IP addresses “not personal data” says Irish court

Jeremy Phillips

EMI Records (Ireland) Ltd and others v Eircom Ltd [2010] IEHC 108, decided last Friday by Mr Justice Charleton in the Irish High Court, has attracted attention in terms of its copyright enforcement content, since it relates to the voluntary “three strikes” arrangement made between various owners of copyright in recordings and the country’s largest internet service provider. The decision however is of great interest to Datonomites too.

Under the voluntary scheme which the court was asked to consider, the recording companies planned to operate software which would identify file-sharing with regard to works in which they claimed copyright and where one of the file-sharers was operating from an internet protocol (IP) address assigned to Eircom. Once notified of an alleged infringement, Eircom would implement a “three strikes” procedure which, if the alleged infringement continued, would ultimately lead to termination of the subscriber’s internet access on the third such notification.

This scheme prompted the Irish Data Protection Commissioner to write to the solicitors for one of the recording companies (EMI) to express concern over that company’s intention to collect, share and process IP addresses which might constitute “personal data” and/or “sensitive personal data”.

In these proceedings the judge was asked to rule on three questions:

(1) Do IP addresses, in the hands of EMI, constitute “personal data” for the purposes of the Irish Data Protection Acts 1988-2003, such that EMI must comply with certain specified provisions of the Data Protection Acts? No, said the judge: since the subscriber cannot be identified from the IP address, and it is unlikely that the record labels can combine the IP address with other information, or will even attempt to do so, the IP addresses are not personal data within the meaning of the Act.

(2) Assuming that the processing by Eircom of “personal data” when terminating an internet user’s subscription is potentially permissible under the Data Protection Acts, is it nevertheless prohibited because the termination of internet access represents unwarranted processing by reasons of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject? Again the court said no. Terminating an internet user’s subscription is not unwarranted and therefore not prohibited. Copyright is a personal property right under the Irish Constitution which the Courts have a duty to protect. By imposing on subscribers, as a condition of internet access, a prohibition on copyright infringement, Eircom as an ISP acts legitimately in supporting a third party’s constitutional right; the sanction of terminating access is not excessive and is consented to by the subscriber. Enforcing this sanction, using the automated system agreed with the record labels, is similarly not excessive or unwarranted.

(3) Is it open to EMI and/or Eircom under the Data Protection Acts to implement the three strikes process, and in particular, the termination of an internet user’s subscription, in circumstances where (a) In doing so they would be engaged in the processing of “personal data” and/or “sensitive personal data”, including the provision of such data from one private entity to another private entity; and (b) The termination of an internet user’s subscription by Eircom would be predicated on the user having committed an offence (i.e. the uploading of copyright-protected material to a third party by means of a peer-to-peer application) but without any such offence having been the subject of investigation by an authorised body; and, further, without any determination having been made by a court of competent jurisdiction, following the conduct of a fair and impartial hearing, to the effect that an offence had in fact been committed. This time the judge said yes. It was open to the parties to operate the three strikes process. The judge reasoned that the parties were not really concerned with whether any criminal offence had been committed (this would require a showing of knowledge or intent, which was beyond the scope of the detection and notification procedures), and that their only concern, in operating the three strikes process, was in detecting and preventing civil copyright infringement. As such, the issues associated with “sensitive personal data” and the more stringent controls on processing data relating to criminal offences, did not require consideration.

The Data Protection Commissioner was not represented in these proceedings, nor was there any representation for the consumer, for digital advocacy groups, or for any party strongly opposed to the implementation of the three strikes system.

This note is an edited version of a more copyright-oriented post on the IPKat which was based on information from David Brophy (FR Kelly).

Leave a Reply

Your email address will not be published. Required fields are marked *