ‹died› among other reasons, because of no acceptance by the public, and therefore could not be achieved in Parliament».

The restrictions of (digital) fundamental rights, justified by the intensified enforcement of copyright infringement, already would have doomed ACTA. Therefore, the subject of IP chapter should be excluded from the talks and negotiated separately, Ehrenhauser says. He criticizes: «Only one year after the rejection of ACTA there is a new attempt to cement outdated copyright via international treaties»³⁹. It also has to be highlighted that «TPPA would place greater Liability on Internet Intermediaries. For example, this would require Chile to rewrite its forward-looking 2010 copyright law that currently establishes a judicial notice-and-takedown regime, which provides greater protection to Internet users’ expression and privacy than the DMCA»⁴⁰.

The non-transparent negotiations could possibly allow the negotiators to make present any statutory provision as basis of the ongoing negotiations, especially provisions on Privacy wherein the approaches between the EU and the US differ widely. Thus, TPPA highlights again the tension between the US and the EU if it comes to the concept of Privacy. When it comes to Privacy then Americans and Europeans used the same words at the 7th European Data Protection Day in Berlin. But these words apparently have a very different meaning. U.S. diplomat John Rodgers warned in his speech⁴¹ against too strict rules because these might even «instigate a trade war». «We have the right to privacy in our constitution, but that is no fundamental right to privacy,» according to Rodgers. Especially the «right to be forgotten» would result in a global world of trouble, the deletion of personal information is not technically feasible. Ultimately, data means billions of euros that circulate between the continents. On the other hand, Martin Selmayr, Head of Cabinet of the EU Commissioner Viviane Reding explained⁴² that the «right to be forgotten» was not designed as an absolute right in the Commission´s proposal, but would apply only for the internal relationship between a provider and a user. If the latter want to «have back» its data from a service, the data must be deleted, but this will not concern a restriction of the freedom of expression or censorship of descriptions on third parties in the press. Leaked draft texts of the agreement show that the IP chapter would have extensive negative ramifications for users’ freedom of speech, right to privacy and due process, and hinder peoples’ abilities to innovate. TPPA e.g. will require signatory counties to adopt heightened copyright protection that advances the agenda of the US entertainment and pharmaceutical industries agendas, but omits the flexibilities and exceptions that protect Internet users´ privacy and technology innovators. Ehrenhauser says that «the Parliament has declared itself against the respect of European Data Protection regulations by the United States. Personal information of European citizens are threatened to be sold in favor of profits of large corporations. This approach is completely unacceptable and inappropriate to the mission of the Parliament»⁴³.

CETA is a planned European-Canadian trade agreement, whose negotiations proceeded almost secretly. Canadian lawyer Michael Geist says⁴⁴ that Canada had been negotiating with the European Commission on this agreement since 2009, the responsible press office lately confirmed this.⁴⁵ The CETA draft and the final version of ACTA are very similar, the section on Copyright is taken over almost word for word. The question remains whether CETA contains an ACTA-similar chapter on digital environment. The EU Commission contradicts this⁴⁶ but gives no further indications how the current content looks like – the respective documents are confidential. Since the current status of the agreement´s wording has not yet been officially released, its impact on privacy and data protection rights still cannot be judged. However, there are provisions similar to those in ACTA, e.g. Article 17 on the right of information.⁴⁷ Both CETA and ACTA speak of «cooperative efforts» between ISPs and rights holders. These efforts could be interpreted as an intention to introduce a system of three-strikes for copyright infringement and, in case of repetition, to react with Internet blocking penalties. Furthermore, provisions are planned to identify the alleged infringer behind an IP address. John Clancy, spokesman of EU Trade Commissioner Karel De Gucht tweeted, on 11 July 2012, that this plan is no longer part of the current CETA draft. On the same day, he stressed that the published⁴⁸ CETA version was of February 2012 and there have now been further changes to it; additional corrections could follow, because negotiations are still ongoing.⁴⁹ Albrecht states: «You have to first make it clear that not ACTA but CETA is having a comeback, which is a European-Canadian trade agreement and will be taken up again. However CETA adopts some of the substantive provisions of ACTA. That’s why it would be, from a democratic point of view, very questionable if the Commission should now try to direct negotiations with Canada in order to bypass decisions that have been taken by the Parliament through the back door. That would be an affront to the European Parliament.»

IPRED2, TPPA and CETA illustrate that the end of ACTA is far from being the end of the content of ACTA. Members of the European Commission apparently are still of the opinion that the failure of ACTA was an unhappy accident, but its contents were actually correct. Therefore it is important to highlight their «common denominator» from a data protection perspective. Given the fact of not fully available information it can be named – in its best case – a «foreseeability» of a common denominator. Net activist Markus Beckedahl says: «[...] even if ACTA is dead, the ideas behind it, as real-time monitoring of the Internet, network locks and three-strikes solutions will be constantly coming back at all levels.»⁵⁰ Although not in such dramatic way it must be feared that the impact of these legislative initiatives on data protection will be of our concern in the future. A quotation of a representative of the European Commission whilst a meeting of TRIPS⁵¹ expert group of the EU Council on 7 February 2012 underlines this: The main purpose of ACTA is that this agreement «in the medium term will become international standard».⁵²

Foreseeable is, inter alia, that a) lawyers and Internet community will disapprove of these initiatives as long as the wording regarding copyright enforcement and privacy controls is not specific enough and the steps, conditions and limits of legal guarantees within the enforcement of intellectual property rights remain inadequate; b) alleged infringers will suffer a defective right to a fair trial within civil prosecutions;⁵³ c) the enforcement of such claims will increasingly shift to private actors such as ISPs; enforcement activities of ISPs, which basically are under the jurisdiction of prosecuting authorities, will raise a number of concerns; d) enforcement measures will include the international sharing of personal information on alleged infringers by public authorities and private actors; data transfers must then be carried out in non-EU/EEA countries, transfers to third countries that are possibly illegitimate; e) these initiatives will come with a monitoring of consumer behavior and their electronic communication. These measures are currently disproportionately impacting on the right to privacy and breach⁵⁴ Article 7 and Article 8 of the ECHR⁵⁵; f) negotiations on these initiatives will be kept as opaque as possible as long as policy makers fear an essential disagreement of the population (in terms of privacy concerned persons).

Privacy- and data protection principles seem to be fulfilled and thus solutions attainable if future drafts ideally meet the following requirements, most of them presented by the European Data Protection Supervisor⁵⁶, demanding a) enforcement measures to be expressly limited to fighting the most serious offenses and not to allow a massive transfer of data relating to alleged violations of intellectual property rights, b) a precise definition of what means «reasoned request», «alleged infringer», «the purpose of gathering evidence», «relevant information», «people who were involved in the infringement or alleged infringement», «most serious offenses in a commercial scale», «information identifying the subscribers», «competent authorities» entitled to order interim measures and other⁵⁷ unclear definitions, c) precisely regulated conditions that must be fulfilled by the rights holders and a clarification of obligations for data controllers, d) that the parties and those affected of the data transfer are both precisely identifiable, e) that data transfers will only take place between directly responsible authorities and not between third parties such as private actors and other authorities, and that a retransmission to other recipients is not allowed if not required for a specific investigation, f) a determination of the safety conditions under which private actors can be involved in the collection of personal information as well as their interaction with authorities, g) specific conditions and safeguards for international data transfers, this includes whether the initial purpose of the collection is preserved during the data transfer, h) a clear specification of amount and type of personal information necessary to enforcement claims and the limitation of transferred personal information to the bare minimum needed, i) the anonymization of personal information during the investigation phase and otherwise an identification of an alleged infringer only in accordance with the law and subject to judicial review, j) the determination of the method whilst collecting and processing personal information, particularly whether a so-called «push system» or «pull system» will be used, k) a regulation of the retention period and purpose for which such retention is necessary and proportionate, l) to revise the conditions of «voluntary cooperation» within enforcement measures, m) provided mechanisms to allow individuals the right to appeal to an independent data protection authority and to an independent and impartial tribunal, so that legal safeguards for the defendants are precisely regulated, n) compliance with the requirement of transparency, particularly to inform data subjects about the purpose of data processing, as well as about their rights and how to exercise them.

Albrecht, P. (2013). Jan-Philipp Albrecht: «Damit ist ACTA vom Tisch». Retrieved October, 15th, 2013 from http://www.arte.tv/de/jan-philipp-albrecht-damit-ist-acta-vom-tisch/7377912,CmC=7377954.html.

Beuth, P. (2012). Nach Acta ist vor Ceta. Retrieved March, 17th, 2013 from http://www.zeit.de/digital/internet/2012-07/nach-acta-kommt-ceta-indect-ipred.

Clancy, J. (2012). Retrieved March, 17th, 2013 from https://twitter.com/EUJohnClancy/status/223024344757059584.

Ehrenhauser, M. (2013). M. Ehrenhauser zu TTIP: «Das EU-Parlament hat aus dem Fiasko um ACTA nichts gelernt». Retrieved October, 15th, 2013 from http://www.ehrenhauser.at/m-ehrenhauser-zu-ttip-das-eu-parlament-hat-aus-dem-fiasko-um-acta-nichts-gelernt.

Electronic Frontier Foundation, (2013). Trans-Pacific Partnership Agreement. Retrieved October, 15th, 2013 from https://www.eff.org/issues/tpp.

Geist, M. (2012). ACTA Lives: How the EU & Canada Are Using CETA as Backdoor Mechanism To Revive ACTA. Retrieved March, 17th, 2013 from http://www.michaelgeist.ca/content/view/6580/135/.

Leichtfried, J. / Weidenholzer, J., (2013). Leichtfried/Weidenholzer zu EU-USA-Freihandelsabkommen: Chancen nutzen und BürgerInnen-Interessen vertreten. Retrieved October, 15th, 2013 from http://www.ots.at/presseaussendung/OTS_20130523_OTS0183 /leichtfriedweidenholzer-zu-eu-usa-freihandelsabkommen-chancen-nutzen-und-buergerinnen-interessen-vertreten.

Metzger, A. (2012). ARD Tagesschau of 2 February 2012. Retrieved March, 17th, 2013 from http://www.tagesschau.de/multimedia/video/video1055572.html.

Metzger, A. (2012). WDR 5 Politikum of 29 February 2012. Retrieved March, 17th, 2013 from http://gffstream-5.vo.llnwd.net/c1/m/1330541227/radio/politikum/ wdr5_politikum_20120229.mp3.

Moechel, E. (2012). ACTA soll Weltstandard werden. Retrieved March, 17th, 2013 from http://fm4.orf.at/stories/1694499/.

Moechel, E. (2012). Die Köpfe hinter ACTA in der EU-Kommission. Retrieved March, 17th, 2013 from http://fm4.orf.at/stories/1694349/.

Prantl, H. (2012). Warum der Europäische Gerichtshof Acta stoppen muss. Retrieved March, 17th, 2013 from http://www.sueddeutsche.de/digital/anti-piraterie-abkommen-warum-der-europaeische-gerichtshof-acta-stoppen-muss-1.1291038.

Rodgers, J. (2013). Speech at 7th European Data Protection Day in Germany in Berlin. Retrieved October, 15th, 2013 from http://www.heise.de/newsticker/meldung/US-Diplomat-warnt-vor-Handelskrieg-wegen-EU-Datenschutzreform-1792765.html?from-mobi=1.

Selmayr, M. (2013). Speech at 7th European Data Protection Day in Germany in Berlin. Retrieved October, 15th, 2013 from http://www.heise.de/newsticker/meldung/US-Diplomat-warnt-vor-Handelskrieg-wegen-EU-Datenschutzreform-1792765.html?from-mobi=1.

Spiegel Online (2012). Umstrittene Handelsabkommen: Auf Acta folgt Ceta. Retrieved March, 17th, 2013 from http://www.spiegel.de/netzwelt/netzpolitik/abkommen-ceta-gleicht-acta-wortwoertlich-a-843826.html.

U.S. Intellectual Property Enforcement Coordinator (2012). 2011 Annual Report on Intellectual Property Enforcement. Retrieved March, 17th, 2013 from http://www.whitehouse.gov/sites/default/files/omb/IPEC/ipec_annual_report‌_mar2012.pdf.

---

 

Philipp E. Fischer

Ph.D. cand. (Barcelona), Information and Knowledge Society Doctoral Programme, Internet Interdisciplinary Institute; LL.M. in Intellectual Property Law (London / Dresden); Data Protection Officer & -Auditor (TÜV)

research@philippfischer.de, http://www.philippfischer.de

Chief Compliance Officer & Chief Privacy Officer, SuiGenerisData GmbH

Münchner Straße 18, 85774 Unterföhring, DE

pfischer@suigenerisdata.com, http://www.suigenerisdata.com

 

---