‘ [Anti-Counterfeiting Trade Agreement] ACTA is too vague, leaving the room for abuses and raising concern about its impact on consumers' privacy and civil liberties’ – stated the President of the European Parliament Martin Schulz, after the MEPs rejected the agreement on 4 July. Besides the EU and 22 of its Member States, ACTA has been signed by nine countries, among them the US, Canada, and Australia, and is aimed at ensuring a more effective international enforcement of intellectual property rights (IPRs) - also in the e-environment. The critics of ACTA believe that, among other issues, the agreement provides unprecedented possibilities for the surveillance of online activity by private parties. Based on ACTA, can individuals’ actions on the web indeed be tracked and traced by their Internet service providers (ISPs) or rightholders?
Art. 27(3) ACTA obliges the Parties to ‘endeavor to promote cooperative efforts within the business community’, aimed at the enforcement of copyright in the digital environment. It is unlikely that ACTA will create new cooperation practices between the rightholders and ISPs, but rather provide a push for the extension of existing ones. The first such practice is the so-called graduated response – when, after being warned several times over alleged copyright infringements, a user may be denied Internet access. In the existing graduated response systems, the monitoring of a certain type of online activity (most commonly, file sharing on P2P networks) is carried out by rightholders. On the other hand, the ISPs’ role is mainly limited to the provision of an alleged infringer’s identity to rightholder (UK) or relevant public authority (France) and the enforcement of the disconnection penalty. Another way of fighting online copyright infringements is filtering and blocking, where, upon rightholders’ demand, ISPs may monitor files passing though their network, preventing downloading or display of infringing content. Whether ACTA may encourage one of these two ‘private surveillance’ practices in the EU will be addressed below.
As to the filtering and blocking, Scarlet v SABAM judgment has shown that indiscriminate content monitoring by ISPs for copyright enforcement purposes is contrary, inter alia, to Art. 15(1) of the e-Commerce Directive, as well as the fundamental rights to data protection and to receive and impart information. This does not leave room, under ACTA, for general monitoring by ISPs - unless it is to be deemed contrary to key European civil liberties. The e-Commerce Directive does allow ‘specific’ monitoring – however, neither the Directive nor the Scarlet judgment defines it. Furthermore, even if formally the monitoring is tailored to several files, in order to get to those, communications content may need to be scanned indiscriminately – thus, such monitoring, being de-facto general, will be disallowed. The legal uncertainty of what constitutes an acceptable specific monitoring by ISPs, as well as difficulties in ensuring such monitoring technologically, suggest that, under ACTA, a more likely cooperation option between ISPs and rightholders would be graduated response.
Apart from Art. 27(3) ACTA, a further push for graduated response regimes may lie in its Art. 23(1), which provides for criminal sanctions against users engaging in willful copyright infringement on a commercial scale. Art. 23(1) ACTA defines commercial scale acts very broadly as acts ‘carried out as commercial activities for direct or indirect economic or commercial advantage’, and, as the European Data Protection Supervisor warns, thus might cover activities resulting in virtually no economic gain, such as file-sharing for personal use. Should Art. 23(1) indeed be read this way, the need will emerge for measures aimed at tracking down and punishing a large number of small-scale infringers – which graduated response, with its monitoring by rightholders and enforcement of a disconnection penalty by ISPs, will likely meet.
Graduated response may fit well the rightholders’ agenda – however, it raises a number of data protection concerns, such as data retention periods, processing of sensitive data which may be inferred from communications content and, first and foremost, the scope of private surveillance. The European Data Protection Supervisor underlines that the monitoring of Internet user behavior by rightholders should be proportionate. Before, for instance, the French graduated response system was put to start, the rightholder-authorized company TMG was expected to detect approximately 50,000 infringements daily on four major P2P networks. While the monitoring of such networks is more narrow than the scanning of all communications content by ISPs, given the expected number of detected infringements, as well as the number of user identification requests (1,023,079 in the first year of HADOPI operation) it would seem that such monitoring nevertheless raises serious proportionality questions.
Are users likely to escape the ‘all-seeing eye’ of private surveillance under ACTA? As shown above, all will depend on the interpretation of Arts. 27(3) and 23(1) of the agreement, as the former would allow, and the latter may push for graduated response regimes. While the European Parliament voted ACTA down, and none of the signatories has actually ratified the agreement, similar initiatives in the US, such as Stop Online Piracy Act and Protect Intellectual Property Act, have been under discussion as well. This context given, the apprehension over ACTA could well be understood, as its signing, in a sense, is symbolic. It shows that the Internet, a dimension of people’s lives that we came to think of as free from regulatory initiatives, or, if you like, intrusions, is not as free as it used to be, and that this trend may be developing faster - and further - than we could ever imagine.