Monday, November 21, 2011

Will the ECJ stymie attempts to identify internet users?

PHILIPS SHP1900 Headphones

This time last year I blogged about Bonnier Audio v. Perfect Communication, the Swedish case which questioned whether data retained under the Data Retention Directive could be used in litigation to identify users accused of infringing copyright. In that case five audiobook companies brought an action against Perfect Communication, an ISP, seeking the details of a user who was said to be sharing many popular audiobooks. The ISP, however, resisted the application and argued (in essence) that data retained under the Data Retention Directive could only be used for the purposes of that Directive and not for unrelated purposes such as civil litigation. In a preliminary reference, the Swedish court asked the ECJ the following questions:
* Whether the Data Retention Directive prevents the application of a national rule based on the EU IP Rights Enforcement Directive (2004/48/EC), which provides that an ISP in a civil case can be ordered to provide a copyright owner or a rights holder with information on which subscriber holds a specific IP address assigned by the ISP, from which address the infringement is alleged to have taken place.

* Whether the answer to the first question is affected by the fact that the state has not yet implemented the Data Retention Directive, although the deadline for implementation has passed.
As I said at the time, this has the potential to be a very important case - one in which a ruling against the copyright plaintiffs might well force a revision of the entire approach which Irish and English law takes to identifying internet users. I am surprised therefore that there hasn't yet been much reaction to the Advocate General's opinion, issued last Thursday, which comes down largely on the side of the ISP.

While there's no official English translation yet, the key part of the decision appears to be in paragraphs 60-62 which build on Promusicae to hold that (irrespective of the Data Retention Directive) the disclosure of information about internet users in civil proceedings is only permissible in accordance with the provisions of Article 15 of the e-Privacy Directive - that is, only where there are "legislative measures" in place which are "necessary, appropriate and proportionate... within a democratic society". Pending the official translation, the following is an auto-translated version, tidied up slightly by myself:
60. EU law requires that before the disclosure of personal data is possible, a retention obligation must be provided for by national legislation which sets out the categories of data to be kept, the purpose for which it may be kept, the retention period and those who can access the data. It would contradict the rules governing personal data protection principles to draw on data sets that have been collected for purposes other than those set by the legislature.

61. Therefore, for the preservation and transmission of personal data to be consistent with Article 15 of Directive 2002/58, in a situation such as that described in the main proceedings, national legislation should include, at advance and in detail, the limitations on the scope of rights and obligations under Articles 5, 6, 8, paragraphs 1 to 4, and 9 of the Directive (20). A limitation so established must be a necessary, appropriate and proportionate. However, a disclosure obligation, imposed on Internet service provider and relating to personal data kept for another purpose, is not sufficient to meet these requirements.

62. In conclusion, it should be noted that the human rights protection of personal data and privacy on the one hand, as well as protection of intellectual property on the other, shall enjoy equal protection. There is no reason to favor the owners of intellectual property rights by allowing them to use personal data that have been lawfully obtained or retained for purposes unrelated to the protection of their rights. The collection and use such data for such purposes in compliance with EU law on the protection of personal data would require the prior adoption by the national legislature, of detailed provisions, in accordance with Article 15 of Directive 2002/58. (Emphasis added.)
The Advocate General's approach, if followed by the ECJ, will undoubtedly be extremely significant on a number of fronts. From my perspective, the most significant aspect would be the requirement that identification of users requires "legislative measures". Under the existing Norwich Pharmacal jurisdiction as applied to the internet in Ireland (EMI v. Eircom) and England and Wales (Totalise v. Motley Fool) there are no such legislative measures - instead the courts are relying on an inherent equitable jurisdiction which has been developed through caselaw. This would be thrown into disarray by the Bonnier Audio reasoning. Some litigants might not be too badly affected - for example, many intellectual property litigants could fall back on their rights under the various implementations of the IPR Enforcement Directive (e.g. SI 360/2006 in Ireland) - but this result would be fatal to other cases such as online defamation claims. (One example being the current litigation against RateYourSolicitor.)

I'll be watching with interest to see whether the ECJ follows the AG's opinion - if it does, expect the cat to be put among the pigeons at national level.

Friday, November 18, 2011

Is illegally obtained CCTV footage admissible in evidence?


Every now and then media reports reveal an employer who has engaged in illegal CCTV monitoring of staff and today's example is Dunnes Stores which was shown in an unfair dismissal claim to have secretly used CCTV to view employees in a restaurant in Galway:
DUNNES STORES monitored workers on CCTV at a restaurant in one of its stores for 77 days without telling them. A security man monitored the behaviour of staff at the restaurant almost exclusively and reported his findings daily to the store manager. As a result of the monitoring, two members of staff at the Dunnes outlet in Terryland, Galway, were dismissed. Two others quit, an Employment Appeals Tribunal was told yesterday... Dunnes Stores security officer Peter Zatorski said the women at the restaurant were not told they were being monitored.
It's not clear from the media reports whether the camera was hidden, or whether staff were aware of its presence but unaware that it would be used to monitor them. Either way, however, it is clear that this use of CCTV recording would breach the fair obtaining principle in data protection law which requires (even in the case of visible cameras) that individuals should be informed of the purpose for which recordings may be used. Guidance from the Data Protection Commissioner is unequivocal on this point:

If the purpose or purposes is not  obvious, there is a duty on the data controller to make this clear.  A CCTV camera in a premises is often assumed to be used for security purposes. Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose. Similarly, if the purpose of CCTV is also for health and safety reasons, this should be clearly stated and made known.
In the Dunnes Stores case, therefore, it seems likely that the CCTV footage was obtained illegally. If so, should Dunnes be able to rely on it before the Employment Appeals Tribunal to justify the dismissal? Surprisingly, the issue doesn't seem to have been raised before the EAT but as this is a relatively common issue it might be worth considering generally.

There is a general rule in Irish law that illegally (not unconstitutionally) obtained evidence may be excluded at the discretion of the court. Yvonne Daly provides a very good summary of this rule in this article (PDF), where she points out that in practice this discretion is very seldom used to exclude evidence on the basis of mere illegality. I have been unable to find any reported decisions of the Irish courts dealing specifically with evidence obtained in breach of data protection law - however, in light of the discretionary nature of the exclusionary rule and the general tendency towards admitting illegally obtained evidence there is no guarantee that the courts will prevent this evidence from being used.

This is not, however, an end to the matter, as an employee may be able to achieve the same result indirectly by going to the Data Protection Commissioner. This happened in Case Study 10 of 2008, where employees succeeded in stopping an internal disciplinary inquiry based on improperly obtained CCTV footage:

In this case, the employer had used CCTV images to compile a log that recorded the employees’ pattern of entry and exit from their place of work.  The employer then notified a trade union representative that this log would be used at a disciplinary meeting.  It also supplied a copy of the log to the union representative.  The employer sent letters to each employee requesting that they attend a disciplinary meeting to discuss potential irregularities in their attendance.  The letters indicated that this was a very serious matter of potential gross misconduct and that it could result in disciplinary action, up to and including dismissal.

The employees immediately lodged complaints with my Office.  They stated that they had never been informed of the purpose of the CCTV cameras on the campus where they were employed.  They pointed out that there were no signs visible about the operation of CCTV.  On receipt of the complaints, my Office contacted the employer and we outlined the data protection implications of using CCTV footage without having an appropriate basis for doing so.  We informed the company that, to satisfy the fair obtaining principle of the Data Protection Acts with regard to the use of CCTV cameras, those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data.  This can be achieved by placing easily read signs in prominent positions.  A sign at all entrances will normally suffice.  If an employer intends to use cameras to identify disciplinary (or other) issues relating to staff, as in this instance, staff must be informed of this before the cameras are used for these purposes.

The employer accepted the views of my Office.  It informed the two employees that it was not in a position to pursue the matter of potential irregularities in attendance as it could not rely on CCTV evidence obtained in contravention of the Data Protection Acts.
That case related to an internal disciplinary matter only. Consequently an interesting question arises where a matter makes it to the Employment Appeals Tribunal or a court: would those bodies be willing to accept into evidence material which the Data Protection Commissioner had found to be illegally obtained and may have directed not to be used for disciplinary purposes? Would an employer be bound by a ruling of the Data Protection Commissioner from tendering such evidence? What would happen in the event of such a clash?

There has been one case which illustrates the type of issues that might arise - in Case Study 2 of 2007 (Baxter Healthcare) the Data Protection Commissioner found that an employer had breached the fair obtaining principle by using a medical report of an employee (obtained in the context of a personal injury action brought by the employee) to defend a later unfair dismissal claim before the Labour Relations Commission. However, in that case the data protection ruling was made only after the unfair dismissal claim was concluded, leaving the issue open as to how the Labour Relations Commission would have handled the report if the ruling was made before it heard the matter.

It is unlikely that there will be any clarity until this issue is the subject of a written decision by the High Court. In the meantime, however, it's surprising that more litigants don't appear to be relying on data protection arguments to challenge the admissibility of evidence.

For more on this topic see Clark, “Data Protection and Litigation” (2009) 16(8) Commercial Law Practitioner 167 (no free link available).

Update (23.2.12) - The High Court has recently ruled against a prison officer seeking to prevent CCTV footage from being used in disciplinary proceedings against him on the basis that it was obtained in breach of his data protection rights. However there's no written judgment in this case making it difficult to determine the precise basis of the decision.