Eurojuris - Practice Groups’ Day - IPG Porto, May 7, 2005

IP enforcement and privacy rights: Let's keep the balance!

Etienne Wéry Partner, Ulys ( http://www.ulys.net

) Attorney at Law – Paris’ and Brussels’ Bars Senior Lecturer at Paris I (Sorbonne) University

Two legitimate but different goals

• EC directive 95/46 (general privacy) • EC directive 2002/58 (e-privacy) • Human rights • Right of the rightholder to derive a legitimate profit from his creation • Right of the rightholder to the widest possible dissemination of his work

There is more to IP enforcement that the IPE directive

• (a priori) DRM : Digital Right Management Systems provide for the identification and tracing of individuals accessing legally protected information • (a posteriori) IP enforcement : measures, procedures and remedies necessary to ensure the enforcement of the intellectual property rights (including industrial property rights)

Some issues related to DRM

The problem

International Working Group on Telecommunications :

“Electronic Copyright Management Systems (ECMS) are being devised and offered which could lead to ubiquitous surveillance of users by digital works”. “Some ECMS are monitoring every single act of reading, listening and viewing on the Internet by individual users thereby collecting highly sensitive information about the data subject concerned”

WP of the GR29

• Reaffirms the necessity to allow for anonymous or pseudonymous transactions on the Internet (justified by the necessity principle stated in article 6 c) of the data protection Directive : personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed).

• Stress that unique identifiers in the framework of DRM permit the profiling of the user based on the quality and quantity of documents he/she consults. • Affirms that tagging of a document should not be linked to an individual except if this link is necessary for the performance of the service or if the individual has been informed and has consented to.

WP of the GR29

• Reaffirms that no information can be collected regarding data subjects without them being informed in a visible manner before the user actually provides personal data (I.e. before he/she starts downloading tagged information). • Information to be provided is, notably : the identity of the controller, the purpose(s) of the processing, the recipients or categories of recipients of the data, the existence of a right of access and rectification of the data, the existence of a right to oppose to marketing purpose(s).

WP of the GR29

• Personal data must be collected for specified and explicit purpose(s) and not further processed in a way incompatible with these (those) purpose(s). No further process if it is incompatible with the DRM’ purpose.

• DRM can lead to the processing of sensitive data when data subjects are being profiled on the basis of the nature of the information consulted (ex. : a book over religious or political issues). This processing could only take place in strict compliance with the provisions of article 8 of Directive 95/46.

Some issues related to IPE directive

The problem(s)

• While processing of personal data is indisputably legitimate in the framework of one’s own litigation, is it still true for right management companies or professionnal association ?

• The fight against piracy is very often a “self-police activity”. It implies the collection by private bodies of information about users suspected, by different means and using various information publicly or non-publicly available (Peer-to-peer tools ; ISPs information ; Whois? Database ; spywares ; etc.)

Illustration : the ISPs

• Belgium : right holders have been requesting the collaboration of ISPs to send warnings to users • United-States : ISPs were requested to communicate the ID of their clients directly to the music industry representatives, without Court order. This led to several court decisions (notably the Verizon case in 12/2003), where finally such direct communication of information to right holders was considered illegal by the Court • Australia : permits the search of inquiries, including domiciliary visits, by private actors such as holders of IP rights (the “Anton Pilar order”).

• In your country ?

WP of the GR29

• Insists on the legal restrictions applying to the re-use of personal information (can only be processed and further used for a purpose compatible with the one for which they were first collected). Two critical examples : – The purpose of the Whois? directories can not be extended to other purposes just because they are considered desirable; – Data detained by ISPs processed for the purpose of the performance of a telecommunication service cannot be transferred to third parties such as right holders, except, in defined circumstances provided by law, to public law enforcement authorities.

• Processing of data related to offences, criminal convictions or security measures can be processed only under strict conditions

The (partial) answer of IPE directive : right of information

The principe (article 8.1 and 8.2) : • In the context of proceedings (…) • In response to a justified and proportionate request of the claimant (…) • The competent judicial authorities may order that (…) • Information on the origin and distribution networks • Be provided by (1) the infringer and/or (2) any person who was found in possession of infringing goods on a commercial scale, or (…) (3) was indicated as being involved in the production, manufacture or distribution thereof

The (partial) answer of IPE directive : right of information

The exception (article 8.3) : • §§ 2 and 3 shall apply without prejudice to other statutory provisions which : (…) govern the protection of confidentiality of information sources or the processing of personal data Confirmed by Recital 2 : At the same time, [the protection of intellectual property] should not hamper freedom of expression, the free movement of information, or the protection of personal data, including on the Internet.

Confirmed by Recital 15 : it “should not affect (…) Directive 95/46/EC (…) on the protection of individuals with regard to the processing of personal data”

Example : the french way

• Identification through IP address can solely be made in the frame of a judicial procedure • Processing of data related to offences, criminal convictions or security measures can be processed only by : 1. The societies for the collection and distribution of authors’ royalties and the royalties of performers and phonogram and videogram producers established in the form of civil law companies. 2. Regularly constituted bodies for professional defence

Example : the french way

• The CNIL (I.e. the “privacy Commission”) may validate tools used by those bodies.

• It has done so in March 2005 to the benefit of the SELL (a group of leisure software editors) : – An automatic message in sent to anyone using a p2p network to upload or download a software belonging to a member of the SELL. No information is kept. No identification is made.

– Collection of IP address is solely made (1) in severe cases, (2) by officers accredited by the government and (3) solely for the purpose if identification – Identification is solely made in the frame of a judicial procedure

Conclusion : Let's keep the balance!

Thank you !

Q

UESTIONS

& c

OMMENTS

Etienne Wéry

Attorney at the Brussels and Paris Bars Ulys Partner www.ulys.net