'Data Protection vs. Copyright' by Lee A. Bygrave in Dan Jerker B. Svantesson & Stanley Greenstein (eds.)
Internationalisation of Law in the Digital Information Society: Nordic Yearbook of Law and Informatics 2010-2012 (Copenhagen: Ex Tuto Publishing, 2013) 55-75
considers
changes in the relationship of copyright and protection of personal data brought about by the evolution of technological-organisational measures for enforcing copyright in the digital world. It assesses the impact of such measures on privacy and related interests in light of data protection legislation and case law of the Court of Justice of the European Union.
Bygrave concludes
This paper has shown how the tension between copyright and data protection
has gradually shifted focal point over the past fifteen years. Whereas a
decade ago that focal point was the rollout of DRMS, it subsequently
became piracy surveillance. With this shift, the tension between copyright
and data protection flowed over into the relationship between IPR-holders
and ISPs. However, some of the heat in the latter relationship is dissipating.
We see in the USA clear manifestation of this dissipation with the recent
agreement between five major ISPs (AT&T, Comcast, Time Warner
Cable, Verizon and Cablevision) and the RIAA and MPAA to set up a
Center for Copyright Information (CCI) that operates a Copyright Alert
System (CAS). The initiative establishes a ‘graduated response’ scheme for
IPR enforcement whereby end-users suspected of engaging in copyright
infringement are to receive a series of warnings to stop their apparently illicit
behaviour and, in the event of recalcitrance, face more serious sanctions.
Of particular importance is that this sort of scheme presupposes a
relatively cordial relationship between ISPs and IPR-holders—copyright
enforcement becomes a shared effort between allies rather than adversaries.
This is not to suggest that ISPs have or will embrace this alliance with
wholehearted enthusiasm. The agreement forged in the USA was the result
of considerable pressure being applied not just from IPR-holders but also
from government. Further, ‘it is a very soft agreement that gives ISPs
near total discretion’. Yet it also reflects nascent corporate convergence of
network providers and content providers—the merger of Comcast and
NBC Universal being a case in point. In some jurisdictions, though, ISPs
are in any case being forced to cooperate pursuant to legislatively mandated
graduate response schemes—the case, for instance, in South Korea,
New Zealand, UK and France.
These developments are likely to lead to a realignment of the relative
strength of copyright and data protection in the years ahead. Besides the
fact that graduated response schemes help to ‘normalise’ surveillance on
the Internet, they weaken the privacy-protective role that ISPs have
(incidentally or intentionally) played. Even in countries that have not (yet)
embraced such schemes, moves are afoot to weaken barriers to piracy surveillance
which arise from data protection law. The Norwegian Parliament,
for example, is currently considering a legislative bill aimed at circumventing
the limitations imposed by data protection law on piracy surveillance.
The bill proposes, inter alia, removing such surveillance from the
licensing requirements of the Personal Data Act and providing a specific
legal footing for it pursuant to proposed new provisions in the Intellectual
Property Act of 1961.
Yet advocates of strong data protection can continue to take some comfort
in the fact that DPI-based surveillance schemes seem still not to be
widely used in the service of IPR enforcement, at least in Europe and the
USA; piracy surveillance’ there continues to be ‘over the top’ rather than
carried out by ISPs as part of their network management. While ISPs
commonly use DPI-based ‘traffic management practices’ to regulate P2P
traffic on their networks, these practices appear not to be harnessed to
specifically target copyright infringement. This is due to a combination of
economic and legal factors. Especially important has been the lack of any
compelling commercial incentive for ISPs to conduct DPI for purposes
other than management of their own network traffic, combined with disjuncture
between most ISPs’ business interests and those of IPR-holders.
Moreover, DPI use going further than what is necessary for their own
operational needs risks stripping ISPs of their immunity from legal liabilities as intermediaries: in the words of Marsden, DPI is ‘something of a Pandora’s
box — if they [ISPs] look inside, all liabilities flow to them, from
child pornography to terrorism to copyright breaches to libel to privacy
breaches’. The proportionality principle as applied in the SABAM suite
of cases is yet another restraining factor, at least in Europe.
However, as pointed out above, the barrier erected by that suite of cases
against DPI surveillance is far from insurmountable. If OTT surveillance
fails to deliver satisfactory results for IPR-holders, they will probably bring
their considerable resources to bear on legislators to introduce statutory,
DPI-based control schemes. Such schemes are likely to pass judicial muster
by the CJEU and ECtHR if their statutory framework meets the ‘rule of
law’ requirements flowing from, inter alia, ECHR Articles 8(2) and 10(2),
and does not require ISPs to bear the bulk of additional costs involved.
That cost reduction will undoubtedly weaken ISPs’ resistance to introducing
such a framework. Their resistance, at least as an industry group acting
in unison, will further decrease if, as is probable, more of them have
entered into the business of content production. Civil society groups campaigning
for privacy and data protection are accordingly likely to fight
their coming battles over DPI with significantly less ISP support.
