Wednesday, April 20, 2011

BT and TalkTalk lose challenge to DEA

The High Court has effectively completely rejected BT and TalkTalk's challenge to the Digital Economy Act. Typically it's come through when I'm having a few days off and today fixing the garden wall (now done though it's probably just as well I don't make my living as a bricklayer) and I've only had the chance to scan the decision but surprisingly they've lost on the 5 key arguments they've presented to the court.
"5.The Claimants advance five grounds of challenge in respect of the contested provisions. They contend that:

i) The provisions constitute a technical regulation and/or a rule on services within the meaning of the Technical Standards Directive (Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations, OJ [1998] L No 204, as amended by Directive 98/48/EC of the European Parliament and of the Council of 20 July 1998, OJ [1998] L No 217). The provisions, it is said, should have been notified to the EU Commission in draft, but were not. The provisions are accordingly unenforceable.
ii) They are incompatible with certain provisions of the Electronic Commerce Directive ("the E-Commerce Directive") (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ 2000 L No 178).
iii) They are incompatible with certain provisions of the Privacy and Electronic Communications Directive ("the PEC Directive") (Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ [2002] L No 201).
iv) They are disproportionate in their impact on ISPs, consumers, business subscribers and public intermediaries. The requirement for the legislation to be proportionate in its impact on ISPs, businesses and consumers is said to be derived from a number of sources, including Articles 7, 8, 11 and 52 of the Charter of Fundamental Rights and/or general principles of EU law, pursuant to Article 6 TEU and the Human Rights Act 1998 and Articles 8 and/or 10 of the European Convention on Human Rights.
v) They infringe the Authorisation Directive (Directive 2002/20/EC of the European Parliament and of the Council on the authorisation of electronic communications networks and services OJ [2002] L No 108, as amended by European Parliament and EC Council Directive 2009/140, OJ [2009] L 337)."
From my brief scan they've lost i), ii) and v) on technicalities and iv) and v) through Mr Justice Baker's deference to parliament.  He rejects the notion that the DEA will lead to mass surveillance, for example:
  1. In case C-236/08 Google France v Louis Vuitton Advocate General Maduro observed in his Opinion:
  2. "142. To my mind, the aim of [the ECD] is to create a free and open public domain on the internet. It seeks to do so by limiting the liability of those which transmit or store information, under its Articles 12 to 14, to instances where they were aware of an illegality.
    143. Key to that aim is Article 15 of [the EC], which prevents Member States from imposing on information society service providers an obligation to monitor the information carried or hosted or actively to verify its legality. I construe Article 15 of that directive not merely as imposing a negative obligation on Member States, but as the very expression of the principle that service providers which seek to benefit from a liability exemption should remain neutral as regards the information they carry or host."
  3. In my judgment, there is nothing in this further material which would tend to suggest that "monitor" (or in French, "surveiller") has other than its ordinary and natural meaning, that is, to inspect or examine some phenomenon. In the context of information society services, that means inspecting or examining the information that is being, or has been, transmitted, with a view to checking whether the information may lawfully be transmitted, or whether the transmission complies or complied with some other norm regulating the nature of information that may be transmitted. A "general" obligation refers to a systematic arrangement whereby the putative "monitor" is inspecting or examining information randomly, or by reference to particular classes of information or subscribers, and is not focusing on a specific instance that has for apparently good reason been brought to its attention.
  4. The DEA does not require ISPs to monitor information in the above sense. The DEA may impose general obligations on ISPs, but these obligations cannot accurately be called "monitoring". Nothing in the DEA requires ISPs to inspect or examine the information transmitted for any purpose, including the purpose mentioned earlier concerning the legality of the information transmitted. Copyright owners may well monitor information that is being transmitted, to check whether there is an apparent copyright infringement, but they are not ISPs and they are under no duty by virtue of the DEA to carry out any "monitoring".
  5. For present purposes, the role of the ISP under the DEA is essentially passive. It receives reports from those who have, in the relevant sense, "monitored" information that has been transmitted. It is the copyright owners who must show (according to substantive criteria and standards of evidence to be set out in the Code) that the information transmitted infringed the owners' rights. The ISP has itself no general obligation to inspect or examine the information to see whether the transmission might infringe, or has infringed, the rights of any copyright owner. When the ISPISP sends a CIL to a copyright owner, it is not "monitoring" any information. It is simply reporting to the copyright owner that, according to information held by the ISP, a particular subscriber, identified through the IP address or addresses, has infringed the owner's rights on a number of occasions (to be specified in the code). The fact that the ISP may by that stage know what kind of information the relevant subscriber is prone to download in breach of the copyright owner's rights (it may, for example, be lawful pornography) does not, in my view, convert the ISP's activity into one of "monitoring" that information. The knowledge acquired is no more than a by-product of the different non-monitoring role that I have set out above.
  6. Mr White relied strongly on the Opinion dated 22 February 2010 of the European Data Protection Supervisor ("EDPS") who, in describing "three strikes Internet disconnection policies" stated that they entailed "generalised monitoring of Internet users' activities" (see paragraphs 16, 17 and also 21 and 22). In my view, this Opinion adds nothing. It is clear from the context that the EDPS was describing "monitoring" by copyright holders of internet usage with a view to discovering copyright infringement. He was not stating that ISPs under such arrangements were "monitoring" the information transmitted through their services; he was not offering a legal interpretation of Article 15 of the ECD (which would in any event appear to be outside his remit); and he was not saying that anything done by ISPs under the arrangements in question would constitute "monitoring" under that Article.
  7. Mr White also argued that the DEA imposed on ISPs "a general obligation to seek facts or circumstances indicating illegal activity", contrary to the second part of Article 15(1) ECD. However, it is the copyright owner who actively seeks such facts and circumstances and reports them to the ISP. The ISP itself has no such active role, either when it communicates a CIR to a subscriber or reports a CIL to a copyright owner: the CIR is already the work product of another person who has conducted an active investigation, and the CIL is simply a compilation of such reports in respect of a relevant subscriber. In the present context, the essential function of the ISP is not to investigate facts or circumstances, but to identify the wrongdoer. If a police officer observes a motor car passing through a red light, and asks an official at the vehicle licensing authority to disclose the name and address of the registered keeper (and presumed driver) of the car, that official, in responding, would not actively be "seeking facts or circumstances indicating illegal activity". She would be doing no more than identifying, in response to a specific request, the person who, according to the investigation already completed by the police officer, had infringed the traffic code...
  1. In my view, the logical elegance of Mr Beal's submission faces serious practical difficulties. First, the central premise is that, through the Copyright Directive, the law of copyright has now been entirely or at least sufficiently harmonised so that within the EU the exclusion found in the Annex to the ECD in relation to copyright has simply vanished, no longer buttressed by an extant rationale. But all references to the Copyright Directive, including its very title, speak of harmonising "certain aspects" of copyright law, indicating that complete harmonisation lies somewhere in the future. Whether or not the degree of harmonisation achieved at any point is sufficient to undermine the rationale for exclusion in the current text of the ECD for copyright would, in my view, require a fine exercise of legislative judgment, and is not a matter appropriate for judicial adjudication. I was referred to no authority that harmonisation in this field is complete (and my own researches simply confirm that the view of learned commentators is that it remains partial), or that harmonisation had advanced to such an extent that the rationale for the relevant exclusion could no longer be supported.
  2. Furthermore, it seems to me that Mr Beal's interpretation would create intolerable legal uncertainty in a system of law (namely EU law) where the principle of legal certainty has been accorded great weight. It must be remembered that the relevant exclusion remains in the legislative text of the ECD: the Community legislation did not remove that exclusion, either at the time that the Copyright Directive came into force (in May 2001), or at the time by which Member States had to implement the Copyright Directive (22 December 2001), or at any subsequent time. In my judgment, if the Community legislator had wished to abrogate the relevant exclusion, it would, in the interests of legal certainty, expressly have removed the exclusion by an appropriate amendment of the ECD, and would not have left the matter in the air, susceptible to competing and conflicting interpretation.
  3. Finally, on Mr Beal's approach, the relevant exclusion would have had a relatively short shelf-life: after 17 January 2002 (the implementation date for the ECD) Member States could have retained provisions on copyright that otherwise fell within Article 3(1), relying on the relevant exclusion. However, by 22 December 2002 (that is, less than a year later) such provisions could no longer be invoked against ISPs established in other Member States unless, following Mr Beal's argument, the Copyright Directive expressly authorised them. Short shelf lives generally need prominent signposting. If such a result had been intended, an express provision in the Copyright Directive abolishing the relevant exclusion, with an appropriate explanatory recital, could have been expected, with the proverbial red hand pointing at it...
  1. I shall, therefore, proceed on the basis that the relevant data which would be processed by copyright owners would be personal data and that some of it would be special data.
  2. However, the important issue on this ground of challenge is whether the relevant processing of personal data is permissible.
  3. The Defendant and the Interested Parties rely on Article 8(2)(e) (which relates strictly to special categories of data): the processing is necessary for "the establishment, exercise or defence of legal claims". That would appear to be the precise purpose of the contested provisions of the DEA: the copyright owner will be able, through the procedures under the DEA, to establish not only that there has been an infringement of copyright but also who is responsible for the infringement.
  4. Mr White argued that the provision applied only if the data controller was sure, at the beginning and throughout the relevant "processing", that at the end of the processing a legal claim would be brought. However, in my view, the copyright owner might not in a particular case decide to pursue legal proceedings, but that does mean that the action that he took under the DEA was not for the purpose of establishing or exercising such a claim. Mr White's interpretation would create intolerable legal uncertainty and something of a "Catch 22" situation. The data controller might not know at an early stage in processing the relevant data whether he intended at the end of the process to commence legal proceedings, and the processing could be rendered impermissible if in the event he did not commence such proceedings; and it might be only after the relevant data processing that he could sensibly decide whether it was appropriate to commence proceedings. The data controller might change his mind during the course of processing, and the legal position would be obscure.
  5. Article 8(2)(e), as noted, does not in strict terms apply to processing under Article 7. However, it would be absurd if that particular basis did not apply generally, for it would otherwise mean that processing of data that fell short of special category data was permissible in more restricted circumstances than those applied to special category data. It seems to me that the only sensible interpretation is that the circumstances described in Article 8(2)(e) inevitably fall within Article 7(f) as "processing … necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are controlled" and necessarily observe the balance required by the proviso to that Article."
Whereas there may be an arguable case on the various technicalities I just don't buy the repeated deference to Parliament as a rational decision making body in the context of the DEA, given how the Act came to be rushed through on the nod without appropriate scrutiny before the general election:
  1. In my judgment, there are good reasons in the present context for the Court to attach substantial weight to the balance struck by the primary decision maker, namely, Parliament. First, there is considerable support in the case law for the proposition that the Courts should afford particular deference to elected and accountable decision makers where the decision concerns subject matters that are regarded as within the particular province of the political branches. In Wilson v First County Trust Ltd (No 2) [2003] UKHL 40; (2004) I AC 816 Lord Nicholls stated that the readiness of a court to depart from the views of the legislature depends upon the circumstances, "one of which is the subject matter of the legislation". The more the legislation concerns matters of broad social policy, the less ready will be a court to intervene (see [70]). (See also Ghaidan v Godin-Mendoza [2004] UKHL 30; [2004] 2 AC 557 at [19], and Michalak v London Borough of Wandsworth [2002] EWCA Civ 27; [2003] I WLR 617, at [41]). In International Transport Roth Gmbh v SSHD [2002] EWCA Civ 158; [2003] QB 728 at [83] Laws LJ stated that
  2. "greater deference will be due to the democratic powers where the subject matter in hand is peculiarly within their constitutional responsibility."
  3. In this case Parliament has addressed a major problem of social and economic policy, where important and conflicting interests are in play. On the one hand, there is evidence to suggest that the media industry, broadly interpreted, is sustaining substantial economic damage as a result of unlawful activity on the internet; and there is concern that such damage may significantly affect creativity and productivity in an economic area of national importance where, at least historically, the UK has tended to enjoy some comparative advantage in international markets. On the other hand, the business models of ISPs are constructed on the basis that they are essentially conduits for the flow of information, and the efficiency, cost effectiveness and competitiveness of their operations depend on the minimum regulatory interference with that flow of traffic, and on the minimum responsibility and burden in respect of the actual content of the material passing through the conduit. Similarly, subscribers of the ISPs and users of the internet appreciate that the technology is the most prodigious tool for the transmission and interchange of information and other material ever designed, and, in general, they would oppose restrictions on their ability to enjoy untrammeled access to such information and material. Information is also a public good, and interference with access to, and publication of, information may adversely affect general welfare. How these competing and conflicting interests should be accommodated and balanced appears to me to be a classic legislative task, and the court should be cautious indeed before striking down as disproportionate the specific balance that Parliament has legislated.
  4. Secondly, Parliament struck the challenged balance after a lengthy process of consultation with all interested parties, which took account of the representations made by those parties, and after a voluntary, non-legislative scheme was tried out. That process is likely to have provided the decision maker with an insight and capacity that the court is unlikely to enjoy."
There is ample evidence to demonstrate that Parliament did not take account of the representations of key stakeholders in the DEA and the notion that the "decision maker" had an "insight" and capacity "that the court is unlikely to enjoy" would give me serious concerns about the capacity of the UK High Court to tackle the cases before it if this were true. There was no mention of the ECJ AG's decision last week on the SABAM v Scarlet case which, once the ECJ makes its decision will likely lend weight to BT and TalkTalk's cause (though as I warned at the time the UK situation is different).  There was also a reference to the ECJ Promusicae case from a few years back to justify the DEA's compliance with the Privacy and Electronic Communications Directive ("the PEC Directive") (Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ [2002] L No 201). Yet the Promusicae judges clearly stated that copyright does not trump fundamental rights like privacy.

As I said - this was a quick scan so I may have misinterpreted one or two points but the surprise was that the decision completely rejected the ISP's position on all counts.  It remains to be seen what BT and TalkTalk's next move will be but it looks to me as though they have still got plenty to work with. The courts' deference to Parliament, though, a Parliament that does not get technology, could continue to be a major stumbling block.

Update: I should have said that there is one small crumb of comfort in the decision for digital rights activists in that Mr Justice Baker did conclude (at paragraph 157) that IP addresses are personal data and by implication attract the associated legal protections. (The justification for this conclusion is given in paras 152 - 156).
(I've tidied up some of the formatting issues with the quotes from the decision above too, at para 129).