On Thursday the European Court of Justice (“ECJ”) ruled that an Internet Service Provider (“ISP”) cannot be forced to filter all Internet traffic in order to stop the sharing of copyright infringing content. This opinion is the culmination of a seven year old legal battle in the case of Sabam v. Scarlet.
In 2004 a Belgian royalty collection agency, Sabam, brought legal action against Scarlet, a Belgian ISP, seeking an injunction ordering the ISP to put in place a mechanism to prevent its users from downloading copyrighted works via peer-to-peer (P2P) networks without permission from the copyright owner. In 2007 the Brussels Court of First Instance ordered Scarlet to take measures to stop the downloading of copyrighted works without the authority of the copyright owner or face fines of €2,500 per day. This decision ignored testimony from experts that no reasonable electronic measure existed for adequately stopping the downloading of copyrighted content.
Scarlet appealed the decision. In January of 2010, the Brussels Court of Appeal referred the following two questions to the European Court of Justice:
- [Do European directives on Intellectual Property rights construed in light of personal freedoms guaranteed by law] permit … a national court…to order an [ISP] to install, for all its customers, in abstract and as a preventive measure, exclusively at the cost of that ISP and for an unlimited period, a system for filtering all electronic communications, both incoming and outgoing, passing via its services, in particular those involving the use of peer-to-peer software, in order to identify on its network the movement of electronic files containing a musical, cinematographic or audio-visual work in respect of which the applicant claims to hold rights, and subsequently to block the transfer of such files, either at the point at which they are requested or at which they are sent?
- [If the answer to the first question is yes then can the court] apply the principle of proportionality when deciding on the effectiveness and dissuasive effect of the measure sought?
Effectively what the Court of Appeals was asking was, do we have the authority to order an ISP to engage in broad filtering of all content in order to identify some offending content and, if so, can we apply a proportionality, cost and benefit, analysis in granting or denying such relief? Clearly the Court felt uncomfortable with the scope of relief which Sabam claimed that it was entitled to under the existing Directives.
On Thursday, November 24, 2011, the ECJ ruled that European law precludes an injunction of the kind under review which would require monitoring of all internet user communications as a preventive measure at the ISP’s expense and for an unlimited period of time for the purpose of stopping copyright infringing content.
In its ruling the ECJ focused on the rights to privacy of Internet users. It state dthat that the general monitoring of all communications that would be required to accomplish the requirements of the injunction, would itself violate European privacy directives. The ECJ went on to say that in granting relief to copyright owners, “courts must strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures.” Moreover, the “injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications.”
The ECJ was also sensitive to the business impact on the ISP. It stated that courts must also “strike a fair balance between the protection of the intellectual property right enjoyed by copyright holders and that of the freedom to conduct a business enjoyed by operators such as ISPs.” The expensive monitoring system requested by Sabam would “result in a serious infringement of the freedom of the ISP concerned to conduct its business since it would require that ISP to install a complicated, costly, permanent computer system at its own expense.”
While this ruling forbids broad monitoring it does not prevent blacklisting of websites, a tactic affirmed by the British High Court last year in a case against British Telecom and currently under consideration in at least one bill pending before Congress. Nevertheless, privacy advocates were pleased with this decision.
On June 28, 2011, at the launch of Office 365, the new cloud based version of its well-known office tools, Microsoft stated that data that you store on the cloud is subject to scrutiny by the US government even when it is stored overseas. ZDNet reporter Zack Whittaker reported that, when asked if Microsoft could guarantee that data stored in the European Union would not leave the European Economic Area, Gordon Frazer, managing director of Microsoft UK, explained that it could not. Because Microsoft is a US based company it has to comply with US laws and would be forced to disclose data to the US government if required to do so under the Patriot Act. When asked if customers would be notified of a government ordered disclosure, he said that neither Microsoft nor any other company can provide such a guaranty. Gagging orders, injunctions and U.S. National Security Letters can prohibit disclosure of information requests to the owners of the information.
These public admissions are consistent with similar admissions previously made by Microsoft in a white paper detailing Office 365 security which states:
In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).
Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond. …and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited.
In addition to the insecurity that this language creates for European users who, by using the service, may be exposed to US government scrutiny, it also brings into question the legality US run cloud services in the Europe. European data security directives prohibit removal of data from Europe without the data owner’s consent. Microsoft did not explain how it reconciles its obligations under US and European law.
Microsoft’s own white paper increases concern about the extra territorial transfer of data:
As a general rule, customer data will not be transferred to data-centers outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)
This language not only creates concerns for European customers of the Office 365 service but for US customers concerned with running afoul of export controls which might hold them strictly liable for foreign transfer of certain technical information.
While some readers may shrug off the disclosure requirement assuming that laws such as the Patriot Act are limited in use to terrorist investigations, it is important to understand that nothing restricts the scope of information obtained under the act or the transfer of information gained to other government agencies. In fact, the government has repeatedly refused to disclose how it feels that it can use the Patriot Act and where there has been disclosure, the interpretation has been expansive.
So what do these disclosures suggest for users of cloud services. For one thing, it is likely that European users will shy away from accessing cloud services provided by US companies. We are also likely to eventually see litigation reconciling European Union data rules against compelled disclosure under national security laws such as the Patriot Act. Finally, companies that are subject to export control compliance would be wise to shy away from cloud services and instead opt for restricted hosting services where they can assure no foreign access to their data.