[A2k] Privacy challenges facing the European Union from ACTA

Malini Aisola malini.aisola at keionline.org
Tue Aug 17 06:13:37 PDT 2010

Source URL: http://keionline.org/node/914 

Privacy challenges facing the European Union from ACTA

By Alberto Cerda
16 Aug 2010

Since the early ‘70s, European countries have adopted a comprehensive
legal framework on personal data protection that aims to balance the
free flow of information for market purposes with an adequate level of
protection for the right of privacy. This framework includes several
Directives on the matter, such as the Data Protection Directive [1] and
the Data Retention Directive [2], among others. The European Union
authority that supervises the compliance with those laws is the Article
29 Working Party [3], also known as WP29, which is integrated by the
European Data Protection Authorities. Two week ago, in a letter to the
European Commission [4], based in the public release of ACTA draft, the
WP29 concluded that several of the proposed measures of the ACTA
interfere with the right to privacy, and called them into question for
future negotiations. Why is the WP29 concerned?

Unlike any other previous international instrument on intellectual
property, ACTA is the first one that include provisions on the privacy
of individuals.[1] [5] And while we are pleased that the subject to
personal privacy has been explicitly raised in the ACTA negotiations, we
note that so far, the provisions do not protect the right of people with
respect to their personal data, so much as make concessions for purposes
of intellectual property enforcement. Furthermore, we note that some of
those concessions are inconsistent with EU legal norms, and in general
show a lack of consideration for the privacy of individuals, by omitting
certain pro-privacy flexibilities, limitations, and safeguards that one
would expect in a serious agreement like this. 

Indeed, by the eight round of negotiations, ACTA still did not have a
provision that guarantees the protection of privacy in domestic law, but
a mere expressed intention to include one (Article 1.4).

The WP29 specifically called attention to three sets of provisions in
the ACTA that would seriously affect the right to privacy; those related
to the three strikes policy, the notice-and-take-down procedure, and the
searches of personal luggage by custom authorities.

The WP29 observed that the current text of the ACTA at the very least
encourages the implementation of the controversial three strikes policy,
which requires disconnecting purported intellectual property infringers,
by collaboration between Internet service providers and right holders.
Even worst, this policy does not seem limited to piracy and
counterfeiting, which was the initial purpose of negotiating the ACTA,
but it would extend to infringement of any kind of intellectual property
rights, even patents (Articles 2.18.3 and 2.18.3 quarter).

In relation to the notice-and-take-down procedures, the main concern of
the WP29 is that the ACTA sets forth the obligation to identify
subscribers of online service providers in both criminal and civil
enforcement actions. This is inconsistent with the EU legal norms that
only requires disclosure of personal data of Internet users for criminal
purposes (such as Article 1 of Data Retention Directive and Convention
on Cybercrime). Also, the WP29 noted the ACTA does not adopt any
temporal limitation for the processing of personal data by Internet
service providers, which is another possible conflict with EU legal
norms (See Article 6 Data Retention Directive).

KEI has further concerns about the proposed ACTA procedures relating to
notice-and-take-down of infringing content, and for identifying users of
Internet services or content.

• First, the proposed Article 2.18.3 ter is at odds with the literal
wording of Article 15.2 or the E-Commerce Directive. ACTA would extend
the obligation to identify users to firms that only provide access to
Internet in their capacity as conduit.[2] [6]
• Second, unlike EU law (Article 5 Data Retention Directive and Article
1 Convention on Cybercrime), the ACTA lacks precision (and useful
boundaries), because it does not indicate exactly what personal data of
Internet users must be collected and processed by online service
• Third, while EU law limits the collection of personal data generated
or processed by providers of publicly available electronic
communications services or of a public communications network (Article 3
Data Retention Directive), ACTA undermines that standard (See the
definition of an online service provider in footnotes 50 and 55 of the
April 2010 draft), by applying the obligations to online service
providers that are not yet addressed in the current EU Directives, such
as private network services.
• Fourth, the current draft of ACTA fails to provide sufficient
protections from inappropriate or abusive uses of the identifying
procedures; in fact, it privileges expeditious access to data, without
mentioning either substantive or procedural safeguards. This can be
contrasted with the EU law (See, European Court of Justice, decision on
Case C-275/06 [7], Productores de Música de España (Promusicae) v.
Telefónica de España SAU; and Article 5 Data Retention Directive).

With respect to searches of personal luggage by custom authorities, the
WP29 noted that the ACTA allows countries to exclude from the
application of the section on border measures small quantities of goods
of a non-commercial nature contained in travelers’ personal luggage (or
sent in small consignments) (Article 2.X), but does not go beyond this
possible exception to provide mandatory protections of personal privacy.

Surprisingly, in spite of its previous work on the matter, the WP29 did
not address the ramifications of the ACTA provisions on providing
protection for effective technological measures (Article 2.18.4 and
2.18.5) on the associated privacy issues impacted by such technical

In addition to the concerns of the WP29, several months back the
European Data Protection Supervisor expressed concerns about potential
the incompatibility between envisaged ACTA measures and EU data
protection requirements. In an opinion [8], the European supervisor
called attention to the provision dealing with the three strikes policy,
which did not satisfy the test of proportionality, and where less
intrusive solutions could be considered. Also, the supervisor noticed
the lack of harmonization between the ACTA and the EU rules about
international cooperation and the transfer of personal data to third
countries, other than EU members, for purposes of intellectual property
enforcement. The very purpose of building an adequate level of
protection for European citizens could be undermined if data could be
transferred to third countries that do not provide such levels of
protection (Articles 25 and 26 of the Data Protection Directive). This
is hardly a small point, as privacy protections vary greatly, and are
almost non-existent in some countries that are likely to join the ACTA.

If the current text of the ACTA is approved, it will force the European
Union to significantly modify both the community legal norms and the
domestic laws of its members, in order to be in full compliance with the
ACTA provisions. Those changes seem to undermine the European balance
between the free flow of information for market purposes and an adequate
level of protection for the right of privacy. 

In closing, we note that even when the European Data Protection
Authorities say that they have no reason to doubt the good intentions of
the ACTA negotiators, they raise serious concerns about the harm of the
draft ACTA provisions on a citizens' rights to privacy and personal data

1 [9]. The WTO TRIPS Agreement does has certain provisions relating
confidential information, which are primarily relevant for businesses. 

      * Article 42 of the TRIPS, on Fair and Equitable Procedures,
        provides that enforcement measures "shall provide a means to
        identify and protect confidential information, unless this would
        be contrary to existing constitutional requirements."
      * Article 43 of the TRIPS on Evidence, provides that in
        considering mechanisms to obtain evidence, WTO members provide
        for "conditions which ensure the protection of confidential
      * Article 47 on the "Right of Information," provides that
        obligations to inform the right holder of the identity of third
        persons involved in the production and distribution of the
        infringing goods or services and of their channels of
        distribution," may be limited when the request is "out of
        proportion to the seriousness of the infringement."

2 [10]. See also, CDT, "ACTA Debate Gets Specific, May 18, 2010,
(http://www.cdt.org/policy/acta-debate-gets-specific [11]) which when
considering US legal norms, states:
“Proposed Article 2.18.3 ter is flatly inconsistent with U.S. law. The
proposed language would require each country to enable rights holders to
“expeditiously obtain” from Internet service providers the identity of
any subscriber that the rights holders claim are engaging in
infringement. This conflicts with settled decision of two federal
appeals courts, which have held that the DMCA does not require ISPs in
their capacity as conduits to turn over subscriber information based on
allegations of infringement. (See in re Charter Communications (8th Cir.
2005) and RIAA v. Verizon (D.C. Cir. 2003).)”

[2] http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!
[5] http://keionline.org/node/914#fn_number1b
[6] http://keionline.org/node/914#fn_number2b
[9] http://keionline.org/node/914#fn_number1
[10] http://keionline.org/node/914#fn_number2
[11] http://www.cdt.org/policy/acta-debate-gets-specific

Malini Aisola
Knowledge Ecology International
1621 Connecticut Avenue NW, Suite 500, Washington DC 20009
malini.aisola at keionline.org|Tel: +1.202.332.2670|Fax: +1.202.332.2673

More information about the A2k mailing list