23 July 2012

ACTA and Privacy

I'm belatedly catching up with the European Data Protection Supervisor's (EDPS) April Opinion regarding the controversial Anti-Counterfeiting Trade Agreement (ACTA).

That Agreement is meant to cover the US, Australia, New Zealand, European Union (and Member States), Switzerland, Canada, Japan, South Korea, Mexico, Singapore and other nations such as Morocco.

Scrutiny by the EDPS of the proposals reflects the Supervisor's role in advising on EU agreements and legislation, in particular to check whether changes are compliant with the EU data protection regime.

Alas for ACTA fans, including people in Australia's DFAT, the Supervisor is unimpressed, commenting that -
  • measures that allow the indiscriminate or widespread monitoring of Internet users' behaviour, and/or electronic communications, in relation to trivial, small-scale, not for profit infringement would be disproportionate and in breach of Article 8 ECHR, Articles 7 and 8 of the Charter of Fundamental Rights, and the Data Protection Directive; 
  • many of the voluntary enforcement cooperation measures would entail a processing of personal data by ISPs which goes beyond what is allowed under EU law; 
  • ACTA does not contain sufficient limitations and safeguards, such as effective judicial protection, due process, the principle of the presumption of innocence, and the right to privacy and data protection.
The 16-page Opinion states [PDF] that
In February 2010, the EDPS issued an Opinion on his own initiative in order to draw the attention of the Commission on the privacy and data protection aspects that should be considered in the ACTA negotiations. While negotiations were being conducted confidentially, there were indications that ACTA would contain online enforcement measures having an impact on data protection rights, notably the three strikes mechanism. 
The EDPS at the time focused his analysis on the lawfulness and proportionality of this type of measure and concluded that the introduction in ACTA of a measure that would involve the massive surveillance of Internet users would be contrary to EU fundamental rights and in particular the rights to privacy and data protection, which are protected under Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the EU. The EDPS furthermore underlined the safeguards needed for international exchanges of personal data in the context of IP rights' enforcement. 
Now that the text of the proposed agreement on ACTA has been made public, the EDPS considers it appropriate to issue a second Opinion on ACTA to assess some of the provisions contained in the Agreement from a data protection perspective, and by doing so to provide specific expertise that could be taken into consideration in the ratification process. Acting on his own initiative, the EDPS has therefore adopted the current Opinion ... in view of providing guidance on the privacy and data protection issues raised by ACTA.
... the EDPS underlines that the Agreement is unclear about the scope of enforcement measures in the digital environment, and whether they only target large-scale infringements of IP rights. He regrets that the notion of 'commercial scale' is not defined with sufficient precision and that acts carried out by private users for personal and not-for profit purpose are not expressly excluded from the scope of the Agreement.
The nub of the Opinion begins at para 63 -
Pursuant to Articles 27(2), 27(3) and 27(4) of the Agreement, the enforcement measures to be implemented in the digital environment must preserve 'fundamental principles, such as freedom of expression, fair process and privacy'. The EDPS underlines that a mere reference to these principles is not enough. Besides, it is unclear what 'fundamental principles' and 'fair process' refer to. ... 
At international level, freedom of expression and privacy are recognised as fundamental rights in the Universal Declaration of Human Rights, and not as mere 'principles'. Furthermore, the notion of 'fair process' does not correspond to any generally recognised human right. It appears to mix two different legal concepts, on the one hand the right to a fair trial (recognised in Article 10 of the Universal Declaration of Human Rights and Article 47 of the Charter of Fundamental Rights of the EU), and on the other hand, the notion of 'due process' (used for example in the US constitution as a means to protect any person against deprivation of life, liberty or property without due process of law). 
While the EDPS acknowledges the legitimate concern of ensuring the enforcement of IP rights in an international context, a right balance must be struck between demands for the protection of IP rights and the rights to privacy and data protection. 
The EDPS emphasizes that the means envisaged for strengthening enforcement of IP rights must not come at the expense of the fundamental rights and freedoms of individuals to privacy, data protection and freedom of expression, and other rights such as presumption of innocence and effective judicial protection.
Many of the measures envisaged in the Agreement in the context of enforcement of IP rights in the digital environment would involve the monitoring of users' behaviour and of their electronic communications on the Internet. These measures are highly intrusive to the private sphere of individuals and, if not implemented properly, may therefore interfere with their rights and freedoms to, inter alia, privacy, data protection and the confidentiality of their communications.
It should be ensured that any online enforcement measure implemented within the EU as a result of entering into ACTA is necessary and proportionate to the aim of enforcing IP rights. The EDPS underlines that measures that entail the indiscriminate or widespread monitoring of Internet users' behaviour, and/or electronic communications, in relation to trivial, small-scale not for profit infringement would be disproportionate and in breach of Article 8 of the ECHR, Articles 7 and 8 of the Charter of Fundamental Rights, and the Data Protection Directive.
The Supervisor then details specific concerns
  • the Agreement is unclear about the scope of enforcement measures in the digital environment envisaged in Article 27, and whether they only target large-scale infringements of IP rights. The notion of ‘commercial scale’ in Article 23 of the Agreement is not defined with sufficient precision, and acts carried out by private users for a personal and not-for profit purpose are not expressly excluded from the scope of the Agreement,
  • the notion of ‘competent authorities’ entrusted with the injunction power under Article 27(4) of the Agreement is too vague and does not provide sufficient certainty that the disclosure of personal data of alleged infringers would only take place under the control of judicial authorities. Furthermore, the conditions to be fulfilled by right holders to be granted such an injunction are also not satisfactory. These uncertainties may have a particular impact in cases of requests from foreign ‘competent authorities’ to EU-based ISPs,
  • many of the voluntary enforcement cooperation measures that could be implemented under Article 27(3) of the Agreement would entail a processing of personal data by ISPs which goes beyond what is allowed under EU law,
  • the Agreement does not contain sufficient limitations and safeguards in respect of the implementation of measures that entail the monitoring of electronic communications networks on a large scale. In particular, it does not lay out safeguards such as the respect of the rights to privacy and data protection, effective judicial protection, due process, and the respect of the principle of the presumption of innocence.