On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu



Wednesday, 20 April 2011

Digital Economy Act judicial review judge: ISPs could in theory be left with higher cost burden

This post is mainly crowd-sourced as details emerged. Check back later for updates.

The ruling in now online here

Background and summary

All four initial grounds brought by ISPs Talk Talk and BT were dismissed by MR Justice Kenneth Parker, however the review was partially successful on a fifth ground that was added to the scope of the review last month - a draft parliamentary order that requiring ISPs to pay 25% of the costs of running the scheme.
  
The initial four grounds covered compatibility with EU law and basic human rights such as proportionality in law, respect of privacy and were brought in relation to the main Digital Economy Act (known as primary legislation):
  1. The EC was not notified of the Act and since parts of the Act constitute a "technical regulation" within the meaning of the Technical Standards Directive (98/34/EC) it should therefore have been notified to the European Commission before enactment.
  2. Parts of the Act are not compatible with the E-Commerce Directive (2001/31/EC)
  3. Parts of the Act are not compatible with the E-Privacy Directive (2002/58/EC)
  4. Parts of the Act will unduly affect the ability of ISPs in other member states to offer services in the UK, leading to possible infringement of Articles 8 and 10 of the European Convention on Human Rights.
The additional fifth ground relating to a draft parliamentary order, the Costs Order, was added last month. The order is highly contentious as the government's own estimate revealed it could lead to an increase in broadband prices and force up to 40,000 mostly poorer families off the net.

I was the first person to reveal publicly that The EC raised official concerns about the Costs Order; and, more recently, that the EC remained unsatisfied with the UK's response to the order.

The best ruling campaigners could hope for

Perhaps not:
Jason Clifford said...
"I think you are wrong on the costs aspect. Although the Judgement does hold that it is unlawful to require ISPs to pay for OFCOMs costs in setting up and running the Code it also holds that ISPs can lawfully be required to pay 25% of the costs of the actual implementation - ie processing the notices and of the appeals processed.

That is the substantive part of the costs matter and it is a total loss for the ISPs. Essentially the copyright holders and their agents can now pass 25% of the costs of policing their copyrights onto ISPs who in turn will pass it into consumers."
If the tweets I'm seeing are accurate, campaigners against the Digital Economy Act should not be disheartened. UPDATE: yes they should.

Thanks to Jason's comment it's clear from pp 193 and 194 of the ruling that the judge believes only the portion of costs paid by the ISPs to cover the government's costs in running the scheme (ie Ofcom's costs) are covered by the EC Authorisation Directive.

Essentially the judge describes the costs shouldered by ISPs as falling into 3 categories:
  • Qualifying costs, which should be seen as Administrative Charges and therefore not allowed under the EC Authorisation Directive [pp 195]
  • Relevant costs, the "internal" charges that ISPs incur to satisfy the provisions of the act, which the judge ruled are ok [pp 193]
  • Case fees - the cost of handling appeals under the act, again are allowed [pp 194]
Furthermore Mr Justice Parker opens up the possibility that ISPs could be asked to bear the full costs of tracing and notifying customers if this was an obligation under law:
193. ... ... The DEA could have left ISPs to bear such costs entirely and have provided no mechanism for recovering any part of such costs. However, Parliament provided that in fairness copyright owners should reimburse ISPs for a substantial part of the costs incurred by ISPs in discharging their obligations under the DEA.
To add insult to this injury, the judge ruled that ISPs could be asked to bear a proportion of appeals costs:
194. Similarly, it does not seem to me that "case fees" can be regarded as "administrative charges" under Article 12 AD. The fees arise because a subscriber has brought a specific appeal, involving a relevant ISP and a relevant copyright owner. The fees are intended to do no more than ensure that the judicial vehicle for resolving disputes under the DEA is adequately funded.

Your privacy and freedom of expression is only on a par with the rights of Big Music!

@Copyrightgirl points out pp 166 of the ruling.

In a further blow to campaigners, the ruling draws an analogy between copyrights and ordinary property rights, citing relevant case law to conclude:
166. ... ... However, the Court's ruling, at [53] cited above, goes beyond protection in the context of civil proceedings and includes "the protection of the right to property" within the scope of the "protection of the rights and freedoms of others" under Article 15(1). It is indisputable that the contested provisions are intended to promote the protection of the right to property, namely, copyright, and therefore, fall within Article 15(1) as interpreted by the Court.
(My bold)
I find this astounding, since I feel strongly that it is not possible to draw any analogy between the completely arbitrary scarcity of resource where intellectual property is concerned, and the corresponding "paper loss" suffered when copyright is infringed; and the very real physical loss suffered when ordinary property is stolen by way of theft.

UPDATE: check comments below from Will Tovey on this and data protection issues

Reasons to take heart

To win the case on the first four grounds was always going to be a challenge.  The court had to be satisfied that UK law was in clear breach of EU law before overruling the will of the elected parliament.

I've yet to see the judgement, but the first ground (1, above) was already argued as the bill passed parliament - that the primary legislation itself did not need to be notified under the Technical Standards Directive, only the two orders that define how the measures would run  need to be notified - the Costs Order and the Initial Obligations Code.

Again any compatibility issues with EU law on privacy or free trade grounds would mainly be determined on how the anti-file sharing measures would operate; again defined in the Costs Order and the Initial Obligations Code.

In addition sections 114-116 of the ruling draw a clear line between the current proposals - a mechanism to allow copyright holders to trace and punish alleged perpetrators of infringement - and any obligation on an ISP to conduct surveillance of traffic on their network in order to detect and tackle copyright infringement.   This is significant, and appears to re-enforce so-called "mere conduit" status of ISPs - they are just pipes carrying data, and cannot be expected to be liable for that data.

Likely consquences

Despite the very limited scope on which the review succeeded, the costs order needs to go back to the drawing board.  The updated legislation will presumably need to go back to Europe for comment (3 months), and so is unlikely to be passed into law until late into the year.

Assuming ISPs no longer  have to share any of the costs, this already is a win for campaigners Just because Mr Justice Parker believes that ISPs shouldering some categories of costs is compatible with EU law doesn't make it right or moral.  Campaigners argue that money would be diverted from investment in next-gen broadband and disproportionately affect poorer families. This point should be stressed to MPs and Lords when they finally get chance to vote on the Cost Order and Initial Obligations Code.

Additionally, the Initial Obligations Code still needs to be finalised, released to the EC for comment under the Technical Standards Directive (a 3-month period) then laid before parliament, and passed by parliament.  All this will happen under immense public scrutiny and could be open to further judicial challenge.

This legislative process must also happen in the shadow of a ruling by the European Court of Justice Advocate General Cruz Villalón (pdf) that an order on a Belgium ISP to monitor content on its network and block potentially copyright-infringing content is not compatible with EC law on privacy grounds, as it constitutes a general obligation to monitor contrary to Article 15 of the directive on electronic commerce (Directive 2000/31/EC) and also infringing on data protection and privacy guaranteed under the European Charter of Fundamental Rights.

Depending on what is contained in the initial obligations code, the above general monitoring obligation is unlikely to affect the Digital Economy Act as no monitoring obligation is likely to be placed on ISPs, however as second aspect of AG Villalón's ruling is interesting as it discusses the legal problems associated with determining whether copyright has actually been infringed (not an easy case in law, and needs to be handled on a case-by-case basis as needs also to deal with people who are licensed users of copyrighted works).

The AG's ruling also discusses other complexities in EU law such as predictability, and notes that law must be open to challenge and have adequate safeguards.

Summary

An appeal may follow.  Computer Active reports ISPs complaining the ruling lacked the "clarity" they hoped for.  TalkTalk is reportedly considering its options:
"Though we may have lost this particular battle, we will continue fighting to defend our customers' rights against this ill-judged legislation" 
Despite the review judgement, Ofcom and the Department for Media, Culture and Sport still have a mountain to climb before the measures of the Digital Economy Act take hold.

The ISPs who brought this judicial review may instead of appealing wait until the Initial Obligations Code is published as in my view this will offer a better chance to challenge on much of the same grounds.

@JamesFirth

16 comments:

  1. I think you are wrong on the costs aspect. Although the Judgement does hold that it is unlawful to require ISPs to pay for OFCOMs costs in setting up and running the Code it also holds that ISPs can lawfully be required to pay 25% of the costs of the actual implementation - ie processing the notices and of the appeals processed.

    That is the substantive part of the costs matter and it is a total loss for the ISPs. Essentially the copyright holders and their agents can now pass 25% of the costs of policing their copyrights onto ISPs who in turn will pass it into consumers.

    ReplyDelete
  2. Thanks Jason, do you have references in the ruling?

    ReplyDelete
  3. Personal perspective is that I'm more cheerful than I was 90 minutes ago - if the entire costs order had been found to be unlawful, then the ISPs would have little reason to appeal. Given only a small aspect of the costs order has been found unlawful, and most of the ongoing costs upheld, I think there's a better chance of an appeal than I originally thought. Question is whether they'll just appeal the rest of the costs, or proceed with the broader arguments (privacy, proportionality etc) now that the High Court has made determination on those matters.

    Not an unexpected judgement, though a little disappointing nonetheless. All in BT/TalkTalk's court now...

    ReplyDelete
  4. I'm sorry to mislead Morus but my original assumption (clearly stated as an assumption) is not grounded in the facts of the case now I've read the judgement (in my interpretation).

    I'll update throughout the day as more info is added.

    ReplyDelete
  5. You didn't mislead - I got the same impression from the judge's words myself (that the whole costs order had been found unlawful). Only now I'm settling down with the judgement and a nice cup of tea that I'm getting some hope of an appeal...

    ReplyDelete
  6. The point in 166 may seem strange, but there is case law from both the ECJ and ECrHR on this. It seems that use of the term "intellectual property" (in the 80s in particular) has made legislators, judges etc. think that copyright etc. are forms of property (which in a very vague way they are).

    In the EU, Art 17(2) of the charter of fundamental rights explicitly mentioned "intellectual property" under the more general "right to property", and this was agreed by the ECJ in (among others), the Promusicae case (C-275/06, [2008] All ER (EC) 809, see 62).

    The ECHR only refers to the much more vague "peaceful enjoyment of ... possessions" (in protocol 1 article 1), and it seems to me to be a significant logical leap to make that cover the enforcement of copyright. However, that's what the ECrHR did in Anheuser-Busch Inc v Portugal [2007] ECHR 73049/01, see 72, and this has been followed since.

    I'm writing up something more detailed on this issue at the moment, but it seems that the "intellectual property" movement has been very successful at tricking lawmakers into equating copyright etc. with real property - and is a good reason for avoiding that term wherever possible.

    ReplyDelete
  7. One thing I've noticed so far is in 157, where the judge notes that he will "proceed on the basis that the relevant data which would be processed by copyright owners would be personal data".

    This could be interpreted as confirming that an IP address is 'personal data' within the scope of data protection laws and so could be quite significant.

    On the other hand, as this point turned out to be irrelevant (the data protection ground failing on a later point) it could just be that this is a working assumption; i.e. even *if* it is (special) personal data the claim fails.

    Still, an interesting point.

    ReplyDelete
  8. Interesting point you make on intellectual property Will - you're right that the courts seem to interpret it in the same way as they'd intepret physical property, which has an adverse effect on cases.

    As for IP addresses, are they or aren't they personal data? Ireland and Germany think not, but elsewhere they are thought to be. Jury's out on that one so it would be interesting to note any clarification at a higher court level.

    ReplyDelete
  9. The judge very clearly concludes that the info harvested by rightsholders and processed by the ISPs (including dynamic IPs) would be personal data, and some of it special data. That's good. (paras 155-157). However the judge then does a bad thing: citing a desire to avoid a Catch 22, he appears to greenlight the indiscriminate processing of all online filesharers' data before rightsholders form a view as to whether they want to bring legal claims.

    He finds it very straightforward to hold this for specially protected data, relying on Art 8(e). For ordinary personal data, he also finds it permissible even though, by his own admission, the legal provision he's relying on for that green light "does not in strict terms apply to processing [of "standard" personal data] under Article 7." (para 161) - he instead shoehorns the pursuit of legal claims permission into Art 7(f), which requires balancing with the subject's interests, fundamental rights and freedoms* (in particular, but not limited to, privacy). He doesn't conduct such a balancing exercise for 7(f) purposes when dealing with that ground. Note para 203, which could admittedly extend his proportionality assessment under the last ground to Art 7(f), but doesn't do so explicitly.

    * by the way, the text of the DPD at
    http://eur-ex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
    seems to have a typo in the article I'm talking about, 7(f); it speaks of "interests FOR fundamental rights and freedoms" (emphasis mine). This struck me as linguistically odd, and indeed, both french and german versions of the text actually translate to "interests OR fundamental rights and freedoms"; is the eur-lex version authoritative? if so, is this typo well known? Can it be set straight?

    ReplyDelete
  10. Emily, Will, I don't think pp 166 of this ruling is completely in line with the ECJ AG's published opinion on privacy in relation to monitoring obligations.

    Even though the AG's ruling is in relation to a distinct scenario where ISPs are asked to monitor content to check for infringement, the principle is still essentially similar, and deals with the balance between "property rights" and fundamental human rights.

    Furthermore I would hope pp 166 is open to appeal as it's made on the assumption that measures in the act will actually be effective in preventing IP "theft". If the measures are ineffective, then surely the human rights balance argument falls?

    ReplyDelete
  11. Promusicae specifically considers this sort of procedure; i.e. copyright owners collating IP addresses and then taking them to an ISP asking for names and physical addresses. Under existing Spanish law, ISPs were required to hand over details in criminal cases, but not civil cases. The question before the ECJ was whether the relevant EU directives (can't remember which) required that domestic law cover civil cases as well. The ECJ ruled that while it didn't *require* member states to allow this, it didn't stop it. Around 53 (referenced in the DEA JR judgment), the court (not the AG) considers the PEC Directive and makes it clear that it is acceptable to gather and use personal data for the purposes of enforcing civil rights etc., which included copyright enforcement.

    Iirc, what they said wasn't OK was for ISPs to hand subscriber info straight to the copyright owners; as with the DEA, copyright owners would still have to go through a Court to get the names.

    166 doesn't quite say that the DEA will protect the "right to property", it says it is *intended* to do so, and so that makes it acceptable. The issue of whether or not it will be effective is dealt with later, but largely skipped over by suggesting that that isn't the Courts problem, nor can it rule on that.

    Phil:
    I'm not convinced that 155-157 do conclude that IP addresses are personal data. He notes that what the ISP handles is (but they have names), but the question is whether what the copyright owner handles is (i.e. IP addresses). It was argued that this was, but he doesn't confirm it. What he says in 157 is that he will "proceed on the bases" that IP addresses etc. are personal data, but it may be that this is only for the sake of argument, and if the processing of personal data *wasn't* permissible (which he found it was), this assumption would have had to be challenged. In essence, he doesn't know whether or not IPs are personal data, but even if they are (the assumption in 157), processing the data would be allowed.

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. Hi Will: quoting from the judgement below. It seems fairly clear he agrees with White QC on this; he refers repeatedly to invariable linkage between the IP(+timestamp) to the rest of the CIR data.

    Personal data in the DPA 1998 is defined as "data which relate to a living individual who can be identified:-
    * from those data; or
    * from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".

    It is therefore clear that the dynamic IP, being the linkage to data from which a living individual can be identified, is personal data in the judge's opinion. There's seemingly no other construction that can be put onto the Judge's words (he's not just relating White QC's argument: his view is 'as White QC submitted'), and thus, from the legal definition of personal data, no other conclusion that can be drawn from what he has said.

    "As to “personal data”, the main point advanced in writing [by the government] was that the purpose of the CIRs/CILs was to identify the subscriber, and the subscriber may not have been the copyright infringer. (It is necessary only to think of internet cafés or wi-fi hotspots in libraries).

    However, as Mr White submitted, the data nonetheless relates to an identified or identifiable person because the subscriber, who can be identified through the dynamic IP address, is inevitably linked to the data (the particulars of the copyright infringement, including the dynamic IP address) as the person who, in a broad sense, has facilitated the infringement, even if he is not the infringer and could incur no legal liability for the infringement.

    The same point was made in respect of special data under Article 8, but the answer is the same: an identified or identifiable person (the subscriber) is inevitably linked, through the dynamic IP address, to material that might, for example, tend to show unusual sexual proclivities.

    It does not seem to me to be sufficient to show that the subscriber might not be the person who putatively has such proclivities, where the relevant link was to the subscriber’s internet access, and the inference would be that he was either a person who has permitted access to someone with such proclivities or has them himself."

    ReplyDelete
  14. Will: I've gone back to the text to have a read and I still hold that opinion. Notice he's not repeating White QC's views for sake of argument: he's agreeing with them ("as Mr White says...") and clearly thinks that dynamic IPs invariably link the rest of the CIR data to a subscriber; and remember that "personal data" is defined in the DPA 1998 as:

    "“personal data” means data which relate to a living individual who can be identified—
    (a)from those data, or
    (b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

    and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;"

    So there are no two ways about it: the judge views the CIR data as personal data, including (at the very least, through (b) above) dynamic IPs. In fact he even says 'the subscriber, who can be identified through the dynamic IP address'.

    "However, as Mr White submitted, the data nonetheless relates to an identified or identifiable person because the subscriber, who can be identified through the dynamic IP address, is inevitably linked to the data (the particulars of the copyright infringement, including the dynamic IP address) as the person who, in a broad sense, has facilitated the infringement, even if he is not the infringer and could incur no legal liability for the infringement. The same point was made in respect of special data under Article 8, but the answer is the same: an identified or identifiable person (the subscriber) is inevitably linked, through the dynamic IP address, to material that might, for example, tend to show unusual sexual proclivities. It does not seem to me to be sufficient to show that the subscriber might not be the person who putatively has such proclivities, where the relevant link was to the subscriber’s internet access"

    ReplyDelete
  15. I think that the comments in 156 are more aimed at the argument that the IP address relates to the subscriber, while the sensitive/personal data is about the infringer, and they may not be the same person.

    But yes, on further reading (particularly the previous quotes) he does seem to be agreeing that IP addresses are personal data, but there is a little bit of uncertainty; possibly enough for this issue to be argued at a later date.

    I get the feeling that this may be deliberate as the point wasn't really argued and the judge may not have felt in a position to make a ruling, so instead relies on the working party group response.

    ReplyDelete
  16. Apologies one of the later comments got stuck on spam. I want to avoid pre-moderation but can't help the amount of spam I get.

    On are IP addresses personal data and are they sensitive personal data IIRC there are emerging principles in various forums:

    (1) An IP address alone should probably not personal data, especially if it does not resolve using rDNS. Even if it did resolve, the IP address on its own tells us nothing personal or sensitive about the subscriber.

    (2) An IP address which resolves using rDNS indicating a fixed IP or an IP address and timestamp so can be traced, with accompanying information could be personal data *if* accompanied by other information that was considered personal. E.g. reads the Telegraph.

    (3) As per 2 but the accompanying information is sensitive, e.g. belies sexual preferences (porn site visits), political inclination (party website visits) or trades union memberships, religious beliefs etc -> then obviously the IP address or IP/timestamp combo becomes sensitive PII under S2 of the DPA.

    Sorry I don't have references, this is just a collection of discussions and debates I've witnessed.

    ReplyDelete

Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.