Friday 20 April 2012

Curbing unwholesome desires

Despite her various extracurricular activities - some of which find an outlet on this blog - it cannot be disputed that Matron is first and foremost a lawyer. This means that sometimes, when a particularly complex legal issue comes along, she can't help abusing blogger's privilege for a proper, in-depth legal analysis. So this post comes with the health warning that it is likely to put anyone in deep slumber who isn't similarly freakishly endowed with what Tom Hanks, in the movie Philadelphia, vomit-inducingly called "a love for the law".

Having given those who come out in bumps at this thought the opportunity to google something more interesting, let us have a look at an extremely interesting decision by the EU's Court of Justice that was published yesterday*. The case of Bonnier Audio and others v Perfect Communication Sweden AB concerned claims by several Swedish publishing companies against a Swedish ISP, ePhone, for disclosure of the name and address of ePhone users who were suspected of illegal filesharing. As is common in these cases, the publishers had collected the users’ IP addresses by monitoring activity on certain filesharing sites and required ePhone to disclose the users’ identity so that they could bring infringement proceedings against them. In the UK, such claims for information disclosure would be made through a legal instrument called a Norwich Pharmacal Order, in Sweden, this is permitted on the basis of section 53(c) of the Swedish Copyright Law.

In reality, in many cases, ISPs will willingly hand over the data once a court order is made as they have nothing to gain from opposing it other than incurring unnecessary legal costs. However, in this case, ePhone challenged the order on grounds arising under the 2006 Data Retention Directive.

ePhone argued that the Directive specifically prohibits the disclosure of retained communications data (because that is what this information is) to anyone for purposes other than the prevention, detection, investigation and prosecution of serious crime. In particular, Article 4 of the Data Retention Directive requires member states to ensure that data retained in accordance with the Directive are provided only to the competent national authorities (mainly security and law enforcement agencies) in specific cases and in accordance with national law.

However, this defence was ultimately unsuccessful and instead, the Swedish court of first instance granted the publishers’ application. Both, ePhone and the publishers appealed the case at various stages in the proceedings until the Swedish Supreme Court decided to make a reference to the ECJ. In particular it asked the ECJ for guidance on two questions:

1. Does the Data Retention Directive preclude the application of a national provision (in this case section 53(c)) under which ISPs may be ordered to disclose communiations data about their users to rightsholders for the purpose of IP enforcement?

2. Does it matter that the member state in question has not yet implemented the Data Retention Directive?

In brief, the ECJ ruled that (a) the Data Retention Directive (2006/24/EC) does not prevent member states from enacting such laws and that (b) it was irrelevant to the main proceedings that Sweden had not yet transposed the Data Retention Directive.

On first reading, Matron was extremely disappointed by this decision, which seemed a step back after rather encouraging recent rulings on ISPs’ role in the monitoring and filtering of online activity, for example in SABAM v Netlog. On second reading, Matron began to wonder whether the court could in fact have decided in any other way. But on third and most recent reading, questions are beginning to crop up, of which Matron wondered whether they should have been answered, even if they weren’t asked.

Lets tackle it step by step:

1. The thing that can be ascertained most clearly is that the ECJ is not going to depart from its 2008 decision in Promusicae any time soon. In that case, it had ruled that while Community law does not require member states to oblige internet service providers to disclose details of suspected file-sharers to enable a copyright owner to bring civil proceedings, it does also not prevent them from doing so, provided that the law in question allows the national courts to strike a fair balance between the IP rights of rightsholders and the privacy rights of individuals. In the Bonnier case, the ECJ examined the Swedish law and found that section 53(3) fulfilled the Promusicae requirements.

2. The ECJ’s ruling that the Data Retention Directive would not have precluded member states from adopting section 53(c) (or from permitting rightsholders to use it to obtain communications data from ISPs) even if the Directive had been implemented in Sweden was probably – technically – also correct. Even the Advocate General, who in his own opinion on the Bonnier case has taken a much wider view of the issues in question, had come to that conclusion. The Data Retention Directive clearly only envisaged disclosure of communications data to public authorities so that it could be argued, as the ECJ did, that the disclosure to private entities does not come within its remit.

3. This means that the ECJ’s ruling, at least in this respect, cannot be blamed on the quality of its interpretation of the law, but on the quality of the law itself. Maybe, just maybe, lawmakers should have asked themselves whether or not a provision should have been included in the Data Retention Directive that would have limited access to the retained data to access by law enforcement agencies solely for the purposes of law enforcement. But the truth, of course, is that campaigners DID in fact ask for such a provision at the time, but that they were widely ignored, with the then UK Home Secretary, Charles Clarke, admitting openly in Parliament that he saw no reason why such data, once retained, should not be available to rightsholders for IP enforcement purposes. Going forward this means that member states are still free to adopt similar laws – mainly on the basis of Article 8 of the 2004 IP Enforcement Directive – without having to fear that the ECJ will use the Data Retention Directive to strike them down.

4. The question the ECJ has not answered is whether this means that the ECJ has now given card blanche to rightsholders to make applications for the disclosure of any kind of data held by ISPs, including data that are in existence solely because the ISP is required to retain them by EU or national laws (rather than because they need them for their own business purposes). This is a question of “landgrabs” where the mere existence of a data pool generates unwholesome desires in third parties, who would enthusiastically like to get their mittens on that data, if only they could find a legal way to do so. This is a point that has exercised Matron for several years now and where she has come to the firm conclusion that the only way to protect personal data from those “landgrabs” is by making sure that the data pools do not come into existence at in the first place. In her opinion, any arguments – including arguments put forward by members of the tech community – that data protection law should only concern itself with regulating the use of personal data and not its collection, fall at that initial hurdle. "Build it and they will come", as they say, and anyone who argues otherwise is highly likely to be unpleasantly surprised a few years down the line.

5. So how should the ECJ have addressed this question in the context of Bonnier and has it really made such a fist of it? Well, yes and no. And yes again. At first glance, the court does not seem consider at all the purpose for which the requested data was initially retained as a factor in its decision on whether or not member states should have the right to grant rightsholders access to that data. This could suggest that it does not care and that the right it has granted to member states is wide-ranging.

6. On the other hand, as the German civil society organisation AK Vorrat points out on its blog (in German), the ECJ has made it clear in its decision, that it “is starting from the premiss that the data at issue in the main proceedings have been retained in accordance with national legislation, in compliance with the conditions laid down in Article 15(1) of Directive 2002/58”, and that “this is a matter which it is for the national court to ascertain”.

7. This list is enumerative, meaning that any national laws granting rightsholders access to communications data must comply not only with the conditions laid down in Article 15(1) of the E-Privacy Directive (which includes the right to derogate from the general requirement to erase communications data when they are no longer required by ISPs for their own business purpose – this is the derogation on which the Data Retention Directive was based), they must also comply with other national laws! And EU member states must, of course, have national laws in place that implement the 1995 Data Protection Directive. In order to determine whether national laws that allow rightsholders access to retained communications data comply with the EU legal framework, we must therefore examine whether those laws comply with the provisions of the Data Protection Directive.

8. The way Matron sees it, a core principle of the Data Protection Directive is that the processing of personal data is only permitted for “specified, explicit and legitimate purposes” and that it must not be “further processed” in a way “incompatible with the original purpose” (Article 6(1)(b), Data Protection Directive). This “purpose restriction principle” applies to all forms of processing except where the further processing is for “historical, statistical or scientific purposes”. Member states are only permitted to impose restrictions on this general rule in very limited cases when such a restriction constitutes a “necessary measures to safeguard” an important public interest (national security, defence and public security, to name but a few, see Article 13, Data Protection Directive). The protection and enforcement of IP rights is specifically not included in that list of public interests, so it is difficult to see how a member state can justify adopting a law that allows the “further processing” by ISPs or rightsholders of data for IP enforcement purposes, when that data was originally collected by ISPs for purposes of billing and traffic management.

9. Some may argue that Article 7(c) of the Data Protection Directive permits a data controller to process data if such processing is necessary for "compliance with a legal obligation to which the controller is subject". This, they say, leaves the door open for member states to adopt all kinds of laws that legitimise “futher processing”. However, as the Article 29 Working Party has pointed out on several occasions, ontologically, Article 7 is merely setting out the conditions on which the first data protection principle (to process data fairly and lawfully, see Article 6(1)(a), Data Protection Directive) is met. That principle and the purpose restriction principle contained in Article 6(1)(b) stand side by side. One does not override the other. A legal obligation referred to in Article 7(c) should therefore merely legitimise the first instance of processing, i.e. the collection of the communications data by the ISP, but not any “further processing” by him or any third party.

10. This is an unpopular interpretation of Articles 6 and 7, and indeed the recently proposed Data Protection Regulation that is designed to replace the Data Protection Directive includes a provision that would permit member states to legitimise “further processing” through national laws (see Article 5(4) of that draft Regulation). However, it is almost impossible to say at this stage whether Article 5(4), which would effectively remove the purpose restriction principle from the EU data protection framework, will make it into the final version of the Regulation given that it is strenuously opposed by the EDPS, the Article 29 Working Party and many privacy advocates. In addition, for the time being courts would still have to decide cases on the basis of existing law.

11. On an objective reading of the Data Protection Directive, it therefore seems to Matron that any member state trying to adopt a law that mandates the disclosure (i.e. further processing) for the purpose of IP enforcement of communications data initially collected for billing purposes would fail to implement the Data Protection Directive correctly and would (or at least should) have to expect a legal challenge before the ECJ on that basis.

12. As for the question of whether the ECJ should have made this clear, well, in the court’s defence, this wasn’t the question the national court had asked. Already, it is obvious from the decision that the ECJ had to do a certain amount of reinterpretation of the original reference to get to the heart of the question that, in its view, the national court actually wanted to have answered. Maybe the judges felt that there was only so much they could do in this context – particularly in light of the fact that the court already receives a fair amount of stick for allegedly answering questions it isn’t asked. Judges are political animal too, after all.

13. However - and this is where the Advocate General’s opinion is much more useful than the ECJ’s decision – the court could probably have made it clearer that the national courts will have to consider the framework put in place by the Data Protection Directive when deciding whether or not section 53(c) is compatible with EU law. This is a massive oversight and may very well lead to the Swedish courts skirting this issue entirely when the case comes back to them for review. If that happens, it is impossible to say how long we would have to wait for another suitable case that would allow the ECJ to clarify the situation.

One can only hope that ePhone’s lawyers will make sure that this doesn’t happen.

* It should be stressed that this is Matron's reading of the decision and than she actively welcomes dissent on this. The judgement is a complicated piece and more may need to be said.


  1. First of all, I think we really have to differentiate between data held under rules implementing the data retention directive and data retained under national legislation under article 15(1) of the e-Privacy-directive. "Retained data" in the narrower sense (under the data retention directive) may only be forwarded to the authorities for the "purpose of the investigation, detection and prosecution of serious crime".

    I do not share your opinion (in paragraph 3), that it would be possible to give private rightsholders access to data held solely under the data retention regime. Any national legislation may, however, require ISPs to retain data under the specific conditions of article 15(1) of the e-Privacy directive; and private rightsholders might get the data - again: only if national legislation so provides - after the court has weighed "the conflicting interests involved, on the basis of the facts of each case and taking due account of the requirements of the principle of proportionality".

    In the premiss stated in nr 37 of the judgment the Court makes it very clear that it has not undertaken to examine whether or not the ISP really had been required by national legislation (compatible with article 15(1) of the e-Privacy directive) to retain the relevant data, but that this question is central to the outcome of the case. My reading would be that If the data were held only under directive 2006/24 or if the data were held illegally, then the rightsholders would bot be allowed to get access to the data.

  2. Very good point. Thanks for a very useful comment. So you're saying that

    1. because the provisions of the Data Retention Directive replace Article 5, 6 and 15(1) of the E-Privacy Directive with regard to data CSPs are required to retain under its Article 3(1), that data is ringfenced and protected from access other than by competent national authorities because of Article 4, Data Retention Directive?

    2. data retained by CSPs for other purposes (billing, marketing, providing value-added services, see Articles 6 and 9 E-Privacy Directive) must be erased when it is no longer required for that purpose;

    3. unless member states have exercised their right to mandate further retention of that type of data on the conditions set out in Article 15(1) (taking account of the fact that the derogation for law enforcement purposes has been all but "usurped" by the EU through the Data Retention Directive so that member states are largely prevented from adopting additional national retention requirements for that particular purpose)?

    I agree with you that on this interpretation data retained solely under the 2006 Directive would be off limits to rightsholders requesting access for IP enforcement purposes. Interesting thought, although I still see some practical issues in distinguishing between data retained under that Directive and data retained for billing and marketing purposes. At least during the first few months of the retention period, traffic data are likely to be retained for a number of different purposes. Does this mean that CSPs wishing to resist a claim for disclosure to rightsholders would have to argue that the requested data is solely retained under the 2006 Directive?

    Also, this interpretation still seems to leave the door open for access by rightsholders of data that was retained

    a) under Articles 6 and 9 of the E-Privacy Directive (for the purposes of billing, direct marketing, provision of value-added services, or because the user has given his consent); or

    b) under a national law adopted on the basis of Article 15(1) (provided that the national law allows for a balancing of the parties' rights).

    It seems to me that the court specifically did NOT make a connection between the purpose for which the data was initially (lawfully) retained and the purpose for which it can then be accessed. In particular, it does not say that if the publishers want to access the data for IP enforcement purposes, it must have been retained for specifically IP enforcement purposes. The court merely said that the requested data must have been lawfully retained by the CSPs at the time the request is received.

    The Advocate General, in his opinion, was a lot clearer about this and I can't help thinking that if the court had wanted to take the same line, it would have been equally clear. But it wasn't.

    Does this mean that member states can adopt laws under Article 8 of the 2004 IP Directive which require disclosure of traffic data for IP enforcement purposes regardless of the purpose for which that data was initially retained?

    At that point, the question whether the Data Protection Directive would allow this type of "further processing" that the original blog post focuses on, must surely be revisited?