Pangloss has just grabbed a few minutes to consider this rather important new decision from the ECJ. Basically, the European court was asked to consider if it was legal for Spanish law to require telecoms providers, ISPs etc to retain traffic data relating to users for security or crime related purposes, but not to allow the use of that law for retrieval of evidence for OTHER (civil law) purposes, most obviously their use by IP rightsholders to uncover the identities of P2P filesharers.
The key provision here is Article 5(1) of Directive 2002/58 (the Privacy and Electronic Communications Directive, amending the Data Protection Directive 1995), which requires states to pass laws to ensure the confidentiality of traffic data. There can be exceptions to this obligation under Art 15(1), but only where necessary to safeguard national security, defence, public security, or for the prevention, investigation, detection and prosecution of criminal offences - and to prevent "unauthorised use" of the electronic communications system, as referred to in Article 13(1) of Directive 95/46.
There was some dubiety in the ECJ that this last exception covered traffic data collection to get evidence for *civil* litigation - but the court were willing to more or less go along with that one. What they weren't willing to say was that this implied laws MUST be passed requiring disclosure of personal data to safeguard the rights of litigants in civil proceedings - ie, the PECD did NOT require automatic disclosure of P2P traffic data to help out the music industry, though such laws would not violate EC law (para 56).
Several other IP-related Directives cited generally required states to provide for procedures for disclosure of information relating to pirate goods, after "justified and proportionate" applications by aggrieved rightsholders; however these did not take precedence over the specific obligation in the DPD and PECD to protect personal data.
And most importantly, as Cedric Manara has already mentioned elsewhere, the Court finally held that, turning to fundamental rights in the EC Charter, if the fundamental rights to property, and to privacy (which appear therein, as well as in the ECHR) appear to come into conflict when EC Directives are implemented in national laws, well, then, IP does not take precedence over privacy (or vice versa): instead, national courts must "make sure that they do not rely on an interpretation of [national laws] which would be in conflict with these rights." (para 68) Put it plainly: IP rights do not trump DP rights, says the ECJ.
In other words also - my interpretation purely, now - although the ECJ have not said that laws requiring automatic disclosure of personal data to rights holders to protect IP rights would be illegal under the PECD, a serious warning has been issued to national legislatures not to be pushed into passing such laws, without considering first if rights of protection of personal data are being taken properly into account.
In the UK, this is serious stuff. The government is currently basically trying to shove through (as per Gower recommendation no 39) a model borrowed from France under which ISPs will disconnect and bar repeat P2P infringers via BCP codes, without ever going near a court. But this is probably only the tip of the iceberg. It is no surprise that the industry would far rather have automatic disclosure via industry codes of practice than, as currently, have to go for Norwich Pharmacal disclosure. This will be a very useful opinion for lobby groups fighting such a legal or "soft law" progression.
I'll be saying more about this at a conference in March :) More details when I have them.