Ireland: Data Protection Commissioner loses in Supreme Court over GR
On 3 July 2013 the Irish Supreme Court gave its judgment in the appeal by the Irish Data Protection Commissioner ("DPC") in EMI Records (Ireland) Limited & ors v The Data Protection Commissioner  IESC 34. Although this represents an endorsement of the voluntary graduated response scheme agreed between ISP Eircom and the record labels, the decision was based essentially on technical grounds. It offers an interesting example, however, of the attitude of an authority charged with enforcing data protection laws.
As described in an earlier post, EMI and other record labels had sued Eircom for participating in the infringement of copyright by its Internet access subscribers. The case was settled by a contractual GR scheme, under which an infringing user would on his third notification be suspended from Internet access for one week; after a fourth notification, Eircom would terminate his access agreement. The user was free to find another ISP if he could.
The DPC had taken the position that the conventional process of gathering anonymous data and its transmission and processing by Eircom was in some way an infringement of the rights of internet users under data protection law. The parties to the original action took the matter back to court to get a ruling on the issue, but the DPC refused to take part in it. He had asked the parties to pay his costs, win or lose, or at least not claim costs against him, which the parties had declined to agree. Nonetheless, Charleton J gave a judgment on the issue, robustly holding that there was no valid data protection objection to the GR scheme.
Nothing daunted, the DPC issued an enforcement notice against Eircom under the Data Protection Acts 1988-2003, ordering it to stop operating the scheme. Eircom sought to appeal using the statutory procedure and the labels sought to be joined in that appeal. In an impressive display of fairmindedness, the DPC opposed their joinder, demanding in any event that the labels agree that they would receive no costs if allowed to take part. The labels, who had no automatic right to participate in the appeal, applied for judicial review of the enforcement notice, alleging that the DPC was wrong in law and, in any case, had failed to state any reasons in his notice (a requirement under the Data Protection Acts).
On 27 June 2012 Charleton J ruled on the judicial review application ( IEHC 264), holding that the enforcement notice was bad in law, confirming his earlier analysis that peer-to-peer enforcement involved no breach of privacy, and held that the notice was bad in any event for lack of reasons.
The Supreme Court has now confirmed his decision, affirming that the lack of reasons was fatal. Given this procedural point, however, the court does not reach the substance of data protection law, beyond saying, en passant:
"it appears to be accepted that the method by which the Protocol works is that all Eircom does is to receive a series of IP addresses from the record companies, write the appropriate letter to the customer corresponding with that IP address, and invoke the suspension or termination provisions of the Protocol as appropriate. On that basis it is not inherently obvious as to why such activity necessarily involves a breach of data protection law."
No doubt the DPC will return to the fray in due course.
4-5 Gray's Inn Square