The European Data Protection Supervisor (EDPS) said (16-page / 130KB PDF) that elements of the Anti-Counterfeiting Trade Agreement (ACTA) cannot be justified and that the wording of the text is not sufficiently detailed to guarantee that individuals' rights would not be breached in any enforcement against suspected online copyright infringers.
"It should be ensured that any online enforcement measure implemented within the EU as a result of entering into ACTA is necessary and proportionate to the aim of enforcing IP rights," Giovanni Buttarelli, assistant EDPS, said.
"Measures that entail the indiscriminate or widespread monitoring of internet user' behaviour, and/or electronic communications, in relation to trivial, small-scale not for profit infringement would be disproportionate and in breach of [individuals' right to privacy under the European Convention on Human Rights], [individuals' right to privacy and the protection of their personal data under] the Charter of Fundamental Rights, and the Data Protection Directive," he said.
Buttarelli said a drafting of "targeted" enforcement plans could legitimatise monitoring of internet activities under certain conditions.
"A targeted form of monitoring by right holders would be legitimate if the processing is carried out in the context of specific, current or forthcoming judicial proceedings, to establish, make or defend legal claims," he said. "However, the generalised monitoring followed by the storage of data on a general scale for the purpose of enforcing claims, such as the scanning of the Internet as such, or all the activity in P2P networks, would go beyond what is legitimate.
"Such general monitoring is especially intrusive to individuals' rights and freedoms when it is not well defined and there is no limitation to it, in scope, in time, and in terms of persons concerned," Buttarelli said.
ACTA requires member countries to have in place "enforcement procedures" under national laws that allow for "effective" action to be taken against IP infringers that is both "expeditious" and a suitable "deterrent to further infringements".
In January the UK, along with 21 other EU member countries, signed up to ACTA at a ceremony in Japan. Australia, Canada, Japan, South Korea, Morocco, New Zealand, Singapore and the US signed ACTA in October last year.
However, in February thousands of people took to the streets of cities across Europe to protest against the impact they believe ACTA would have on their internet freedoms. Member countries of ACTA must ensure that IP that exists in "the digital environment" can also be enforced through civil and criminal legal procedures.
A number of EU ACTA signatories, including Poland and the Czech Republic, have expressed concern with the proposed text and have suspended their "ratification" of it. The signatory countries and the European Parliament must approve the text before it can come into effect.
Other concerns have been raised about the secrecy in which ACTA was negotiated, with a rapporteur on the text at the European Parliament resigning in protest over the ACTA signing process - something he referred to as a "charade".
In response to the concerns over ACTA the European Commission has asked the European Court of Justice (ECJ) to review whether ACTA is compatible with the guardian principles and rights behind EU law. Earlier this month it announced it had "unanimously" agreed to ask the ECJ if "the Anti-Counterfeiting Trade Agreement (ACTA) [is] compatible with the European Treaties, in particular with the Charter of Fundamental Rights of the European Union".
The ECJ is expected to weigh fundamental rights that rights holders have to the protection of intellectual property against individuals' rights to privacy and the protection of their personal data. Those rights, together with others that the ECJ may consider – including the freedom to conduct business – are guaranteed under the EU Charter of Fundamental Rights.
However, the watchdog that is responsible for ensuring EU bodies comply with data protection law, has issued its own opinion on ACTA and expressed concerns about its drafting.
The EDPS said that ACTA's wording is not prescriptive enough to ensure that data protection requirements would be satisfied if measures are introduced to enforce against online copyright infringement.
"The current deficiencies in the wording of the text together with the incentives provided to contracting parties over the implementation and design of enforcement mechanisms in the digital environment in their own territory are elements that will open the door for fragmented approaches within the EU, which in turn will run the high risk of inappropriate or insufficient respect of data protection requirements within the EU," the watchdog said.
ACTA also lacks detail on the kind of acts by internet users that would lead to enforcement action being taken against them and whether those individuals could make copies of material for their private use without facing such action, the opinion said. "It is particularly unclear whether only those activities carried out on a 'commercial scale' would be subject to the enforcement measures set forth in the digital chapter [of ACTA]".
"It is insufficiently guaranteed in ACTA that only the activities that are on a 'commercial scale' would be subject to the enforcement measures envisaged in the digital chapter," it said.
ACTA states that acts of ‘wilful copyright piracy’ or ‘wilful related rights piracy’ committed ‘on a commercial scale’ would be considered criminal offences and that offenders could face imprisonment or fines as a result. However, the EDPS said that the treaty "appears to create new categories of offences that would be subject to criminal enforcement" without defining what particular acts could lead to such sanctions as is required to provide "legal certainty".
"The EDPS underlines that the Agreement is unclear about the scope of enforcement measures in the digital environment, and whether they only target large-scale infringements of IP rights," the opinion said. "He regrets that the notion of 'commercial scale' is not defined with sufficient precision and that acts carried out by private users for personal and not-for profit purpose are not expressly excluded from the scope of the Agreement."
The watchdog said that ACTA implies that rights holders will in some form monitor use of the internet to identify alleged infringements of their rights by individuals in order to seek an injunction against individuals. Such activity would amount to processing of "sensitive data" because it would relate to suspected offenders, it said. Widespread monitoring by rights holders would be neither necessary nor proportionate and would not be justified, the opinion said.
"Whilst the processing by right holders of data relating to suspicions of IP rights infringement may be allowed for purpose of their own litigation under specific conditions, it should not extend beyond what is necessary and proportionate for such purpose," the EDPS said.
"From a data protection viewpoint right holders would only be allowed to engage into targeted monitoring in the context of limited, specific, ad hoc situations where well-grounded suspicions of copyright abuse on a commercial scale exist. Furthermore, in view of the specific risks to the rights and freedoms of individuals, such targeted monitoring should be subject to additional data protection safeguards, such as the prior checking or authorisation by the relevant national data protection authorities," it said.
Disclosure of suspected infringers' details by internet service providers (ISPs) to rights holders should only be done under the control of a "judicial authority", the opinion said. "The involvement of judicial authorities is an essential part of the current EU system and crucial to ensure that enforcement takes place in respect of due process and fundamental rights".
ACTA's wording would not ensure that only judicial bodies have control over these disclosure procedures, the EDPS said. "The use of the vague notion of 'competent authorities' does not provide much legal certainty that the disclosure of personal data under this provision would only take place under the control of judicial bodies."
As a result of the ability of 'competent authorities' to rule on disclosure, EU citizens' data protection rights could not be guaranteed, it said. "The current wording of the Agreement may legitimise orders from foreign non-judicial bodies to EU based ISPs to disclose information allowing identification of their EU-based Internet subscribers to right holders, even when these orders would be outside the scope of any ongoing legal proceeding."
ACTA allows for voluntary anti-piracy schemes to be drawn up by ISPs and rights holders, but the EDPS said that "large scale" processing of personal data under those schemes would raise "serious" privacy and data protection concerns. If those schemes also enabled "blocking of websites" the rights to freedom of expression and to receive or impart information and access to culture would be interfered with, it said.
The EDPS said that ACTA failed to "sufficiently" ensure that the correct balance would be achieved between intellectual property rights and data protection in the operation of voluntary anti-piracy schemes.
The watchdog added that the EU would have to ensure that any agreements the trading bloc formed under ACTA that involves the transfer of personal data to international trade partners would require "adequate data protection safeguards".
Although ACTA requires that enforcement measures are taken with "fundamental principles, such as freedom of expression, fair process and privacy" in mind, merely listing those principles is insufficient, the EDPS said.
"At international level, freedom of expression and privacy are recognised as fundamental rights in the Universal Declaration of Human Rights, and not as mere 'principles'," the opinion said. "Furthermore, the notion of 'fair process' does not correspond to any generally recognised human right. It appears to mix two different legal concepts, on the one hand the right to a fair trial (recognised in Article 10 of the Universal Declaration of Human Rights and Article 47 of the Charter of Fundamental Rights of the EU), and on the other hand, the notion of 'due process'".
"The EDPS underlines the benefits of an approach that lays out clearly the limitations and safeguards within which measures touching upon the use and monitoring of electronic communications networks may take place. It would therefore have been much better if ACTA had laid out clearly such safeguards," it said.