Sunday, March 21, 2010

Update on Eircom, IRMA and "three strikes" in Ireland

In all the excitement surrounding St. Patrick's day this week the fact that Eircom and the music industry were back in court on Tuesday didn't really receive the attention it deserves.

The background to Tuesday's hearing lies in last January's settlement under which Eircom agreed to introduce a "three strikes" system to disconnect users accused of filesharing by the music industry. Under that agreement (which has never been made public, but details of which have leaked) the record companies seem to have been required to show that they - and Eircom - would be acting in compliance with data protection law.

The Data Protection Commissioner, however, threw a spanner in the works, as summarised by the Sunday Times:
As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.

But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading [presumably this should be uploading] does not constitute "fair use" of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced...

The Eircom case was reopened in the High Court last month and Judge Peter Charleton will hear submissions from both sides on March 16. The record companies asked for the DPC to be joined to the High Court action, but it refused on the basis that no one would guarantee to pay its legal costs.

Charleton will first have to decide whether an IP address constitutes "personal information" under data protection law. If it does, then data controllers are required to "get and use the data fairly". They are also required to use that data for "only one or more clearly stated purposes". The DPC does not think this includes cutting off their internet service.

"The EU telecoms directive indicated people have a fundamental right to an internet connection," said a source involved in the case. "So the judge must decide whether processing a person’s IP address to cut them off is a proportionate response to discovering they have downloaded pirated music."
Consequently, arguments on these issues were heard on Tuesday, throwing up some interesting new information. (It emerged for example that Eircom has agreed to throttle user traffic after strike two, and that Eircom will have three staff devoted to running the three strikes procedure.)

Unfortunately, that hearing seems to have been something of a case of Hamlet without the Prince. With the Data Protection Commissioner not represented, the court was hearing only from parties with a vested interest in the three strikes procedure and was deprived of an independent and impartial perspective.

I don't yet have a full transcript of the hearing, but I understand that the court was asked to rule on three broad questions:

1. Do IP addresses (in the hands of the music industry) constitute personal data?
2. Is the settlement agreement itself compatible with the Data Protection Acts?
3. If IP addresses are personal data, are they "sensitive personal data" in a context where they might reveal the commission of a criminal offence?

Other issues that arose included the fundamental rights implications of disconnecting users, whether users waived those rights by agreeing to Eircom's terms of use, and whether the Eircom/IRMA agreement was compatible with the new Telecoms Package rules on disconnecting users in relation to proportionality, necessity and procedural safeguards (including judicial review). Judgment is expected next week.

Friday, March 05, 2010

Cloud computing controversy won't clear

It seems as though the controversy caused by the Chief State Solicitor's advice about purchasing cloud computing just won't go away. John Collins has an update in today's Irish Times. Here's an excerpt:
ON A Thursday afternoon early last month an e-mail with the subject line "eTenders – Cloud Computing Warning" began to arrive in the inbox of public servants.

Sent by the National Public Procurement Operations Unit, which operates the Government’s electronic tendering website, eTenders, the brief communication said the Chief State Solicitor’s Office had advised "that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public-sector responsibilities" by cloud services.

The e-mail was quickly forwarded around Ireland’s technology industry. Not only are companies such as Microsoft, IBM and HP investing millions into research centres and data centres here to support the new model of delivering software and other services over the internet, but Minister for Communications Eamon Ryan last year identified cloud computing as one of six "pillars" that would drive the creation of a smart economy.

In fact, Ryan is understood to have been extremely annoyed at the message being sent out, and his advisers have moved to soothe the nerves of some of the major technology multinationals based here.

While not renowned for its technology expertise, one of the roles of the Chief State Solicitor’s Office is to review commercial agreements for public bodies before they sign them.

"They must have reviewed a contract which wasn’t up to scratch and now they have concluded all cloud contracts are like this," says Philip Nolan, a partner in legal firm Mason Hayes + Curran who specialises in technology contracts. "It’s a totally disproportionate reaction and the IT industry is recoiling in shock."

Nolan equates the advice given by the Chief State Solicitor’s Office to someone saying 12 years ago "don’t buy anything using e-commerce because it’s not secure".

Describing the e-mail as "damaging", Ed Byrne, general manager of Hosting365, a local firm that provides a platform to support cloud computing, says eTenders should have instead "outlined the questions that need to be asked before buying a cloud service".

According to Byrne, this would have included questions such as where is the service based, who is the supplier, how much money can it save and what levels of support can be expected.
Previously on this blog: 1|2

Tuesday, March 02, 2010

Ryanair v. Billigfluege.de - Full decision now available

I've just received a copy of the decision of Hanna J. in Ryanair v. Billigfluege.de and uploaded it to Scribd. At first glance it appears to represent a significant win for site owners who wish to control screenscraping, indexing and other uses of their content:

Ryanair v. Billigfluege.de                                                            

Monday, March 01, 2010

Ryanair screenscraping: Irish court accepts jurisdiction, rules on enforceability of website terms of use

You might have noticed that Ryanair has an ongoing legal campaign to stop sites from scraping its content and then reselling flights. (Blogged previously by me: 1|2|3.)

Until now, however, Ryanair found itself stymied by jurisdictional problems, and in two separate decisions the Irish High Court held that it did not have jurisdiction to hear its claims. (The first decision saw Ryanair thwarted by its own terms of use which provided for the English courts to have jurisdiction; the second involved prior Swiss proceedings which caused the Irish court to decline jurisdiction in favour of the Swiss court.)

In the most recent development in this saga, Ryanair has now amended its terms of use to provide for the exclusive jurisdiction of the Irish courts, and has succeeded in establishing jurisdiction in Dublin in an action against Billigfluege and Ticket Point. According to the Irish Times Hanna J. held as follows:
The exclusive jurisdiction clause contained in [Ryanair’s] website’s terms of use was binding on [Billigfluege and Ticket Point] in circumstances where those terms were at all times available for inspection by [Billigfluege and Ticket Point] as users of or visitors to the website, [Ryanair] having taken appropriate steps to ensure that the terms were brought to the user’s attention through their inclusion on the website via a clearly visible hyperlink.

If you use the site, you agree not to breach its terms and if you do so, the exclusive jurisdiction clause set out in the Terms of Use makes it clear that Ireland is the appropriate jurisdiction for the purposes of litigating any disputes that may arise as a result.
The full decision isn't available online yet, but from this excerpt it may be very significant indeed.

This appears to be the first time an Irish court has ruled on whether site terms of use are enforceable, and the passage quoted seems to adopt a very wide browsewrap theory whereby visitors to a website will be bound by terms of use without any positive act on their part, provided that a hyperlink to the terms is "clearly visible". I'm not entirely sure that this result is correct - as Andres Guadamuz notes in a similar context, there are issues of acceptance and consideration in these cases - and it will be interesting to read the full decision to see whether and how these issues are considered.

The potential implications of this decision are also important. If the broad approach above is followed it would appear to have the potential to eliminate screenscraping entirely, and to enable site owners to assert exclusivity over information which is not protected by copyright or database right - in effect creating a new quasi intellectual property right and upsetting the balance created by statute. (Just witness the Dublin Bikes iPhone app case.) Hopefully if this case goes to a full hearing we will see these points raised and considered in detail.