Norwich Pharmacal orders, the GDPR – and porn: Mircom & Golden Eye v Virgin Media

July 18, 2019

The GDPR has had its first brush (to my knowledge at least) with the pornography industry in the Courts of England and Wales. In Mircom International and Golden Eye International v Virgin Media and Persons Unknown [2019] EWHC 1827 (Ch), a judgment of 16 July, the High Court declined to order Virgin Media to hand over the IP addresses of persons who had allegedly downloaded and shared porn films in breach of copyright. It was not, however, the GDPR that saved those naughty “persons unknown”. Instead it was, if I can be explicit about it, the Court’s highly problematic analysis of the GDPR.

Background

First, some background. The case is about companies that make pornographic films the titles of which, unsurprisingly, “leave little to the imagination” (para 7 of the judgment). The companies wish to protect their copyright in those films. They therefore use the services of Mircom and Golden Eye to track down people who have allegedly been downloading those films unlawfully and send them letters demanding payment for copyright infringement. To do that, they need detail of IP address owners. They want ISPs – in this instance, Virgin Media – to hand over details of the registered owner(s) of certain IP addresses identified by the Applicants “in batches of no more than 5000 addresses per fortnight”. Mircom and Golden Eye applied for Norwich Pharmacal orders. Virgin was in formal terms neutral, though it in fact argued fulsomely against the granting of the order.

The Court’s approach to the Norwich Pharmacal order sought

The first issue for the Court (Recorder Douglas Campbell QC sitting as a Judge of the High Court) concerned the legal framework for granting Norwich Pharmacal relief in this context.

Golden Eye has, in fact, had a similar outing previously: see the litigation culminating in Golden Eye (International) Ltd v Telefónica UK Ltd (Open Rights Group intervening) [2012] EWCA Civ 1740. In that litigation, the Courts had accepted that the persons identified by a Norwich Pharmacal order will have their privacy and data protection rights invaded. It also accepted that they may be exposed to proceedings for infringement, may be caused embarrassment and may (on costs grounds) pay up even if innocent. However, the Court of Appeal concluded that the orders should be granted, in particular because the underlying claimants genuinely intended to obtain redress for the infringement:  they were not setting up cynical schemes for extracting money from people regardless of innocence.

Understandably, Golden Eye approached its 2019 venture on the same footing. It effectively asked the Court in this case to do as the Court of Appeal had done last time round.

Virgin sought to argue that the law had changed in the interim, by virtue of the Supreme Court’s judgment on Norwich Pharmacal relief in Rugby Football Union v Viagogo [2012] UKSC 55. That got short shrift here: the principles from the previous Golden Eye litigation were not altered by Viagogo.

That said, the Court in this instance was not prepared simply to grant the same relief that Golden Eye had secured years ago. This was for a number of reasons. One was that the evidence in support of its application was deficient. Another was Virgin’s challenge that the licence agreement between the production companies and Golden Eye did not confer title on Golden Eye to sue in its own name.

In addition, “Virgin’s central allegation was that the Applicants did not genuinely intend to sue anyone. Instead Virgin variously alleged that the Applicants were part of a “money-making scheme” or “shakedown”, and that they intended to “continue to ride the ‘gravy train’ of letter-writing in the absence of court supervision”” (para 54). In order to examine that contention, the Court understandably wished to understand how the fruits of the last Golden Eye litigation had been used: it seems that, from the thousands of IP addresses disclosed, letters were sent to 749 people, 76 confessed liability, 15 settled and no proceedings were issued against anyone.

On this crucial evidential issue, the Court concluded as follows (paras 59-60):

“I accept the Applicants’ submission that they cannot be expected to sue everyone and that it is not necessarily abusive for them to seek a sum by way of settlement which is higher than that which would be awarded by a Court. However I do accept Virgin’s submission that in order to perform the difficult and delicate balancing exercise which the law requires, I do at least need to consider whether the Applicants still have a genuine intention to try to obtain redress for the infringement rather than merely setting up a money-making scheme designed to embarrass and coerce as many people as possible (regardless of whether they were actual infringers) into making the payments demanded. I also accept Virgin’s submission that in order to consider this question, I need to know how the Applicants have actually used the information provided to them under previous Court orders, now going back a number of years…”

The 2019 evidence was not up to scratch in terms of dispelling the “shake-down” concerns, and relief was refused. So far, so understandable. But…

What role for the GDPR?

Virgin had also resisted the application on the grounds that the disclosure of the IP addresses sought would result in infringements of the GDPR. The Court found that the GDPR had no bearing on its analysis. Its reasoning, however, was highly suspect in my humble view.

First, it asked itself whether the IP addresses would be personal data. The Court referred to the comparable case of Breyer v Federal Republic of Germany (Case C-582/14). Fairly enough, it concluded that Breyer did not necessarily dictate the answer here: identifiability depends on the circumstances. Nonetheless, the Court concluded that the IP addresses sought would be personal data. See para 28:

“I will assume that the mere possibility of granting the relief sought means that the Applicants’ schedules of IP addresses are therefore “personal data” in the Applicants’ hands. In any event it seems to me that the data in question will certainly become personal data in their hands if the orders sought are granted.”

I’m not sure I follow the two-stage reasoning entirely, but anyway, we get to the conclusion that the disclosure by Virgin of these IP addresses would be the disclosure of personal data.

The GDPR argument came unstuck, however, at the next stage. The Court concluded that, once the applicants received those IP addresses (which they proposed to use to contact the underlying individuals and demand money), they would not be “controllers” of that data. Some submissions were made along the lines that “to be a controller, you have to be registered with the ICO”. More substantively, the Court’s conclusion was that the applicants would be mere “recipients”, which is a term defined under Article 4(9) GDPR. The conclusion was this (para 33):

“… if the order is made, the Applicants would be “recipients” of personal data but not “controllers” thereof, and thus not subject to the more onerous obligations on “controllers”. This conclusion is supported by the natural meaning of these words in any event.”

As I read the judgment, that conclusion (and the whole analysis behind it) is plainly wrong. “Controllers” and “recipients” are not mutually exclusive categories. The recipients in this case would obviously be controllers.

The Court went on (para 35): “If it had been necessary, I would in any event have held that the Applicants’ proposed undertaking would still have been sufficient to deal with any issues arising out of the GDPR. So nothing turns on the GDPR after all”. It may be that this point would be right but the judgment contains no supporting analysis.

Robin Hopkins is a leading specialist barrister in information law: data protection, privacy and freedom of information at 11KBW

This post first appeared on the Panopticon blog and is reproduced with permission.