In my previous post I mentioned the Court's questionable assumption of balance in the text of the legislation and the associated lack of understanding of the technology. The other thing that concerns me about the decision was the selective perspective on legislative histories of the relevant legal instruments.
Then Secretary of State for Business, Innovation and Skills Peter Mandelson's road to Damascus like revelation, following a holiday with some rich friends and including a meeting with a well known entertainment mogul, that the UK 'needed' a 3 strikes regime, quickly led to the ill thought out Digital Economy Bill. This got rushed through parliament in the wash up of legislation before the last election becoming the controversial Digital Economy Act (DEA). The possibility of balance in the final text of the statute was effectively blown out of the water by the unseemly, unprecedented haste with which it was rushed through, the almost complete lack of parliamentary scrutiny of the bill and the universal lack of understanding amongst parliamentary representatives about what it was all about.
Let's look at some of the detail of that in the context of the data protection element of the case. As previously mentioned BT and TalkTalk challenged the act on four grounds. Firstly in relation to the technical standards directive and secondly the ecommerce directive. These aspects of the case I covered in my first post. Ground 3 of the challenge was based on the data protection directive and the privacy and electronic communications directive.
On the data protection directive the Court focuses on Article 8(1) and 8(2)(e)
"SPECIAL CATEGORIES OF PROCESSING
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where: ...
(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims. "In High Court last year judge Parker originally concentrated his analysis of the data protection directive angle on the processing of personal data by copyright owners. As explained by Lord Justice Richards in the Court of Appeal decision this week:
"75. For reasons given at -, the judge concentrated on the processing of data by the copyright owners, i.e. the processing involved in their identifying apparent infringements, together with relevant IP addresses and subscriber details, for the purpose of compiling copyright infringement reports: it was accepted that subsequent processing by the ISPs, including the sending of notifications and the completion of copyright infringement lists, would be compatible with the directive. The judge proceeded on the basis that the data processed by the copyright owners would be “personal data” and that, because of what might be revealed by the nature of the unlawfully copied digital material identified by the exercise, some of it would be special category data falling within Article 8(1). He held at -, however, that such processing would fall within the exception in Article 8(2)(e). In particular:
So the judge bypassed the ISP processing of the personal data and concentrated on that done by copyright owners. He then concluded the data at the heart of the case was covered by article 8(1) privacy protection provisions but that article 8(2)(e), the right to pursue legal claims, was an absolute get out clause which facilitates fishing expeditions to detect copyright infringement via mass invasion of privacy. Contrary to European Court of Justice recommendations in the Promusicae case in 2008 (which I'll get to a little later in the context of the privacy and electronic communications directive) Judge Parker effectively decided that copyright protection trumps privacy.“159. The Defendant and the Interested Parties rely on Article 8(2)(e) …: the processing is necessary for ‘the establishment, exercise or defence of legal claims’. That would appear to be the precise purpose of the contested provisions of the DEA: the copyright owner will be able, through the procedures under the DEA, to establish not only that there has been an infringement of copyright but also who is responsible for the infringement.”
BT argued that a substantial number of cases triggered by the DEA would not involve legal claims because it was estimated that 70% of ISP customers receiving warning letters would act to stop infringement associated with their account at that point.
"76. The appellants’ essential submission is that the judge lost sight of the fact that in a substantial proportion of cases the scheme established by the DEA 2010 is not intended to involve legal claims at all... assumption in the Government’s impact assessment for the statute that 70% of infringers would stop once and for all upon receiving a single notification from their ISP... if that is right, those cases will not get as far as inclusion in a copyright infringement list and there will be no prospect of a legal claim... “a principal aim of the measures is educational (so obviating legal action)”. In the light of those matters, Mr White submitted that the scheme would operate for the most part as an extra-judicial curtailment of copyright infringement, and he submitted that in those circumstances the processing could not be said to be necessary for the establishment, exercise or defence of legal claims and could not therefore fall within the exemption in Article 8(2)(e)."Quite clever that - 70% of suspects will never get involved in legal proceedings so the personal data processing exception, article 8(2)(e) can't apply to these. The surveillance and processing of personal data in the case of the 70% cannot be considered to be necessary for the establishment, exercise or defence of legal claims.
Lord Richards sadly completely rejected that argument. His explanation feels a bit like saying the ends justify the means:
"77. I do not accept that submission. In my view the processing is plainly necessary for the establishment, exercise or defence of legal claims even if the beneficial consequence of the sending of a notification by the ISP pursuant to a copyright information request will be that in the majority of cases the infringing activity ceases and no further action is required. As Mr Saini QC observed on behalf of the Interested Parties, the fact that the scheme seeks to educate users about the legal rights of copyright owners and to encourage them to desist without the need for legal action does not mean that the copyright owners are not establishing, exercising or defending their legal rights. It no more has that effect than does the sending of a letter before action to an infringer in the hope that he will desist. In my view, therefore, the judge was right to find that the processing in question in this case would fall within the exception in Article 8(2)(e)."The mass processing, he suggests, is necessary and 8(2)(e) applies because it facilitates the sending of warnings equivalent to cease and desist letters. It's a defensible perspective but I think it avoids addressing the fishing expedition issue. I'm wondering if there is Supreme Court (doubtful) or ECJ guidance on the specific interpretation of 8(2)(e) in this kind of context that would help here?
Lord Richards then concludes his assessment of the data protection directive's impact on the case by mentioning the European Data Protection Supervisor's (EDPS) clear opinion (relating to ACTA negotiations) that mass personal data processing for 3 strikes regimes was disproportionate and in breach of EU data protection laws; but the noble Lord rounds off by stating that EDPS opinion is not binding on the Court so does not alter his view on article 8(2)(e).
"78. I should mention for completeness that the appellants placed reliance in this context on an Opinion dated 22 February 2010 of the European Data Protection Supervisor (“the EDPS”) on then current negotiations by the EU of an Anti-Counterfeiting Trade Agreement with third countries. We were told by Mr Saini that the Opinion was provided by the EDPS of his own motion and was based on the EDPS’s own understanding of what was then proposed. At paragraph 52 of the Opinion, in relation to the possible imposition on ISPs of a “three strikes internet disconnection policy”, the EDPS acknowledged that the collection of targeted, specific evidence, particularly in cases of serious infringements, might be necessary to establish and exercise a legal claim, but he cast doubt on the legitimacy of wide-scale investigations involving the processing of massive amounts of data of internet users. It is not clear that he had Article 8(2)(e) of the DPD specifically in mind, but if he did it is difficult to see why the applicability of that provision should depend on the scale of the operation. In any event the view expressed by the EDPS is not binding on us and it does not cause me to alter my own view that the processing in this case would fall within Article 8(2)(e)."Whereas it is true that the EDPS's opinion is not binding on the UK, Lord Justice Richards casual dismissal of the scale factor here is rather worrying: "it is difficult to see why the applicability of that provision should depend on the scale of the operation". Seriously? If the judiciary can’t understand that scale changes everything we have a potentially insurmountable problem. Yet I'm flummoxed on how to get that through to a distinguished judge in terms he would understand.
Possibly what we have here is a Court seeing a problem through the lens of the strongest possible contrast of the false privacy v security dichotomy. When the problem is constructed as the balancing of the privacy of a single individual against the security of a whole nation or society, then the needs of the many outweigh the needs of the few. In this case, the privacy of the individual (remember scale doesn't matter according to Lord Richards), especially a suspected pirate hiding his nefarious copyright infringing deeds and therefore unworthy of the rights of decent law abiding citizens, has to be weighed against the interests of an important industry. Do we want to protect the dirty pirate - the underlying unspoken assumption being that privacy is fundamentally about concealing bad behaviour - or the livelihoods of thousands of people dependent on that industry? Again it's a no contest. The greater good favours protecting the many by protecting the industry. The abstract societal value of protecting the privacy of the individual is incalculable but nebulous. And the absence of evidence to the effect that this mass privacy invasion will help the industry is not even a factor that remotely touches the cognitive radar of the learned judge. Routine copyright warning notices or the 3 strikes regime almost inevitably bound to emerge from the DEA will not solve the industry's internet copyright infringement problem. Machines, transmission pipes and storage are getting faster, bigger and cheaper and copying is only going to increase in volume.
I got a little side-tracked there but the scale and the framing of the problem are critical when it comes to protecting privacy and finding sustainable business models for the >entertainment industry. Lord Richards took slightly less space to dispose of the BT challenge based on the privacy and electronic commerce directive than he did in the two pages of the decision dealing with the data protection directive.
The privacy and electronic commerce directive articles 5 and 6 impose obligations regarding the confidentiality of communications and traffic data. Article 15(1) is the universal get out clause here and provides for bypassing confidentiality when it is:
"a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph."Note that copyright protection is not included in that list of reasons to ignore privacy. However, in paragraph 80 of the judgment, Lord Richards uses the Promusicae decision from the European Court of Justice to conclude that protection of copyright can be used as an excuse to bypass privacy obligations imposed by the directive. It is true that the ECJ in Promusicae said that article 15 could provide a route around privacy obligations when it involved "the protection of the rights and freedoms of others." The ECJ indeed clearly stated that music labels had the right to protect their copyrights. The fundamental foundation of the Promusicae decision, though, was that copyright owners rights must be balanced with the basic human rights of users of the Net. Having access to the Net is now a basic part of nearly everyone's life in the developed world and it relates to basic rights to
- free expression
- freedom of association
- and employment
BT's final shot on the privacy and electronic communications directive was that the the recent judgement of the European Court of Justice in Scarlet v SABAM (Case C-70/10, November 2011), negating the demand that the ISP install a copyright filtering system, supported their argument that article 15 could not be an excuse for copyright trumping privacy. Lord Richards simply responded that the Scarlet case was effectively not relevant here and rejected that argument.
I'm not going to spend a lot of time on the fourth and final ground on which BT brought the case, the Authorisation Directive, (2002/20/EC), save to say that both BT, the original judge made some fair points. Though I would question the semantic hair splitting of both sides in paragraph 97; and the concluding implicit value judgment in that same paragraph that the DEA strikes "a proportionate balance between the free market and the protection of copyright."
Now just three final points to note on the authorisation directive. Firstly at paragraph 95, Lord Richards says:
"95... the Commission’s comments on the French legislation which permits measures to be taken against internet users who commit copyright infringement online. In those comments the Commission recognised that copyright protection is a general interest objective of a kind referred to in Article 1(3). As to the Commission’s comments on the draft Costs Order, the fact is that the United Kingdom persisted in its reliance on Article 1(3) but the Commission took no further action, which is at least consistent with an acceptance by the Commission that Article 1(3) is applicable."This sounds a little like deciding to take the legislative history of the directive into account when it supports the Court's perspective on the case but ignore it when it doesn't.
Secondly, Lord Richards does agree with BT's counsel, Mr White, that: "all costs and charges under the DEA regime, including “relevant costs”, are to be regarded as “administrative charges” within Article 12.
What matters is substance, not form:" So the ISPs had a partial win on the authorisation directive.
Thirdly, I predict that Lord Richards final paragraph on the authorisation directive where he says:
111... I do not think that anything material is added by recourse to the principle of non-discrimination or the desirability of technological neutrality. "will be repeatedly taken out of context. I confess I can't resist the temptation to be the first to do so. This statement on its own is a simple example of the learned judge's lack of understanding of the technology.
So there you have it. The decision was predictable though questionable in the underlying assumption of balance in the text of the legislation. It's disappointing that that judiciary continue to have a problem understanding the technology and the difference that the scale of surveillance and data processing has on this whole landscape. We techies have to get better at explaining it to them.
What we have here is a clash of values even more than of law or of vested economic actors like telcos and the entertainment companies. Perhaps we need a modern day Samuel D. Warren or Louis D. Brandeis to create a navigation blueprint, internet constitutional framework or just a base level equivalent understanding of the impact of the technology of the information society on our fundamental right to privacy.