Sunday, March 21, 2010

Update on Eircom, IRMA and "three strikes" in Ireland

In all the excitement surrounding St. Patrick's day this week the fact that Eircom and the music industry were back in court on Tuesday didn't really receive the attention it deserves.

The background to Tuesday's hearing lies in last January's settlement under which Eircom agreed to introduce a "three strikes" system to disconnect users accused of filesharing by the music industry. Under that agreement (which has never been made public, but details of which have leaked) the record companies seem to have been required to show that they - and Eircom - would be acting in compliance with data protection law.

The Data Protection Commissioner, however, threw a spanner in the works, as summarised by the Sunday Times:
As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.

But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading [presumably this should be uploading] does not constitute "fair use" of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced...

The Eircom case was reopened in the High Court last month and Judge Peter Charleton will hear submissions from both sides on March 16. The record companies asked for the DPC to be joined to the High Court action, but it refused on the basis that no one would guarantee to pay its legal costs.

Charleton will first have to decide whether an IP address constitutes "personal information" under data protection law. If it does, then data controllers are required to "get and use the data fairly". They are also required to use that data for "only one or more clearly stated purposes". The DPC does not think this includes cutting off their internet service.

"The EU telecoms directive indicated people have a fundamental right to an internet connection," said a source involved in the case. "So the judge must decide whether processing a person’s IP address to cut them off is a proportionate response to discovering they have downloaded pirated music."
Consequently, arguments on these issues were heard on Tuesday, throwing up some interesting new information. (It emerged for example that Eircom has agreed to throttle user traffic after strike two, and that Eircom will have three staff devoted to running the three strikes procedure.)

Unfortunately, that hearing seems to have been something of a case of Hamlet without the Prince. With the Data Protection Commissioner not represented, the court was hearing only from parties with a vested interest in the three strikes procedure and was deprived of an independent and impartial perspective.

I don't yet have a full transcript of the hearing, but I understand that the court was asked to rule on three broad questions:

1. Do IP addresses (in the hands of the music industry) constitute personal data?
2. Is the settlement agreement itself compatible with the Data Protection Acts?
3. If IP addresses are personal data, are they "sensitive personal data" in a context where they might reveal the commission of a criminal offence?

Other issues that arose included the fundamental rights implications of disconnecting users, whether users waived those rights by agreeing to Eircom's terms of use, and whether the Eircom/IRMA agreement was compatible with the new Telecoms Package rules on disconnecting users in relation to proportionality, necessity and procedural safeguards (including judicial review). Judgment is expected next week.

1 comment:

  1. This being a judicially approved settlement between mutually interested parties means that those whose rights are affected have not been represented.

    Fair enough, an IP address does not, on the face of it, amount to personal data. However it is submitted that the method of selection of IP addresses communicated from Eircom to the record industry may still be a breach of privacy rights.

    If Eircom use your private communications to select the IP addresses that they give to the record industry to investigate then, it is submitted, a breach has occured.

    Under the Constitution, a positive duty is imposed upon the State to protect the citizen from unjust attack. The Attorney General is failing to vindicate our rights by allowing this to commerical parties to proceed uncontested.

    ReplyDelete