The DEA is a controversial law that includes provisions aimed at combating online copyright infringement. BT and TalkTalk previously lost a High Court challenge in April over the legality of the Act but earlier this month were given the right to appeal against the Court's ruling. Details of the scope of what that appeal may consist of have only just emerged.
Lord Justice Lewison agreed to allow the internet service providers (ISPs) the chance to argue that the DEA was enacted without following proper procedures and that it may breach the EU's E-Commerce Directive, Privacy and Electronic Communications Directive, Data Protection Directive, Authorisation Directive.
Under the E-Commerce Directive member states are obliged to introduce national laws that prevent service providers becoming liable for the transmission of communications over their network under certain conditions.
This 'mere conduit' defence can be used as long as service providers do not initiate the transmission, select who receives it and do not "select or modify the information contained in the transmission". These provisions "shall not affect the possibility for a court or administrative authority, in accordance with member states' legal systems, of requiring the service provider to terminate or prevent an infringement," the Directive states.
BT and TalkTalk argued that parts of the DEA make ISPs responsible for the copyright infringement of customers and that this violates the 'mere conduit' laws provided for in the E-Commerce Directive.
"The argument advanced this morning is that the liability for information transmitted ... should be interpreted as meaning responsibility as a result of the transmission of information," Lord Justice Lewison said in his ruling.
"[BT] argues that this construction does not stretch the language beyond its natural meaning and is consistent with the policy objectives behind the Directive, including the establishment of a level playing field across all member states. In my judgment, those arguments do have a real prospect of success and I grant permission to appeal," the judge said in his ruling.
Under the DEA Ofcom, the UK's communications regulator, must draw up new regulations on ISPs' involvement in attempts to stop copyright infringement.
In a draft code of practice published in May last year Ofcom said that internet users should receive three warning letters from their ISP if they are suspected of copyright infringements online.
Details of illegal file-sharers that receive more than three letters in a year would be added to a blacklist, the draft code said. Copyright holders would have access to the list to enable them to identify infringers. Under the draft code, ISPs could also have to suspend users' internet access if they are found to be illegally downloading copyrighted material.
Ofcom and the Department for Culture, Media and Sport (DCMS) had been expected to publish the finalised regulations by now.
Under sections 17 and 18 of the DEA other anti-piracy measures can be drawn up at the behest of the Culture Secretary. Those measures would see courts decide whether to force ISPs to block access to pirated copyright works. In August the Government announced that it had no plans to bring any new regulations under sections 17 and 18 into law "at this time".
Lord Justice Lewison said that he had "considerable sympathy" with the view that it was "permissible" for ISPs to process personal data of customers "for the establishment, exercise or defence of legal claims," but that he would allow the ISPs to contest that point. He said the appeal was justified because the opinion of the judge who ruled on the legality of the processing in April differed from that of the EU's privacy watchdog, the European Data Protection Supervisor.
Under EU data protection laws member states are required to "prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life" subject to a number of exemptions. One exemption to that rule is if "the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims".
Mr Justice Lewison also ruled that there were "sufficient reasons to grant permission to appeal" the High Court's ruling that the DEA does not breach the EU's Privacy and Electronic Communications Directive. The Directive governs what information can be gathered from electronic communications and says that ISPs should not be responsible for material sent over their network unless informed about infringements of the law.
The judge said that BT and TalkTalk should be allowed to challenge the legality of the DEA on the basis that the ISPs are "supported in their contention" by an opinion by an advocate general at the European Court of Justice (ECJ).
In April ECJ advocate general Pedro Cruz Villalón said that Belgian ISP Scarlet should not have to filter copyright-infringing traffic from its service because to do so would invade users' privacy rights.
BT and TalkTalk have also been granted permission to argue that the DEA sets out provisions that are outwith the scope of the Authorisation Directive. The Directive states that EU member states must create a legal framework "ensuring rights for the provision of electronic communications networks or services and laying down sector specific obligations that may apply to all or to specific types of electronic communications networks and services".
The ISPs have previously argued that the parts of the DEA that would require ISPs to act upon notification of copyright infringement over their network fall outside those "sector specific obligations".
The ISPs will also be able to argue that the European Commission should have been "notified in draft" about the parts of the DEA that require Ofcom to draw up its code before the laws were enacted, Lord Justice Lewison said.
The judge rejected the ISPs' claims that the DEA violated provisions within the E-Commerce Directive that state that service providers should not have a "general obligation ...to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity" imposed upon them.