The European Union, represented by the European Commission, is negotiating – since 2007- a Multilateral Agreement on Anti-Counterfeiting Trade (ACTA) with nine other countries, including the United States of America, Australia, Canada, Japan, Korea, Mexico, Morocco, New Zealand, Singapore, and Switzerland.
The purpose of such an agreement is to strengthen the enforcement of Intellectual Property Rights (IPR) and to combat large-scale counterfeiting and piracy by defining a legal framework for the enforcement of IPR in particular in the digital environment via:
- increased international cooperation and
- deployment of IPR enforcement practices.
Due to the potential impact that such an agreement may have on individuals’ privacy, the implications related to each of the above-mentioned elements should be carefully evaluated in view of the respect of fundamental rights.
Increased international cooperation
The relevant EU legal framework applicable for transfers of data in the context of ACTA is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In particular, articles 25 and 26 define the regime applicable for transfers of data to third countries. Article 25 requires that transfers are only done to countries that ensure an adequate level of protection. Such countries have been identified by the Article 29 Working Group in a list, which however does not include most of the participants to ACTA. Therefore, transfers envisaged in the framework of this agreement would in theory run against EU law.
Despite this, ACTA negotiators are foreseeing the establishment of international cooperation instruments such as international sharing of information about suspected IPR infringements amongst public authorities (such as custom authorities, police and justice) and possibly between public and private actors.
These options, which are already under scrutiny in other negotiations (such as the EU-US agreement on data protection and information sharing for law enforcement purposes) raise important data protection questions:
a)Are the data exchanges envisaged a real exchange of data or a one-way data transfer?
Since information on the ACTA Agreement are still limited, to answer to this question it is useful to look at previous agreements in this domain. The key precedent in this respect is the SWIFT Agreement. Since the SWIFT agreement did not entail the exchange of information, but rather a one-way data transfer from the EU to the United States of America, negotiators should bare in mind pro and cons of such an approach while negotiating future agreements. Indeed, the European Parliament, together with EU data protection authorities expressed their concern in relation to this lack of reciprocity, because it obviously undermines the ability of the European Union to act as an equal party in the agreement.
b) Even supposing, for the sake of the argument, that ACTA will entail data exchange with third countries, would it be legitimate and proportionate?
Legitimate: the absence of a harmonised regime concerning the enforcement measures and sanctions within the 27 Member States raises questions over the legitimacy of such an agreement, since it might create implementation inequalities. Furthermore, if the scope of the agreement is not clearly limited to the fight against serious IPR infringement offenses, but is extended to alleged IPR infringement, it will probably go against its own purpose, which -using the European Commission’s words- targets “counterfeiting and piracy activities that significantly affect commercial interests, rather than on activities of ordinary citizens”.
Proportionate: the negotiators should bear in mind the principle of proportionality on the basis of which it is necessary to strike a right balance between the aim of the agreement and the protection of fundamental rights. The ACTA agreement is at risk of violating this principle if the actors involved in the data exchanges are not only public authorities but also private entities. Not only is there a greater risk of infringement of individuals’ privacy due to the increased number of non-accountable bodies, but also for the private sector itself which will be faced with an increased number of requests which might not be proportionate to the aim of the agreement.
c) Once the previous two questions are addressed, there still remains the issue of sufficient safeguards to be put into place for protecting data transfers from the EU to third countries.
To reach this goal, according to the EDPS:
- the legal justification under which the data processing activities take place should be verified and data transfers must respect the initial purpose of data collection,
- the amount and types of personal data to be exchanged should be clearly specified and minimised to what is strictly necessary to achieve the purpose of the transfer,
- the persons among whom the data may be shared must be clearly set out and onward transfers to other recipients should in principle be prohibited,
- the method used for exchanging personal data must be clearly chosen bearing in mind the consequences that each might have on data protection. For instance, the push system -on the basis of which ISPs and IP right-holders organisations transfer under their control a number of data to third parties located abroad- presents smaller risks of data protection infringement than the pull system. Indeed, the latter will allow the direct access of police and law enforcement authorities to databases of private parties or to databases where information is centralised third parties,
- the time during which personal data will be retained by recipients must be specified, as well as the purpose for which such retention is necessary,
- the obligations imposed on data controllers in third countries must be clearly set forth, and
- the rights of individuals with respect to their personal data when processed by third parties should be clearly specified so as to guarantee that they have effective means of enforcing their rights in respect of a processing carried out abroad.
The deployment of IPR enforcement practices
A leaked document linked to the negotiations of the ACTA Agreement that has been circulating in the last few days states:
“Each Party shall ensure that enforcement procedures (…) are available under its law so as to permit effective action against an act of, trademark, copyright or related rights infringement which takes place by means of the Internet, including expeditious remedies to prevent infringement and remedies which constitute a deterrent to further infringement”
One of the measures currently discussed in this regard (and already implemented in some countries such as France) are the so-called ‘three strikes Internet disconnection policies’. On the basis of such a measure, copyright holders can monitor and identify Internet users alleged of copyright infringements, whose access to Internet will be cut off after a three-steps warning procedure.
These practices have been met with strong criticism. As the so- called Gallo report states, the European Parliament “regrets that the Commission has not mentioned or discussed the delicate problem of on- line piracy (…), particularly the issue of the balance between free access to the Internet and the measures to be taken to combat this scourge effectively.
In the context of the review of the telecoms package the European Parliament has further pointed out that:
“Measures taken by Member States regarding end-users access’ to, or use of, services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law. Any of these measures (…)liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and with general principles of Community law, including effective judicial protection and due process.”
In order to establish such a balance, three strikes Internet disconnection policies should:
- Be in line with EU data protection and privacy legislation as established in Article 8 ECHR and Article 7 of the Charter of fundamental rights, and stemming from the right to data protection as laid down in Article 8 of the Charter of fundamental rights and Article 16 TFEU, and as elaborated in Directive 95/46 and Directive 2002/58. However, according to the EDPS, the monitoring of the behaviour of Internet users and the further collection of their IP addresses amounts to an interference with their right to private life. In this regard it is worth pointing out that IP addresses are considered personal data under EU legislation but not under that of, for example, the United States of America.
- Be proportionate in nature. In this respect, it is necessary to evaluate whether with the introduction of such a measure there is a balance between its scope (i.e. fighting piracy and violation of property and right) and its consequences on the right to data protection, privacy as well as freedom of information and expression.
Indeed, representatives of the civil society such as European Digital Rights have warned that the three strikes policies are not addressing the counterfeiting of products, but rather imposing a set of demands from the industry as regards copyright onto the global Internet. Besides having an impact on the right to data protection and privacy they also touch upon the right to freedom of information and expression.
In the light of these aspects, as Advocate General Kokott in Promusicae rightly stated, it is necessary to carefully evaluate whether private file sharing, with non-profit purposes, actually threatens the protection of copyright to the extent that the three strikes policies are justified.
Following all these caveats, it would be useful to consider alternative and less-intrusive measures against individuals’ copyrights infringements activities. Directive 2002/22/EC already foresees measures such as consumers’ information and dissuasion activities. Another option might be the monitoring of only a limited number of individuals suspected of engaging in non-trivial copyright infringement. Although the answer to this will obviously be that in order to single out specific individuals, you would first need to run a generalised surveillance system.
For the time being it is not possible to provide a comprehensive analysis of the ACTA Agreement because the negotiations have been kept secret. However, while waiting for the European Commission to open up a real dialogue allowing all stakeholders to contribute to the shaping of the agreement, available elements constitute a sufficient basis to argue that the ACTA Agreement are at risk of violating data protection, privacy and fundamental freedoms in contradiction with current EU legislation and jurisprudence.