IP enforcement and privacy rights: Let's keep the balance!

Eurojuris - Practice Groups’ Day - IPG
Porto, May 7, 2005
Etienne Wéry
Partner, Ulys (http://www.ulys.net)
Attorney at Law – Paris’ and Brussels’ Bars
Senior Lecturer at Paris I (Sorbonne) University
Two legitimate but different
• EC directive 95/46 (general privacy)
• EC directive 2002/58 (e-privacy)
• Human rights
• Right of the rightholder to derive a legitimate profit from his creation
• Right of the rightholder to the widest possible dissemination of his work
There is more to IP enforcement
than the IPE directive
• (a priori) DRM : Digital Rights Management
Systems provide for the identification and
tracing of individuals accessing legally
protected information
• (a posteriori) IP enforcement : measures,
procedures and remedies necessary to ensure
the enforcement of the intellectual property
rights (including industrial property rights)
Some issues related to DRM
The problem
International Working Group on Telecommunications :
“Electronic Copyright Management Systems (ECMS) are
being devised and offered which could lead to ubiquitous
surveillance of users by digital works”.
“Some ECMS are monitoring every single act of reading,
listening and viewing on the Internet by individual users
thereby collecting highly sensitive information about the
data subject concerned”
WP of the GR29
• Reaffirms the necessity to allow for anonymous or
pseudonymous transactions on the Internet (justified by the
necessity principle stated in article 6 c) of the data protection
Directive : personal data must be adequate, relevant and not
excessive in relation to the purposes for which they are collected
and/or further processed).
• Stresses that unique identifiers in the framework of DRM permit
the profiling of the user based on the quality and quantity of
documents he/she consults.
• Affirms that tagging of a document should not be linked to an
individual except if this link is necessary for the performance of
the service or if the individual has been informed and has
consented to it.
WP of the GR29
• Reaffirms that no information can be collected regarding data
subjects without them being informed in a visible manner
before the user actually provides personal data (i.e. before
he/she starts downloading tagged information).
• Information to be provided is, notably : the identity of the
controller, the purpose(s) of the processing, the recipients or
categories of recipients of the data, the existence of a right of
access and rectification of the data, the existence of a right to
object to marketing purpose(s).
WP of the GR29
• Personal data must be collected for specified and explicit
purpose(s) and not further processed in a way incompatible
with these (those) purpose(s). No further processing if it is
incompatible with the DRM's purpose.
• DRM can lead to the processing of sensitive data when data
subjects are being profiled on the basis of the nature of the
information consulted (e.g. a book on religious or political
issues). This processing could only take place in strict
compliance with the provisions of article 8 of Directive 95/46.
Some issues related
to IPE directive
The problem(s)
• While processing of personal data is indisputably
legitimate in the framework of one’s own litigation, is
it still true for rights management companies or
professional associations?
• The fight against piracy is very often a “self-police
activity”. It implies the collection by private bodies of
information about suspected users, by different
means and using various publicly or non-publicly
available information (peer-to-peer tools; ISPs'
information; Whois database; spyware; etc.)
Illustration : the ISPs
• Belgium : right holders have been requesting the collaboration
of ISPs to send warnings to users
• United States : ISPs were requested to communicate the ID of
their clients directly to the music industry representatives,
without Court order. This led to several court decisions (notably
the Verizon case in 12/2003), where finally such direct
communication of information to right holders was considered
illegal by the Court
• Australia : permits the search of inquiries, including domiciliary
visits, by private actors such as holders of IP rights (the “Anton
Piller order”).
• In your country ?
WP of the GR29
• Insists on the legal restrictions applying to the re-use of personal
information (can only be processed and further used for a purpose
compatible with the one for which they were first collected).
Two critical examples :
– The purpose of the Whois directories cannot be extended to other
purposes just because they are considered desirable;
– Data held by ISPs and processed for the purpose of the performance of
a telecommunication service cannot be transferred to third parties such
as right holders, except, in defined circumstances provided by law, to
public law enforcement authorities.
• Data related to offences, criminal convictions or
security measures can be processed only under strict conditions
The (partial) answer of IPE
directive : right of information
The principle (article 8.1 and 8.2) :
• In the context of proceedings (…)
• In response to a justified and proportionate request of the
claimant (…)
• The competent judicial authorities may order that (…)
• Information on the origin and distribution networks
• Be provided by (1) the infringer and/or (2) any person who was
found in possession of infringing goods on a commercial scale,
or (…) (3) was indicated as being involved in the production,
manufacture or distribution thereof
The (partial) answer of IPE
directive : right of information
The exception (article 8.3) :
• §§ 2 and 3 shall apply without prejudice to other statutory
provisions which : (…) govern the protection of confidentiality
of information sources or the processing of personal data
Confirmed by Recital 2 : At the same time, [the protection of
intellectual property] should not hamper freedom of expression, the
free movement of information, or the protection of personal data,
including on the Internet.
Confirmed by Recital 15 : it “should not affect (…) Directive
95/46/EC (…) on the protection of individuals with regard to the
processing of personal data”
Example : the French way
Identification through IP address can solely be
made in the frame of a judicial procedure
Data related to offences, criminal
convictions or security measures can be processed
only by :
1. The societies for the collection and distribution of
authors’ royalties and the royalties of performers and
phonogram and videogram producers established in
the form of civil law companies.
2. Regularly constituted bodies for professional defence
Example : the French way
• The CNIL (i.e. the “privacy Commission”) may validate
tools used by those bodies.
• It has done so in March 2005 to the benefit of the SELL (a
group of leisure software editors) :
– An automatic message is sent to anyone using a p2p network to
upload or download software belonging to a member of the
SELL. No information is kept. No identification is made.
– Collection of IP addresses is solely made (1) in severe cases, (2) by
officers accredited by the government and (3) solely for the
purpose of identification
– Identification is solely made in the frame of a judicial procedure
Conclusion :
Let's keep the balance!
Thank you !
Etienne Wéry
Attorney at the Brussels and Paris Bars
Ulys Partner
