European data protection authorities concerns over ACTA

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

The secretariat is provided by Directorate D (Fundamental Rights and Citizenship) of the European Commission, Directorate General Justice, Freedom and Security, B-1049 Brussels, Belgium, Office No LX-46 01/190.


Brussels, 15.07.2010
D(2010) 11185
Mr. Karel de Gucht
Member of the European Commission
Dear Commissioner,

At its plenary meeting on 12 and 13 July 2010, the European Data Protection Authorities (the Article 29 Working Party [WP29]) discussed the data protection and privacy implications of the Anti-Counterfeiting Trade Agreement (ACTA). For many years the negotiations on this new multilateral instrument were conducted behind closed doors. WP29 therefore welcomes the recent publication by the negotiators of a consolidated version of the current draft agreement. This enabled the members of WP29 to verify the earlier rumours on the content of the agreement and the possible implications for privacy and data protection that it may have. Since the negotiations are still ongoing, we are of course unable to give a full assessment as yet of whether or not ACTA will comply with European privacy and data protection legislation.

Based on our initial assessment, WP29 finds several provisions that are to be regarded as positive as far as data protection is concerned, for example the requirement of “proportionality between the seriousness of the infringement and the remedies or penalties ordered” (article 2.X(2) General obligations with respect to enforcement) as well as the place holder in article 1.4 for a specific privacy and disclosure of information provision. We do on the other hand have several concerns as well, which I would like to draw to your attention.

As you are aware, data protection and the protection of privacy is one of the fundamental rights of the European Union. The protection of personal data and privacy is enshrined in the Treaty on European Union, in the Treaty on the Functioning of the European Union and in the Charter of Fundamental Rights of the European Union. Although no treaty such as ACTA is capable of diluting this protection, the WP29 nevertheless stresses the need for any new agreement to fully comply with EU safeguards of data protection and privacy and urges you and your negotiating team to keep this principle in mind at all times. Special attention is required for the rights of the data subject, retention periods once the personal data of the individual is obtained as well as possibilities for judicial redress.

2 Three Strikes Out Schemes WP29 understands from the draft agreement that ACTA is not only supposed to facilitate action against the trade, on an industrial scale, in counterfeited products. Very obviously it is also intended to address alleged copyright infringements carried out by individuals in the framework of using online peer-to-peer file sharing sites.

To mitigate minor alleged copyright infringement carried out by individuals, the current text would stimulate the signatory states to oblige Internet providers in case of copyright infringements to “terminate or to prevent the infringing act” or “to determine procedures in order to prevent access to information or in order to remove them”. We recognize that these wordings may not explicitly provide for Internet access blocking. The do not provide either for the monitoring of the Internet to enable the identification of alleged infringers. Nevertheless, they indicate that the states parties to ACTA shall at least be encouraged to voluntarily include Internet access blocking and to some extend the monitoring of the Internet to enable identification of alleged infringers as an answer to copyright infringements into national legislation.

In the Joint Statement of 16 April 2010 the negotiating parties emphasized that they do not propose to require the introduction at national level of the controversial “Three Strikes Out Principle”, according to which the Internet access has to be blocked after three alleged violations of copyright. The agreement should rather contain minimum standards for the enforcement of the copyright holders’ rights, in compliance with EU law. WP29 emphasizes that any form of large scale monitoring or systematic recording of data of EU citizens would be contrary to the provisions of Directive 95/46/EC since that would affect millions of individuals, regardless of whether or not they are under any suspicion. A full analysis of the objections against the “Three Strikes Out Principle” and similar systems is given in the Opinion of the European Data Protection Supervisor (EDPS) of 22 February 2010. WP29 fully subscribes to the arguments given in this Opinion.

Notice and Take Down Procedures WP 29 notes that it is also proposed to oblige all signatories to introduce a notice-and-take-down-procedure according to the US model. As a consequence, providers of online services would have to block access to content uploaded by users in case a third party claims that his/her rights are violated by making the content available. Moreover, the right holder could be granted the entitlement to ask a provider of online services for information about the identity of a user who is suspected of a copyright violation.

WP29 is concerned about this proposal. Not only can it be used to interfere with the freedom of expression of individuals, as has happened in the US, but it also raises concerns about the disclosure of individuals’ data to third parties. The WP 29 reminds that under Article 15.1 of Directive 202/58 Member States may provide that providers of electronic communication service providers can only communicate personal data of their subscribers following a legal obligation to hand over the data; thus, excluding such communication in civil cases, much less to private parties. Accordingly, at a minimum, any final text should remind of the limitations applying to the transfer of personal data held by providers of electronic communication services to third parties, and also make sure that retention periods of those data at the service provider are fixed to a strict maximum under applicable data protection legislation.

3 Without doubt copyright holders are entitled to protect their rights. However, WP29 deems it necessary that at all times a right balance is struck between the rights of all parties involved. This balance clearly depends on the circumstances of the situation. It can therefore not be determined as a general matter, whether in an agreement like ACTA or in any other instrument, that the rights of copyright holder trump the right to privacy of the individual. As copyright issues are not black and white judicial evaluation is required.

Searches by customs authorities and criminalisation ACTA critics have repeatedly expressed their worries that in future private persons’ electronic storage devices could be searched regularly at borders by customs authorities for content violating copyright. The draft agreement does not provide any binding provision for this purpose. Instead, there is a so-called “de-minimis” provision allowing the signatory states to exclude from the application of ACTA provisions for measures at the border “small quantities
of goods of a non-commercial nature contained in travellers’ personal luggage”. But the possibility for customs authorities to perform searches on private person’s equipment is not excluded.

In addition, the negotiating partners explicitly intend to proceed against file sharers. Thus, they intend to stipulate that parties to the agreement shall provide for criminal procedures in their countries as to “(a) significant wilful copyright or related rights infringements that have no direct or indirect motivation of financial gain; and (b) wilful copyright or related rights infringements for purposes of commercial advantage or financial gain. (article 2.14)” File sharing would also be covered, if and to the extent it is found to involve copyright infringement. Even if the file sharers’ Internet access were not to be cut of, due to ACTA they could be subject to criminal convictions.

Again, these two proposed measures may have serious breaches of the individuals fundamental rights as a consequence. Regular searches are likely to be carried out randomly, instead of following a specific suspicion of copyright violation. WP29 reiterates that any infringement of fundamental freedoms of individuals is only acceptable when it fulfills the conditions of subsidiarity and proportionality. As to the criminalisation, this could mean the introduction of a slippery slope. The agreement does not specify the meaning of significant, nor does it identify who is allowed to specify this meaning. That could mean that what is seen as significant in one country, may not all be significant in another. Thus, no harmonisation of legislation on this point would be achieved.

The European Data Protection Authorities have no reason to doubt that the intentions of the parties negotiating ACTA are good. Copyright infringement needs to be dealt with on a global scale and requires international cooperation. However the way things stand now, several of the proposed measures are in the end bound to interfere with the private life of many citizens. In the EU, any such interference is subject to EU fundamental rights and must be proportional. Given the aspects of ACTA currently under negotiation and outlined above, the WP29 remains to be convinced that this will be the case.

To have a final agreement which is wholly or partly unenforceable due to conflicts with fundamental rights is in the interest of no one. The European Data Protection Authorities therefore count on your continued commitment to provide for adequate safeguards for all individuals and to ensure the final agreement will be fully in line with European Union’s privacy and data protection legislation.
Yours sincerely,
Jacob Kohnstamm