In Ireland, IP rightsholders’ efforts to turn Internet intermediaries into copyright police of their networks have taken a different form: one ISP has adopted a Three Strikes Internet disconnection policy as part of a “voluntary” agreement, not as a requirement of a law.
Ireland’s largest ISP, Eircom, has been following a Three Strikes Internet disconnection policy since May 2010, as the result of an agreement it entered into to settle a copyright infringement lawsuit brought against it by the Irish Recorded Music Association (IRMA). In addition to Internet disconnection, the agreement requires Eircom to block access to websites identified by IRMA and its members, including The Pirate Bay and “similar websites”, without any further judicial review.
Agreements by ISPs such as Eircom to adopt Three Strikes policies and other “voluntary measures” not required by national law raise serious concerns for transparency, due process and accountability. As IP rightsholders’ efforts to get more countries to adopt Three Strikes laws meet with increasing resistance, efforts to have ISPs adopt such “voluntary measures” are now being discussed in global policy venues and enshrined in instruments from WIPO to the Anti-counterfeiting Trade Agreement, in the OECD’s June 2011 Communique on Internet Policy-Making Principles, and in recent European Commission proposals. Given the importance of “voluntary measures” to citizens’ rights of online privacy and freedom of expression and the future of the open Internet, Global Chokepoints includes a detailed description of recent developments in Ireland.
Although the IRMA-Eircom agreement applies only to Eircom, IRMA sued  other ISPs in an attempt to force their agreement to adopt similar “voluntary measures”. One of those ISPs, UPC, subsequently brought a legal challenge that resulted in the key ruling that ISPs could not be subject to injunctions requiring them to filter, block websites and terminate Internet access under Irish law.
Ireland is also at the vanguard of challenges to three strikes systems based on privacy and personal data protection. In June 2011, the Irish Data Protection Commissioner announced that it was opening an inquiry into whether the data processing and identification obligations under the IRMA-Eircom agreement are consistent with Irish data protection law. This could result in Irish courts reconsidering whether the type of data processing required for Three Strikes regimes violates Irish and EU data protection and privacy laws, and accordingly, is being closely watched across the world.
DisconnectionCreated by: back room deal
Ireland’s largest ISP, Eircom, has been following a Three Strikes policy since May 2010 under which it suspends Internet users’ Internet access after receiving three rightsholder allegations of copyright infringement. Since December 2010 Eircom has been disconnecting Internet users for up to 12 months on a 4th allegation of copyright infringement.
This policy arises from an agreement between the Irish Recorded Music Association (IRMA) and Eircom, which settled a 2009 lawsuit brought by IRMA. In the lawsuit, IRMA demanded Eircom filter for potential copyright-infringing material over Eircom’s entire network. Eircom challenged this request. Before the court ruled on IRMA’s demand, however, Eircom and the IP rightsholders reached an out of court settlement in February of 2009 with different terms. Although this agreement only applies to Eircom, IRMA has sued  other Irish ISPs, seeking to obtain a similar agreement
As part of the settlement agreement Eircom agreed to adopt and follow a three strikes Internet disconnection policy. In May 2010, Eircom launched a pilot Graduated Response program, under which it agreed to identify and forward successive copyright infringement notices to relevant subscribers. These notices would be sent out after IRMA supplied Eircom with the IP addresses that IRMA or its agents identified as having uploaded copyrighted works.
In December 2010 Eircom formally launched a Graduated Response regime as part of its new MusicHub service. In the current version, Eircom issues notices to subscribers which it matches to the relevant IP addresses, advising them that they have been identified as having uploaded or downloaded copyrighted material on a P2P network. If Eircom receives a third copyright infringement allegation, it suspends the relevant non-business subscribers’ Internet accounts for seven days. Eircom disconnects access for 12 months on receipt of a fourth copyright infringement allegation for the same IP address.
The Eircom Graduated Response process is described in a set of FAQs on Eircom’s website:
“How will the graduated response work?
IRMA will provide eircom with notifications containing the IP addresses of the people they detect illegally uploading or downloading music content. Once eircom identifies the eircom account holder through their IP address eircom will:
- Contact the customer in writing to inform them that their IP address has been detected by IRMA, as infringing copyright. eircom will clearly advise the customer that such acts are illegal and will provide information on how the customer can avoid repeating the infringement.
- If the customer continues to engage in the illegal uploading or downloading of music content, eircom will issue a second warning letter to the customer indicating that unless the infringement ceases the customer will have their service withdrawn.
- Write to the customer for a third time to advise them that their service will be withdrawn for a seven day period as they continue to engage in the illegal uploading or downloading of music content. If the customer infringes a fourth time then the broadband service will be disconnected for a 12 month period.
As well as contacting customers via letter, eircom will also attempt to contact customers via telephone and a browser based pop up to advise them of the infringement and to assist them in ensuring their computers are not a source of copyright infringement.
eircom has set up a dedicated team to support customers through this process.”
Subscribers who feel that they have been incorrectly identified or who are not responsible for the alleged illegal downloading can advise Eircom’s technical team at the time of notification.read more...
FilteringCreated by: back room deal
In its original lawsuit against Eircom, IRMA sought an injunction requiring Eircom to filter its subscribers’ communications for potential copyright-infringing material. At around the same time, in 2007, a Belgian music collecting organization had obtained an injunction against Belgian ISP Tiscali (now Scarlet), requiring it to filter all communications on its network for potential copyright-infringing material.
At around the same time, in 2007, a Belgian music collecting organization had obtained an injunction against Belgian ISP Tiscali (now Scarlet), requiring it to filter all communications on its network for potential copyright-infringing material. The European Court of Justice has since ruled that such a broad pre-emptive injunction violates EU law. The Irish court did not rule on whether this was legal under EU and Irish law because the lawsuit was settled by the out of court agreement on different terms.read more...
Whether ISPs are required to disclose customers’ identity and contact information to rightsholders on an allegation of copyright infringement has been a hotly contested issue in Irish law, and the subject of a 2005 lawsuit against Eircom (more details below). As a member of the EU, Ireland has obligations to protect citizens’ privacy and personal data under a set of EU directives that have been transposed into Irish law.
At the same time, Article 8 of the EU IPR Enforcement Directive (2004/48/EC), establishes a right of information for copyright holders to obtain information from intermediaries (including ISPs) about those in the chain of distribution of infringing material. How the obligations under these various EU directives fit together was the subject of the 2008 European Court of Justice decision in Telefonica v Promusicae and is the focus of another case currently pending before the European Court of Justice.
Eircom’s data collection and IP matching obligations under its agreement with IRMA are particularly interesting because the Irish Data Protection Commissioner had previously expressed concerns about whether data processing for three strikes regimes complies with Irish data protection law, which were effectively sidestepped by judicial approval of the agreement (see below). Then, in June 2011 the Irish Data Protection Commissioner announced that it had opened a further inquiry into whether the agreement’s data processing and identification requirements violates Irish data protection law. This was triggered by a complaint filed by an aggrieved customer who had received a first strike notice after Eircom misidentified and mistakenly sent first strike notices to 300 of its customers when a server failed to update correctly after daylight savings time change in October 2010.
As Law Lecturer TJ McIntyre notes if the Irish Data Protection Commissioner finds, as it did previously, that using IP addresses to terminate subscribers’ Internet access is disproportionate and is not fair use of personal information, the Commissioner could issue an enforcement notice preventing Eircom from using customers’ personal data for this purpose. This could require Irish courts to reconsider the legality of the agreement under EU and Irish law. The inquiry is taking place at a particularly interesting time. Whether data collection and processing for Three Strikes systems is permissible under EU law is one of the questions raised in the pending appeal of the judicial review of the UK Digital Economy Act [LINK TO UK page].
Under its agreement with IRMA, Eircom is required to match its customers’ account names with the IP addresses provided to it by IRMA to send notices and to suspend or terminate the relevant accounts after three copyright infringement allegations. Eircom has said that it will not share customer information with IRMA or any other party. Eircom’s FAQ states that IRMA is using a third party (Dtecnet) to obtain IP addresses that are allegedly engaged in illegal downloading and sharing of music.
In light of the concerns raised by the Irish Data Protection Commissioner, the FAQ also states that "Eircom has sought and received assurance from IRMA that the process is fully legal and approved by the High Court. The Court has confirmed that the process is in their view in accordance with Data Protection Legislation." However, given the June 2011 inquiry, the matter is not as settled at the FAQ suggests.
Identifying users by IP address matching gives rise to several public policy concerns. As a thoughtful editorial by TJ McIntyre and Dr. Richard Tynan explains, IP addresses can’t necessarily be reliably linked to individuals. Recorded music companies made this mistake when they accused wireless printers of file sharing. Second, the Eircom-IRMA agreement effectively creates liability for operating a non-secured open wireless network. This is particularly problematic because Eircom has apparently supplied up to 250,000 of its subscribers with modems that cannot be easily secured.
Third, it may have disproportionate results. The Eircom-IRMA agreement means that the actions of one member of a household or premises can result in termination of Internet access to the entire family or set of individuals using the connection. In Ireland a parent is not legally liable for the actions of their child in most cases; nor is a husband legally liable for the actions of his wife. Imposing legal sanctions on the inhabitants of an entire household, even if those parties did not engage in copyright infringement, completely changes the way in which the law currently assigns liability.
Background: Data Protection and Copyright Enforcement in Ireland
In 2005, IRMA sued Eircom and a few other ISP’s for refusing to turn over the IP addresses of 16 individuals suspected of copyright infringement on the basis that it would violate Ireland’s data protection laws. The court ordered Eircom to turn over "the name, postal address and telephone number" of the users registered to those IP address. The court reasoned that although privity of contract would normally dictate a duty of privacy between ISP and subscriber, privity could not be used to protect a subscriber who committed illegal acts.
One of the stipulations of the agreement between IRMA and Eircom was that Eircom would only comply with the settlement if it complied with EU data protection legislation. In February of 2010, the office of the Data Protection Commissioner claimed that using IP addresses of consumers to cut them off the Internet is not "fair use" of personal information, and therefore the settlement was unenforceable.
Eircom and IRMA found themselves in court once again to see if the settlement agreement complied with Ireland’s data protection laws. At the crux of the case was whether IP addresses were personally identifiable information, and if so, whether complying with the settlement would be unlawful ""under Irish data protection law. Unfortunately, the Office of the Irish Data Protection Commissioner did not make an appearance at the Eircom hearing due to cost concerns. Because the Commissioner was not present, the only evidence was presented by rightsholder EMI, leaving no one to raise the fundamental concerns about protection of Irish citizens’ personal data.
In April of 2010, Justice Charleton ruled that the settlement agreement did comply with Irish data protection laws. Justice Charleton answered three questions posed by the Data Protection Commissioner. First, does the collection of IP addresses by Eircom to provide to EMI constitute personal data under the1988 Irish Data Protection Act? Second if an IP address constitutes "personal data," is using that data "necessary for the purposes of the legitimate interests pursued by [Eircom]" or does it instead result in a violation of fundamental rights? Third, is the personal data "sensitive" because it is involved in the prosecution of a criminal offense?
In answer to the first question, Justice Charleton determined that an IP address was not "personal data" under the Irish Data Protection Act of 1988 because it does not identify a living individual. Moreover, even if it did, at no time would Eircom disclose that information to IRMA in violation of the Act. Interestingly, the European Court of Justice found that an IP address is personal data in its subsequent SABAM v. Scarlet decision.
Second, even though an IP address is not considered personal data, Justice Charlton determined that Eircom’s use of IP addresses to identify which users’ Internet connection to disconnect is lawful. He reasoned that infringement of copyright is a violation of Ericom’s terms of service, and using an IP address to terminate the service of infringing users is necessary for the legitimate purpose of enforcing Eircom’s contract.
Third, Justice Charleton found that although violating copyright law can result in criminal penalties, neither Eircom nor IRMA were pursuing criminal charges against copyright infringers. Just because personal information is related to something that could result in criminal charges, it is insufficient to invoke the extra protections granted by the Data Protection Act of 1988 to "sensitive personal data." Since the data would only be used for civil law purposes, its use for this process did not violate Irish data protection law.read more...
The agreement between IRMA and Eircom went beyond merely imposing a three strikes policy. Under the agreement, "Eircom has agreed that it will not oppose any application our client may make seeking the blocking of access from their network to the Pirate Bay or similar websites." As technology journalist Adrian Weckler notes, this is particularly problematic:
“Irma is drawing up a list of websites it doesn't like and Eircom will block them to all of its customers. And Irma is demanding that other ISPs do likewise, on pain of being sued.
Eircom says that it will only block a website if a court order requests it to. But it has undertaken not to oppose any application to a court, meaning the order is automatically granted. It's a technical way of getting out of taking responsibility for it.”
IRMA has already used this clause of the settlement agreement to have Eircom block the Pirate Bay on its network. Although the blocking of a site that openly flouts copyright law might not inherently seem problematic, blogger Damien Mulley points out just how far reaching this settlement could be:
“So first they’ll start with the Pirate Bay. Then comes Mininova, IsoHunt, then comes YouTube (they have dodgy stuff, right?), how long before we haveBoards.ie because someone quoted a newspaper article or a section of a book? And don’t think they’ll stop there too, any site that links to The Pirate Bay and the others on the hate list will probably be added to the list too[…]
I’m sure the business case for Eircom was they didn’t want any more costly High Court actions […] but this is going to open up a can of worms with IRMA demanding more and more attacks on how people surf the net, this is what it is in my view an attack on our freedom to read, our freedom to write, our freedom to move around the web. […]
And of course the costs of communications with IRMA and of the filtering is going to be passed on to the consumer. The cost of blocking a single site will be almost nothing I suppose but as more sites get added and as the arms race between the pirates and the ISPs escalates, then it’ll become complicated and complicated costs more. So again the majority get to pay[…]”
The Irish government has also become involved in filtering web traffic. The Irish police force has recently been sending out letters to ISP’s asking them to block certain web pages that contain child porn. As Digital Rights Ireland points out in a blog post there are major problems with this policy because it "require[s] ISPs to take additional steps to monitor users, resulting in real risks to privacy. These risks are amplified in the case of the Garda proposals which – incredibly – would require ISPs to report details of web browsing without any legislative basis whatsoever."
Impact of the Settlement on Other ISPs
IRMA has sued [eight] another Irish ISPs to try to impose similar agreements to filter and adopt Three Strikes regimes.
UPC, an Irish cable network, refused to enter into an agreement with IRMA. In July of 2009, IRMA sued UPC claiming that UPC was liable for infringement because their network facilitated illegal file sharing.
In October of 2010, Justice Charleton denied IRMA’s request for an injunction against UPC. Although the court was sympathetic towards the music industry’s concerns, the judge ultimately concluded that the remedies sought for termination, filtering and blocking, could not be granted because Ireland had not fully implemented its obligations under the 2000 EU e-Commerce and EU Directive 2002/21/EC into Irish law. In short, Irish law did not include provisions for "the blocking, diverting or interrupting of internet communications" for violations of copyright law.
Following that decision, the Irish government has indicated that it intends to legislate to allow injunctions to be granted against ISPs requiring them to engage in filtering. A consultation process was carried out concluding in July 2011, but no proposals have yet been published.read more...
Facts and Figures
300 Eircom subscribers mistakenly received a “first strike” notice after a server failed to update correctly after daylight savings time went into effect in October 2010.
Since Eircom implemented its three strikes policy, it has apparently seen its customers depart to other competitors at an escalating rate. Some have estimated departures at 1000 subscribers per month. By comparison, UPC (which challenged the lawsuit brought against it by IRMA) has seen its subscriber base increase by 60% during the same time period. Although it is unclear what drives consumer choice of broadband providers in Ireland, some have speculated that the observed changes demonstrate the impact impact of the respective companies’ three strike policies in a competitive market for ISP services.