European Commission: “Notice and action” and stronger civil law enforcement of IP rights

The European Commission released a (provisional) communication with suggestions to boost Europe’s e-commerce. Below are some outtakes.

No need for revision of the E-commerce Directive. Liability of online intermediaries needs clarification and better implementation

The Directive on Electronic Commerce removed a series of obstacles to crossborder online services. It is crucial to legal certainty and confidence for both consumers and businesses. Its internal market clause, which states that the Member States may not restrict the freedom to provide information-society services from another Member State, is the cornerstone of the Digital Single Market. The consultations and analyses carried out indicate that a revision of the Directive is not required at this stage. It is, however, necessary to improve the implementation of the Directive (in particular through better administrative cooperation with the Member States and an in-depth evaluation of the implementation of the Directive), provide clarification, for example concerning the liability of intermediary internet providers, and take the additional measures needed to achieve the Directive’s full potential, as identified in the current action plan. Recourse to the IMI system, already in place for other European legislative instruments, could facilitate administrative cooperation between Member States when it comes to enforcing the e-commerce Directive.

Notice and action

The mechanisms to stop abuse and illegal information must therefore be made more efficient, within a framework which guarantees legal certainty, the proportionality of the rules governing businesses and respect for fundamental rights. In the Annex, the European Commission describes in detail the differing interpretations which are at the root of the above-mentioned problems. In view of the growing volume of statutory and case-law in the Member States, it now appears necessary to set up a horizontal European framework for notice and action procedures.*

* The notice and action procedures are those followed by the intermediary internet providers for the purpose of combating illegal content upon receipt of notification. The intermediary may, for example, take down illegal content, block it, or request that it be voluntarily taken down by the persons who posted it online. This initiative should encourage rather than undermine more detailed initiatives in certain fields. For instance, the European Protocol signed in May 2011 between major rights-holders and internet platforms on the online sale of counterfeit products requires, in addition to a notification and take-down procedure, action against repeat infringements as well as proactive and preventive measures.

Action could thus be the removal or blocking of content. Should this be done by e.g. YouTube and hosting providers, or also by ISPs? And what about due process? Just remove upon notification? “Respect for fundamental rights”?

Plus, (even) stronger civil law enforcement of intellectual property rights

In parallel to this, the Commission will revise the Directive on the enforcement of intellectual property rights in 2012 in order to combat illegal content more effectively and in a manner which upholds the internal market and fundamental rights by improving the framework for civil law proceedings. The creation of the European notice and action framework will be without prejudice to this initiative.

And more private codes of conduct

Cooperation between stakeholders, in particular internet providers, rights-holders and payment services, in the European Union and the US, may also help to combat illegal content.

And who will represent me? An Internet user?

Dutch ISPs have to block the Pirate Bay

Yesterday the Dutch lower court of ’s-Gravenhage ordered Dutch Internet Service Providers (ISPs) Ziggo and XS4ALL to start blocking IP-addresses and domain names that are used by the Pirate Bay. The Dutch Entertainment Industry Trade Association (BREIN) had its claim for a preliminary injunction rejected, but now that the court decided on the merits of the case, BREIN got almost all it wished for.

Taking into account that the administrators of the Pirate Bay have been convicted in Sweden and that a Dutch lower court has (ineffectively) ordered them to delete all torrents that link to copyrighted material of copyright holders represented by BREIN, the court allowed BREIN’s claims.

In its earlier judgment, the court held that blocking the Pirate Bay was not a proportional measure. BREIN could have also asked Ziggo to release personal data of certain infringers so that BREIN could target these individual users. In contrast, the court yesterday argued that trying to sue individual Internet users has proven to be too difficult. Even if BREIN is able to trace IP-addresses of copyright infringing users, BREIN would have to request the ISPs to identify their users, which is something the ISPs have not done on a voluntary basis so far.

Besides blocking the Pirate Bay’s current IP-addresses and domain names, the court ordered the two ISPs to also block future Pirate Bay IP-addresses and domain names that are listed by BREIN.

XS4ALL has announced that it will appeal the case.

This post has been cross posted on the Herdict Blog.

Scarlet v. SABAM, a real victory for Internet freedoms?

A little over a week ago the European Court of Justice gave a long awaited judgement in the Scarlet v. SABAM case. It is the first ECJ case dealing with Article 15 of the E-commerce Directive, which prohibits EU Member States to impose a general obligation on Internet services providers to monitor the information transmitted by them.

SABAM, which is the Belgian copyright collection society, had sought an order requiring Scarlet, an Internet Access Provider, to bring copyright infringements by its subscribers to an end by blocking the transmission of files containing musical works through peer-to-peer software. In order to block infringing transmissions, Scarlet would have to install a filtering system scanning all electronic communications of all its subscribers passing via its services. Furthermore, Scarlet would have to pay for implementing and maintaining the system itself.

The ECJ had to answer the question whether the Copyright Directive and the Enforcement Directive, in the light of the Privacy Directive, the E-Privacy Directive, the E-commerce Directive, and Article 8 and 10 of the ECHR, permit …

“…Member States to authorise a national court, before which substantive proceedings have been brought and on the basis merely of a statutory provision stating that: ‘They [the national courts] may also issue an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right’, to order an [ISP] to install, for all its customers, in abstracto and as a preventive measure, exclusively at the cost of that ISP and for an unlimited period, a system for filtering all electronic communications, both incoming and outgoing, passing via its services, in particular those involving the use of peer-to-peer software, in order to identify on its network the movement of electronic files containing a musical, cinematographic or audio-visual work in respect of which the applicant claims to hold rights, and subsequently to block the transfer of such files, either at the point at which they are requested or at which they are sent?”

To put it simple: Whether Scarlet can be required to implement and pay for a filtering system to filter out copyright infringing files?

Article 9 of the Enforcement Directive instructs Member States to ensure that interlocutory injunctions may be issued against intermediaries whose services are used by a third party to infringe an intellectual property right. Also, the E-commerce Directive does not prohibit courts to lay injunctions on intermediaries as it explicitly leaves open the possibility for a court or administrative authority to require the service provider to terminate or prevent an infringement (recital 45). Article 18 of this same directive instructs Member States to “ensure that court actions available under national law concerning information society services’ activities allow for the rapid adoption of measures, including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved.” On the basis of Article 15(1) of the E-commerce Directive, injunctions may, however, never imply a general obligation to monitor the information that is transmitted or stored. The same accounts for a general obligation to actively seek facts or circumstances indicating illegal activity.

Article 15(1) of the E-commerce Directive is thus at the centre of the issue. The ECJ finds that imposing an injunction to install a filter mechanism is in fact an obligation to actively monitor all the data relating to each of its customers (general monitoring), which is prohibited by Article 15(1) of the E-commerce Directive.

The Promusicae case taught us that the fundamental right to intellectual property, as protected by Article 17 of the EU Charter of Fundamental Rights, has to be balanced with other fundamental rights. The ECJ thus also had to touch on the compatibility of an obligation to implement a filtering system, which clearly is a manifestation of the right to property, with the ISP’s freedom to conduct a business (Article 16 of the EU Charter).

Regarding the freedom to conduct a business, the ECJ holds:

“48       […]such an injunction would result in a serious infringement of the freedom of the ISP concerned to conduct its business since it would require that ISP to install a complicated, costly, permanent computer system at its own expense, which would also be contrary to the conditions laid down in Article 3(1) of Directive 2004/48, which requires that measures to ensure the respect of intellectual-property rights should not be unnecessarily complicated or costly.

49        In those circumstances, it must be held that the injunction to install the contested filtering system is to be regarded as not respecting the requirement that a fair balance be struck between, on the one hand, the protection of the intellectual-property right enjoyed by copyright holders, and, on the other hand, that of the freedom to conduct business enjoyed by operators such as ISPs.”

The ISP, however, is not the only actor that is affected by a filtering obligation. The ECJ thus also considered the right to freedom of information and the right to the protection of personal data of Internet subscribers.

The ECJ on freedom of information:

“52      […] that injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications. Indeed, it is not contested that the reply to the question whether a transmission is lawful also depends on the application of statutory exceptions to copyright which vary from one Member State to another. Moreover, in some Member States certain works fall within the public domain or can be posted online free of charge by the authors concerned.”

Regarding the right to personal data, the ECJ holds:

“51      It is common ground, first, that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified.”

The ECJ concludes that imposing a general filtering obligation does not respect the requirement that a fair balance be struck between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information, on the other.

However, the ECJ’s assessment of the filtering obligation in relation to the Internet user’s freedom of information and right to personal data is not as strict as its assessment of the filtering obligation in the light of the ISP’s freedom to conduct a business. The ECJ calls the filtering obligation a “serious infringement” of the ISP’s freedom to conduct a business. In contrast, regarding the right to freedom of information, the ECJ only speaks of it being potentially undermined by a filtering obligation.

Regarding the right to personal data, the ECJ seems to only focus on the fact that a filtering obligation implies that IP addresses are collected and identified. The ECJ is right that identifying an IP address is processing of personal information, but it being processing of personal data does not mean that it is absolutely forbidden. The EU Data Protection Directive gives rules on how to process personal data and does not completely forbid such processing. Furthermore, the court mentions that a filtering system involves a systematic analysis of all content sent on the network, but does not qualify it as being problematic in the light of data protection law, nor other aspects of privacy such as communication privacy. After all, privacy is more than data protection and the question of the Belgian court did not refer to Article 10 ECHR without reason.

This judgement is great news for ISP’s that are targeted by copyright owners as the ECJ holds that an obligation to install a general filtering mechanism is in conflict with Article 15(1) of the E-commerce Directive. The court furthermore finds that a fair balance is lacking when an ISP has to install and pay for a general filtering mechanism. This of course does not prevent an ISP from ‘voluntarily’ installing a filtering mechanism as a part of a deal with copyright holders. In this context, it is a pity that the ECJ did not express a clear opinion on the Internet subscriber’s right to freedom of information and the right to privacy when filtering mechanisms are installed.

Open data and privacy. Should I bother?

Privacy is often mentioned as an obstacle when implementing an open data policy, but never really elaborated on. Should you really bother about privacy when opening up your data? My answer: yes you should.

Alan Westin laid the foundation of our modern conception of information privacy, which focuses on the individual’s right to control what is known about him. The modern European right to information privacy still leans on the notion of privacy as a right to control one’s personal information. Article 8 of the Charter of Fundamental Rights of the European Union gives everyone the right “to the protection of personal data concerning him or her”. This fundamental right to information privacy is further elaborated by the EU Data Protection Directive. The concept of ‘processing personal data’ is the touchstone of this directive. Personal data should be processed fairly and for legitimate and specified purposes.

EU data protection is all about the protection of ‘personal data’. Personal data is “information relating to an identified or identifiable natural person” and an identifiable person is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Article 2 of the EU Data Protection Directive). Personal data can thus be both directly and indirectly identifying.

Train times, the location of public toilets and the number of car accidents could all be open data. No open data provider will (hopefully) offer names, addresses, social security numbers, or other data that directly or indirectly identifies natural persons as open data. Open data is at the most anonymized or aggregated data that cannot be related to individuals. The Open Knowledge Foundation visualizes open data and “private data” as two non-overlapping subsets. Unfortunately, in reality this distinction is not so easy to draw.

Even when data has been anonymized or aggregated, data analysis techniques now allow us to re-identify individuals in such data (See Paul Ohm for an overview). For instance, when Netflix offered anonymized data for a contest for the best method to improve its movie recommendations, Arvind Narayanan and Vitaly Shmatikov showed that this data could in fact be used to identify Netflix subscribers.

In particular regarding open data, Andrew Simpson demonstrated that it is relatively easy to link statistical open data to individuals. In one case, names and addresses of councillors, and names, posts and salaries of senior public servants were uncovered by combining data from the British open data portal with other already available public data. The lack of consideration of other data in the public domain prior to publication of statistical open data thus led to the identification of individuals.

Combining datasets is at the core of de-anonymizing and de-aggregating data. Data that is non-identifiable today, may turn out be indirectly identifiable tomorrow. The more computing power and publicly available data, the easier it becomes to identify individuals in data. And when data can be related to individuals, data protection law kicks in.

What does this mean for open data providers? Open data providers should not just consider the identifiability of their open data in isolation. They should also take other publicly available data into account when selecting data that they want to offer as open data. That is a difficult task. Maybe open data is not such a great idea after all?

Open Data Workshop @ Geonovum

Geonovum (a semi-public organization devoting itself to providing better access to geo-information in the public sector) is hosting an open data workshop on November 9, 2011. Location: De Observant in Amersfoort.

Who will be there and what will they be talking about?

• Marc de Vries (ePSI platform) will try to look into the future of open data.
• Christopher Dittmann (Shell) will give a talk on the experience of availability/non-availability of open geospatial data.
• Paul Suijkerbuijk (ICTU) will share his experience with national government open data platform.

Interactive sessions:

• Johan van Arragon (Province of Zuid-Holland) will talk about the costs and benefits of open data.
• Paul Hendriks and Peter-Jan Speerstra (Municipality of Rotterdam) will deal with the question of how to implement an open data policy.
• Jens Riecken (Ministry of the Interior and Local Affairs NordRhein Westfalen, Germany) will explain how to utilize the wisdom of the crowds.
• Kathleen Janssen will take a step back and will deal with legal, financial and practical issues that need to be tackled. I am particularly interested in this session.
• Richard Blad will give a talk on how to organize an open data-community.

The full program can be found here: http://www.geonovum.nl/dossiers/kennissessies/opengeodata/programma.

I’ll be there. By the way, in the spirit of the open data philosophy: it’s free!