changes in the relationship of copyright and protection of personal data brought about by the evolution of technological-organisational measures for enforcing copyright in the digital world. It assesses the impact of such measures on privacy and related interests in light of data protection legislation and case law of the Court of Justice of the European Union. Bygrave concludes:
This paper has shown how the tension between copyright and data protection has gradually shifted focal point over the past fifteen years. Whereas a decade ago that focal point was the rollout of DRMS, it subsequently became piracy surveillance. With this shift, the tension between copyright and data protection flowed over into the relationship between IPR-holders and ISPs. However, some of the heat in the latter relationship is dissipating.
We see in the USA clear manifestation of this dissipation with the recent agreement between five major ISPs (AT&T, Comcast, Time Warner Cable, Verizon and Cablevision) and the RIAA and MPAA to set up a Center for Copyright Information (CCI) that operates a Copyright Alert System (CAS). The initiative establishes a ‘graduated response’ scheme for IPR enforcement whereby end-users suspected of engaging in copyright infringement are to receive a series of warnings to stop their apparently illicit behaviour and, in the event of recalcitrance, face more serious sanctions. Of particular importance is that this sort of scheme presupposes a relatively cordial relationship between ISPs and IPR-holders—copyright enforcement becomes a shared effort between allies rather than adversaries. This is not to suggest that ISPs have or will embrace this alliance with wholehearted enthusiasm. The agreement forged in the USA was the result of considerable pressure being applied not just from IPR-holders but also from government. Further, ‘it is a very soft agreement that gives ISPs near total discretion’. Yet it also reflects nascent corporate convergence of network providers and content providers—the merger of Comcast and NBC Universal being a case in point. In some jurisdictions, though, ISPs are in any case being forced to cooperate pursuant to legislatively mandated graduated response schemes—the case, for instance, in South Korea, New Zealand, UK and France.
These developments are likely to lead to a realignment of the relative strength of copyright and data protection in the years ahead. Besides the fact that graduated response schemes help to ‘normalise’ surveillance on the Internet, they weaken the privacy-protective role that ISPs have (incidentally or intentionally) played. Even in countries that have not (yet) embraced such schemes, moves are afoot to weaken barriers to piracy surveillance which arise from data protection law. The Norwegian Parliament, for example, is currently considering a legislative bill aimed at circumventing the limitations imposed by data protection law on piracy surveillance. The bill proposes, inter alia, removing such surveillance from the licensing requirements of the Personal Data Act and providing a specific legal footing for it pursuant to proposed new provisions in the Intellectual Property Act of 1961.
Yet advocates of strong data protection can continue to take some comfort in the fact that DPI-based surveillance schemes seem still not to be widely used in the service of IPR enforcement, at least in Europe and the USA; piracy surveillance there continues to be ‘over the top’ rather than carried out by ISPs as part of their network management. While ISPs commonly use DPI-based ‘traffic management practices’ to regulate P2P traffic on their networks, these practices appear not to be harnessed to specifically target copyright infringement. This is due to a combination of economic and legal factors. Especially important has been the lack of any compelling commercial incentive for ISPs to conduct DPI for purposes other than management of their own network traffic, combined with disjuncture between most ISPs’ business interests and those of IPR-holders.
Moreover, DPI use going further than what is necessary for their own operational needs risks stripping ISPs of their immunity from legal liabilities as intermediaries: in the words of Marsden, DPI is ‘something of a Pandora’s box — if they [ISPs] look inside, all liabilities flow to them, from child pornography to terrorism to copyright breaches to libel to privacy breaches’. The proportionality principle as applied in the SABAM suite of cases is yet another restraining factor, at least in Europe.
However, as pointed out above, the barrier erected by that suite of cases against DPI surveillance is far from insurmountable. If OTT surveillance fails to deliver satisfactory results for IPR-holders, they will probably bring their considerable resources to bear on legislators to introduce statutory, DPI-based control schemes. Such schemes are likely to pass judicial muster by the CJEU and ECtHR if their statutory framework meets the ‘rule of law’ requirements flowing from, inter alia, ECHR Articles 8(2) and 10(2), and does not require ISPs to bear the bulk of additional costs involved. That cost reduction will undoubtedly weaken ISPs’ resistance to introducing such a framework. Their resistance, at least as an industry group acting in unison, will further decrease if, as is probable, more of them have entered into the business of content production. Civil society groups campaigning for privacy and data protection are accordingly likely to fight their coming battles over DPI with significantly less ISP support.