The background to Tuesday's hearing lies in last January's settlement under which Eircom agreed to introduce a "three strikes" system to disconnect users accused of filesharing by the music industry. Under that agreement (which has never been made public, but details of which have leaked) the record companies seem to have been required to show that they - and Eircom - would be acting in compliance with data protection law.
The Data Protection Commissioner, however, threw a spanner in the works, as summarised by the Sunday Times:
As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.Consequently, arguments on these issues were heard on Tuesday, throwing up some interesting new information. (It emerged for example that Eircom has agreed to throttle user traffic after strike two, and that Eircom will have three staff devoted to running the three strikes procedure.)
But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading [presumably this should be uploading] does not constitute "fair use" of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced...
The Eircom case was reopened in the High Court last month and Judge Peter Charleton will hear submissions from both sides on March 16. The record companies asked for the DPC to be joined to the High Court action, but it refused on the basis that no one would guarantee to pay its legal costs.
Charleton will first have to decide whether an IP address constitutes "personal information" under data protection law. If it does, then data controllers are required to "get and use the data fairly". They are also required to use that data for "only one or more clearly stated purposes". The DPC does not think this includes cutting off their internet service.
"The EU telecoms directive indicated people have a fundamental right to an internet connection," said a source involved in the case. "So the judge must decide whether processing a person’s IP address to cut them off is a proportionate response to discovering they have downloaded pirated music."
Unfortunately, that hearing seems to have been something of a case of Hamlet without the Prince. With the Data Protection Commissioner not represented, the court was hearing only from parties with a vested interest in the three strikes procedure and was deprived of an independent and impartial perspective.
I don't yet have a full transcript of the hearing, but I understand that the court was asked to rule on three broad questions:
1. Do IP addresses (in the hands of the music industry) constitute personal data?
2. Is the settlement agreement itself compatible with the Data Protection Acts?
3. If IP addresses are personal data, are they "sensitive personal data" in a context where they might reveal the commission of a criminal offence?