ECJ ruling encourages copyright holders to shoot the messenger

In their decision issued last week in the case of UPC Telekabel v Constantin Film, the European Court of Justice (ECJ) confirmed that EU states have the right to issue injunctions requiring internet service providers (ISPs) to block their internet users’ access to copyright-infringing websites.

Whilst at first glance the decision may appear to be a landslide victory for rights owners, it also offers welcome clarity to ISPs on the extent of their obligations to prevent infringements.

The ECJ’s decision arose out of an Austrian case involving an application by two film producers, for an injunction requiring an Austrian ISP to prevent its users accessing a website that enabled its users to stream or download films which infringed the producers’ copyright.

According to Article 8(3) of the Copyright in the Information Society Directive (2001/29) (Directive), national courts have the power to grant a blocking injunction against an ‘intermediary’ whose services are used by a third party to infringe copyright or related rights. The ECJ’s decision addresses two key issues: firstly, what sort of intermediaries can be subject to injunctions under the Directive, and secondly, what form of injunctions can be granted against them?

Can an injunction be granted against an ISP as an intermediary?

The primary issue to be determined by the court was whether a party making infringing information available on its website ‘uses’ the services of the ISP whose customers access that website, even where the ISP’s customers themselves have not committed an infringement. If so, this provides a jurisdictional platform for courts to grant injunctions against such an ISP.

UPC argued that they had no contractual business relationship with the website operators, having made neither internet access nor storage space available to them. Since it could not be established that their direct customers acted unlawfully (although, as the Advocate General Cruz Villalon pointed out in his preceding opinion delivered back in November, it could be assumed with near certainty that they took advantage of the services on offer on the offending website), they maintained that it could not be considered that their services had been used to infringe a copyright or related rights. UPC also emphasised that, in any event, the various blocking measures available were excessively costly, especially as for the most part they could be easily circumvented with minimal technical expertise.

Contrary to the assertions of UPC, the ECJ found that where an ISP’s service users access infringing content on a website, that ISP is in fact an intermediary whose services are used to infringe copyright within the scope of the Directive, and as a result they can be subject to injunctions forcing them to block access to the offending sites. They cited the rationale that the ISP “is an inevitable actor in any transmission of an infringement over the internet between one of its customers and a third party, since in granting access to the network it makes the transmission possible.”

In their decision, the ECJ recognised that, on a practical level, as the services of intermediaries are increasingly used to infringe copyrights, such intermediaries are often ideally placed to take preventative action. The ECJ emphasised that in order to fulfil the key objective of the Directive, which is to guarantee right holders a high level of protection as outlined at Recital 9 of the Directive, ISPs must be included within the parameters of Article 8(3), because to rule otherwise would substantially diminish the protection afforded to such right holders.

This means that in future it will not be necessary to show a specific relationship between a person infringing copyright and the intermediary against whom an injunction may be issued, nor will it be necessary to prove that the customers of the ISP in question actually access the protected subject matter on the known infringing website. The ECJ reiterated that the spirit of the Directive requires Member States not only to take action to bring existing infringements to an end, but also to prevent further infringements, or at least make them more difficult to commit.

Can an injunction be granted without specifying the means of implementing it?

Having decided that an injunction could be granted against an ISP in the circumstances outlined, the ECJ then proceeded to consider the nature of the injunction to be granted, and in particular whether the Austrian court’s approach of leaving the ISP to decide the means to be used in blocking the website was acceptable, or whether the court should be required to specify how any prescribed block should be implemented.

In reaching their decision, the ECJ recognised the tension between the ISP’s freedom to conduct a business, the internet users’ freedom of information, and the right holders’ copyright, and emphasised the need to achieve a “fair balance” between these fundamental rights. In assessing whether such a balance had been struck, the ECJ found that by giving the ISP a wide discretion to determine the appropriate measures to implement a block of the website, the Austrian Court’s ‘results’ form of injunction had in fact ensured the optimum business freedom of the ISP, as they could choose to put in place measures best adapted to their available resources and the challenges of carrying on their particular business activities. Furthermore, provided the ISP had taken all measures “capable of being considered reasonable”, they could rest assured that they would not be held liable for breach of the injunction, thus ensuring that an ISP cannot be expected to make unbearable sacrifices in order to protect the conflicting interests of a rights-holder.

In this regard the ECJ judgment differed from the opinion of the Advocate General, where he expressed the view that it would be “incompatible with the weighing of the fundamental rights of the parties to prohibit an ISP generally [from accessing an infringing website] and without ordering specific measures”.

The Advocate General did, however, acknowledge that a specific blocking measure imposed on an ISP relating to a specific website would not automatically be disproportionate simply because it entailed not inconsiderable costs and could be easily circumvented without any special technical knowledge.

The ECJ imposed two conditions on the granting of a general injunction such as that proposed by the Austrian court in order to ensure a fair balance is struck between the fundamental rights of the parties:

(i) Firstly, measures must not unnecessarily deprive users of the possibility of lawfully accessing the information available; in other words, measures must be strictly targeted to ensure that internet users’ right to freedom of information is not curtailed more than is necessary; and

(ii) Secondly, those measures must have the effect of preventing unauthorised access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging users from accessing the infringing subject-matter. This means that courts will not decline to grant an injunction just because there is no foolproof solution available. As the English High Court has acknowledged, “a blocking order may be justified even if it only prevents access by a minority of users”.

The ECJ declined to elaborate further on how best to balance and protect the competing rights of parties in such a case, leaving the ultimate decision as to “fair balance” in the domain of national courts.

In order to ensure that the fundamental rights of internet users are afforded adequate protection, and are not diminished in the wake of a surge of applications for injunctions by rights-holders, the ECJ also introduced the concept that internet users can assert their rights before national courts, ensuring that they have a forum for redress where they believe measures imposed by an ISP are unduly restrictive.

The battle is won, but the war has just begun…

Whilst the International Federation of the Phonographic Industry (IFPI) has issued a positive statement in support of the ECJ ruling, which undoubtedly represents a string to their bow in fighting online piracy, the decision is unlikely to have a notable impact on the approach of the UK courts to website blocking. The High Court had already been persuaded to grant specific injunctions against a number of ISPs under domestic intellectual property legislation before the recent judgment came to light, and is likely to continue to grant such orders without hesitation in the future, particularly with the reinforcement of an ECJ decision behind them. Other EU member states are now likely to follow suit, adopting an approach more consistent with that already prescribed by English law.

Whilst those campaigning for better protection of intellectual property rights are celebrating their apparent victory, they may stop to consider that, although in principle the ECJ ruling is a step in the right direction, in practice the operators of illegal websites, and the hosting providers making them available online, are often based outside Europe or conceal their identity, which means that in reality it is very difficult to pursue them before the courts. Let the historic examples of the difficulty encountered in shutting down notorious copyright-infringing sites such as Pirate Bay serve as a cautionary warning not to celebrate too soon – the road ahead for rights-holders crusading against piracy in the internet age is a treacherous one; and for every website you successfully shut down you can all but guarantee the same will resurface under a different address or hosting provider!

EU Data Protection Reform – Are we nearly there yet? In a word, no.

The EU’s plans for an overhaul of data protection laws have suffered yet another set-back. After much speculation from commentators that the June 2014 deadline was unrealistic, the EU Justice Commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft Data Protection Regulation will not be agreed during the current term of the EU Parliament.

This most recent delay has been caused by EU ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission. The draft Data Protection Regulation was first published by the European Commission in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with over 4000 amendments proposed to the Commission’s original draft.

New timetables have been proposed and Viviane Reding has made some optimistic statements that there will still be a new data law by the end of the year. However, the reality is that we will have to wait and see how discussions regarding the draft Regulations progress following the forthcoming parliamentary election season. There currently remain fundamental differences among Member States and some significant changes of approach will be needed if a consensus is going to be reached.

The UK is currently calling for the proposals to be watered down and for the Regulation to become a Directive, giving each Member State the opportunity to interpret the requirements in a way which best suits it when adopting the Directive into national law. However, this approach is unlikely to be welcomed by international businesses looking for consistency in the application of data protection legislation across Europe.

The one consensus which appears to exist among Member States is the acknowledgement that a change of some description to the current data protection regime is required. In the UK, the core data protection legislation has been in force since 1998 and is outdated and often incompatible with the technological advances which have been made in the last 16 years. Updated legislation, which reflects the world in which businesses are now operating and the advances which are likely to occur over coming years, is likely to be welcomed by all, but only if it is clearly drafted, thoughtful and well-reasoned. No one wants another piece of hastily constructed legislation which raises more questions than it answers. We’ve already got the cookies legislation for that!

Data Protection Reform Update

In January 2012, the European Commission proposed a major reform of the EU legislation regarding the protection of personal data. The aim of the new proposals was to update the current Data Protection Directive (95/46/EU) passed in 1995 in order to provide a higher level of protection over EU citizens’ personal data. It is also meant to consolidate and harmonise data protection laws across all EU member states. Another key objective of the proposals is to ensure that the revised law addresses the recent developments in technology to cover progressions in e-commerce, social networking, and cloud computing. In terms of compliance, the new regulation is set to be stricter than the previous law with harsher enforcement and penalties. As the draft regulation will be directly effective in member states, there will not be a need for local legislation to implement it.

Key provisions of the Regulation

• Most businesses (including public sector bodies, private sector businesses with over 250 employees, and businesses whose activities involve regular monitoring of data) will be required to appoint or designate a data protection officer to ensure that data controllers and processors fulfil their duties, and to monitor the implementation of policies.
• Companies will have to be more transparent about what they require data for. They may only collect the minimum amount of data that they require for a specified purpose.
• Data subjects should have the right to ‘erase’ their personal data through a ‘right to be forgotten’.
• The activities of data processors will also be brought within the scope of the draft regulation. Previously, the Directive applied only to the data processing activities of data controllers. Furthermore, the regulation will also apply to data controllers who offer goods or services to data subjects in the EU, but who are not themselves established in the EU.
• Both data processors and data controllers will be required to implement security measures to strengthen online privacy.
• Data controllers will be obliged to inform the relevant national data protection authority of a data security breach within 24 hours of becoming aware of the breach.

Although the regulation cannot impose criminal sanctions, there will be more significant consequences for breaching the draft regulation. These will include fines of up to 2% of a business’s annual turnover for intentional or negligent breaches.

According to the current timescales, the draft regulation is to be implemented before the European Parliament elections in May 2014, but is not likely to apply to the UK until 2016 at the earliest. Despite this, businesses should continue to keep informed about the proposed changes to ensure they are in a position to fulfil the requirements and comply with the key provisions when the time comes.

Graphing privacy

Last month, Facebook announced its latest innovation: Graph Search, widely regarded as an attack on Google’s dominance in the online search market.

Graph Search is being rolled out gradually across Facebook’s billion-strong user base, and will enable people to conduct “real language” searches of Facebook users. So you can search for “people in Tunbridge Wells who like Pizza Express”, and you’ll get a list of Facebook users who live in Tunbridge Wells and who have clicked the “Like” button on Pizza Express’s website at some point.

Like almost everything that Facebook does, this has given rise to some serious privacy concerns. Web developer Tom Scott started an Actual Facebook Graph Searches blog on Tumblr, giving some of the more embarrassing, amusing or even alarming examples of Graph Search results.

Facebook’s response to these concerns is that Graph Search will only show information that users have agreed to be made publicly available in their privacy settings. However, Graph Search undoubtedly makes that information far more accessible and usable to the world at large. It’ll be interesting to see if any European data protection commissioners challenge Facebook’s actions here – perhaps arguing that people cannot have given properly informed consent, since Graph Search is so innovative that people could not have had it in mind when they agreed to Facebook’s privacy terms.

As I’ve written before, people tend to focus too much on what information companies hold about them. However, the real impact on privacy comes from what companies are able to do with the data they hold about you: making connections, drawing inferences, building up a surprisingly accurate picture of you from what may appear to be only a small amount of information. You could say that Graph Search puts something of this same power of “Big Data” in the hands of ordinary Facebook users – for good or ill.

New rules for Online Behavioural Advertising

Since spring last year, websites and advertisers have been getting to grips with the new law on obtaining consent for cookies.

One common use of cookies is for online behavioural advertising (OBA), and from 4 February 2013 websites and advertisers using OBA will have additional rules to comply with.

The Advertising Standards Authority (ASA) is taking over responsibility for ensuring that consumers are made aware of, and can exercise choice over, the collection and use of information for OBA. The ASA’s first step is the introduction of new rules on OBA which will come into force from early February.

I have prepared an article summarising the key elements of the OBA Rules which websites and advertisers should be aware of. To read this article in full please click here (PDF).

The Orwellian future of TV advertising?

“In America, you watch television. In Soviet Russia, television watch you!” – Yakov Smirnov

The FT’s Decoding Big Data series includes the following vision of a future which will either sound dystopian or thrilling, depending on how protective you are of your privacy:

A married couple sit in their living room, arguing about the text messages she keeps receiving from an ex-boyfriend. The television, playing in the background, listens in on their conversation, detects that they are fighting and automatically selects an advertisement about a local marriage therapist for the next commercial break.

The FT observes that this faintly Orwellian concept is already technologically feasible, at least if a recent Verizon patent application is to be believed.

The claims of the patent application make for fun reading (and it’s not often you can say that about patent claims). As ever, they begin with a very broad claim on which the others are then founded:

1. A method comprising: presenting, by a media content presentation system, a media content program comprising an advertisement break; detecting, by the media content presentation system, an ambient action performed by a user during the presentation of the media content program and within a detection zone associated with the media content presentation system; selecting, by the media content presentation system, an advertisement associated with the detected ambient action; and presenting, by the media content presentation system, the selected advertisement during the advertisement break.

Or, in English: under this system, the same TV advertisements will not be broadcast to everyone watching the same programme. Instead, your TV will show an advertisement that is targeted specifically at you, based on what you’re doing in the vicinity of the TV at the time. What sort of things might those be? Claim 2 gives some examples:

2. The method of claim 1, wherein the ambient action comprises at least one of eating, exercising, laughing, reading, sleeping, talking, singing, humming, cleaning, and playing a musical instrument.

I would love to have been a fly on the wall at the meeting where Verizon and its patent attorneys brainstormed the activities people are likely to get up to while watching TV. But these are mostly solitary activities. What about where two or more people are in the same room? Claim 3 picks this up:

3. The method of claim 1, wherein the ambient action comprises an interaction between the user and another user.

In case you were wondering (possibly with a sense of dread) what sort of “interaction between the user and another user” this might include, claim 4 gets down to brass tacks:

4. The method of claim 3, wherein the interaction between the user and the another user comprises at least one of cuddling, fighting, participating in a game or sporting event, and talking.

Though perhaps this is less alarming than claim 11:

11. The method of claim 1, further comprising identifying, by the media content presentation system, one or more physical attributes associated with the user.

So when all the ads you see in future are for weight-loss products and gym memberships, you’ll know why.

Of course, a practical implementation of this is some way in the future, as internet-enabled TVs become more commonplace. Maybe it will take the semi-mythical Apple TV set to provide a platform sophisticated enough to implement this new advertising experience. And the data protection implications of such a system would also be interesting, especially obtaining informed consent from anyone watching the TV.

What all this also highlights is how the future of advertising, both on TV and online (a distinction that will itself seem quaint before too long), lies in the ability to respond in real time to users’ actions, matched to existing data about those individuals (or others in the same demographic). And that’s a reality that is already here, at least on the web.

Passwords: cracking the code

Interesting post by Willard Foxton on password security, describing how the 2009 hacking of the RockYou gaming website started a cascade of website cracking – all too easy in an era where “cryptographic feats that were the stuff of legend in the Second World War” can now “be done on your iPhone”.

Foxton summarises “current best advice” on password security as follows:

The current best advice is to have passwords composed of 20 characters, with no real words, and your gobbledegook has to include upper and lower case letters, symbols, numbers and punctuation, all randomly scattered through the word. On top of that, you need to have a different password for every site you use and change your password for all of them every three months.

I think it’s safe to say that a system whose “best practice” amounts to that is a system that is irretrievably broken.

Are there any legal implications to this? Well, the Data Protection Act requires organisations holding personal data to take:

Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Act does not prescribe any specific security measures, but the Information Commissioner’s current advice to organisations on passwords recommends:

use a strong password – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.

This is some way short of the “best advice” set out by Foxton, though how much actual practical difference it makes to security may be a different matter – for now. “Appropriate” measures include striking a balance between theoretical security and practical workability, depending on the risks involved. But it would seem likely that, over time, the gap between what is “appropriate” and Foxton’s counsel of perfection will close.
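To make the gap between the two policies concrete, here is an added example (not code from the original post) that encodes the ICO recommendation and Foxton’s “best advice” as checks and estimates the brute-force search space of a password that meets each. It assumes the ICO’s “special keyboard characters” means ASCII punctuation, and uses a small constructed word list in place of a real dictionary.

```python
import math
import string

# Character classes referred to by the two policies quoted above.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation)  # assumption: ICO's "special keyboard characters"

# Constructed stand-in for a dictionary; a real check would load a full word list.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "football"}


def classes_used(pw):
    """Report which of the four character classes appear in pw."""
    chars = set(pw)
    return {
        "upper": bool(chars & UPPER),
        "lower": bool(chars & LOWER),
        "digit": bool(chars & DIGITS),
        "symbol": bool(chars & SYMBOLS),
    }


def meets_ico(pw):
    """ICO advice as quoted: at least seven characters, mixing upper, lower,
    numbers and special characters."""
    return len(pw) >= 7 and all(classes_used(pw).values())


def contains_real_word(pw, words=COMMON_WORDS):
    """True if any listed word appears inside the password (case-insensitive)."""
    low = pw.lower()
    return any(w in low for w in words)


def meets_foxton(pw):
    """Foxton's 'best advice': 20 characters, all four classes, no real words."""
    return (len(pw) >= 20
            and all(classes_used(pw).values())
            and not contains_real_word(pw))


def search_space_bits(pw):
    """Bits of brute-force search space if every character were drawn uniformly
    from the classes the password uses. This is an upper bound on strength: a
    dictionary word plus a digit scores well here but falls to a word list."""
    c = classes_used(pw)
    alphabet = (26 * c["upper"] + 26 * c["lower"]
                + 10 * c["digit"] + len(SYMBOLS) * c["symbol"])
    return round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0


def assess(pw):
    """Summarise how a password fares against both policies."""
    return {
        "ico": meets_ico(pw),
        "foxton": meets_foxton(pw),
        "bits": search_space_bits(pw),
        "real_word": contains_real_word(pw),
    }


if __name__ == "__main__":
    # Constructed samples: one that just satisfies the ICO wording, one random-looking
    # 20-character string that satisfies Foxton.
    for sample in ("Password1!", "xK9#mQ2$vL7!bR4%nT6&"):
        print(sample, assess(sample))
```

The first sample passes the ICO wording and scores about 65 bits on paper, yet it is built on a dictionary word, which is why “appropriate” measures are about more than a character-class rule.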

Rather than tightening up password policies beyond the ICO’s recommendations, there may be a stronger case for looking at measures such as two-factor authentication. I adopted this for my personal email account after reading this chilling account of how a hacked Gmail account enabled Mat Honan’s entire digital life to be wiped out earlier this year. Google offer two-step verification for their accounts, which is relatively simple to set up and use, at least if you own a smartphone.

I’m not aware of any guidance from the ICO as yet on the use of two-factor authentication. What the ICO does insist upon, however, is the use of encryption for any mobile devices holding personal data (laptops, memory sticks, tablets). If your organisation is using such devices without encryption, you should correct this straight away – or risk joining Greater Manchester Police in the dock with a £120,000 (or more) penalty.