ISPs data protection fears about database of suspected online copyright infringers unfounded

Out-Law Analysis | 20 Sep 2013 | 9:41 am | 2 min. read

OPINION: ISPs are wrong to suggest that data protection laws prevent rights holders creating a database of suspected online copyright infringers. Any concerns ISPs have about invasion of customers' privacy can be overcome by the use of safeguards.

Record label and film industry bosses reportedly want to enlist the help of ISPs to combat online copyright infringement on a voluntary basis and recently met with Prime Minister David Cameron to get his backing for the plans. They have grown frustrated by delays to the introduction of a statutory framework under the Digital Economy Act (DEA) and are justifiably keen to put in place alternative measures.

Those plans reportedly involve the creation of a database of suspected infringers. Under this plan ISPs would log details of customers' alleged illegal file-sharing and would combine this with evidence gathered by rights holders.

TalkTalk has said that the database plans could breach the Data Protection Act whilst Virgin has described them as "unworkable". However, data protection concerns are unfounded.

Rights holders can, on a lawful basis, store details of infringements for up to six years before initiating legal action against infringers. The processing of personal information in the form of maintaining a database serves a legitimate purpose in that it enables rights holders to obtain redress against serial infringers. This activity is both necessary and proportionate. Rights holders do not need individuals' consent to collect this information.

However, they face a practical difficulty in ensuring that illegal file-sharers are identified, and this is where they need the help of ISPs. The technology that rights holders use to scan for illegal file-sharing can identify the IP addresses of suspected infringers, but this doesn't identify individuals. They need ISPs to tell them which person, meaning the ISP's customer, is behind an IP address so that they can take action.

The Data Protection Act allows businesses, in this case ISPs, to disclose personal data in line with statutory duties or by order of a court. If the voluntary arrangement envisaged by rights holders involves a court assessing the legitimacy of rights holders' disclosure requests to ISPs then this should provide an appropriate safeguard to ensure individuals' privacy rights are observed.
 
In a case involving O2, the High Court has already shown that it is reluctant to order the disclosure of personal data held by ISPs for the purpose of allowing rights holders to pursue redress against ISPs' customers where evidence purportedly linking individuals' to infringements is flimsy. As a result, the evidence gathering methods used by rights holders to identify suspected infringers to be listed on a database will have to stand up to scrutiny.

Arguably, ISPs should notify customers that they could process their personal data for the purpose of forming a list of suspected copyright infringements and state that the data is subject to disclosure to rights holders. This information could be set out in the terms of use customers are asked to agree to when subscribing to a broadband providers' services.

In addition, there would need to be a procedure through which individuals could challenge the robustness of the evidence against them and obtain the removal of their details from any list of suspected infringers where that listing is not justified. Ofcom envisaged that an independent appeals panel would fulfil this oversight role under the statutory code delayed under the DEA regime. A voluntary framework would need to ensure that a similar oversight and complaints procedure exists to ensure alleged infringers' rights are observed.

Ultimately, a court would rule on whether individuals listed on a database of suspected infringers and pursued by rights holders via legal proceedings have breached UK copyright laws by engaging in illegal file-sharing. This provides a final safeguard to ensure that only wrongdoers are punished.

ISPs are right to state that data protection issues are engaged in the formation of any database of suspected copyright infringers, but they are wrong to use data protection as an excuse to avoid helping rights holders enforce their rights.

Iain Connor is an intellectual property law specialist at Pinsent Masons, the law firm behind Out-Law.com