UK ISPs were ordered earlier this year by the High Court to disclose information relating to its customer’s data based on information provided to them by amongst others the games companies. The information sought was based on the customer’s IP address. Pursuant to CPR 31.18 Lawyers applied for an order that the ISP disclose the full name, postal address and telephone number of the subscriber of each of the IP addresses supplied.
The game plan was to match the ISP address with the individual and write to them with a hefty threatening letter and a request for 600 pounds. If this sum was not paid, court action would follow, costing tens of thousands of pounds. It all seemed fairly conclusive. The ISP complied and the Lawyers commenced the enormous task of writing to over (so we understand) 25,000 potential infringers.
However it was only when responses started to flood in – many in their hundreds to Lawdit Solicitors- did it become clear that the IP addresses while revealing a name and address did not reveal the culprit. It proved very little. It certainly did not prove that any copyright infringement had taken place far from it. Only by inspecting the hard drive of the customer’s computer could you do this. If there were any other evidence to sit alongside the IP address, for example a user name or password of the file sharing software you could sympathise with the rights holder.
But to rely on the IP address alone is wholly disproportionate and has resulted in untold misery to many thousands of individuals. This whole affair sums up in my view how little the IC is really concerned with an individual’s data. I am not aware of any publicly quoted concerns from the IC and he has remained silent as the forums and notice board crackle with the indignation and invasion of individual’s data. You cannot blame the ISP. As a Court Order was in place, why would an ISP go out on a limb for a few thousand customers?
But the IC ought to (at the very least) have been keeping a watchful eye out and at the very least issue a press release to offer individuals some comfort. The silence is even more deafening in that on 29 January 2008 the ECJ held that Community law does not require member states to oblige ISPs to disclose details of suspected file-sharers to enable a copyright owner to bring civil proceedings. Personal data is protected generally in the EU by virtue of the EC Directive on the protection of individuals with regard to the processing of personal data (95/46/EC) (Data Protection Directive). Member states may provide exemptions to protection in order to conduct criminal investigations or safeguard national or public security or to protect the rights and freedom of others (Article 13(1), Data Protection Directive).
In the UK such an exception can be found under section 35 (1) of the Data Protection Act 1998 which provides that ‘Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.’ This exemption does not contain any further considerations for a Data Controller before making a disclosure in these circumstances. The EC Directive on the processing of personal data and the protection of privacy in the electronic communications sector (2002/58/EC) (E-Privacy Directive) provides that national authorities may only lift the protection of data privacy in order to safeguard national or public security or to conduct investigations into criminal offences or the unauthorised use of an electronic communications system, where this is a “necessary, appropriate and proportionate measure” (Article 15(1), E-Privacy Directive).
The ECJ reached its conclusion following a Spanish case concerning Telefonica. The Juzgado de lo Mercantil No 5 de Madrid decided to stay the proceedings and referred the following question to the Court for a preliminary ruling:
Does Community law, specifically Articles 15(2) and 18 of Directive [2000/31], Article 8(1) and (2) of Directive [2001/29], Article 8 of Directive [2004/48] and Articles 17(2) and 47 of the Charter permit Member States to limit to the context of a criminal investigation or to safeguard public security and national defence, thus excluding civil proceedings, the duty of operators of electronic communications networks and services, providers of access to telecommunications networks and providers of data storage services to retain and make available connection and traffic data generated by the communications established during the supply of an information society service?
The ECJ, responded that the question must be that Directives 2000/31, 2001/29, 2004/48 and 2002/58 do not oblige Member States to ensure effective protection of copyright in the context of civil proceedings to communicate personal data. A fair balance needs to be struck between the various fundamental rights and in particular the principle of proportionality. In Advocate General Kokott’ opinion she considered that it was compatible with Community law for member states to exclude operators of electronic communications networks and services from having to make available personal data relating to connection and traffic information in the context of a civil, as distinct from criminal, action.
While the decision is not binding on the ECJ it will generally follow the Advocate General’s opinion. For the vast majority if not all of the 25,000 recipients this decision ought to have been interpreted as a request for information relating to a non criminal offence (i.e. any copying was non-commercial) and the request for the personal data ought to have been refused. If you have received a letter accusing you of file sharing and you are innocent then please write to the Information Commissioner with your story and complain that the release of your personal data was a breach of the Data Protection Act 1998 and urging them to carry out a review of all subsequent releases.The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.