Friday, March 09, 2012

BT, TalkTalk lose DEA appeal Part 2

I've been thinking further on the BT DEA Court of Appeal decision, BT Plc and TalkTalk Telecom Group Plc -v- Secretary of State for Culture, Olympics, Media and Sport and others on Tuesday. This post will focus primarily on the data protection element of the case.

In my previous post I mentioned the Court's questionable assumption of balance in the text of the legislation and the associated lack of understanding of the technology. The other thing that concerns me about the decision is the selective perspective on legislative histories of the relevant legal instruments.

Then Secretary of State for Business, Innovation and Skills Peter Mandelson's road to Damascus like revelation, following a holiday with some rich friends and including a meeting with a well known entertainment mogul, that the UK 'needed' a 3 strikes regime, quickly led to the ill thought out Digital Economy Bill. This got rushed through parliament in the wash up of legislation before the last election becoming the controversial Digital Economy Act (DEA). The possibility of balance in the final text of the statute was effectively blown out of the water by the unseemly, unprecedented haste with which it was rushed through, the almost complete lack of parliamentary scrutiny of the bill and the universal lack of understanding amongst parliamentary representatives about what it was all about.

Let's look at some of the detail of that in the context of the data protection element of the case. As previously mentioned BT and TalkTalk challenged the act on four grounds.  Firstly in relation to the technical standards directive and secondly the ecommerce directive. These aspects of the case I covered in my first post. Ground 3 of the challenge was based on the data protection directive and the privacy and electronic communications directive.

On the data protection directive the Court focuses on Article 8(1) and 8(2)(e):
"Article 8
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where: ...
(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims."
In the High Court last year Judge Parker originally concentrated his analysis of the data protection directive angle on the processing of personal data by copyright owners. As explained by Lord Justice Richards in the Court of Appeal decision this week:
"75. For reasons given at [152]-[157], the judge concentrated on the processing of data by the copyright owners, i.e. the processing involved in their identifying apparent infringements, together with relevant IP addresses and subscriber details, for the purpose of compiling copyright infringement reports: it was accepted that subsequent processing by the ISPs, including the sending of notifications and the completion of copyright infringement lists, would be compatible with the directive. The judge proceeded on the basis that the data processed by the copyright owners would be “personal data” and that, because of what might be revealed by the nature of the unlawfully copied digital material identified by the exercise, some of it would be special category data falling within Article 8(1). He held at [159]-[161], however, that such processing would fall within the exception in Article 8(2)(e). In particular:
“159. The Defendant and the Interested Parties rely on Article 8(2)(e) …: the processing is necessary for ‘the establishment, exercise or defence of legal claims’. That would appear to be the precise purpose of the contested provisions of the DEA: the copyright owner will be able, through the procedures under the DEA, to establish not only that there has been an infringement of copyright but also who is responsible for the infringement.”"
So the judge bypassed the ISP processing of the personal data and concentrated on that done by copyright owners.  He then concluded the data at the heart of the case was covered by article 8(1) privacy protection provisions but that article 8(2)(e), the right to pursue legal claims, was an absolute get out clause which facilitates fishing expeditions to detect copyright infringement via mass invasion of privacy.  Contrary to European Court of Justice recommendations in the Promusicae case in 2008 (which I'll get to a little later in the context of the privacy and electronic communications directive) Judge Parker effectively decided that copyright protection trumps privacy.

BT argued that a substantial number of cases triggered by the DEA would not involve legal claims because it was estimated that 70% of ISP customers receiving warning letters would act to stop infringement associated with their account at that point.
"76. The appellants’ essential submission is that the judge lost sight of the fact that in a substantial proportion of cases the scheme established by the DEA 2010 is not intended to involve legal claims at all... assumption in the Government’s impact assessment for the statute that 70% of infringers would stop once and for all upon receiving a single notification from their ISP... if that is right, those cases will not get as far as inclusion in a copyright infringement list and there will be no prospect of a legal claim... “a principal aim of the measures is educational (so obviating legal action)”. In the light of those matters, Mr White submitted that the scheme would operate for the most part as an extra-judicial curtailment of copyright infringement, and he submitted that in those circumstances the processing could not be said to be necessary for the establishment, exercise or defence of legal claims and could not therefore fall within the exemption in Article 8(2)(e)."
Quite clever that - 70% of suspects will never get involved in legal proceedings so the personal data processing exception, article 8(2)(e) can't apply to these. The surveillance and processing of personal data in the case of the 70% cannot be considered to be necessary for the establishment, exercise or defence of legal claims.

Lord Richards sadly completely rejected that argument.  His explanation feels a bit like saying the ends justify the means:
"77. I do not accept that submission. In my view the processing is plainly necessary for the establishment, exercise or defence of legal claims even if the beneficial consequence of the sending of a notification by the ISP pursuant to a copyright information request will be that in the majority of cases the infringing activity ceases and no further action is required. As Mr Saini QC observed on behalf of the Interested Parties, the fact that the scheme seeks to educate users about the legal rights of copyright owners and to encourage them to desist without the need for legal action does not mean that the copyright owners are not establishing, exercising or defending their legal rights. It no more has that effect than does the sending of a letter before action to an infringer in the hope that he will desist. In my view, therefore, the judge was right to find that the processing in question in this case would fall within the exception in Article 8(2)(e)."
The mass processing, he suggests, is necessary and 8(2)(e) applies because it facilitates the sending of warnings equivalent to cease and desist letters. It's a defensible perspective but I think it avoids addressing the fishing expedition issue. I'm wondering if there is Supreme Court (doubtful) or ECJ guidance on the specific interpretation of 8(2)(e) in this kind of context that would help here?

Lord Richards then concludes his assessment of the data protection directive's impact on the case by mentioning the European Data Protection Supervisor's (EDPS) clear opinion (relating to ACTA negotiations) that mass personal data processing for 3 strikes regimes was disproportionate and in breach of EU data protection laws; but the noble Lord rounds off by stating that EDPS opinion is not binding on the Court so does not alter his view on article 8(2)(e).
"78. I should mention for completeness that the appellants placed reliance in this context on an Opinion dated 22 February 2010 of the European Data Protection Supervisor (“the EDPS”) on then current negotiations by the EU of an Anti-Counterfeiting Trade Agreement with third countries. We were told by Mr Saini that the Opinion was provided by the EDPS of his own motion and was based on the EDPS’s own understanding of what was then proposed. At paragraph 52 of the Opinion, in relation to the possible imposition on ISPs of a “three strikes internet disconnection policy”, the EDPS acknowledged that the collection of targeted, specific evidence, particularly in cases of serious infringements, might be necessary to establish and exercise a legal claim, but he cast doubt on the legitimacy of wide-scale investigations involving the processing of massive amounts of data of internet users. It is not clear that he had Article 8(2)(e) of the DPD specifically in mind, but if he did it is difficult to see why the applicability of that provision should depend on the scale of the operation. In any event the view expressed by the EDPS is not binding on us and it does not cause me to alter my own view that the processing in this case would fall within Article 8(2)(e)."
Whereas it is true that the EDPS's opinion is not binding on the UK, Lord Justice Richards' casual dismissal of the scale factor here is rather worrying: "it is difficult to see why the applicability of that provision should depend on the scale of the operation". Seriously? If the judiciary can’t understand that scale changes everything we have a potentially insurmountable problem. Yet I'm flummoxed on how to get that through to a distinguished judge in terms he would understand.

Possibly what we have here is a Court seeing a problem through the lens of the strongest possible contrast of the false privacy  v security dichotomy. When the problem is constructed as the balancing of the privacy of a single individual against the security of a whole nation or society, then the needs of the many outweigh the needs of the few.  In this case, the privacy of the individual (remember scale doesn't matter according to Lord Richards), especially a suspected pirate hiding his nefarious copyright infringing deeds and therefore unworthy of the rights of decent law abiding citizens, has to be weighed against the interests of an important industry. Do we want to protect the dirty pirate - the underlying unspoken assumption being that privacy is fundamentally about concealing bad behaviour - or the livelihoods of thousands of people dependent on that industry?  Again it's a no contest.  The greater good favours protecting the many by protecting the industry.  The abstract societal value of protecting the privacy of the individual is incalculable but nebulous. And the absence of evidence to the effect that this mass privacy invasion will help the industry is not even a factor that remotely touches the cognitive radar of the learned judge. Routine copyright warning notices or the 3 strikes regime almost inevitably bound to emerge from the DEA will not solve the industry's internet copyright infringement problem. Machines, transmission pipes and storage are getting faster, bigger and cheaper and copying is only going to increase in volume.

I got a little side-tracked there but the scale and the framing of the problem are critical when it comes to protecting privacy and finding sustainable business models for the entertainment industry. Lord Richards took slightly less space to dispose of the BT challenge based on the privacy and electronic commerce directive than he did in the two pages of the decision dealing with the data protection directive.

The privacy and electronic commerce directive articles 5 and 6 impose obligations regarding the confidentiality of communications and traffic data.  Article 15(1) is the universal get out clause here and provides for bypassing confidentiality when it is:
"a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph."
Note that copyright protection is not included in that list of reasons to ignore privacy. However, in paragraph 80 of the judgment, Lord Richards uses the Promusicae decision from the European Court of Justice to conclude that protection of copyright can be used as an excuse to bypass privacy obligations imposed by the directive. It is true that the ECJ in Promusicae said that article 15 could provide a route around privacy obligations when it involved "the protection of the rights and freedoms of others." The ECJ indeed clearly stated that music labels had the right to protect their copyrights. The fundamental foundation of the Promusicae decision, though, was that copyright owners' rights must be balanced with the basic human rights of users of the Net. Having access to the Net is now a basic part of nearly everyone's life in the developed world and it relates to basic rights to
  • free expression
  • freedom of association
  • education
  • and employment
and the ECHR and every other serious international charter of rights says that if a law is not proportionate it is not legal.  Copyright does not trump privacy according to the ECJ.  Even with the legitimate aim of defending or protecting copyrights, the ECJ clearly instructed member state governments that they are not to endanger human rights or proportionality. Professor Lilian Edwards of Strathclyde University actually thinks that the Promusicae decision was a clear warning from the court aimed directly at the kind of 3 strikes notice and disconnect schemes the French have implemented and that might emerge from the DEA.  That Promusicae, therefore, should be used in defence of the position that protection of copyright does trump privacy is something of an anomaly.

BT's final shot on the privacy and electronic communications directive was that the recent judgment of the European Court of Justice in Scarlet v SABAM (Case C-70/10, November 2011), negating the demand that the ISP install a copyright filtering system, supported their argument that article 15 could not be an excuse for copyright trumping privacy. Lord Richards simply responded that the Scarlet case was effectively not relevant here and rejected that argument.

I'm not going to spend a lot of time on the fourth and final ground on which BT brought the case, the Authorisation Directive (2002/20/EC), save to say that both BT and the original judge made some fair points. Though I would question the semantic hair splitting of both sides in paragraph 97; and the concluding implicit value judgment in that same paragraph that the DEA strikes "a proportionate balance between the free market and the protection of copyright."

Now just three final points to note on the authorisation directive.  Firstly at paragraph 95, Lord Richards says:
"95... the Commission’s comments on the French legislation which permits measures to be taken against internet users who commit copyright infringement online. In those comments the Commission recognised that copyright protection is a general interest objective of a kind referred to in Article 1(3). As to the Commission’s comments on the draft Costs Order, the fact is that the United Kingdom persisted in its reliance on Article 1(3) but the Commission took no further action, which is at least consistent with an acceptance by the Commission that Article 1(3) is applicable."
This sounds a little like deciding to take the legislative history of the directive into account when it supports the Court's perspective on the case but ignore it when it doesn't.

Secondly, Lord Richards does agree with BT's counsel, Mr White, that: "all costs and charges under the DEA regime, including “relevant costs”, are to be regarded as “administrative charges” within Article 12. What matters is substance, not form:" So the ISPs had a partial win on the authorisation directive.

Thirdly, I predict that Lord Richards' final paragraph on the authorisation directive where he says:
"111... I do not think that anything material is added by recourse to the principle of non-discrimination or the desirability of technological neutrality."
will be repeatedly taken out of context.  I confess I can't resist the temptation to be the first to do so.  This statement on its own is a simple example of the learned judge's lack of understanding of the technology.

So there you have it. The decision was predictable though questionable in the underlying assumption of balance in the text of the legislation. It's disappointing that the judiciary continue to have a problem understanding the technology and the difference that the scale of surveillance and data processing has on this whole landscape. We techies have to get better at explaining it to them.

What we have here is a clash of values even more than of law or of vested economic actors like telcos and the entertainment companies.  Perhaps we need a modern day Samuel D. Warren or Louis D. Brandeis to create a navigation blueprint, internet constitutional framework or just a base level equivalent understanding of the impact of the technology of the information society on our fundamental right to privacy.

Wednesday, March 07, 2012

BT, TalkTalk lose DEA appeal

The Court of Appeal (Civil Division) issued its judgment in the case of BT Plc and TalkTalk Telecom Group Plc -v- Secretary of State for Culture, Olympics, Media and Sport and others yesterday.

They rejected BT's and TalkTalk's challenge of the Digital Economy Act (DEA), as did Justice Parker in the High Court last April.

In many ways it was a predictable outcome but nevertheless frustrating, both for the lack of understanding of the technology displayed by the Court and the underlying assumption of "balance" in the wording of the key legal instruments on display.

The contested provisions of the DEA impose "initial obligations" on ISPs to notify (s124a) customers of copyright infringement reports (CIRs) received from copyright owners; and to provide (s124b) copyright infringement lists (CILs) to content owners if an "initial obligations code" is in force. The initial obligations code could be self regulatory (s124c) - worked out between the telcos and copyright owners - or imposed by Ofcom (s124d) in the event the relevant agents can't agree amongst themselves. S124e gives a fairly detailed list of the things that the initial obligations code is supposed to cover eg CIRs, CILs, what suspect identification has to be expedited, who pays what, administrative specifics, proportionality, transparency, non discrimination and other provisions. The DEA also empowers the Secretary of State to decide rules about the relative responsibilities for costs arising from the initial obligations code.

The DEA also allows the future introduction of blocking measures or a 3 strikes regime or, more accurately, future "technical obligations" on ISPs to police copyright infringement.  The case was not concerned with these technical obligations - only the initial obligations code and the relative costs provisions.

The ISPs are exercised by the demands the DEA initial obligations code is imposing on them. They appealed Justice Parker's rejection of their challenge on 4 grounds.

Firstly they contend the obligations (sections 124 a to e of the DEA) should have been notified to the EU Commission under the requirements of article 8(1) of the Technical Standards Directive. Lord Justice Richards (in para 24 to 45 of the judgment) rejects the claim on the basis of European Court of Justice precedents (Case C-317/92 Commission v Germany 1994 and Case C-194/94 CIA Security SA v Signalson SA and Securitel SORL 1994) which suggest that the initial obligations code, once the details are worked out, will be notifiable to the Commission under the directive, but the primary legislation from which the code is derived is not notifiable, since it's not detailed enough to be a technical standard.

BT made some sound detailed arguments on this eg when (para 34) they suggest the original judge might have been mistaken in saying "that the ISP would not be liable to receive or take action on a copyright infringement report “unless” a code was in force: “unless” suggests that there might not be a code, whereas the statute requires there to be one." This is a very fair point but on the substance of the precedents they lost the overall argument on points in relation to the technical standards directive.

Secondly they challenged on the basis of a perceived twofold breach of the Electronic Commerce Directive.
"(1) that the effect of the contested provisions is to render ISPs potentially “liable for the information transmitted”, contrary to Article 12, and (2) that the contested provisions amount to restrictions on the freedom to provide information society services from other Member States, “for reasons falling within the coordinated field”, contrary to Article 3."
Lord Richards quotes liberally from the original High Court judgement of Justice Parker here. Justice Parker basically liberally praised the balance of the legislation (eg. he explained he was concerned about "doing violence" to the language and thereby "upsetting the careful balance represented by the text"); whilst saying that making an ISP police copyright infringement is not the same as making them liable directly or vicariously for copyright infringement. So forcing ISPs into incurring costs of policing does not trigger making them liable as "mere conduits" and therefore article 12 of the directive doesn't apply. It's a defensible and possibly even clever position but the notion that it is "balanced" is too deferential to the legislature and a long way out of sync with such evidence as is available regarding the proportionality of the mass surveillance the DEA facilitates. Lord Richards uses paras 46 to 60 of the judgment to do little more than agree with that position.

The argument in relation to article 3 of the ecommerce directive, which excludes copyright from its scope, was slightly more convoluted. Basically BT argued that the DEA was not a copyright statute so therefore not excluded from section 3. The government argued and the judges agreed that it was a law related to copyright and therefore excluded. There was an argument too about whether the copyright and related rights directive provided an upper limit on what member states could do with copyright law (BT's position) or whether it was a baseline ("a minimum harmonising measure") and didn't prevent the enactment of more restrictive measures. BT lost that one too.
"70. At the time when the Electronic Commerce Directive was adopted, “copyright” in the Annex to the directive must in my view have had its normal meaning, encompassing all aspects of the law of copyright under national laws, and cannot have had the elaborate meaning attributed to it by the appellants. At that time there was no harmonising directive at the Community level in the field of copyright protection. It would be unrealistic to impute to the Community legislature, at least in the absence of clear, express language to this effect, an intention to give “copyright” a meaning related to provisions of a copyright directive that had not yet been adopted. But if “copyright” did not have the appellants’ meaning at the outset, I do not see how it can have come to acquire that meaning subsequently. The later adoption of the Copyright Directive cannot of itself have had the effect of changing the meaning of the expression. It would have needed an express amendment of the Electronic Commerce Directive to achieve that result, but no such amendment has ever been made.
71. In my judgment, that is sufficient to dispose of the appellants’ case under Article 3 of the Electronic Commerce Directive."
Ground three of the appeal was on the basis of the data protection directive and the privacy and electronic communications directive. My perspective on that central element of the case and ground 4 in relation to the authorisation directive will be the subject of a later post.