Peter Hustinx, the European Data Protection Supervisor, has issued a 20-page opinion expressing concern about ACTA. The opinion is a must-read and points to the prospect of other privacy commissioners speaking out. Moreover, with the French HADOPI three strikes law currently held up by its data protection commissioner, it raises questions about whether that law will pass muster under French privacy rules.
Given the secrecy associated with the process, the opinion addresses possible outcomes based on the information currently available. The opinion focuses on three key issues: three strikes legislation, cross-border data sharing as part of enforcement initiatives, and transparency.
On three strikes, the opinion begins by noting the privacy implications:
Such practices are highly invasive in the individuals' private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones. They affect millions of law-abiding Internet users, including many children and adolescents. They are carried out by private parties, not by law enforcement authorities. Moreover, nowadays, Internet plays a central role in almost all aspects of modern life, thus, the effects of disconnecting Internet access may be enormous, cutting individuals off from work, culture, eGoverment applications, etc.
The opinion then assesses three strikes within the context of European data protection law, concluding that it is a disproportionate measure:
Although the EDPS acknowledges the importance of enforcing intellectual property rights, he takes the view that a three strikes Internet disconnection policy as currently known – involving certain elements of general application – constitutes a disproportionate measure and can therefore not be considered as a necessary measure. The EDPS is furthermore convinced that alternative, less intrusive solutions exist or that the envisaged policies can be performed in a less intrusive manner or with a more limited scope. Also on a more detailed legal level the three strikes approach poses problems.
Among the specific problems, Hustinx concludes that the benefits simply don't outweigh the costs:
The EDPS is not convinced that the benefits of the measures outweigh the impact on the fundamental rights of individuals. The protection of copyright is an interest of right holders and of society. However, the limitations on the fundamental rights do not seem justified, if one balances the gravity of the interference, i.e. the scale of the privacy intrusion as highlighted by the above elements, with the expected benefits, deterring the infringement of intellectual property rights involving – for a great part – small scale intellectual property infringements.
The opinion also considers the privacy implications of data sharing arrangements facilitated by ACTA for enforcement purposes:
It can be questioned first whether data transfers to third countries in the context of ACTA are legitimate. The relevance of adopting measures at international level in that field can be questioned as long as there is no agreement within the EU member states over the harmonisation of enforcement measures in the digital environment and the types of criminal sanctions to be applied. In view of the above, it appears that the principles of necessity and proportionality of the data transfers under ACTA would be more easily met if the agreement was expressly limited to fighting the most serious IPR infringement offences, instead of allowing for bulk data transfers relating to any suspicions of IPR infringements. This will require defining precisely the scope of what constitutes the 'most serious IPR infringement offences' for which data transfers may occur.
The opinion follows this with detailed recommendations on how ACTA can facilitate sharing of information and ensure appropriate privacy safeguards.
Hustinx is direct and to the point on the issue of transparency:
The EDPS strongly encourages the European Commission to establish a public and transparent dialogue on ACTA, possibly by means of a public consultation, which would also help ensuring that the measures to be adopted are compliant with EU privacy and data protection law requirements.