Alert October 01, 2008

Combating Piracy and Protecting Privacy: A European Perspective

Around the world, the entertainment industry remains vexed by the challenge of combating illegal downloading and file-sharing. Members of the recording industry and various special  interest groups have approached this problem in a number of ways, including by lobbying for tougher infringement penalties, launching public service campaigns, and using local police and court systems to find and prosecute alleged infringers. The industry has also attempted to secure aid and cooperation of Internet service providers (ISPs), both to help identify and apprehend infringers and to implement safeguards that would make potentially infringing behavior more difficult. Pro-privacy groups, for their part, rebuff attempts to monitor or make public the online  activity of individual users. And the quest to strike a proper balance between combating piracy and protecting privacy remains challenging.

The Role of ISPs in Detecting Infringement

In order to pursue remedies against illegal downloaders, the individuals doing the allegedly infringing act must first be identified. Often Internet users, particularly those engaging in activities that may be considered illegal, are only identifiable by a fake username or by their Internet Protocol (“IP”) address, which is essentially a string of numbers that distinguishes the virtual location of a particular computer. All Internet users have an IP address when they are online, since no data can be received without one. Most ISPs maintain a pool of dynamic IP addresses which are allocated to users as needed, rather than provide to each user a never-changing static IP address. Therefore, although it is easy to look up the registered owner of an IP address, the actual identity of the user is often obscured because the IP address will simply be registered to the ISP. This makes it extremely difficult for a copyright holder to figure out the identity of a suspected infringer without the help of the ISP.

Strategies for Uncovering Infringers Can Raise Privacy Concerns

Industry groups approach this problem in different ways in different countries. In the United States the industry has relied in large part on a strategy of mass litigation, filing thousands of civil suits against suspected infringers.

In Europe, recording industry representatives have also been using litigation to identify potential infringers through ISP subscriber information. There, too, they have encountered resistance from ISPs and some courts have not been hospitable to their strategies. In the 2005 case Foundation v. UPC Nederland, a Dutch court ruled against the Dutch counterpart of the RIAA, BREIN, and ordered ISPs not to divulge subscriber information because of the way the industry group had collected the IP addresses. BREIN had employed the U.S. firm MediaSentry, which is also used by the RIAA in the United States, to identify possible infringers. The Dutch court ruled that, due to stringent privacy laws in force in Europe, using an overseas party to collect the data made the collection unlawful, and the fruits of the investigation could not be used to obtain subscriber information from ISPs.

In 2006, using different collection tactics, BREIN was able to obtain subscriber information from an ISP. However the requirements for data collection in the Netherlands are strict: ISPs can only be ordered to provide personal data if it is plausible that an unlawful act occurred and if it is shown beyond a reasonable doubt that the subscriber information will identify the person who committed the infringing act.

As the UPC Nederland case illustrates, civil suits have been less successful in Europe than in the United States. Consequently, the recording industry is more focused on trying to force ISP cooperation through governmental pressure and new legislation. Recording industry representatives have engaged in significant lobbying to require ISPs to provide information about their users and/or to install filtering technology.

Germany exemplifies this attempt to overcome judicial protection of privacy rights through legislative means. In March 2008 the German Federal Constitutional Court ruled that an ISP could only give out IP address subscription information in a serious criminal investigation, and determined that copyright violation was not a serious enough offense to qualify. Just one month later the German Parliament approved a new law requiring ISPs to divulge the identity of suspected infringers who infringe on a commercial scale. Although this measure removes privacy safeguards for some suspected infringers, it is not the win the German recording industry had hoped for. In return for curtailing IP address privacy protection, the fine for each copyright violation was significantly reduced. Under the new law the maximum fine is 100 euros per violation, about one-tenth of the previous penalty.

The new German law is an attempt to facilitate a fair compromise. Not all other European countries are approaching the issue as fairly. A number of nations are considering a three strikes system that would result in cutting off Internet access for users who illegally download or file-share protected material. France and Britain are both seriously considering this option.

A recent draft of the French three strikes proposal, backed by President Nicolas Sarkozy, calls for a “graduated response.”  Through ISP monitoring, users will receive e-mail and registered letter notifications that material was illegally downloaded by the IP address allocated to their accounts. Finally they could be subject to a one-year broadband service suspension. All ISPs would be required to comply with the suspension plan, so a chastised user could not simply switch providers to escape penalty. The plan creates a “High Authority” to oversee the notification process and possible broadband termination. This Authority would be able to obtain one year’s worth of Internet-use records based just on accusations of suspected infringement. The ultimate penalty, discontinuation of service and being placed on a banned user list, would be administered without a trial.

The British have not yet drafted a three strikes policy and are instead leaning towards voluntary deals between ISPs and the recording industry. British ISPs have reluctantly agreed to cooperate, perhaps because of the British government’s stated willingness to step in if a voluntary system cannot be quickly agreed upon. In the first British deal, recently reached, between an ISP and the recording industry, Virgin Media will begin sending warning letters to users. The agreement with the British Phonographic Industry (BPI) requires only notification to alleged infringers; Virgin Media does not yet have any plans to disconnect users.

In response to these three strikes proposals, the European Parliament recently voted to condemn policies that might result in termination of Internet access. In a close vote in April 2008, the Parliament passed a resolution admonishing laws that would require ISPs to disconnect their users and would keep individuals from acquiring broadband access. The resolution is non-binding, however, and despite the censure, adoption of three-strikes policy seems increasingly likely.

Critics of both three strikes laws and RIAA litigation tactics assert that such campaigns can easily target the wrong person. The person named on the account may not be the infringer. A friend or family member could be using the computer for the problematic activity, not the subscriber. With the prevalence of wireless access, it is also possible for a stranger to piggyback off the connection or to mimic another’s IP address.

Not all European countries have been so quick to make ISP subscriber records accessible. In addition to the Dutch requirements described earlier, Spain also protects Internet users. In 2004, the Spanish Data Protection Agency (AEPD) determined that IP addresses are considered “personal data” and are protected under the country’s Data Protection Act. In the civil context the Spanish Supreme Court recently considered an argument in Productores de Música de España v. Telefónica de España SAU  that personal data associated with an IP address could only be disclosed in the course of a criminal investigation or for public safety reasons. The court sought input from the European Court of Justice, which determined that an EU member state is not required to obligate ISPs to provide personal data information in civil copyright cases (although it may do so). In a recent criminal case the Spanish Supreme Court allowed the collection of IP addresses and a subsequent court order to obtain subscriber information. In May the AEPD announced its intention to draft regulations that would govern obtaining IP subscriber information. In the P2P sphere the agency stated that access to subscriber information must come “in a way that is compatible with the fundamental right to data protection.”

In Italy, too, recent events provide privacy protection for Internet users. One is not criminally liable in Italy for file sharing copyrighted material, as long as it is not done for commercial gain. One can be civilly liable, however, and Italian courts can order ISPs to provide personal data associated with IP addresses. So when a court issued such an order in 2007 to Peppermint Jam Records, a German record company that had employed a third party to collect IP addresses of suspected infringers, it sparked a controversy not about the legality of the order, but about what sort of data collection might violate data protection laws. In February 2008, the Italian Data Protection Authority settled the issue by decreeing that one could not systematically monitor P2P activities for the purpose of detecting copyright infringers and suing them.

Conclusion

The entertainment industry is dealing with challenging times. Technology has dramatically altered the ways in which consumers access music, movies and other entertainment. Just as technology has and will likely continue to alter the distribution means for entertainment, it has and will likely continue to provide new means for users to access entertainment media by unauthorized methods. As the entertainment industry and consumers pursue their respective interests, legislators and policymakers continue to struggle to develop solutions that strike a proper balance between protecting commercial property interests and protecting individual privacy rights and freedoms. With the huge stakes at issue, it seems unlikely that these issues will be resolved definitively any time soon.