- European Union
- New Zealand
- South Korea
- United Kingdom
- United States of America
In January 2011, several Belgian members of the Parliament introduced the Proposition de loi favorisant la protection de la creation culturelle sur internet -- or “A Proposal to Foster the Protection of Cultural Creations on the Internet” (the Proposal). Mimicking the French HADOPI legislation, the Proposal would create a four-strikes policy for Internet users accused of copyright infringement. The Proposal, which has thus far not been adopted, includes troubling provisions for tasking ISPs to block sites that allegedly facilitate the sharing of copyrighted works, disclosing the personal data of alleged infringers, and shutting off the Internet access of repeat infringers.
In the first instance of infringement, users receive a warning (Article 17.1). The second time a user infringes on copyright results in a fine if the new violation takes place within six months of the initial warning (Article 17.2). On the third violation, a public prosecutor is notified, who then decides whether to bring the case to court or offer a financial settlement (Article 18). Once brought to court, a judge can impose a fine and/or restrict the user’s access to a public online communication service. At this point, only broadband Internet can be blocked, which renders downloading extremely difficult. Finally, in any case of repeated infringement (four or more times), access to the Internet can be completely severed and the fine can be doubled (Article 18.8).
Like the French Hadopi law, the Belgian Proposal plans to introduce a graduated response plan to copyright violations. The Belgian Proposal is slightly less severe than the French Hadopi law in that only broadband Internet is cut off at the third stage. Access to the Internet is entirely disconnected upon additional instances of infringement.
Two Belgian laws seem to suggest ways for filtering websites that host infringing content: the Intellectual Property Act (30th June 1994), and the Act Regarding Certain Judicial Aspects within the Information Society (11th March 2003).
The 1994 Act provides that, when an infringer uses the services of an intermediary to perpetrate copyright infringement, the rightsholder can petition the court to issue an order against that intermediary (Article 86ter). The main principle of the 2003 Act is that of “mere conduit”, exonerating ISP’s – under certain conditions – from liability for transmitting information (Articles 18-20). Whenever an ISP becomes aware of illegal activity (i.e. illegal file-sharing), it must immediately inform the Public Prosecutor and can block access as long as the prosecutor has not made a decision (Articles 20 §3, 21 §2).
Apart from the ISPs being obliged to notify the prosecutor of any infringement, Ministry officials can investigate possible infringements as well. Ministry officials can send a warning and/or propose a settlement fine to the user and, at a later state, notify the public prosecutor (Articles 22-24).
Recent case law developments, both in Belgium and in other Member States, indicate that ISPs may indeed be asked to render specific websites inaccessible to their subscribers when copyright infringements have taken place on these websites. The court will then rule upon the blocking procedure. In a recent case, the Court opted for DNS-blocking instead of IP-blocking, believing IP blocking would burden ISPs too heavily. The recent ECJ decision in the Scarlet v Sabam Case, however, will most likely put Belgian case law back on the right track. In this landmark case, a Brussels Court of Appeals had asked the European Court of Justice whether an ISP can be ordered to preventively filter and block electronic communications for copyrighted material. The ECJ ruled such filtering and blocking would be contrary to EU law and would violate fundamental civil liberties such as people’s privacy, freedom of information and free speech. For more information, see our page on EU law.
After having been notified about a copyright infringement, the public prosecutor could demand the ISP to collaborate by turning over all files in its possession or by allowing access to its customer database. Under the current proposal, the ISP would subsequently have to designate an internal “Judicial Coordination Cell” which would collaborate with the judicial authorities.
In some circumstances, the “Judicial Coordination Cell” would directly allow the NTSU-CTIF, an interception service of Belgian police, to consult the ISP’s databases.
The referrals would contain much personal data of the user, including timestamp, payment details, IP address and data to identify the computers of all parties involved. Originally a time limit of 24 months was proposed, but the Privacy Commission rightly advised a shorter period. Thus, if the proposal were to pass, the referrals would be stored for 12 months. Files would be automatically erased after this time. ISPs would receive compensation for additional costs associated with the storage of the files.
Facts and Figures
On May 4, 2010, Chile adopted a new law (ES) (EN) regulating Internet Service Providers’ liability for online copyright infringement. The law requires a judicial order before Internet service providers (ISPs) are required to take down allegedly copyright-infringing material from websites, block access to an allegedly infringing website, disclose customer information, or terminate customers’ Internet accounts.
The 2010 Intellectual Property Act implements Chile’s obligations regarding Internet Service Provider regulation in the 2004 U.S. – Chile Free Trade Agreement.
Notice and Takedown
In general terms, the Act mirrors the approach taken in the U.S. Digital Millennium Copyright Act. It creates four safe harbors for network service providers. If Internet service providers comply with the conditions set out in the legislation they are exempt from financial sanctions arising from copyright infringement claims. However, Internet intermediaries are still subject to injunctions, and other reasonable judicial measures aimed at blocking online access to particular alleged copyright-infringing content.
The law provides safe harbors for four types of activities of Internet service providers: providing data transmission, routing or connection services (Article 85 M); providing temporary data storage or caching (Article 85 N); storing data in their network or system at the request of users or on behalf of third parties (Article 85 Ñ); and performing searches, providing links or referring users to an online site by using information location tools, including hyperlinks and directories (Article 85 Ñ).
In order for a data hoster or location tool provider to qualify for the safe harbor from from liability, it has to comply with various conditions including that the ISP: (a) has no actual knowledge of the unlawful nature of the data, which is defined to mean that it has not received an order from a competent court directing it to remove or disable access to particular content; (b) does not receive a financial benefit directly attributable to the infringing activity, in circumstances where it has the right and ability to control such activity; (c) publicly designates a representative to receive the notifications as set forth in the regulation; and (d) expeditiously removes or disables access to the stored material upon receiving notice. In addition, these ISPs must also meet certain other conditions, including: (i) adopting a general public policy providing that it has the authority to terminate the agreements entered into with content providers *declared* repeat infringers by court resolutions; (ii) not interfering with technological and rights management measures relating to copyrighted material that are widely accepted and lawfully used; and (iii) not having initiated the transmission, nor having selected the material or its recipients. The Chilean Act exempts ISPs who perform searches or link or refer users to an online site by using information location tools from this last obligation.
Chile’s ISP law has a unique feature that sets it apart from other simllar regulatory frameworks in other countries (and in particular, in countries that have incurred obligations to regulate ISPs in a particular manner because of Free Trade Agreements with the United States). It’s notice and take down procedure is subject to a final review by a judge, rather than left to the individual ISP’s discretion. This framework is grounded in Chile’s human rights obligations as a signatory of the San Jose Pact and as a Member of the Organization of American States. (See the "Human Rights and Internet Intermediary Regulation in Chile" page for more in-depth analysis on this issue.)
Article 85 Q sets out the notice and takedown procedure that Chilean ISPs must follow in order to qualify for the safe harbors. Finally, Article 85 R of the Act sets out the preliminary measures that a court may order an ISP to take, including removing or disabling access to particular content; and the termination of accounts of declared repeat infringers. Article 85 Q expressly requires petitions for such orders to clearly and specifically identify the relevant content to minimize harm and the possibility of restricting access to legitimate content.
Internet service providers are only required to provide information about the identity of customers that they allege have engaged in copyright infringement on receipt of a court order. Article 85 S of the 2010 Act states that a judge may order an ISP to disclose the name and address of an alleged infringer to a rightsholder that has filed a lawsuit alleging infringement.
Processing of the data that is disclosed shall be subject to the existing 1999 data protection and privacy law. Although Chile is a member of the Organization of American States, protects privacy under Article 19 of its Constitution, and has existing laws governing privacy and protection of data, these have been criticized for the inadequate protection they provide.
Copyright holders can seek preliminary or permanent injunctions from courts, requiring ISPs who provide data transmission or connection services to "adopt reasonable measures" to block access to particular infringing content, provided that the blocking does not disable access to other legal content.
Article 85 R requires Chilean courts to decide these cases in a summary procedure, taking into account the relative burden of orders sought on the Service Provider, Internet users and subscribers; the potential harm to the copyright owner; the technical feasibility and effectiveness of the order sought; and whether a less burdensome enforcement mechanism is available. Courts can decide applications for preliminary injunctions without the affected content provider being present so long as the copyright holder posts a security bond to compensate for any losses inappropriately incurred to the blocked site. Courts must provide an affected content provider an opportunity to oppose a permanent injunction affecting its website.
On April 4th, 2011, German Vargas Lleras, Colombia’s Minister of Interior and Justice, proposed a bill before the Colombian Congress intended to regulate Internet intermediary liability for their users’ online copyright infringement and to legally fortify copyright laws. Called the Lleras Act, it was based on the U.S.’s Digital Millennium Copyright Act (DMCA) and a 2010 Chilean Intellectual Property Act, and it was a means for domestic regulation to comply with the Free Trade Agreement (FTA) (also known as the U.S.-Colombia Trade Promotion Agreement). The FTA, which relates to copyright, was signed between the United States of America and Colombia in 2006 and formally signed into U.S. law in October 2011.
Due to the vague language of the proposal and the unrealistically excessive penalties for alleged infringers, the Lleras Act would have effectively forced service providers to spy on, disconnect, and censor their users in the name of protecting copyright. The bill was framed as removing copyright liabilities from intermediaries, when it would have actually enforced strict measures on them to extra-judicially uphold copyrights.
The Lleras Act was controversial from the moment it was introduced. The bill did not go through a public debate period, denying Colombian civil society and citizens the right to study and discuss the implications of the bill before it was put forth to Congress . Many aspects of the bill were simply unrealistic. For example, Article 11 of the government’s first draft would have forced intermediaries to act upon the rightsholder’s reports of infringement within the very short timeframe of 72 hours of being notified. ISPs would have had to take down or block content immediately, while the proposal allowed a lax “reasonable period of time” for an ISP to address a user’s request to restore the disputed content. Article 17 of the initial government draft included text on criminal charges for copyright infringement, even though the FTA had already enacted harsh penalties - including a prison sentence for up to 8 years.
The Lleras Act created public outcry, and civil society activists heavily campaigned to challenge and defeat this proposal before it could pass. On November 2, 2011, responding to several months of widespread advocacy, the Senate archived the Lleras Act, thereby defeating it. However, there is speculation that the Ministry of Technologies will be drafting a new similar bill as soon as January 2012. Even though it was ultimately filed away into the legal archives, the Lleras Act was an important milestone for the copyright reform movement in Colombia.
What is notable about this proposal was how it rallied newfound fervor for the net freedom movement in Colombia and across Latin America. Amidst many recent socio-legal reforms, this kind of civil reaction to a proposed law has been uncommon. There had never been a bill introduced in Colombia that so explicitly targeted copyright in a way that posed such a threat to freedom of expression. Moreover, its defeat will most likely help to prevent similar models of excessive copyright enforcement from being duplicated elsewhere, especially in Latin America. While this was a victory for Internet users, there is sure to be similar legislation introduced in the near future that addresses the terms of the Colombian FTA.
The Lleras Act would have provided safe harbors for service providers, but in order for an intermediary to be exempt from liability it would need to comply with a series of requirements transcribed from the text of the FTA, and therefore from the DMCA. The first draft of the Lleras Act provided for the ISP to take down content, block access to a specific non-domestic online location, or to completely terminate specified users’ accounts.
It could sanction service providers accused of facilitating piracy, considering them co-infringers and therefore just as responsible for any copyright infringement. Intermediaries would effectively lose their safe harbor. Users charged with multiple instances of infringement were tagged as “repeat offenders,” which could result in blocked pages and even suspended user access to the Internet. It should be noted that these provisions were moderated in later versions of the bill.
Article 15 of the first government-proposed Act stated, upon a rightsholder’s request, a judge may order the intermediary to submit information in order to identify the possible infringer. The article also specifically stated that “confidential information” was included. Moreover, the cancellation of access for “repeat offenders” entails that the user’s data must be preserved somewhere for potential future prosecution.
Because the procedures described in the Act utilize intermediaries as the main policing force, it also implies that they will be holding these records for an indeterminate amount of time.
In two cases before the European Court of Justice (discussed further below), a copyright collecting management organization has asked an ISP and a social media platform to filter all network communications – inbound and outbound – for potential copyright infringing material. As the European Court of Justice ruled recently in one of those cases, such a broad network-level filtering injunction would threaten users’ privacy and fly in the face of the foundational principles underpinning many countries’ Internet intermediary laws – that mere conduit ISPs should not face liability for merely passing on packets, and the prohibition against requiring ISPs to monitor their customers’ communications as a condition for benefiting from limited liability regimes.
This page highlights both recent efforts to turn Internet intermediaries into copyright police, and several provisions of European Union law that were expressly intended to protect citizens’ rights in the context of online copyright enforcement. Because European Union law sets the parameters of legal rights and responsibilities in the 27 EU Member States and is highly influential in neighbouring countries and the members of the European Economic Area, looking at how the relevant EU Directives are interpreted at European Union level is vitally important.
A mesh of overlapping EU Directives set out the legal obligations of Internet intermediaries and Internet users’ rights of privacy and freedom of expression under European Union law. Each of these directives must, in turn, be implemented into EU member states’ national laws. As a result, the actual scope of Internet intermediaries’ obligations and Internet users’ rights depends on the national laws which implement this framework, and the way that national laws balance competing legal duties, such as enforcement of intellectual property rights, and protection for EU citizens’ privacy and personal data.
The primary provisions regulating liability of “Information Society Service Providers” are in Articles 12-15 of the EU e-Commerce Directive, 2000/31/EC (the ECD). It sets up a framework for limited liability for Information Society Service Providers that meet certain conditions for facilitating communications as a mere conduit (Article 12), caching (Article 13) and for hosting of others’ content (Article 14). The ECD framework is not limited to potential ISP liability for copyright infringement. It creates a horizontal framework that applies to other bases of liability, such as defamation. The ECD does not prevent courts from issuing far-reaching injunctions against ISPs. For copyright enforcement, Article 8(3) of the Harmonization of Certain Aspects of Copyright and Related Rights in the Information Society Directive (2001/29/EC) sets out what type of injunctions must be available to rightsholders under EU member states’ laws in relation to copyright. The actions that copyright owners can take against ISPs are set out in the IPR Enforcement Directive, 2004/48/EC. Amongst other things, it includes a right for IP rightsholders to obtain information about the identity of alleged infringers from any one in the chain of distribution, including Internet intermediaries.
The EU Personal Data Directive (1995/46/EC) and the EU Electronic Privacy and Communications Directive (2002/58/EC, as amended by Directives 2006/24/EC and 2009/136/EC) create the framework for protection of EU citizens’ privacy and personal data. In addition, Internet users’ rights to privacy and free expression are enshrined in the Charter of Fundamental Rights of the EU, which binds all EU member states on issues covered by EU law,came into force in December 2009. EU Member States must act and legislate in accordance with its provisions when implementing EU legislation or acting in an area covered by EU legislation. In addition, all EU Member States are party to the Council of Europe’s European Convention on Human Rights and Fundamental Freedoms, which also requires states to protect citizens’ fundamental rights and the Union itself is in the process of negotiating ratification of this instrument.
Finally, the propose Anti-Counterfeiting Trade Agreement includes a number of provisions governing Internet intermediary liability, including requirements for signatory countries to have laws allowing rightsholders to obtain broad injunctions against Internet intermediaries and other third parties (Arts 8, 12); requirements for signatory countries to “promote cooperative efforts within the business Community” for online copyright and trademark enforcement (Art. 27(3)) and mandatory disclosure of Internet users’ identities (Arts. 4, 27(4)). If the EU decides to accede to ACTA (which is by no means clear, particularly in light of pending questions about whether ACTA is compatible with EU law), these provisions will have a direct impact on current EU law – in particular interpretation of existing provisions and scope for revision/improvement.
The European Parliament has expressly rejected non-judicial Three Strikes automatic Internet disconnection policies on two occasions. In 2008 a parliamentary report on the Cultural Industries in Europe (European Parliament resolution of 10 April 2008 on Cultural Industries in Europe (2007/2153(INI)), Culture and Education Committee, CULT/6/40018, adopted 10/04/2008, paragraph 23) declared that:
“The Internet is a vast platform for cultural expression, access to knowledge, and democratic participation in European creativity, bringing generations together through the information society [and calls] on the Commission and the Member States, therefore, to avoid adopting measures conflicting with civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness, such as the interruption of Internet access.”
This was enshrined in European Union law in 2009 in the Telecoms Package framework revision agreed by the European Parliament, the European Council, and the European Commission. Although somewhat weaker than the original proposed amendment 138, the adopted Article 1(3a) of the Framework Directive on electronic communications states that EU Member States may only adopt measures interfering with citizens’ ability to access and use the Internet in limited circumstances (Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, as amended by Directive 2009/140/EC):
“Measures taken by Member States regarding end-users’ access to or use of services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law.
Any of these measures regarding end-users’ access to or use of services and applications through electronic communications networks liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law, including effective judicial protection and due process. Accordingly, these measures may only be taken with due respect for the principle of presumption of innocence and the right to privacy. A prior fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to an effective and timely judicial review shall be guaranteed.”
It is worth noting that Member States were very keen to include text stating “measures taken by Member States” in the text – possibly with the view that “voluntary measures” that intermediaries have been coerced into would not be legally considered as measures taken by Member States.
Europe has been at the forefront of IP rightsholders’ efforts to impose filtering obligations on ISPs for many years.
In the European Parliament, a lobbyist memorandum produced by the International Federation of Phonographic Industries and circulated to European Parliament staffers in November 2007 called on the European Parliament to mandate that ISPs block communications using particular Internet protocols, install network-level filtering and block access to websites that facilitate copyright infringement.
In December 2007, a proposed amendment to a report from the European Parliament’s Cultural Affairs Committee would have required ISPs to filter their networks and customer communications in order to find evidence of potential infringement.
And in September 2010, the European Parliament adopted the controversial non-legislative Gallo Report on Enforcement of Intellectual Property Rights in the Internal Market, which called for voluntary agreements between rightsholders and ISPs to harmonize IP enforcement efforts across EU member states and “[s]tresses that all parties concerned, including Internet service providers, must join in the dialogue with stakeholders in order to find appropriate solutions” and failing that, called on the Commission to “submit a legislative proposal or to amend existing legislation, particularly Directive 2004/48/EC, so as to upgrade the Community legal framework in this field”.
Outside of European Parliament, the European Commission pressed for website blocking through voluntary agreements for several years. In 2009-10 the Commission’s Directorate General on Internal Market held stakeholder dialogues on “illegal uploading and downloading” – a set of informal meetings focused on “voluntary measures”. The first meeting between industry representatives to consider the specifics of voluntary agreements was held prior to the release of the European Commission’s September 2009 Communication on IPR Enforcement, which called for voluntary agreements and non-legislative measures to address online copyright infringement. Reports indicate that ISPs were compelled to join the discussions under the threat of legislation. Website blocking and DNS manipulation were discussed at another meeting in April 2010, where rightsholders argued that if ISPs can block child exploitation websites, they could also block websites for the purpose of copyright enforcement. Interestingly, when the EU institutions looked at the value of blocking child exploitation websites, they found that this was also unhelpful and rejected the Commission’s initial proposal to make EU-wide blocking mandatory.
Whether ISPs can be required to filter and block content for copyright enforcement at the network level has been a hotly contested issue in EU law. In 2010 two cases were referred to the European Court of Justice, asking for clarification on the scope of injunctions that can be issued against ISPs under EU law. In the first case, SABAM v. Scarlet, a Belgian court ordered ISP Scarlet to implement a filtering system to identify and block the transfer of music files for which Belgian collective management organization SABAM managed the copyright. The Court ordered Scarlet to install acoustic fingerprint software Audible Magic to filter inbound and outbound Internet communications within 6 months, under threat of a heavy daily fine. Scarlet objected, producing technical evidence showing that Audible Magic was not workable, and appealed on the grounds that the injunction violated the no general obligation to monitor principle in Article 15 of the eCommerce Directive. The same question is raised in the second case, SABAM v Netlog, still pending before the European Court of Justice, where the same collective management organization has sought a similar filtering injunction against social media platform Netlog.
In the first case, the European Court of Justice ruled in late November 2011 that “EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing the illegal downloading of files. Such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider, or with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information.”
The Court found that while the Charter of Fundamental Rights of the European Union requires protection of intellectual property, that is not an absolute right, and must be balanced with the obligation to protect citizens’ personal data and the right to seek and impart information also enshrined in the Charter. Because the injunction required filtering and blocking of any copyright material, for all time, and irrespective of whether a copyright holder had complained, it would require systematic monitoring of all electronic communications on Scarlet’s network and amounted to a general obligation on Scarlet to monitor its customers’ communications, in violation of the fundamental principle enshrined in Article 15 of the eCommerce Directive. Article 15 prohibits imposing a general obligation on Internet intermediaries to monitor their networks and platforms and provides that Internet intermediaries do not have to look for evidence of potentially infringing content on their networks to get the benefit of the limitation on liability. This principle is necessary to protect citizens’ fundamental right to privacy, which underpins the rights of freedom of expression and association.
Since the filtering injunction could not distinguish between unlawful and lawful content, the Court found that it could block lawful communications and would undermine Internet users’ freedom of expression. It therefore failed to strike a fair balance between the need to protect rightsholders’ intellectual property rights and the obligation to protect citizens’ fundamental rights.
The European Court of Justice’s careful ruling has significant implications for the future of the global Internet. In countries around the world, IP rightsholders have sought to impose filtering, blocking and termination obligations on Internet intermediaries through injunctions. By precluding pre-emptive, network-level filtering and blocking injunctions, the SABAM v. Scarlet ruling sets an important limit on this strategy for EU countries.
Whether rightsholders can force ISPs to disclose the identity of subscribers on an allegation of copyright holders is a hot issue in the EU because of the strong protection given to Internet users’ privacy and personal data. Courts in EU member states have come to widely differing conclusions on this issue. It was the subject of a 2008 ruling by the European Court of Justice in the Productores de Música de España (Promusicae) v.
Telefónica de España SAU case and is the focus of another case currently pending before the European Court of Justice.
The Promusicae case involved a request made by a Spanish music rightsholder association (Promusicae) to Spain's leading ISP (Telefonica) for personal data about Telefonica subscribers using dynamic IP addresses, which Promusicae alleged were engaged in filesharing using KaZaA software. The European Court of Justice was asked to interpret a mesh of overlapping EU Union laws (the EU E-Commerce Directive 2000/31/EC; the Copyright Harmonization Directive 2001/29/EC; the right of information in Article 8 of the IPR Enforcement Directive 2004/48/EC; and the circumstances in which collection and processing of personal data can be permissible under the Electronic Privacy and Communications Directive 2002/58/EC).
The Court was asked to answer the question: does European Union law require EU Member States that are implementing this suite of EU directives to impose an obligation on ISPs to divulge their customers' personal data to rightsholders in a civil copyright lawsuit? The court ruled no. But while this is not required, the Court left open the possibility that countries could choose to do so in their national law. It emphasized that how the competing obligations in these Directives are balanced is a matter for national law, but stated that EU Member States must implement all of these competing directives in a way which “allows a fair balance to be struck between the various fundamental rights” protected under EU law, and that they cannot rely on “an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality.”
While the Promusicae decision is clear, there have been concerted efforts to overturn this balance since then. In 2008, US IP rightsholders in their submissions to the US Trade Representative’s Office on ACTA asked for obligations to be imposed on Internet intermediaries to divulge the identities of alleged infringers and to “simplify” EU privacy laws. More recently, the key issue in the 2011 European Commission consultation on the review of the 2004 EU IPR Enforcement Directive was a call for information on whether the balance between copyright owners’ right to information for copyright enforcement under that Directive and the protection for personal data required under EU law should be redrawn in favor of disclosure to rightsholders.
Whether the collection and processing of personal data for a Three Strikes regime can ever comply with EU law is one of the questions raised in the pending appeal of the Judicial Review of the UK Digital Economy Act, and was considered in the prior EMI v UPC decision in Ireland.
In October 2009, France famously introduced a three strikes (graduated response) procedure in its IP code (Code de la Propriété Intellectuelle, art. L331-12 et seq.). The new law created an administrative agency (Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet, in short: Hadopi), with a general mission of protecting copyrighted material on the Internet (Article L331-13). Its overall budget exceeds 12M€ (18M$) per year.
In May 2011, UN Rapporteur Frank La Rue explicitly disapproved of the French three strikes law. This law raises serious concerns that are necessarily connected to filtering and taking down of content.
In short, Internet subscribers whose connection is repeatedly used to share copyrighted material may be disconnected from the Internet and may have to continue paying for the service (so-called ‘double pain’), or pay a fine.
Active since mid-2010, Hadopi is authorized to initiate proceedings when rightsholders (represented by professional organizations) file a complaint. These organizations (such as Trident Media Guard) surveil public filesharing networks and collect ‘evidence’ of alleged infringements. Hadopi then has two months to contact the relevant Internet Access Provider (IAP) and issue a (first) warning to the suspected infringer. This initial warning is only sent to the email address known by the IAP (usually the default IAP address). When Hadopi is notified of another alleged infringement within 6 months after the first warning or within 1 year after a second warning, another warning can be issued (art. L331-25). The third warning clearly states the possibility of criminal liability which can result in a €1,500 fine and/or disconnecting the individual for up to one month (art. L335-7-1). Originally, Hadopi was issuing orders for disconnection itself, but the Constitutional Court struck down this measure. Now these sanctions can only be issued by a judge after Hadopi has notified the public prosecutor.
Besides the many questions a potential disconnection raises, several major issues have caused a lot of critique. First of all, under this new legal framework, it is the Internet access subscriber, and only him/her, that is held liable (even when he or she doesn’t know about the allegedly illegal activity) (Article L336-3). This has resulted in a new obligation to secure one’s Internet connection.Hadopi is supposed to provide security tools for individual subscribers in the initial infringement notice, but they have yet to do so.Secondly, the basic presumption of innocence is reversed. In other words, the Internet access subscriber is presumed guilty and has the burden to prove otherwise.Another concern is that the whole Hadopi process is based on evidence (IP addresses) collected by private actors acting as copyright police, who have a financial interest in the process.
So far, Hadopi hasn’t notified the public prosecutor after a third warning was issued and no one has appeared before a judge. As a result, no disconnection has been ordered.
Together with the provisions establishing Hadopi, another article was introduced in the French IP law (article L336-2).
Although the Senate removed the word ‘filtering’ in the final version, the provision still allows courts to order ‘any person capable of contributing … to take any measure appropriate to prevent or stop online copyright infringement’. A recent amendment to the law even allowed Hadopi to grant subsidies to private surveillance and filtering companies. Not much later, though, the Constitutional Court ruled the amendment unconstitutional.
Case law has yet to bring much clarity. According to article 15 of the European eCommerce Directive, member states cannot impose a ‘general obligation to monitor’ (read: filter out potentially infringing content a priori). Nevertheless, some judges in France have expanded the traditional ‘notice and take-down’ principle to a ‘notice and stay-down’ principle. This means that when a rightsholder has requested a takedown of his content, the intermediary should prevent anyone from ever uploading that same content again. This trend, however, seems to have been reversed in a February 2011 Supreme Court decision (DailyMotion Case). In short, content can only be taken down (‘filtered out’) after explicit and clear notification for each individual case. In May 2011 the notice and takedown principle was reaffirmed by a lower court (Google Images case).
Nevertheless, the exclusive focus on the notice and takedown debate and the growing collaboration between intermediaries and third parties (e.g. rightsholders) raise some important concerns as well. In order to avoid liability, intermediaries are increasingly taking down (‘filtering’) content at the slightest concern raised. Additionally, rightsholders are also implementing preventive measures to match online content to copyrighted materials (such as ‘video identification’ or ‘acoustic fingerprinting’ technologies). All these trends have only increased the amount of ‘preventive’ filtering by intermediaries.
Hadopi does not collect personal data a priori, as a preventive measure. When a company hired by a rightsholder (Trident Media Guard is the only known company acting as such a private copyright police) believes he has found content that infringes on his copyright, he communicates the relevant information to Hadopi. These referrals include the date and time, the IP address, information on the relevant copyrighted material, and the name of the Internet Access Provider.
When Hadopi decides to initiate the graduated response procedure, the access provider has to communicate the necessary subscriber information (name, phone number, address, etc.) within eight days after having received the required technical information by Hadopi. Only direct administrative agents of Hadopi (sworn in by its president) have access to the personal data. Data is supposed to be erased 2 months after it is provided to Hadopi, 14 months after the first warning, and 21 months after a second warning (except, of course, when a new warning is issued). When the infringement has been sent to the public prosecutor, data has to be removed from Hadopi’s databases after one year or whenever a court decides not to issue a disconnection order (article 3, Décret n°2010-236).
Facts and Figures
Making available (or the mere incitement to use) software that is consciously and obviously meant to illegally make available copyrighted material, is punished with 3 years in prison and €300.000 fines (art.L335-2-1)
Similar to the DMCA, technical protection measures are protected as well : €3750 fine for circumvention and €30000 plus six months imprisonment for procuring the software or knowingly proposing the use of it (art.L335-3-1).
In its first activity report (October 2011), Hadopi stated that 60 people have already received a third warning. As mentioned earlier, their cases did not make it to court yet. A year earlier 650,000 ‘first warnings’ were issued. 44,000 people have received 2nd warning.
In Ireland, IP rightsholders’ efforts to turn Internet intermediaries into copyright police of their networks have taken a different form: one ISP has adopted a Three Strikes Internet disconnection policy as part of a “voluntary” agreement, not as a requirement of a law.
Ireland’s largest ISP, Eircom, has been following a Three Strikes Internet disconnection policy since May 2010, as the result of an agreement it entered into to settle a copyright infringement lawsuit brought against it by the Irish Recorded Music Association (IRMA). In addition to Internet disconnection, the agreement requires Eircom to block access to websites identified by IRMA and its members, including The Pirate Bay and “similar websites”, without any further judicial review.
Agreements by ISPs such as Eircom to adopt Three Strikes policies and other “voluntary measures” not required by national law raise serious concerns for transparency, due process and accountability. As IP rightsholders’ efforts to get more countries to adopt Three Strikes laws meet with increasing resistance, efforts to have ISPs adopt such “voluntary measures” are now being discussed in global policy venues and enshrined in instruments from WIPO to the Anti-counterfeiting Trade Agreement, in the OECD’s June 2011 Communique on Internet Policy-Making Principles, and in recent European Commission proposals. Given the importance of “voluntary measures” to citizens’ rights of online privacy and freedom of expression and the future of the open Internet, Global Chokepoints includes a detailed description of recent developments in Ireland.
Although the IRMA-Eircom agreement applies only to Eircom, IRMA sued  other ISPs in an attempt to force their agreement to adopt similar “voluntary measures”. One of those ISPs, UPC, subsequently brought a legal challenge that resulted in the key ruling that ISPs could not be subject to injunctions requiring them to filter, block websites and terminate Internet access under Irish law.
Ireland is also at the vanguard of challenges to three strikes systems based on privacy and personal data protection. In June 2011, the Irish Data Protection Commissioner announced that it was opening an inquiry into whether the data processing and identification obligations under the IRMA-Eircom agreement are consistent with Irish data protection law. This could result in Irish courts reconsidering whether the type of data processing required for Three Strikes regimes violates Irish and EU data protection and privacy laws, and accordingly, is being closely watched across the world.
Ireland’s largest ISP, Eircom, has been following a Three Strikes policy since May 2010 under which it suspends Internet users’ Internet access after receiving three rightsholder allegations of copyright infringement. Since December 2010 Eircom has been disconnecting Internet users for up to 12 months on a 4th allegation of copyright infringement.
This policy arises from an agreement between the Irish Recorded Music Association (IRMA) and Eircom, which settled a 2009 lawsuit brought by IRMA. In the lawsuit, IRMA demanded Eircom filter for potential copyright-infringing material over Eircom’s entire network. Eircom challenged this request. Before the court ruled on IRMA’s demand, however, Eircom and the IP rightsholders reached an out of court settlement in February of 2009 with different terms. Although this agreement only applies to Eircom, IRMA has sued  other Irish ISPs, seeking to obtain a similar agreement
As part of the settlement agreement Eircom agreed to adopt and follow a three strikes Internet disconnection policy. In May 2010, Eircom launched a pilot Graduated Response program, under which it agreed to identify and forward successive copyright infringement notices to relevant subscribers. These notices would be sent out after IRMA supplied Eircom with the IP addresses that IRMA or its agents identified as having uploaded copyrighted works.
In December 2010 Eircom formally launched a Graduated Response regime as part of its new MusicHub service. In the current version, Eircom issues notices to subscribers which it matches to the relevant IP addresses, advising them that they have been identified as having uploaded or downloaded copyrighted material on a P2P network. If Eircom receives a third copyright infringement allegation, it suspends the relevant non-business subscribers’ Internet accounts for seven days. Eircom disconnects access for 12 months on receipt of a fourth copyright infringement allegation for the same IP address.
The Eircom Graduated Response process is described in a set of FAQs on Eircom’s website:
“How will the graduated response work?
IRMA will provide eircom with notifications containing the IP addresses of the people they detect illegally uploading or downloading music content. Once eircom identifies the eircom account holder through their IP address eircom will:
- Contact the customer in writing to inform them that their IP address has been detected by IRMA, as infringing copyright. eircom will clearly advise the customer that such acts are illegal and will provide information on how the customer can avoid repeating the infringement.
- If the customer continues to engage in the illegal uploading or downloading of music content, eircom will issue a second warning letter to the customer indicating that unless the infringement ceases the customer will have their service withdrawn.
- Write to the customer for a third time to advise them that their service will be withdrawn for a seven day period as they continue to engage in the illegal uploading or downloading of music content. If the customer infringes a fourth time then the broadband service will be disconnected for a 12 month period.
As well as contacting customers via letter, eircom will also attempt to contact customers via telephone and a browser based pop up to advise them of the infringement and to assist them in ensuring their computers are not a source of copyright infringement.
eircom has set up a dedicated team to support customers through this process.”
Subscribers who feel that they have been incorrectly identified or who are not responsible for the alleged illegal downloading can advise Eircom’s technical team at the time of notification.
In its original lawsuit against Eircom, IRMA sought an injunction requiring Eircom to filter its subscribers’ communications for potential copyright-infringing material. At around the same time, in 2007, a Belgian music collecting organization had obtained an injunction against Belgian ISP Tiscali (now Scarlet), requiring it to filter all communications on its network for potential copyright-infringing material.
At around the same time, in 2007, a Belgian music collecting organization had obtained an injunction against Belgian ISP Tiscali (now Scarlet), requiring it to filter all communications on its network for potential copyright-infringing material. The European Court of Justice has since ruled that such a broad pre-emptive injunction violates EU law. The Irish court did not rule on whether this was legal under EU and Irish law because the lawsuit was settled by the out of court agreement on different terms.
Whether ISPs are required to disclose customers’ identity and contact information to rightsholders on an allegation of copyright infringement has been a hotly contested issue in Irish law, and the subject of a 2005 lawsuit against Eircom (more details below). As a member of the EU, Ireland has obligations to protect citizens’ privacy and personal data under a set of EU directives that have been transposed into Irish law.
At the same time, Article 8 of the EU IPR Enforcement Directive (2004/48/EC), establishes a right of information for copyright holders to obtain information from intermediaries (including ISPs) about those in the chain of distribution of infringing material. How the obligations under these various EU directives fit together was the subject of the 2008 European Court of Justice decision in Telefonica v Promusicae and is the focus of another case currently pending before the European Court of Justice.
Eircom’s data collection and IP matching obligations under its agreement with IRMA are particularly interesting because the Irish Data Protection Commissioner had previously expressed concerns about whether data processing for three strikes regimes complies with Irish data protection law, which were effectively sidestepped by judicial approval of the agreement (see below). Then, in June 2011 the Irish Data Protection Commissioner announced that it had opened a further inquiry into whether the agreement’s data processing and identification requirements violates Irish data protection law. This was triggered by a complaint filed by an aggrieved customer who had received a first strike notice after Eircom misidentified and mistakenly sent first strike notices to 300 of its customers when a server failed to update correctly after daylight savings time change in October 2010.
As Law Lecturer TJ McIntyre notes if the Irish Data Protection Commissioner finds, as it did previously, that using IP addresses to terminate subscribers’ Internet access is disproportionate and is not fair use of personal information, the Commissioner could issue an enforcement notice preventing Eircom from using customers’ personal data for this purpose. This could require Irish courts to reconsider the legality of the agreement under EU and Irish law. The inquiry is taking place at a particularly interesting time. Whether data collection and processing for Three Strikes systems is permissible under EU law is one of the questions raised in the pending appeal of the judicial review of the UK Digital Economy Act [LINK TO UK page].
Under its agreement with IRMA, Eircom is required to match its customers’ account names with the IP addresses provided to it by IRMA to send notices and to suspend or terminate the relevant accounts after three copyright infringement allegations. Eircom has said that it will not share customer information with IRMA or any other party. Eircom’s FAQ states that IRMA is using a third party (Dtecnet) to obtain IP addresses that are allegedly engaged in illegal downloading and sharing of music.
In light of the concerns raised by the Irish Data Protection Commissioner, the FAQ also states that "Eircom has sought and received assurance from IRMA that the process is fully legal and approved by the High Court. The Court has confirmed that the process is in their view in accordance with Data Protection Legislation." However, given the June 2011 inquiry, the matter is not as settled at the FAQ suggests.
Identifying users by IP address matching gives rise to several public policy concerns. As a thoughtful editorial by TJ McIntyre and Dr. Richard Tynan explains, IP addresses can’t necessarily be reliably linked to individuals. Recorded music companies made this mistake when they accused wireless printers of file sharing. Second, the Eircom-IRMA agreement effectively creates liability for operating a non-secured open wireless network. This is particularly problematic because Eircom has apparently supplied up to 250,000 of its subscribers with modems that cannot be easily secured.
Third, it may have disproportionate results. The Eircom-IRMA agreement means that the actions of one member of a household or premises can result in termination of Internet access to the entire family or set of individuals using the connection. In Ireland a parent is not legally liable for the actions of their child in most cases; nor is a husband legally liable for the actions of his wife. Imposing legal sanctions on the inhabitants of an entire household, even if those parties did not engage in copyright infringement, completely changes the way in which the law currently assigns liability.
Background: Data Protection and Copyright Enforcement in Ireland
In 2005, IRMA sued Eircom and a few other ISP’s for refusing to turn over the IP addresses of 16 individuals suspected of copyright infringement on the basis that it would violate Ireland’s data protection laws. The court ordered Eircom to turn over "the name, postal address and telephone number" of the users registered to those IP address. The court reasoned that although privity of contract would normally dictate a duty of privacy between ISP and subscriber, privity could not be used to protect a subscriber who committed illegal acts.
One of the stipulations of the agreement between IRMA and Eircom was that Eircom would only comply with the settlement if it complied with EU data protection legislation. In February of 2010, the office of the Data Protection Commissioner claimed that using IP addresses of consumers to cut them off the Internet is not "fair use" of personal information, and therefore the settlement was unenforceable.
Eircom and IRMA found themselves in court once again to see if the settlement agreement complied with Ireland’s data protection laws. At the crux of the case was whether IP addresses were personally identifiable information, and if so, whether complying with the settlement would be unlawful ""under Irish data protection law. Unfortunately, the Office of the Irish Data Protection Commissioner did not make an appearance at the Eircom hearing due to cost concerns. Because the Commissioner was not present, the only evidence was presented by rightsholder EMI, leaving no one to raise the fundamental concerns about protection of Irish citizens’ personal data.
In April of 2010, Justice Charleton ruled that the settlement agreement did comply with Irish data protection laws. Justice Charleton answered three questions posed by the Data Protection Commissioner. First, does the collection of IP addresses by Eircom to provide to EMI constitute personal data under the1988 Irish Data Protection Act? Second if an IP address constitutes "personal data," is using that data "necessary for the purposes of the legitimate interests pursued by [Eircom]" or does it instead result in a violation of fundamental rights? Third, is the personal data "sensitive" because it is involved in the prosecution of a criminal offense?
In answer to the first question, Justice Charleton determined that an IP address was not "personal data" under the Irish Data Protection Act of 1988 because it does not identify a living individual. Moreover, even if it did, at no time would Eircom disclose that information to IRMA in violation of the Act. Interestingly, the European Court of Justice found that an IP address is personal data in its subsequent SABAM v. Scarlet decision.
Second, even though an IP address is not considered personal data, Justice Charlton determined that Eircom’s use of IP addresses to identify which users’ Internet connection to disconnect is lawful. He reasoned that infringement of copyright is a violation of Ericom’s terms of service, and using an IP address to terminate the service of infringing users is necessary for the legitimate purpose of enforcing Eircom’s contract.
Third, Justice Charleton found that although violating copyright law can result in criminal penalties, neither Eircom nor IRMA were pursuing criminal charges against copyright infringers. Just because personal information is related to something that could result in criminal charges, it is insufficient to invoke the extra protections granted by the Data Protection Act of 1988 to "sensitive personal data." Since the data would only be used for civil law purposes, its use for this process did not violate Irish data protection law.
The agreement between IRMA and Eircom went beyond merely imposing a three strikes policy. Under the agreement, "Eircom has agreed that it will not oppose any application our client may make seeking the blocking of access from their network to the Pirate Bay or similar websites." As technology journalist Adrian Weckler notes, this is particularly problematic:
“Irma is drawing up a list of websites it doesn't like and Eircom will block them to all of its customers. And Irma is demanding that other ISPs do likewise, on pain of being sued.
Eircom says that it will only block a website if a court order requests it to. But it has undertaken not to oppose any application to a court, meaning the order is automatically granted. It's a technical way of getting out of taking responsibility for it.”
IRMA has already used this clause of the settlement agreement to have Eircom block the Pirate Bay on its network. Although the blocking of a site that openly flouts copyright law might not inherently seem problematic, blogger Damien Mulley points out just how far reaching this settlement could be:
“So first they’ll start with the Pirate Bay. Then comes Mininova, IsoHunt, then comes YouTube (they have dodgy stuff, right?), how long before we haveBoards.ie because someone quoted a newspaper article or a section of a book? And don’t think they’ll stop there too, any site that links to The Pirate Bay and the others on the hate list will probably be added to the list too[…]
I’m sure the business case for Eircom was they didn’t want any more costly High Court actions […] but this is going to open up a can of worms with IRMA demanding more and more attacks on how people surf the net, this is what it is in my view an attack on our freedom to read, our freedom to write, our freedom to move around the web. […]
And of course the costs of communications with IRMA and of the filtering is going to be passed on to the consumer. The cost of blocking a single site will be almost nothing I suppose but as more sites get added and as the arms race between the pirates and the ISPs escalates, then it’ll become complicated and complicated costs more. So again the majority get to pay[…]”
The Irish government has also become involved in filtering web traffic. The Irish police force has recently been sending out letters to ISP’s asking them to block certain web pages that contain child porn. As Digital Rights Ireland points out in a blog post there are major problems with this policy because it "require[s] ISPs to take additional steps to monitor users, resulting in real risks to privacy. These risks are amplified in the case of the Garda proposals which – incredibly – would require ISPs to report details of web browsing without any legislative basis whatsoever."
Impact of the Settlement on Other ISPs
IRMA has sued [eight] another Irish ISPs to try to impose similar agreements to filter and adopt Three Strikes regimes.
UPC, an Irish cable network, refused to enter into an agreement with IRMA. In July of 2009, IRMA sued UPC claiming that UPC was liable for infringement because their network facilitated illegal file sharing.
In October of 2010, Justice Charleton denied IRMA’s request for an injunction against UPC. Although the court was sympathetic towards the music industry’s concerns, the judge ultimately concluded that the remedies sought for termination, filtering and blocking, could not be granted because Ireland had not fully implemented its obligations under the 2000 EU e-Commerce and EU Directive 2002/21/EC into Irish law. In short, Irish law did not include provisions for "the blocking, diverting or interrupting of internet communications" for violations of copyright law.
Following that decision, the Irish government has indicated that it intends to legislate to allow injunctions to be granted against ISPs requiring them to engage in filtering. A consultation process was carried out concluding in July 2011, but no proposals have yet been published.
Facts and Figures
300 Eircom subscribers mistakenly received a “first strike” notice after a server failed to update correctly after daylight savings time went into effect in October 2010.
Since Eircom implemented its three strikes policy, it has apparently seen its customers depart to other competitors at an escalating rate. Some have estimated departures at 1000 subscribers per month. By comparison, UPC (which challenged the lawsuit brought against it by IRMA) has seen its subscriber base increase by 60% during the same time period. Although it is unclear what drives consumer choice of broadband providers in Ireland, some have speculated that the observed changes demonstrate the impact impact of the respective companies’ three strike policies in a competitive market for ISP services.
Acknowledgements: EFF thanks Santa Clara University Law student and former EFF legal intern Teri Karobonik for her detailed research and significant contribution to this analysis
In April 2011, after several controversial and widely-opposed attempts (here, here, and here), New Zealand lawmakers eventually enacted one of the first “graduated response” or “three strikes laws” to punish P2P file-sharing. Tacked onto a larger bill providing relief for the City of Christchurch, which had sustained a series of devastating earthquakes, the Copyright (Infringing File Sharing) Amendment Act [HTML, PDF] was rushed through Parliament under a fast-track legislative procedure called “urgency.”
The three strikes law went into force on 1 September 2011. Under the law, Internet account holders can be fined up to $15,000 NZD by the Copyright Tribunal after being caught file-sharing three times. If Section 122P of the law is brought into force, then account holders could be disconnected by their ISP for up to six months under order by the District Court.
That the three strikes law came to pass in New Zealand is particularly striking, given that the country was one of forty that endorsed a Cross-Regional Statement on Freedom of Expression on the Internet, delivered by Sweden at the United Nations’ Human Rights Council on 10 June 2011. That statement said that "cutting off users from access to the Internet is generally not a proportionate sanction."
New Zealand’s Telecommunication Carriers Forum, an ISP industry body, has published several useful flowcharts explaining the process. Prior to the enactment of the three strikes law, the TCF had sought unsuccessfully to broker an industry code with the film and music industries dealing with file sharing but, like what happens in many jurisdictions, the ISPs and the entertainment industry could not agree on terms for a “private” graduated response and legislation was subsequently drafted.
Upon receiving information from a rights owner about alleged copyright infringement at a particular IP address, "Internet Protocol Address Providers" (IPAPs) are required to match that address to the name of an account holder and send them an infringement notice. Three notices - “strikes” - for infringement are issued over a certain time period. The notices are called detection, warning and enforcement notices. After the account holder receives the enforcement notice, he or she faces legal action by the rights owner as explained below.
The notices must contain certain information (e.g. identifying when the alleged infringement occurred or explaining how the account holder can challenge the notice) or else they are invalid. Warning Notices and Enforcement Notices must reference the preceding notice and explain the consequences if further alleged infringement occurs. Notices expire after 9 months, except for the Enforcement Notice, which expires 35 days after it was issued. If that happens, all other notices expire with it.
At the moment, the law does not require IPAPs to send notices to cellular mobile network service customers. This exemption automatically expires on 30 September 2013, unless Parliament decides to delay, repeal or modify the relevant provision.
Like the similar ISP notice-forwarding obligations under the UK Digital Economy Act, the costs of implementing New Zealand’s three strikes law are shared by ISPs and rights owners through a "notice fee" regime. Set by the regulations, ISPs can charge rights owners a $25 notice fee (at most) for identifying subscribers and sending them notices.
Disconnection Orders and Financial Penalties
As mentioned previously, disconnection orders are not currently available, but the three strikes law provides that they can be brought into force with relatively little procedural effort. In this case, the rights owner can seek a court order requiring an IPAP to suspend the account of the account holder for any period up to 6 months. To do so, the court must be satisfied that copyright infringement occurred at the account holder’s IP address, and that suspension is "justified and appropriate in the circumstances, given the seriousness of the infringing." (section 122P, should it come into force). The court is required to consider the following:
- the degree of the account holder’s reliance on access to the Internet;
- whether it would be manifestly unjust to suspend the account holder’s account; and
- any other matters specified in regulations (section 122P(4)).
Rights owners can at current apply to the Copyright Tribunal for a financial penalty of up to $15,000. When applying for a Tribunal order, rights owners have to pay a $200 application fee. To date there have been three Copyright Tribunal decisions, as explained below.
The three strikes law requires both the Tribunal and the District Court to order IPAPs to disclose account holder information.
If a rights owner applies to the Tribunal for financial penalties then the Tribunal can order the IPAP to disclose the account holder’s information — to the Tribunal, not to the rights owner. The Tribunal need only be satisfied that the IPAP sent a valid Enforcement Notice (i.e. it contains the correct information, is not expired, etc).
If section 122P of the law comes into force, a rights owner can obtain the account holder's identity by applying to the District Court for an order terminating Internet access for up to 6 months. The Court will force the IPAP to disclose account holder information if, like the Tribunal, it is satisfied that the IPAP sent a valid Enforcement Notice and the rights owner promises it won’t use the account holder’s information for anything else except to have their Internet cut off.
IPAPs must retain data on the allocation of IP addresses to each of its account holders for a minimum of 40 days (no expiration date is specified).
IPAPs must also retain the following data for a minimum of 1 year (again, no expiration date is specified):
- infringement information received by copyright owners,
- infringement notices sent,
- challenges to infringement notices receieved from the account holder, and
- Internet disconnection orders.
Facts and Figures
The three strikes law requires IPAPs to publish annual reports about their compliance with their new obligations. Unfortunately, the law isn’t specific about what has to be reported, so some IPAPs have merely “confirmed” that they are compliant with the regime, while others have provided more detailed information. The yearly deadline for ISPs to report back is New Year’s Eve. To date, a number of ISPs still have not reported on their three strikes activity.
Several NZ ISPs reported reduced Internet traffic immediately after the law came into force, while other ISPs have reported no change to Internet traffic on their networks. Research from the University of Waikato shows that use of tunnelling has shot up, suggesting that people are taking steps to avoid being detected when file-sharing.
Copyright Tribunal Activity
As of March 2013, the Copyright Tribunal has issued three decisions since the three strikes law came into effect in September 2011. The recording industry is the only industry to participate in the regime and therefore the only industry to have brought account holders before the Tribunal. (The film industry refuses to participate in the regime, stating that the $25 fee it must pay to IPAPs for notice processing is too high.) In each case the account holder was punished for uploading songs, or ‘communicating them to the public’ — a “restricted act” under s 16(1)(f) of the Copyright Act 1994.
The substance of the Tribunal decisions can largely be divided into two parts: a finding of infringement and the calculation of damages. One of the most striking aspects of the law is that there is a presumption built in that the account holder has infringed. Not one account holder in each of the three decisions challenged this presumption in the form specified by the law. Without account holder rebuttal, the Tribunal must find that infringement occurred and accordingly award damages (unless doing so would be “manifestly unjust”).
There are four types of damages: the reasonable cost of the infringement, a contribution towards the fees paid to IPAPs ($25/notice), reimbursement of the $200 Tribunal application fee and, lastly, a deterrent amount.
In each of the cases, the Tribunal awarded the retail value of the songs as the reasonable cost of infringement ($6 to $7), $50 towards the IPAP fees, the full $200 application fee and a deterrent sum ranging $100 to $180 per song. The recording industry unsuccessfully sought to have the Tribunal speculate on the number of downloads inuring from each of the account holders’ illegal uploads. Citing a 2008 UK study commissioned by the International Federation of the Phonographic Industry, the rights holder alleged that on average 90 downloads results from one upload and asked for the retail value of the song x 90. Thankfully the Tribunal refused to enter into this guessing game. It did, however, chose the deterrent sums arbitrarily.
InternetNZ will continue to maintain a watch over Tribunal precedent as it evolves. For more information, visit www.3strikes.net.nz.
South Korea enacted a Three Strikes copyright law in April 2009, which came into force in July 2009. South Korea was the first country to disconnect Internet users under a three strikes law. 11 Internet users’ accounts were temporarily terminated by order of the Korean Minister of Culture, Sport and Tourism, in November 2010, and 17 users’ accounts were suspended in 2011.
Internet users can be disconnected in several ways under South Korea’s three strike law:
- The Korean Minister of Culture, Sport and Tourism can order online service providers to suspend Internet users’ accounts for up to 6 months, after giving three warnings to remove or block allegedly infringing content.
- The Minister can issue orders to online service providers to suspend part or all of an online bulletin board or service (such as a webhard/ cyberlocker) which has received three orders directing it to delete or suspend transmission of particular content;
- The Korean Copyright Commission can make recommendations to online service providers to suspend particular users’ accounts for a non-defined period.
Suspension of Internet Users’ Accounts
Article 133-2 (1) of the Korean law empowers the Korean Minister of Culture, Sports and Tourism (the MCST) to order online service providers to:
(a) issue warnings to “reproducers and interactive transmitters” of infringing copies of copyrighted works and information about circumvention of technological protection measures that is sent through “information and telecommunication networks”: and
(b) delete or suspend interactive transmission of that material
If an alleged copier or transmitter that has received three of these warnings transmits a further allegedly infringing copy or TPM circumvention information, the MCST can order the online service provider to suspend the account for a period of up to 6 months (Article 133-2(2)). The law exempts email exclusive accounts from suspension. The Minister issued such warnings to 749 users’ accounts in 2010 and 220 users’ accounts during the first half of 2011.
In addition, the MCST can order online service providers to suspend part or all of a bulletin board established on an information and telecommunications network which has received three or more orders to delete or block particular online transmissions within a 6 month period, if it is considered to “seriously damage sound use of works, etc. in light of the format of the corresponding bulletin board, and the amount or nature of reproductions posted on it” (Article 133-2(4).
Before issuing a suspension order, the MCST must ask the Korea Copyright Commission to deliberate on various factors set out in Presidential Decree No. 21676 including the Internet user’s recidivism, the quantities of works allegedly reproduced or transmitted, the kinds of infringement, the possibility of market substitution, and the influence of infringing reproductions on the distribution order of works.
On receiving a MCST order to suspend an individual’s Internet access, online service providers must give the Internet user at least seven days’ notice of the impending suspension of their Internet account. On receiving a MCST order to suspend a bulletin board service, the OSP must give at least 10 days’ notices of the impending shutdown or part or all of the bulletin board notice by posting a notice on the bulletin board’s website.
The Presidential Decree prescribes the periods of suspension for Ministerial orders:
- Less than one month for a first suspension;
- Not less than one month and less than three months for a second suspension; and
- Not less than three months and less than six months for a third or subsequent suspension.
Suspension on Recommendation of Korea Copyright Commission
Perhaps more worryingly, individuals’ Internet and online services accounts can also be suspended for an indeterminate time period on the recommendation of the Korea Copyright Commission. Article 133-3 of the Korean law authorizes the Korea Copyright Commission to recommend to online service providers that they take corrective measures, in accordance with Presidential Decree No. 21676, including:
- Issuing a warning to an alleged reproducer/ transmitter;
- Deleting or blocking the transmission of allegedly copyright infringing material; and
- Suspending the account of an Internet user that has repeatedly reproduced or transmitted an allegedly infringing copy or TPM circumvention information.
The text of this Article leaves open the possibility of a KCC recommendation for suspension of users’ Internet access or online services account even where the account holder has not received a previous “strike” or warning. However, at the moment, the KCC follows a bylaw issued by the KCC that requires suspension recommendations only for accounts that have received three prior warnings or ”strikes”. (See clarification provided by Heesob Nam.)
According to the Korea Copyright Commission (http://www.copy112.or.kr), the Commission issued 42,794 warnings in 2010 and 54,268 warnings during the first half of 2011. Further, the Commission has recommended the suspension of 91 users’ accounts in 2010 and 54 accounts in 2011 (first half).
Created by: law
Article 104 of the Korea law provides that online service providers whose main purpose is to transmit information to one another using computers ("special online service providers", or what might be understood as ‘mere conduit ISPs’) shall, upon a rights-holder's request, implement technical measures blocking illegal transmission of the materials and other necessary measures. Details of what measures can be taken and requirements for valid rightsholder requests are set out in the Presidential Decree.
Facts and Figures
On 3 November 2010, the Korean Minister ordered the suspension of 11 Internet users’ accounts. This followed the publication in the Korean Government’s Official Gazette on 4 October 2010 of the names of the 11 users who had received three copyright infringement notices. Under the law, they had 24 days to file an appeal against suspension (none did).
As at 1 October 2010, 31 Internet users’ accounts had been suspended on the recommendation of the Korea Copyright Commission for a period of up to 1 month.
During the period from 23 July 2009 to 1 July 2010, the KCC issued 32,209 recommendations to OSPs to delete or suspend transmission of particular content, and 32,878 recommendations to OSPs to issue copyright infringement warnings.
Although the KCC is only empowered to make recommendations, according to South Korean legal scholar, and former Chair of NGO IP Left, Heesob Nam, almost all Korean OSPs acted on the recommendation. OSPs followed every KCC suspension recommendation; all but 40 recommendations for warning notices were followed, and all but 20 recommendations for deletion or suspension of particular transmissions were followed.
The Korea law includes various reporting requirements for OSPs, which should provide a useful source of future information about whether these sort of measures have any measurable impact in curbing online copyright infringement, as was claimed when they were enacted. Within five days from receiving an order from the Korea MCST to warn users or suspend or block a particular transmission, within ten days from receiving an order to suspend a user’s account, and within 15 days from receiving an order to suspend part or all of an online bulletin board service under Article 133-2(4), online service providers are required to notify the MCST of “the consequences of carrying out the order” as prescribed by the Presidential Decree.
Spain was historically home to sensible copyright enforcement – balancing the needs of creators against users’ innovative approaches to sharing through new technology. But pressure from the U.S. government to enact intellectual property enforcement has jeopardized Spain's pragmatic approach.
The Spanish Congress enacted copyright enforcement provisions in 2011 as part of a larger economic modernization act. The proposals create a fast-track method for removing would-be infringing content from the Internet. ISPs are incentivized to block access to infringing content as soon as it is reported, thereby avoiding further hassle related to the quick procedures.
The good news is that the legislation does not require ISPs to adopt Three Strikes Internet disconnection of individuals. However, the bad news is that it follows the recent trend of imposing obligations on Internet intermediaries to block content and raises concerns for user privacy.
Even as the copyright laws in Spain threaten digital rights, Spanish courts are taking affirmative steps to narrow copyright enforcement. In particular, a recent ruling by a top Spanish court indicates that the judicial branch is not inclined to hold websites that host links to copyright-infringing materials liable for violating copyright law. This contradicts efforts of the executive branch and the U.S. government to enforce intermediary liability through overbroad copyright legislation. It is not yet clear which branch of government will prevail.
Ley Sinde – Online Service Providers Liability Act
The Sustainable Economy Act ("SEA" -- Statute 2/2011, March 4th) had its origins in a legal initiative approved by the Spanish Cabinet on November 27, 2009. Its main objective was to modernize the Spanish economy in financial, corporate, and environmental matters in order to respond to an economic crisis. The original version of SEA included the so-called Sinde Act ("Ley Sinde"), named after Spain's Ministry of Culture, Angeles Gonzales-Sinde. Ley Sinde was intended to shut down websites that host links to copyright-infringing material. From the beginning, Ley Sinde raised serious concerns for Spanish citizens' rights of due process, privacy, and freedom of expression
According to cables released by WikiLeaks and reported on by El Pais, the U.S. government played a key role in architecting Spain's copyright enforcement initiatives. El Pais reported that in 2008 the U.S. government threatened to put Spain on the annual Special 301 Watch List issued by the Office of the U.S. Trade Representative unless the new Spanish government announced new measures to address Internet piracy. The U.S. made good on its threat to add Spain to the Watch List in 2008 and 2009. The Spanish government responded by proposing Ley Sinde as part of the SEA in 2009.
Perhaps due to the revelations in the WikiLeaks cables, Ley Sinde was highly controversial and was defeated in 2010. However, the bill was reinstated within months, and the SEA -- including Ley Sinde -- was approved by the Spanish Congress on February 15, 2011. The Spanish executive office deferred to fully enact the copyright law due to its wide unpopularity. In reaction, the U.S. raised the stakes and stated that they would elevate Spain in the USTR's annual Section 301 report that year by listing it in the “Priority Watch List”. This threat was the final trick. On December 30 2011, the newly elected executive government passed Ley Sinde by approving the regulation that dictated the application of the law. In the 2012 Special 301 Report, the USTR no longer listed Spain.
Ley Sinde works to block or or close down websites hosting infringing material or even providing links to infringing content. It has been labeled as "anti-P2P" legislation aimed at shutting down file-sharing sites.
The law is directed against allegedly copyright violations by "information society services providers" (ISSP). This concept (taken from the EU Directive on E-Commerce) includes not only intermediaries (transmission services, hosting, caching and linking) but content providers as well (and thus websites of any kind, as long as they are run as an economic activity).
Under Ley Sinde, the Ministry of Culture creates the Intellectual Property Commission ("Commission") to act as arbitrator in intellectual property disputes. This means that an administrative body within the executive branch, and not a court, is provided authority to issue decisions on digital copyright infringement.
Ley Sinde establishes that service providers hosting infringing content can voluntarily restrict or delete infringing content within 48 hours of being notified. In cases where the infringing content is not deleted or blocked, a process begins that gives each party a brief period of time to present evidence, after which the Commission issues a decision on whether the website should be blocked, though it will not rule on damages. If the Commission orders the site blocked, the decision requires a judge’s formal ratification. However, the court is only allowed to rule on whether there’s a constitutional violation in the ruling, not on the actual merits of the case. Read more about the process here.
Content blocking may involve content stored in servers abroad, i.e. outside of Spanish territory.
Created by: law
Ley Sinde also includes a troubling provision that allows affected parties to seek the identity of those believed to have infringed on copyright. The parties must request this data through a legal process, and a judge must issue an order to reveal the data necessary to identify infringers.
Facts and Figures
Economists have criticized Ley Sinde. In a report published by FEDEA, an economic research center, the proposal was called
useless and an ineffective way to defend the artists because it is already an ancient form of fighting piracy.
The UK has been at the forefront of IP rightsholders’ global efforts to enlist Internet intermediaries to police Internet communications for several years. Since 2005, there have been several government-sponsored efforts to encourage Internet intermediaries to “cooperate” with rightsholders in online copyright enforcement. This culminated in the Digital Economy Act (the DEA), which passed through the UK Parliament in a controversial expedited process in April 2010.
Although it is often described as a Three Strikes law, the DEA does not presently require British ISPs to disconnect subscribers on repeat allegations of copyright infringement. Instead, the DEA requires ISPs to forward rightsholders’ copyright infringement allegations to their subscribers, and to maintain an anonymized blacklist of accounts that have received multiple copyright infringement reports. These obligations were due to come into force in June 2010, but have been delayed by an ongoing legal challenge and pending reviews by UK government departments tasked with setting up various parts of this complex framework. “Three Strikes” disconnection of users’ Internet access could still become the law in the UK, as described below. But even if it doesn’t the DEA will increase the cost of Internet access for UK citizens, and could create strong incentives for restricting open wifi networks run by citizens, libraries, and community organizations.
Apart from potential disconnection of Internet users, the DEA also creates sweeping new powers that could require ISPs to implement extensive website blocking. In addition, IP rightsholders have recently used existing provisions in UK law to require British Telecom to block UK Internet users’ access to the Newzbin2 website and to payment intermediaries that facilitate its operations. The Government recently announced it would drop the blocking powers from the DEA, although the powers remain written in the law. Even if the DEA website blocking provisions do not come into operation, IP rightsholders will use this precedent and existing law to force ISPs to block access to parts of the global Internet in the service of copyright enforcement.
Stage One: ISP Notice Forwarding
The DEA has several phases. In the first phase, ISPs are required to send copyright notifications to subscribers at identified IP addresses on receiving “Copyright Infringement Reports” (CIRs) from copyright holders. The details of how this will work and what ISPs must include in these notifications are set out in a draft Initial Obligations Code produced by the UK telecoms regulator, OfCom.
When a “Qualifying Copyright Owner” sends a valid Copyright Infringement Report to an ISP to whom the Code applies, the ISP must match the IP address in the report with the name of the relevant account holder, and send a first notification to that subscriber. CIRs must include the date, time and duration of the alleged infringement, the IP address used for the alleged infringement, the name of the copyrighted material involved, indicate what part of it was made available, and provide a hash of the copyrighted material.
The draft Code provides for three escalating notifications to Internet users. ISPs are required to send successive notices to identified subscribers when they receive a valid CIR at least one month after the previous one. If an ISP receives three notices within a 12-month period, it is required to put that account on a blacklist – the “Copyright Infringement List.” At present, ISPs are not required to take the next step and disconnect users’ accounts. This policy decision reflects empirical surveys conducted by the UK government indicating that around 70% of Internet users would refrain from further copyright-infringing filesharing after receiving a first notice alleging copyright infringement. It also reflects British ISPs’ long-standing resistance to Internet disconnection obligations.
The DEA puts the burden on copyright holders to bring lawsuits to enforce their rights. On request from a rightsholder, ISPs are required to provide an anonymized version of the Copyright Infringement List. Copyright owners can then apply to a court for a “Norwich Pharmacal” order directing the ISP to unmask the subscribers that used the identified IP addresses. Rightsholders can then file copyright infringement lawsuits directly against them.
ISPs are only required to take action on valid CIRs that include all specified information, and only for copyright owners that have paid their notification fees to ISPs (see Facts and Figures below) and certified to Ofcom that their system complies with relevant data protection laws (Qualifying Copyright Owners). Finally, the Code provides an appeals process before an independent appeals body for subscribers who wish to challenge copyright infringement notifications.
In its initial phase, the Initial Obligations Code will only apply to fixed line broadband Internet service providers with more than 400,000 subscribers. This captures the seven largest ISPs (BT, O2, Orange, Post Office, the Talk Talk Group, Sky, and Virgin Media) , which account for about 96% of the UK broadband market. It excludes smaller ISPs, in recognition of the burden that costs of compliance would impose on them. The Code also excludes mobile network providers, which allocate IP addresses differently from fixed broadband providers, making subscriber identification from IP address more costly.
Both libraries and citizens who provide open wifi to downstream Internet users seem to fall within the ambit of the DEA. While they are not currently required to send notifications under the Code, they could receive CIRs for actions taken by their downstream users. The DEA essentially creates a new duty to secure open wifi connections against possible misuse for copyright infringement. CIRs will contain information on how to do so. This puts the onus on providers to explain why they should not be held responsible for infringements of downstream users using their Internet connection, and creates unfortunate incentives to restrict or eliminate downstream open wifi use.
The Initial Obligations Code has not yet taken effect. OfCom released a draft in May 2010. The UK Department of Culture, Media and Sports has announced its intention to move forward with implementation of the DEA. A final version of the Code was expected in Autumn 2011. However, in October 2011 the UK Court of Appeal granted an appeal of the judicial review of the DEA sought by UK ISPs British Telecom and Talk Talk. As a result, the timeframe for full operation is now unclear. Ofcom recently estimated that the first letters to alleged infringers will not be sent until the summer of 2013.
Stage Two: Technical Measures
In its second phase, the DEA empowers the UK Secretary of State to make an order requiring ISPs to adopt “technical measures” – including disconnection of subscribers’ accounts – if he or she determines after 12 months that the current notice forwarding regime has not been successful at curbing online copyright infringement. If the order is approved by Parliament, it would result in a Three Strikes Internet disconnection regime.
Technical measures that ISPs can use against infringers include (section 124G):
(a) limiting the speed or other capacity of the service provided to a subscriber;
(b) preventing a subscriber from using the service to gain access to particular material, or limiting such use;
(c) suspending (i.e. disconnecting) the service provided to a subscriber; or
(d) limiting the service provided to a subscriber in another way.
While there has been much recent discussion about the proposed US website blocking legislation, the Protect IP Bill and the Stop Online Piracy Act, this policy debate has been fought longest in the UK.
Section 17 of the DEA
UK rightsholders, led by the British Phonographic Industry, pressed for the inclusion of expansive new website blocking provisions in section 17 of the DEA.
Section 17 empowers the Secretary of State to create regulations (through secondary legislation) for courts to issue “blocking injunctions” to ISPs on request of rightsholders. These regulations would require ISPs to block websites and online locations that are “being or [are] likely to be used for or in connection with an activity that infringes copyright.”
Before the Secretary of State can use the blocking regulation power, he must be satisfied that:
(a) use of the Internet for copyright infringing activities is having a serious adverse effect on businesses or consumers;
(b) making the regulations is a proportionate way to address this; and
(c) the regulations won’t prejudice national security, or the prevention or detection of crimes.
The DEA also sets out conditions on the court’s ability to grant such broad injunctions. It must be satisfied that the website is:
(i) a location from which a substantial amount of material has been, is being or is likely to be obtained in infringement of copyright,
(ii) a location at which a substantial amount of material has been, is being or is likely to be made available in infringement of copyright, or
(ii) a location which has been, is being or is likely to be used to facilitate access to a location within paragraph (a) or (b).
In addition, courts must take account of various factors, including the importance of freedom of expression and whether the injunction would be likely to have a disproportionate effect on any person's legitimate interests.
In February 2011, the UK Minister of Culture Ofocm to review the workability of the DEA’s website blocking provisions. In August 2011, the Department of Culture, Media and Sports announced that it would not go ahead with the DEA website blocking mechanism, at least for the time being. It based its decision on the Ofcom’s May 2011 report. It found that the website blocking provisions were not workable in their current format, but did not reject use of website-blocking altogether. Instead, it concluded that website blocking could form ”part of a broader package of measures to tackle infringement.”
Ofcom’s report considered the technical feasibility of four techniques that Internet intermediaries could use to block sites: Internet Protocol blocking, Domain Name System alteration, URL blocking, and Packet Inspection of network traffic. Ofcom weighed these measures against seven criteria: speed of implementation; cost, blocking effectiveness; difficulty of circumvention by users and counter measures ISPs could take; ease of administrative or judicial process; the integrity of network performance; and the level of granularity of blocking that is possible and its corresponding impact on legitimate services.
Ofcom concluded that while it is feasible to “constrain access to prohibited locations on the Internet” using these techniques alone or in combination, “none of the techniques is 100% effective; each carries different costs and has a different impact on network performance and the risk of over-blocking” and that “[f]or all blocking methods circumvention by site operators and Internet users is technically possible and would be relatively straightforward by determined users.” However, it found that:
Although imperfect and technically challenging, site blocking could nevertheless raise the costs and undermine the viability of at least some infringing sites, while also introducing barriers for users wishing to infringe. Site blocking is likely to deter casual and unintentional infringers and by requiring some degree of active circumvention raise the threshold even for determined infringers.
Ofcom concluded that if blocking is to be implemented, DNS blocking is the preferable approach because it would cause the least delay and cost – two of the key concerns voiced by copyright holders. It also recommended supplementing that with a requirement for search engines to delist websites. Ofcom acknowledged that DNS blocking is at best a short-term solution because implementation of DNS Security Extensions (DNSSEC) will shortly make DNS blocking more transparent and less effective. It recommended Packet Inspection as a longer-term solution, but emphasized that it is technically complicated and raises a number of complex legal questions – such as whether DPI is compatible with UK privacy and data protection law.
Ofcom concluded in their assessment of the Digital Economy Act blocking provisions that the approach set out in the DEA is unlikely to be effective. The Government, in response, said they would not bring forward the blocking measures 'at this time'. The powers remain written in the law.
Section 97A of the Copyright, Designs and Patents Act
Apart from the expansive potential new enforcement powers in the DEA, rightsholders can get broad blocking injunctions against ISPs and online payment intermediaries under existing section 97A of the 1988 UK Copyright, Designs and Patents Act. As a result, UK IP rightsholders can require ISPs to block vast parts of the global Internet, even if the DEA website blocking provisions never come into operation.
Section 97A implements the UK’s obligations under Article 8(3) of the EU e-Commerce directive (2001/31/EC), which requires EU member states to “ensure that rightsholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.” Section 97A permits rightsholders to seek injunctions where a service provider has actual knowledge of another person using its service to infringe copyright.
In a key test case brought by the six major Hollywood Studios in July 2011, the UK High Court ordered British Telecom to block its UK subscribers from accessing the Newzbin2 website. Under the terms of the injunction issued in October 2011, BT was required within 14 days to block or attempt to block access to www.newzbin.com, its domains and sub-domains. This includes payments.newzbin.com and “any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website.”
The court required BT to utilize: (i) IP address re-routing in respect of each and every IP address from which the website operates and which is notified in writing to the Respondent by the Applicants or their agents; and (ii) DPI-based URL blocking utilizing at least summary analysis in respect of every URL available at the Newzbin2 website and its domains and sub-domains. The Newzbin2 case is widely seen as setting a precedent that will result in a flood of IP rightsholder requests for blocking of a broad range of websites. Indeed, shortly afterwards, in November 2011, the British Phonographic Industry asked BT to voluntarily block access to The Pirate Bay under threat of a lawsuit for a section 97A injunction.
Rightsholders’ Proposed Voluntary Blocking Code
In addition to legislation and recent litigation, rightsholders have sought a Voluntary Code in closed-door meetings held by the Minister for Culture, Communications and the Creative Industries, Ed Vaizey, in June 2011. The aim of this Code would be to speed up the process of getting sites blocked. Under this, ISPs would be required to “inhibit.. access to websites that are substantially focused on infringement of copyright.” This would be overseen by a “neutral expert body” which would make recommendations to ISPs on measures that they can implement and “technical enhancements” that ISPs may need to keep pace with online copyright infringement. This body would also review evidence, and after notification to the identified site, certify rightsholder applications for injunctions to streamline the judicial process for obtaining blocking injunctions at the Applications Court of the High Court. The Proposed Voluntary Code would apply to websites “mainly hosted overseas, which make available, facilitate the making available of, or otherwise authorize the infringement of copyright content in the UK.” This would require changes to how the legal process works. The body would review the evidence, and after notification to the identified site, it would certify rightsholder applications for injunctions to streamline the judicial process for obtaining blocking injunctions at the Applications Court of the High Court.
The DEA requires ISPs to build systems that gather and retain logs and data necessary for identification via IP address matching, and to keep track of valid CIRs sent by rightsholders.
This raises significant concerns for Internet users’ privacy, and the obligations of ISPs under UK data protection law. This is one of the grounds of the legal challenge to the DEA brought by UK ISPs British Telecom and Talk Talk, in which the digital rights, consumer and human rights groups, Open Rights Group, Consumer Focus and Article 19 have intervened. At first instance, Justice Kenneth Parker in the High Court of Justice, Queen’s Bench Division (Administrative Court) found that the proposed data processing was permissible under EU law. However, in October 2011, the UK Court of Appeal granted BT and Talk Talk the right to appeal on this ground. The appeal hearing will take place on January 16th 2012.
As the UK data protection law implements the UK’s obligations under the EU Data Protection Directive (95/46/EC) and the EU Privacy and Electronic Communications Directive (2002/58/EC), observers across Europe are closely watching the UK challenge. Interest in the UK challenge is also particularly high in light of the European Court of Justice’s 2008 ruling in Promusicae v. Telefonica, the recent ECJ decision in the SABAM v. Scarlet case , and the 2011 European Commission consultation on the EU IPR Enforcement Directive (2004/48/EC).
Following the previous experience in Ireland, the DEA and the draft Ofcom Code include various features intended to provide Internet intermediaries with protection against liability for disclosure of Internet users’ personal data. ISPs are required to disclose the identity of subscribers who have received three CIRs to rightsholders only upon receipt of a Norwich Pharmacal order from a court directing it to do so.
In addition, the DEA framework includes several procedural protections for Internet users. First, Qualifying Copyright Owners are required to submit a Quality Assurance Report to Ofcom before sending its first CIR to an ISP. Copyright owner reports must describe the processes and systems used by copyright owners and the agents acting on its behalf (such as Dtec) to gather evidence about alleged infringements. Ofcom are required under section 7 of the Digital Economy Act to set out the standard of evidence required of copyright owners, although the draft Initial Obligations Code only outlined a 'quality assurance process'. Qualifying Copyright Owners must also certify to Ofcom that their processes comply with relevant data protection laws. Second, participating ISPs are also required to submit their own Quality Assurance Report to Ofcom, certifying that their systems comply with relevant data protection and privacy laws.
Third, ISP notifications to subscribers must include a statement that subscribers have the right, under data protection legislation, to any information held about them, including CIRs sent by copyright owners to ISPs. Fourth, ISPs are only required to retain information about subscribers generated under the DEA for limited time. ISP notifications must inform subscribers that ISPs are required to destroy CIRs and other information held about the subscribers after 12 months, as far as is reasonably practicable.
Facts and Figures
Costs of Implementation
The UK government estimated that the costs of implementing the copyright enforcement provisions of the DEA would be £290 – 500 million. This includes the costs of notifying infringers, capital costs to ISPs, costs of setting up and running a call centre, and the annual capital and operating costs to mobile network operators.
UK ISPs noted that this would add 25 GBP per broadband subscriber per year. The costs will be passed on to consumers, as the government’s own initial and revised impact assessments foresaw. The UK Parliament estimated that this would result in 40,000 households having to give up their Internet connection.
Actual expenditure figures were made public in June 2011 in response to a Freedom of Information Act request. Ofcom spent £1.8m investigating the filesharing measures and preparing the draft Initial Obligations Code last year. It expects to spend a further £4m in the financial year up until March, 2012, researching a base level of copyright infringement, setting up an appeals body, and assessing a nationwide education campaign run by IP rights holders. Accordingly, by the time that the DEA’s first phase is operational in 2012, Ofcom will have spent around £5.8m. In addition, Ofcom revealed that it has spent £100,000 since February 2011, investigating the practical feasibility of the DEA’s website blocking provisions.
Who pays for the data tracking and notification infrastructure has been the subject of much controversy. The Code and a statutory instrument set up a framework for cost sharing. Copyright owners are required to pay ISPs a flat fee for sending notifications (the amount of which is yet to be determined). Copyright owners are also required to notify ISPs in advance of the volume of CIRs that they expect to send in the upcoming notification period, so that ISPs can plan accordingly.
The UK government decided in 2010 that the costs of implementing the ISP notice-forwarding regime would be divided 25:75 between ISPs and copyright holders. This was incorporated in the draft Statutory Instrument on Cost-Sharing laid before the U.K. Parliament on 18 January 2011. Following the successful challenge to the 25% contribution required of qualifying ISPs in the 2011 Judicial Review, this cost sharing arrangement is being revised.
Currently, U.S. copyright policy on the Internet is handled through a series of laws, principally: the Copyright Act of 1976, and Section 512 of the Digital Millennium Copyright Act (DMCA), which which provides four safe harbors to liability for Internet Service Providers (ISPs). It also governs how rightholders can challenge copyright infractions and go after the alleged infringers. While far from perfect, these laws provide important protections for fair use of copyrighted works and create legal safe harbors to shield third party intermediaries from liability (e.g., sites that host content generate by Internet users).
In 2011, Congress proposed legislation that would have reduced or eliminated these safe harbors and provided more tools to bolster accusations of infringement. The bills, known as PROTECT IP in the Senate and the Stop Online Piracy Act (SOPA) in the House of Representatives, were supported by powerful industry trade groups like the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA). But online communities, including Wikipedia and the social news site Reddit, recognized the threat these bills posed to the Internet and on January 18, 2012, these sites and thousands of others joined in an online "blackout" protest of unprecedented scale. After millions of e-mails and tens of thousands of phone calls to legislators, the bills' supporters agreed to shelve both of proposals.
The U.S. does not have a formal disconnection policy for ISPs, although under Section 512 of the DMCA, individual websites must cancel the accounts of "repeat infringers." There is no strict definition of “repeat infringers” and is usually determined by individual company policy.
However, in July of 2011, major telecom companies and ISPs struck a deal with big content providers to help them police online infringement, "educate" allegedly infringing subscribers and, if subscribers resist such education, take various steps including restricting their Internet access. A lengthy “Memorandum of Understanding" (MOU) was released laying out the details of the agreement.
The MOU calls for the creation of a new organization, called the Center for Copyright Information (CCI), to administrate the six-strikes system. CCI will be governed by a six-person executive committee comprised of representatives from content owners and Internet access providers. A three-person advisory board will include members "from relevant subject matter and consumer interest communities," who will be given the chance to speak up whenever the executive committee asks.
Internet access providers can punish accused subscribers by interfering with the subscribers’ connectivity, including by slowing transmission speeds, temporarily restricting web access for "some reasonable period of time," and conditioning web access on completing a "meaningful copyright education program." These mitigation measures can be imposed solely on the basis of the content owners’ assertions, without a judge ever determining that the subscriber did anything wrong.
The MOU does create a process designed to protect subscribers from unfounded accusations and punishment, but it’s hardly due process, and can be read about in more detail here
Currently, there are no U.S. laws mandating large-scale filtering or blocking of websites. Federal laws requiring ISPs to filter material to the general public have been ruled unconstitutional, though none have dealt directly with copyright.
However, the Department of Homeland Security has asserted authority to seize specific domain names.
Under the proposed Stop Online Piracy Act, the U.S government would be given more power to force DNS providers to block domain names and blacklist websites. In essence, the Attorney General can force the domain name provider, servers, search engines, payment processors, and advertisers to stop doing business with alleged infringing websites—essentially “disappearing” the site off the web.
SOPA would also allow rightsholders to directly force payment processors and advertising networks to cut ties with a site simply by sending a notice alleging the site (or a portion of it) is enabling, facilitating, or taking steps to “avoid confirming” infringement. Rightsholders can also enforce these notices through court orders. In addition, payment processors and advertisers would be given immunity if they voluntarily stop doing business with a website as long as they had a “reasonable belief” that the website was engaging in infringing activity.
This type of action acts as indirect censorship; without a revenue source, the alleged infringing site will starve to death.
Section 512 of the DMCA lays out the takedown and notice procedure copyright holders must comply with to compel websites to take down alleged infringing material.
When issuing a takedown notice to a website, rightsholders can also get a subpoena to unmask the alleged infringer. To comply with the statute, the rightsholder must go to court and provide a copy of the takedown notice, identify the alleged infringing material, and where the ISP can find the material on its site. If the website is properly served with the subpoena when it receives the takedown notice, it must hand over the identifying information to rightsholder.
When unmasking users of peer-to-peer services, rightsholders have generally followed the model of those filed by the RIAA starting in 2003. Rightsholders begin by suing unnamed “John Does” then seek to subpoena the ISPs of users in order to obtain their identities. They can then sue the individuals themselves.