Mr Justice Peter Charleton, in a High Court judgment handed down on 16 April 2010 has ruled that an IP address does not constitute “personal data”. This ruling was made in the context of a judgment on the compatibility of the “three strikes and you are out” protocol that has been agreed by Eircom (Ireland’s largest internet service provider) and four record companies as a result of the settlement of an earlier set of proceeding brought by those record companies against Eircom. Those proceedings sought to restrain Eircom from infringing copyright and sound recordings that were owned by or exclusively licensed to the record companies by making available copies of those recordings to the public (through Eircom’s internet service facilities) without their consent.
As part of the settlement reached by the parties in January 2009, they have developed a protocol that governs their respective obligations and duties as part of the settlement with regard to dealing with illegal file sharing. This includes an education and awareness campaign by Eircom directed at its internet customers about the abuse of peer-to-peer software, securing broadband installation in the home and how signs of copyright infringement might be detected, and a three month pilot program (as this was the only way the parties could see how things were working and to analyse how practical their measures might prove to be). The record companies, using information that they have acquired via third party operators using specialist software to detect illegal downloaders, pass the relevant information to Eircom. This includes a notification that there has been an illegal downloading of their copyright material; details of the copyright holder (this could be a particular song writer); that a breach of copyright has occurred; details of the relevant album or song or video; the IP address that has been detected in infringing copyright and other details that show proper investigation, namely, the relevant detection software used and the digital fingerprint of the copyright material used. On a first “infringement” Eircom will notify the bill payer at the IP address in their bill that an infringement was detected at a particular time in respect of particular copyright work. On a second infringement, a formal letter will be sent by Eircom. The customer can only go to the second level after fourteen (14) days have passed since the first infringement. When a third infringement notification is received by Eircom, it will after a further fourteen (14) days review all of the evidence. Where a termination notice is issued to the customer it will give them fourteen (14) days before cut off. The customer is entitled to make representations to Eircom. If that does not cause the consequences of the protocol to be diverted or postponed, the customer is cut off from internet service.
Issues Raised by Data Protection Commissioner
As details of the settlement became available, the Irish Data Protection Commissioner raised a number of concerns as to the compatibility of the settlement terms and the proposed protocol with the Irish data protection legislation. As a result of these concerns, an application was made by the record companies to the court for a ruling on three specific data protection related issues.
Do data comprising IP addresses in the hands of the record companies or its agents, and taking account of the purpose for which they are collected and their intended provision to Eircom, constitute “personal data” for the purposes of the Irish Data Protection Legislation thereby requiring that the collection of such IP addresses by the record companies must comply with the specific requirements of the Irish data protection legislation (compliance with data protection principles; the legitimate processing conditions for processing of personal data (including sensitive category personal data); the security requirements and the information requirements)?
Mr Justice Peter Charleton stated that in order to be personal data, the information had to identify an individual from the data or from the data in conjunction with other information in the possession of the data controller, or from other information that is likely to come into the possession of the data controller. He was of the view that in most, if not all, statutory contexts, that “likely” means probable; no more or less than that. Then having reviewed all of the evidence presented, he formed the opinion that the information provided by the specialist detection software does not give any clue as to the name of the main householder or business or café. He concluded that none of the record companies had any interest in personally identifying any living person who is infringing their copyright by means of the settlement and protocol. He did not regard it as at all being likely that they would attempt in any way to use the IP address as supplied to them of those engaged in illegal downloading in order to find out their names and addresses. He was therefore of the view that in these circumstances, the IP addresses did not constitute “personal data”.
Did the settlement further any legitimate interests pursued by Eircom and give rise to a possible conflict with the fundamental rights and freedoms of the data subject?
Under the Irish Data Protection Acts, one of the “legitimate processing” grounds that a data controller can rely on is where the processing of the data is necessary for the purposes of the legitimate interests pursued by the data controller, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject. In this context, the focus was on the processing of the information in the context of the third of the three steps envisaged by the protocol – cutting off internet access.
Mr Justice Charleton noted that there is a fundamental right to copyright in Irish law, and that it is a right of private property which is protected by the Irish Constitution. He found that it was completely within the legitimate standing of Eircom to act, and to be seen to act, as a body which upholds the law and the Constitution. He noted in particular the express conditions inserted by Eircom in the user-internet service provider contract which, inter alia, prohibit the infringement of the copyright of others, and that it was abundantly clear that the data subject had given his or her consent to such provisions. The processing of the data, involving sifting the data from the record companies, warning customers and ultimately cutting them off, was necessary for both the performance of the contract and for compliance with the legal obligation cast upon the courts, among other organs of the State, to defend the Constitution and the laws of our society. He found it impossible to imagine that such interference was unwarranted because there is some fundamental right of freedom or legitimate interest in the data subject, whereby in contrast to those who engage in other forms of unlawful copyright theft which may leave them more readily subject to the law, the internet is used for the violation. There was nothing disproportionate, and it was therefore not unwarranted, to cut off internet access because of three infringements of copyright.
Did the processing by Eircom through warning and then on the third infringement, through cutting internet access, involve the processing of “sensitive category” personal data?
Here the judge was satisfied that neither the record companies as owners or assignees of valuable copyright, nor Eircom as the internet service provider, were in any way interested in the detection or prosecution of criminal offences. Nothing in the evidence which he had seen nor anything in the evidence which he had heard, showed any interest by any of them in alleging the commission by the person illegally downloading and copying material, the data subject, of a criminal offence. There was no issue as to anything beyond civil copyright infringement.
Cases involving the interpretation of provisions of the Irish data protection legislation by the Irish courts are rare. This ruling is interesting in that, in the circumstances of this case at least, it has decided that as a matter of Irish law IP addresses do not constitute “personal data”. Interestingly the views of the Article 29 Working Party on this issue do not appear to have been referred to in the proceedings. Also, because of a concern over indemnity as to his costs, the Irish Data Protection Commissioner did not appear in the proceedings.