In an age when the media analyzes legal decisions on the basis of winners and losers, the recent Federal Court appellate decision over music file sharing left many people a bit bewildered. The court described the decision as a divided success, newspaper headlines trumpeted it as a loss for the music industry, while the Canadian Recording Industry Association declared total victory. Actually, years from now this case will be remembered not for who won or lost, but rather for its impact on privacy law and copyright policy.
On May 19th, when many were distracted by Belinda or the budget vote, the Federal Court of Appeal released its ruling on CRIA’s effort to compel five of Canada’s largest Internet service providers to reveal the identities of 29 of their customers. Those customers are alleged to have infringed copyright by allowing other Internet users to download songs from their computers on peer-to-peer networks.
Last year, a federal court dismissed CRIA’s motion, citing unreliable evidence, privacy concerns, and doubts that the impugned activity violated Canadian copyright law. At one level, the rejection of CRIA’s appeal is easy to understand. Quite simply, the appellate court upheld the earlier decision since it was unwilling to rehabilitate what even CRIA has acknowledged was “evidentiary deficiencies.”
The court’s analysis did not stop there, however. It provided a cursory review of key copyright issues but declined to arrive at any firm conclusions. In other words, claims that the court ruled that file sharing is either legal or illegal are simply inaccurate as that question has been left for another day.
Next week this column will focus on the copyright policy ramifications of the decision. In the meantime, however, the court’s discussion concerning the development of a privacy framework merits further analysis.
Although some parties have sought to downplay the centrality of privacy to the case, the court opened its discussion by calling attention to the tension between privacy and copyright. It noted that “citizens legitimately worry about encroachment upon their privacy rights. The potential for unwarranted intrusion into individual personal lives is now unparalleled. In an era where people perform many tasks over the Internet, it is possible to learn where one works, resides or shops, his or her financial information, the publications one reads and subscribes to and even specific newspaper articles he or she has browsed.”
This comment, alongside similar wording last summer from Justice LeBel of the Supreme Court of Canada, sends an unequivocal message from Canada’s highest courts that Internet privacy involves highly sensitive information that deserves strong legal protection.
Just how strong became apparent later in the judgment. While the court acknowledged the obvious – privacy rights are not absolute and must sometimes take a back seat to other interests – it proceeded to establish a rigorous test designed to provide significant privacy protections.
The test requires a plaintiff such as CRIA to first demonstrate that it has a “bona fide” claim based on evidence that it has obtained (not merely that it intends to file a lawsuit) and that it has no other improper purposes for seeking the identity of the subscribers. CRIA must demonstrate that the information cannot be obtained from another source and tender evidence that is (i) admissible, (ii) timely, and (iii) links the Internet protocol addresses of the subscribers to the alleged infringement.
The importance of each of these evidentiary requirements should not be underestimated. In addressing the deficiencies of this particular case, the court warned that relying on faulty evidence created “the risk that innocent persons might have their privacy invaded and also be named as defendants where it is not warranted.”
Assuming that the evidentiary hurdles are met, the test then requires courts to determine whether the public interest in disclosure outweighs the privacy interests that are at stake. If the court determines that disclosure is appropriate, it must ensure that privacy rights are invaded “in the most minimal way” such that CRIA must collect no more information than is necessary for the purpose of the claim. The court recommended that judges provide specific directions on how the information can be used and also consider keeping the information from the broader public by issuing a confidentiality order or identifying the defendants solely by their initials.
With CRIA indicating that it plans to proceed with a fresh round of lawsuits, the effectiveness of these privacy protections will quickly be put to the test. While federal court judges will ultimately weigh the public interest considerations, other parties share responsibility for protecting Internet privacy.
Internet service providers, many of whom have proclaimed their support for customer privacy, have an obligation to play an active role in any future lawsuits by rapidly notifying their customers and by raising the privacy issues with the court. Moreover, the Privacy Commissioner of Canada would do well to consider intervening in future cases since the issues at stake sit at the heart of the Commissioner’s mandate.
Ultimately, CRIA should also assess the privacy ramifications of its proposed actions. While it is legally entitled to file these suits, similar actions in other jurisdictions have had no discernable impact on file sharing and put the industry at odds with the growing concern for personal privacy. That makes for a risky strategy with few winners and many losers.