ISP Users’ Privacy, P2P, and the Discovery Order Provision in the EU “Enforcement Directive”: A New Conundrum?

08 May

by Marco R. Provvidera – Lawyer in New York and IIP International Studies Director

Published in the American Bar Association International Data Protection and Online Security Newsletter, April 2009

An original reinterpretation, from an American perspective, of the Peppermint case.

Over the past decade, the European Union has been taking consistent legislative action aimed at pursuing the harmonization and enhancement of the effectiveness of Member States’ IP-related domestic laws. Directive 2001/29/EC (the “Copyright Directive” of May 22, 2001), while focused on the substantive aspects of such harmonization, expanded the scope of IP rights protection so as to encompass also the procedural tool of an “injunction,” to be made available for right holders upon proper motion (“application”) “…[against] intermediaries whose services are used by a third party to infringe a copyright or related right.” However, it was only with Directive 2004/48/EC (the “Enforcement Directive” of April 29, 2004) that the focus of the European Parliament and Council distinctly shifted to the procedural aspects of IP rights protection. Article 8 of the Enforcement Directive, in fact, by correctly framing the novel (in a civil law context) discovery remedy as being of an evidentiary nature, as opposed to a “precautionary” nature (i.e., pre-emptive), effectively provides the aggrieved party with a right to obtain discovery when supported by a “justified and proportionate request.” It is no longer a matter of absolute judicial discretion. While the Member States have more or less promptly acted to amend their domestic legislation to include these new remedies in compliance with the EU rules, major obstacles to their full implementation were caused, perhaps predictably, by the uneasiness of courts to agree on how to achieve a sound balance between the enhanced procedural protection of IP rights and the supposedly conflicting right of privacy. This issue was addressed in a recent “Preliminary Ruling” by the European Court of Justice, which is binding precedent in the national courts of the Member States.
Responding to a “Preliminary Question” brought by a Spanish Court regarding the issue of whether or not EU law allows Member States to exclude an obligation of ISPs, or telecom carriers, to retain and discover data on access to communication networks, if so requested in the context of civil proceedings, the ECJ held that the provisions at bar “…do not bind the Member State to enact rules setting forth an obligation to communicate personal data to guarantee an effective protection of copyright in the context of civil proceedings.” However, the ECJ held that Directive 2002/58, art. 15.1, does provide Member States with the option to enact such rules. The exercise of this option was the issue in a subsequent controversial decision by an Italian court, which denied the plaintiffs’ motion to obtain discovery from the defendant ISP “Tiscali” consisting of the names and personal references of users who had allegedly used “P2P file-sharing” programs to illegally download music protected by copyrights owned by various artists. The Court denied the plaintiffs’ motion, based on the asserted need for protection of the ISP users’ privacy, in effect sustaining the defendant’s position. Arguably, both Promusicae and Peppermint, in spite of their lengthy and articulated legal reasoning, in reality left unsettled the very issues they attempted to address. In essence, the Peppermint Court reasoned that, in light of both the combined EU Directives’ provisions invoked by plaintiffs as the basis of their legal claims, and the Promusicae ECJ “Preliminary Ruling,” given that Italy had failed to avail itself of the option to enact rules, pursuant to Directive 2002/58 art. 15.1, to extend to civil proceedings the exceptions to privacy protection already existing in the context of criminal, or national-security-related investigations and/or prosecutions, the court had no choice but to strike a balance between the two fundamental rights of IP protection and privacy in favor of the latter.
The effect was to prevent the defendant ISP from releasing the information sought by the plaintiff to enforce its rights, since such release would have “disproportionately” violated the ISP users’ right to personal data protection. Although such reasoning may appear at first glance to be founded on sound arguments, it nonetheless appears upon careful analysis to imply a flawed interpretation of applicable EU and domestic law as well as a superficial grasp of the current international debate on the potential “intermediary liability” of ISPs for infringement of the IP rights of third-party users in the case of unlawful on-line conduct.
The Peppermint court cautioned that the provisions on IP enforcement in the various Directives should never open the door to an unrestricted waiver of the privacy protection laws. However, the unequivocal language of the EU law, while citing principles of proportionality and a balance of fundamental interests and rights, nevertheless effectively imposes an obligation on the Member States to protect and enforce IP rights in the “information society” to such an extent that a further “Enforcement Directive” was enacted to extend the availability of discovery as a procedural tool. In this light, the European Court’s interpretation of Directive 2002/58 art. 15.1 in Promusicae was unusually feeble. The court construed Directive 2002/58 art. 15.1 as the only provision, embodied in a single line, that provides the Member States with an “option” to enact rules directed to extend exceptions to privacy protection laws to domestic civil proceedings. In so ruling, the court arguably disregarded the overall relevant legislative intent as repeatedly reflected in the applicable Directives cited above. Furthermore, in the privacy protection laws themselves, both European and domestic, the necessary exceptions to allow proper balance, namely, the legal proceedings exception, already exist and apply. That is reasonable and consistent, since another fundamental individual right is at stake here, possibly prevailing over all others, namely, the availability of legal action to protect one’s rights.
The other relevant holding of the Peppermint ruling, in support of its balance-striking in favor of privacy, is that discovery of personal data is allowed only in the context of criminal proceedings in the absence of domestic legislation “opting” otherwise pursuant to Directive 2002/58 art. 15.1. The criminal law contains specific time limits on the retention and use of data for investigation and prosecution. Permitting discovery of protected data in a civil proceeding would, according to the Court, not be grounded on the principle of lex specialis (governing the criminal law provisions), and would override altogether the prohibition against discovery of communication-related data as well as the legal proceedings exception. However, the court’s analysis in Peppermint appears to conflict directly with the plain language of applicable EU and domestic law. The criminal provisions of the “National Security Directives” and implementing domestic legislation, far from appearing in a lex specialis/lex generalis relationship with the rules governing the legal proceeding exception to the nonconsensual use of personal data, seem rather to comprise a different body of law directed at other legislative and societal needs, with mitigating language that assures “appropriateness”, “proportionality”, and the necessary safeguards of liberties and rights “within a democratic society.” Consequently, a correct analysis of the privacy and IP-related Directives would appear to establish that these laws provide for the legal proceedings-related exceptions to data protection, so as to allow full use of discovery in the context of a civil action for infringement of IP rights. In light of the above, it appears to this author that the court decisions in Promusicae and Peppermint failed to correctly balance the competing rights of IP enforcement and privacy protection, and will impair legislative efforts to assure the enforcement of such rights in the future.
Ultimately the protection of privacy, which the court considered to prevail over other rights, may itself be adversely affected. The EU Commission adopted, on July 16, 2008, a “Green Paper on Copyright in the Knowledge Economy,” addressing the adequacy of copyright legislation in the digital age. On the same day, July 16, 2008, the Commission also issued its “Industrial Property Rights Strategy” for the purpose of determining whether the intellectual property system is achieving its purpose. Finally, on November 26, 2008, the Council of Europe set aside the decision of the EU Parliament which froze the so-called “Amendment 138” to the “Telecoms Package.” The Telecoms Package had proposed measures to terminate the online access privilege of abusing users. Meanwhile a bill has been introduced in the Italian Parliament, proposing measures to unequivocally extend to civil proceedings an array of more effective “discovery tools” aimed at the improvement of IP enforcement.