Monday 28 November 2011

SABAM/Scarlet meets Newzbin2 – but will they play nicely together?


The ECJ’s decision in SABAM v Scarlet is a seminal judgment. 
It is not just what it says, but the way that it says it.  By the standards of ECJ judgments it is unusually forthright:  IP rights are not absolutely protected or inviolable, but have to be balanced against other fundamental rights - not just as a matter of form but in substance. It is not enough to pay lip service to rights of privacy, freedom of expression and (the new kid on the block) freedom to conduct a business. 
The ECJ has stated in the plainest terms that these rights have real substance and can trump overreaching IP rights.  Moreover, the ECJ has given real teeth to the prohibition on general monitoring obligations in Art 15 of the ECommerce Directive.
SABAM/Scarlet comes hot on the heels of Mr Justice Arnold’s second judgment in Newzbin2.  There are important factual differences between the cases.  SABAM/Scarlet is about content filtering, whereas Newzbin2 is about site blocking.  But there are also parallels.  Both concerned conduit ISPs.  Both involved the use of DPI (deep packet inspection) technology, albeit in very different ways.  Both required the court to balance the various fundamental rights at stake.  How does Mr Justice Arnold’s approach now stack up against that of the ECJ? 
General monitoring obligations
Article 15 of the ECommerce Directive prohibits national authorities (which includes courts)  from adopting measures that would require an ISP to carry out general monitoring of the information that it transmits on its network.  In L’Oreal v eBay the ECJ held that this applies to measures that would require an online intermediary, such as an ISP, to actively monitor all of the data of each of its customers in order to prevent any future infringement of intellectual property rights.
The filtering system at issue in SABAM/Scarlet would require an ISP:
1.       to identify, within all of the electronic communications of all its customers, files relating to peer-to-peer traffic;

2.      to identify, within that traffic, files containing works in which rightsholders claimed to hold rights;

3.      to determine which of those files were being shared unlawfully; and

4.      to block file sharing that it considered to be unlawful.
This involved a cascade of deeper and deeper dives into transmitted packets in order to determine their nature and contents.  In the words of the ECJ:

“Preventive monitoring of this kind would thus require active observation of all electronic communications conducted on the network of the ISP concerned and, consequently, would encompass all information to be transmitted and all customers using that network.”
How does Newzbin2 sit with this?  The system of site blocking that the court required BT to employ was a two stage process: first, redirection based on IP addresses, then the redirected traffic would be analysed at the URL level. 
Although this would use DPI technology, in his original judgment Arnold J had taken care to distinguish between three levels of packet inspection, which he described as (i) a minimal analysis; (ii) summary analysis (iii) detailed, invasive analysis of the contents of a data packet.  The order against BT requires it to use:
“DPI-based URL blocking utilising at least summary analysis in respect of each and every URL  … .
2. For the avoidance of doubt paragraph 1 … does not require the Respondent to adopt DPI-based URL blocking utilising detailed analysis.”
Arnold J commented:
“The order sought by the Studios does not require BT to engage in active monitoring of the kind described by the Court of Justice [in L’Oreal v eBay] at [139], but simply to block (or at least impede) access to the Newzbin2 website by automated means that do not involve detailed inspection of the data of any of BT's subscribers. To the extent that this amounts to monitoring, it is specific rather than general.
It is clear from SABAM/Scarlet that (a) the fact that the deepest inspection is carried out only on some preselected traffic does not prevent there being a violation of Article 15 and (b) the deeper the dive into the packets, the greater the likelihood that Article 15 will be contravened.
It is also evident that Arnold J was alive to these issues.  However because the Newzbin2 judgment gives no further detail as to the difference between minimal, summary and detailed DPI analysis it is unclear exactly what level of packet inspection is involved and whether SABAM/Scarlet would have had any impact on that.
Arnold J went on to say:
“Furthermore, it would be imposed by a case-specific order made under national legislation which implements Article 8(3) of the Information Society Directive.”
However that, in the light of SABAM/Scarlet, is not an answer to a potential violation of Article 15.
Fundamental rights
Much of the fundamental rights analysis in SABAM/Scarlet and Newzbin2 is similar.  Both balanced the rightsholders’ IP rights against freedom of expression.  Both recognised that the risk of preventing access to lawful content through overblocking or overfiltering is a relevant factor to take into account. 
However SABAM/Scarlet not only placed heavy emphasis on the fact that IP rights are neither absolutely protectable nor inviolable, but also introduced some new elements.
The biggest contrast with Newzbin2 is in the ECJ’s reliance on the fundamental freedom of ISPs to conduct their businesses.  This is now enshrined in Art 16 of the EU Charter of Fundamental Rights: “The freedom to conduct a business in accordance with Community law and national laws and practices is recognised.” 
The ECJ held that the injunction in issue would be a serious infringement of the freedom of the ISP concerned to conduct its business since it would require that ISP to install a complicated, costly, permanent computer system at its own expense.
On the facts this differed from Newzbin2, in which Arnold J held that the costs of implementing the injunction were modest.  But he also said this:
“The Studios are enforcing their legal and proprietary rights as copyright owners and exclusive licensees, and more specifically their right to relief under Article 8(3). BT is a commercial enterprise which makes a profit from the provision of the services which the operators and users of Newzbin2 use to infringe the Studios' copyright. As such, the costs of implementing the order can be regarded as a cost of carrying on that business.”
Even before SABAM/Scarlet, this passage looked a bit lopsided.  The Studios also are commercial enterprises which make a profit from exploiting their legal and proprietary rights as copyright owners and exclusive licensees.  As such the costs of protecting and enforcing those rights, including implementing this order, could just as easily be regarded as a cost of carrying on that business.  In any event now, after SABAM/Scarlet, it will not be possible to elevate rights owners above mere commercial enterprises.  They both have fundamental rights which have to be balanced.
One point which SABAM/Scarlet leaves open is how the balance between competing fundamental rights is to be drawn if the costs burden of complying with an injunction is shifted to the rightsholder.  It could be argued that even if the compliance burden could be fully compensated by cost-shifting, an excessive burden is damaging to the interests of the internal market and consumers generally, whichever party bears it.  In any event cost-shifting cannot reduce any impact on the freedom of expression rights of ISP customers, which the ECJ emphasised, or affect violation of Art 15 of the ECommerce Directive.
The ECJ also noted a cross-border issue which is potentially of great importance when considering whether an injunction could result in overblocking and thus interfere with the freedom of expression rights of the ISP’s customers.  The court said:
“it is not contested that the reply to the question whether a transmission is lawful also depends on the application of statutory exceptions to copyright which vary from one Member State to another. Moreover, in some Member States certain works fall within the public domain or can be posted online free of charge by the authors concerned.”
The discussion in Newzbin2 was entirely domestic, predicated on infringements of UK copyright.  It now appears that future cases will have to take cross-border issues into account, at least where an ISP has customers in more than one EU country.

Saturday 12 November 2011

How dare we speak across borders!

I've been inspired by this excellent but thoroughly depressing piece by Nate Anderson in Ars Technica to add the "through any media and regardless of frontiers" quote from Article 19 of the UDHR to my sidebar.  Adopted in 1948, it could not have been better expressed had it been written with the internet in mind.

Anderson highlights the proposed US Stop Online Piracy Act (SOPA) as the first legislation that would officially distinguish between domestic and foreign internet sites, and the last nail in the coffin of the borderless internet. 

It has become de rigeur over the last 10 years not only to dismiss the early cyberlibertarians (Johnson, Post, Perry Barlow et al) as impossibly naive and idealistic, and to predict the erection of national borders in cyberspace, but also to welcome that as a Good Thing (Goldsmith and Wu). 

There is certainly a serious debate to be had over how far attempts by national authorities to prevent undesirable bits and bytes from flying across their borders can be effective; and about the negative externalities associated with going to ever greater lengths in trying to make them so.  SOPA is a case in point. 

But it's the last proposition that really sticks in the throat - the idea that we should, as a laudable goal, positively seek to re-erect national borders in cyberspace rather than take the opportunity provided by the internet to break them down. 

For domestic politicians wedded to notions of national sovereignty the idea of preserving national borders online is inevitably meat and drink.  The unfortunate and surprising thing is that these ideas seem to have traction beyond that (I had a slightly crisp exchange with an adherent at the Society for Computers and Law Policy Forum in September).  Some seem quite happy, in the name of preserving domestic sovereignty, to toss on the scrapheap the most liberating development for cross-border freedom of expression that has ever taken place.

Naive and idealistic?  Maybe, but unless we cling tenaciously to the rock of Article 19 we risk being swept away in the rush to put speakers back in their rightful and respectful place behind national barriers.  How dare we speak across borders!  (How dare we speak at all?)

Tuesday 1 November 2011

ECommerce Directive trumps Jurisdiction Regulation (maybe)

The CJEU’s Martinez/eDate judgment (C-509/09 and C-161/10, 25 October 2011) is another significant decision on cross-border internet liability.  In December last year we had Pammer/Alpenhof, which provided much needed guidance on what constitutes cross-border targeting of online activities under the consumer contract provisions of the Brussels Jurisdiction Regulation. 
Now the Court has turned its attention to cross-border tort liability, in two joined cases that raise questions under both the Jurisdiction Regulation and the Electronic Commerce Directive.   
The eDate case involved a claim for violation of personality right, the Martinez case infringement of privacy.  eDate was an Austrian company sued in Germany over statements on its Austrian website.  Martinez sued the English publisher MGN in France, over a publication on its English Sunday Mirror website.   
The most heavily reported aspect of the judgment has been that on jurisdiction.  I will start at the other end, with an aspect that didn’t even make it into the Court’s press release – and yet which has equally far-reaching implications.  This concerns the scope of the country of origin and internal market clauses of the ECommerce Directive.  These are powerful, often overlooked, provisions which can require a court to disapply a Member State’s otherwise applicable local law.
Some have argued that it is at best unclear whether these clauses apply only to restrictions of a public law or regulatory nature, or can also include disputes over private rights.  The judgment confirms that these clauses do apply to private rights. 
The country of origin provision of the Directive (Art 3.1) requires a Member State to ensure that service providers established in its territory comply with its law.  The internal market clause (Art 3.2) prohibits a Member State from restricting the freedom to provide information society services from another Member State.   Both apply only within the ‘co-ordinated field’ of the Directive, and are subject to exceptions such as copyright and industrial property rights. 
One argument in favour of limiting these provisions to regulatory regimes is the reference in the definition of co-ordinated field to ‘requirements with which the service provider has to comply’ – a phrase that does not read easily onto private law rights and obligations.   
The CJEU devotes two paragraphs of its judgment to determining that both the law to which a service provider established in a Member State is subject, and the provisions requiring other Member States to respect the binding nature of that law, include the private law field.  The Court relies on the reference to private law disputes in Recital (25), the reference to excluded private law rights and the reference to liability of service providers in the definition of the co-ordinated field.  The result is that the provisions apply to liabilities such as defamation and privacy infringement.
This should be very significant.  It ought to provide a basis on which to prevent a stringent local law from applying to an online service incoming from another Member State with a more liberal law.
That is exactly what the CJEU went on to hold.  The country of origin and internal market provisions do not amount to a rule of conflicts of law.  But the Member State must ensure that within the coordinated field, and subject to certain permitted derogations in a specific case, the provider of an electronic commerce service is not made subject to stricter requirements than those provided for by the substantive law applicable in the Member State in which that service provider is established.
This is all very positive for cross-border trade and publication on the internet within Europe.  But the last aspect of the judgment, the one that garnered all the headlines, is not.  It allows a person claiming infringement of personality rights to sue under Article 5(3) of the Brussels Regulation in the Member State in which his centre of interests is based (as an alternative to the Member State of the establishment of the publisher), for all the damage caused; or to sue in any Member State where the online content is accessible, only for the damage in that country.  So it is now very easy for a publisher established in one Member State to be sued in another, for the contents of a merely accessible website.  That is bad news for the internet.

It is still tempting to ask “so what?”.   According to the remainder of the judgment, under the ECommerce Directive the court should consider whether its local law is more stringent than that of another Member State in which the defendant publisher is established and, if so, disapply its local law unless grounds for a specific derogation can be established.  That is the theory.  In practice it is difficult to avoid the suspicion that a defendant would be better off arguing in front of its home court, rather than trying to persuade a foreign court to disapply its own local law.