Wednesday, 26 October 2011

Newzbin2 - the order

The High Court has just handed down its order in "Newzbin2".

For those not following, the story so far goes like this: newzbin (whose site I will not link to for obvious reasons) describe themselves as a "Hand edited, searchable archive of Usenet binary content from the creators of the NZB Format." USENET is of course the grandparent of most peer-to-peer file sharing networks. People were sharing copyright material via USENET even when I started using the internet over 20 years ago. Newzbin do not host any of the material (which is available via USENET) but their site undoubtedly makes it much easier to find copyright-infringing material to be downloaded. Unsurprisingly, many large copyright owners do not like it.

Last year, a group of Hollywood studios persuaded Mr Justice Kitchin that Newzbin were guilty of copyright infringement in three different ways: (1) their actions amounted to "authorisation" of copyright infringement; (2) they were also joint infringers with or procurers of the infringement of their subscribers; (3) even though they did not host any of the movies complained about they "made them available to the public", which is an act protected by copyright. The case Twentieth Century Fox v Newzbin [2010] EWHC 608 (Ch) makes interesting reading as it explores just how far a website may (or in that case may not) go without infringing copyright.

Newzbin's reaction was to be expected: their operation moved outside the jurisdiction of the UK courts. Undeterred (one hopes they were sufficiently web-savvy to have anticipated the move), the studios applied to the High Court for an injunction against BT to force BT to block access to Newzbin to its (ISP) customers. The studios made use of a statutory power given to the High Court to make injunctions of this kind under section 97A of the Copyright, Designs and Patents Act 1988.

At the end of July, Mr Justice Arnold agreed to grant the injunction (Twentieth Century Fox v British Telecommunications [2011] EWHC 1981 (Ch)). Lilian Edwards wrote a very neat analysis of the decision on the day it appeared. As she explains, Newzbin was an unusually good case for an injunction, not least because there had already been a decision of the High Court finding that the site was involved in copyright infringement. Other cases may be more difficult for rights holders to argue. It will depend.

Mr Justice Arnold postponed deciding on the exact form of the injunction — that is exactly what BT should be ordered to do — until he had heard further submissions from the parties. His decision on the form of order was what was handed down today.

A huge simplifying factor is that BT are already running a system known as Cleanfeed which is used to filter out material on the Internet Watch Foundation's list of suspect IP addresses and blacklisted URLs. This meant the order could require BT to add IP addresses and URLs supplied by the studios to its Cleanfeed list.

Cleanfeed is not used with all BT ISP products. In particular it is not used for what is effectively wholesale supply of internet connectivity, nor to particular customers in certain cases — one example being the police who, one imagines, absolutely do wish to be able to access illegal material for investigatory purposes. The order applies "In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise". Read literally that would appear to mean that customers who have Cleanfeed as an option but have opted out would still have to be filtered by BT. It is unclear to me whether that is what the judge intends.

The order makes it clear that BT is not required to carry out deep packet inspection. BT need simply rely on the IP addresses and URLs reported to it by the studios, but this, in my view, leads to the most serious defect in the order: it relies entirely on the good faith and judgment of the studios. There is no sanction for mis-reporting of websites. Since there is no requirement to publish the list of sites supplied to BT or to notify site owners that they have been placed on the list, it may be difficult to ensure that the studios act fairly and properly.

BT did try to obtain what is known as a cross-undertaking or an indemnity from the studios which would have compensated BT for any loss it suffered as a result of any mistakes made by the studios. The judge rejected that request on the basis that, as he decided, BT could not be liable for damages (e.g. by being sued by its customers) because it was acting under a court order. That will no doubt be a useful decision for ISPs and web service providers in other situations, but it did mean there was no basis for imposing any sanction on the studios for supplying incorrect sites in its list.

There was some argument as to how precisely the list should be described. In order to ensure that it would be difficult to circumvent the order, the judge decided that the order would apply to not only the newzbin website itself but also to "any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website". Here we see one of the weaknesses of section 97A. It gives the High Court the power to grant an injunction but it fails completely to say what kind of an injunction that might be. In particular it does not say that the injunction should be restricted to preventing access to sites where copyright is being infringed (like Newzbin). I am therefore concerned about whether the combination of the wording of the order and lack of sanction on studios may cause problems at a later date.

The other significant issue was costs. While costs (which lawyers get very excited about) may not seem as interesting as arguments about what should be blocked and how, costs are often as expensive to a party as the consequences of losing (or winning) a claim. Costs are a big deal. One positive outcome of the decision is that BT was entitled to be paid its legal costs for the first part of the claim up to 16 December 2010 - in other words the costs that would have to be incurred to obtain a court order. In the future ISPs can be reasonably confident that they can demand a court order before instituting website blocking and not expect to have to pay the costs of that order. The judge found that BT should pay the costs of the contested part of the proceedings, but that each party would bear its own costs for the decision about the final order.

In conclusion, I have two points to make: first, it is now clear that copyright owners are perfectly able to obtain quite favourable court orders to block websites, so that there was really no need for the Digital Economy Act 2010 to introduce more website blocking provisions when the existing ones (in section 97A) had not been properly tried out. Second, other cases may not work out the same way as this one. For example, TalkTalk do not run Cleanfeed. One expects that the argument (and subsequent order) in a case against TalkTalk might be a little different for that reason. We will see.

Thursday, 20 October 2011

Can we force facebook to give us its "like" database?

Jim Killock of the Open Rights Group pointed me at an interesting response made by facebook to a subject access request made by an Irish student named Max under Irish data protection legislation, which forms a part of the Europe versus facebook campaign.

The particular point that interests me concerns facebook's tracking of all pages visited which show a "like" button - a practice that can be really intrusive. Although Max did obtain a considerable quantity of information, facebook did not release to him their list of "like" tracked data.

In their response facebook say:

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Unfortunately for facebook, that isn't quite what the relevant Irish legislation appears to say (health warning: I am not an Irish lawyer). What section 4(12) of the Irish Data Protection Act 1988 says, according to a consolidated version of the statute, is:

(12) Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).

Note the phrase "information as to the logic involved in the taking of a decision". What this is all about is that section 4 gives data subjects several different rights. One right (in section 4(1)(iii)(I)) is to be supplied with a copy of "the information constituting any personal data of which that individual is the data subject" - a simple right to information. Another, and different, right can be found in section 4(1)(iv), which applies to automatic decision making by the data controller. Here the data subject has a right to be informed of the "logic involved in the processing". Obviously that's quite a different right since it is essentially a right to know about algorithms rather than data.

Quite clearly section 4(12) is a restriction on the right under 4(1)(iv) to know about the logic of automatic decision making and not a restriction on the right of information simpliciter. Nice try facebook, but I can't see that working.

Our own legislation is very slightly different. We also have a right (in section 7(1)(d) of the Data Protection Act 1998) to be informed about the logic involved in automatic decision making, but the restriction on that right is limited to trade secrets. Section 8(5) says:

Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

So that any UK national involved in the Europe v facebook campaign has a much stronger argument.

In any case, at best facebook can claim a database right over the contents of the list of pages visited by Max that they have collected using the "like" button. The database right is a creature of European law (directive 96/9/EC). Recital 48 of the directive states that "the provisions of this Directive are without prejudice to data protection legislation", which seems to me to argue that data protection law ought to trump database right. If you think about it, the contrary would be an impossible situation. Personal data will often be protected by database rights. If you could use database rights to avoid subject access requests they would be of far less use.

Monday, 10 October 2011

Digital Economy Act appeal: more detail

As I said on Saturday, TalkTalk and BT have obtained permission to appeal to the Court of Appeal in their judicial review of the Digital Economy Act 2010 ("the DEA").

Thanks to the counsel for the appellants I now have a little more information. The appeal is going forward on essentially the first four grounds that were put forward at the original judicial review hearing. The appellants did not appeal on the fifth ground: proportionality. I thought it might be useful, at this stage, to give an extremely rough outline of those four grounds.

The first objection concerns the Technical Standards Directive (83/189/EEC), the aim of which is that any laws that impose technical standards on goods or services (known as "technical standards" and "rules on services") are reported to the European Commission in enough time for the impact of the proposed law on intra-community trade to be assessed and any objections to be raised. This is known as the "standstill period". Failure to comply with the procedure renders the relevant law unenforceable.

The appellants say: "The DEA is a technical standard and/or rule on services; it wasn't notified to the Commission before it was passed, therefore it is void." The government responds: "No it isn't! It's not nearly detailed enough to be a technical standard etc at this stage, you have to wait for all the little statutory instruments we are going to make under it before there's enough detail to need notification."

The second ground concerns the E-Commerce Directive. As readers may know, this gives various kinds of immunity to providers of "information society services" and in particular to ISPs who, as "mere conduits", are not liable for the information that they transmit.

The appellants' case is that the DEA does impose liability for information transmitted and/or it imposes a requirement to remove or disable access to information. Neither of these, they say, can be imposed on a mere conduit. In the High Court, the appellants also argued that the DEA imposed a "general obligation to monitor" which is forbidden by article 15 of the directive. That argument is no longer live - I think (though I may have misunderstood this) because the Court of Appeal did not give permission on that point.

The third ground is based on the Directive on Privacy and Electronic Communications (2002/58/EC) which (amongst other things) imposes conditions on the processing of traffic data by ISPs. Ordinarily, traffic data must be anonymised or erased when it is no longer needed for the purposes of transmission, except for certain limited exceptions and derogations. The appellants' case is that the DEA's purpose does not fall within any of those exceptions or derogations and so keeping the traffic data in order to enforce copyright is not permitted.

The last of the four grounds is built on the Authorisation Directive. The Authorisation Directive was aimed at opening up the electronic communications sector to competition by preventing member states from imposing onerous conditions on prospective comms providers. To that end, a member state may not charge a prospective ISP fees, or impose conditions on them, unless authorised to do so by the directive. The appellants say that is exactly what the DEA does, or will do, and that the DEA therefore offends against the Authorisation Directive. The appellants won a partial victory on this point in the High Court, managing to knock out a requirement that they pay a share of OFCOM's fees for managing the initial obligations code.

I am extremely pleased that permission has been given. Being optimistic, I can hope that light will be thrown - possibly even by the CJEU if the Court of Appeal consults it - on any one of these directives. They are all of some importance in my practice and so I am understandably keen to see as much clarity as possible. With four directives to choose from there's every chance that some useful principles will come out of this case.

In any event, it means that the "graduated response" intended by the DEA is going to be just that much further in the future. In related news, Julian Huppert (Liberal Democrat MP for Cambridge) has tweeted his plan to try to have the web blocking provision (section 17) of the DEA repealed. The government have already indicated that they are unlikely to use section 17 in the foreseeable future, so this may be uncontroversial. I will watch events with interest as they unfold.

Saturday, 8 October 2011

Digital Economy Act to go to the Court of Appeal

Yesterday, the Court of Appeal gave BT and TalkTalk permission to appeal to the Court of Appeal. I do not have any more details - in particular what the reasoning of the court was and on what grounds the appeal will be argued. I hope to blog about them as soon as they become available.

Earlier this year, the Court of Appeal, in the form of Buxton LJ, had refused permission to appeal, leading to some rather misleading press coverage such as the Guardian's "Court of appeal's decision means long-running battle by UK's biggest ISPs is effectively over". Not so of course.

Unless the Court of Appeal thinks that an application for permission is "totally without merit", a prospective appellant may always renew an application for permission orally, under CPR 52.3. This is, I understand, what BT and TalkTalk did.