The EU is taking part in negotiations on the drafting of an Anti-Counterfeiting Trade Agreement (ACTA). In the opinion of the European Data Protection Supervisor, Peter Hustinx, the negotiation by the European Union of a multilateral agreement that has as its core subject the enforcement of intellectual property rights raises significant issues as to the impact of the measures taken to combat counterfeiting and piracy on individuals’ fundamental rights, and in particular their right to privacy and data protection. He ‘particularly regrets that he was not consulted by the European Commission on the content of such an agreement’ and has taken the unusual step of issuing an opinion on his own initiative.
Peter Hustinx observes that, while the intended objective of ACTA may be to focus on large-scale infringers, ‘it cannot be excluded that activities of ordinary citizens might be captured under ACTA, especially as enforcement measures take place in the digital environment’. Moreover, he makes the point that even copyright pirates and the like have data protection rights. He encourages the EU Commission to improve the transparency of the process and perhaps engage in a full consultation exercise. His real fear is that a scheme will be adopted which is inimical to data protection and privacy rights and that concerns about those rights will then be addressed – he calls for balance between the need to protect intellectual property rights and the need to protect the individual’s rights:
‘Privacy and data protection must be taken into account from the very beginning of the negotiations, not when the schemes and procedures have been defined and agreed and it is therefore too late to find alternative, privacy compliant solutions.’
It seems very likely that the focus of attention will fall on the views expressed by the EDPS on ‘three strikes’. In an arresting passage on the effects of implementing a ‘three strikes’ rule, he states:
‘Such practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones. They affect millions of law-abiding Internet users, including many children and adolescents. They are carried out by private parties, not by law enforcement authorities. Moreover, nowadays, Internet plays a central role in almost all aspects of modern life, thus, the effects of disconnecting Internet access may be enormous, cutting individuals off from work, culture, eGoverment applications, etc. Against this background, it is relevant to assess the extent to which these policies are in line with EU data protection and privacy legislation, and more in particular whether three strikes Internet disconnection policies constitute a necessary measure to enforce intellectual property rights’.
The analysis of ‘three strikes’ which follows is as detailed and informative as any hitherto available and, given its source, is required reading for all involved in this debate. His conclusion is that less intrusive measures of enforcement are available. This view may well have a fundamental effect on the wider adoption of ‘three strikes’.
The report concludes as follows:
81. The EDPS strongly encourages the European Commission to establish a public and transparent dialogue on ACTA, possibly by means of a public consultation, which would also help ensuring that the measures to be adopted are compliant with EU privacy and data protection law requirements.
82. In the course of the ongoing negotiations on ACTA, the EDPS calls on the European Commission to strike a right balance between demands for the protection of intellectual property rights and the right to privacy and data protection. The EDPS emphasizes that it is particularly crucial that privacy and data protection are taken into account from the very beginning of the negotiations before any measure is agreed upon so as not later on having to find alternative privacy compliant solutions.
83. While intellectual property is important to society and must be protected, it should not be placed above individuals’ fundamental rights to privacy, data protection, and other rights such as presumption of innocence, effective judicial protection and freedom of expression.
84. Insofar as the current draft of ACTA includes or at least indirectly pushes for three strikes Internet disconnection policies, ACTA would profoundly restrict the fundamental rights and freedoms of European citizens, most notably the protection of personal data and privacy.
85. The EDPS takes the view that three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.
86. The three strikes Internet disconnection policies are also problematic on a more detailed legal level in particular as the processing of judicial data, notably by private organisations, must be based on an appropriate legal basis. The operation of three strikes schemes may further entail the storage of log files on a longer term, which would be contrary to existing legislation.
87. Furthermore, as far as ACTA involves exchanges of personal data between authorities and/or private organisations located in the signatory countries, the EDPS calls on the European Union to implement appropriate safeguards. These safeguards should apply to all data transfers made in the context of ACTA – whether they are in the field of civil, criminal, or digital law enforcement – and should be in accordance with the data protection principles set forth in Convention No 108 and Directive 95/46. The EDPS recommends that such safeguards take the form of binding agreements between EU senders and third country recipients.
88. The EDPS further wishes to be consulted on the measures to be implemented in respect of the data transfers that will take place under ACTA in order to verify their proportionality, and that they guarantee an adequate level of data protection.
The full report is available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-02-22_ACTA_EN.pdf