Lawyers in the UK are obtaining the personal details of over 25,000 alleged file-sharers for the purposes of sending them a £500+ bill accompanied by threats of being sued. Read why the government’s Information Commissioner has let down every single one of them and why each disclosure could be a serious breach of the Data Protection Act.
Following numerous TorrentFreak investigations, today the BBC has published numerous articles, online and on radio about companies and lawyers who track down alleged file-sharers in the UK.
If you have received a letter from lawyers Davenport Lyons (or indeed any other law-firm operating the same business model) accusing you of illegally sharing games, videos or music, this article will provide serious food for thought and give you the tools and knowledge to make your voice heard at a government level. It is unacceptable that people are being wrongfully accused. We believe that your names and addresses should not have been handed over to these lawyers in the first place, and that you should not have received a threatening letter.
This is a guest post from Michael Coyle of Lawdit Solicitors who is currently defending many of those accused in the Dream Pinball, Colin McRae Dirt, Call of Juarez and more recently, the various porn titles cases brought by DigiProtect in the UK. (Intros, links, editing and letter template added by TorrentFreak/Penumbra)
Alleged File-Sharers: Why the Information Commissioner Has Let You Down
The Information Commissioner’s Office (ICO) is a non-departmental public body reporting directly to Parliament. It is the office dealing with the Data Protection Act 1998 and the Freedom of Information Act 2000, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Environmental Information Regulations 2004 in England and Wales.
UK ISPs were ordered earlier this year [and in 2007] by the High Court to disclose information relating to its customer’s data, based on information provided to them by amongst others, video games companies. The information sought was based on the customer’s IP address. Pursuant to CPR 31.18, lawyers applied for an order that the ISPs disclose the full name, postal address and telephone number of the subscriber of each of the IP addresses supplied.
The game plan was to match each IP address with an individual and write to them with a hefty threatening letter and a request for £500-600. If this sum was not paid, court action was threatened, costing tens of thousands of pounds. It all seemed fairly conclusive. The ISPs complied and the Lawyers [Davenport Lyons] commenced the enormous task of writing to over (so we understand) 25,000 potential infringers.
However it was only when responses started to flood in – many in their hundreds to Lawdit Solicitors – did it become clear that while IP addresses could reveal a name and real-life address, it did not reveal the culprit. It proved very little. It certainly did not prove that any copyright infringement had taken place, far from it. Only by inspecting the hard drive of the customer’s computer could you do this. If there were any other evidence to sit alongside the IP address, for example a user name or password of the file sharing software you could sympathize with the rights holder.
But to rely on the IP address alone is wholly disproportionate and has resulted in untold misery to many thousands of individuals. This whole affair sums up in my view how little the Information Commissioner (IC) is really concerned with an individual’s data. I am not aware of any publicly quoted concerns from the IC about this issue and he has remained silent as the forums and bulletin boards crackle with the indignation and invasion of individual’s data. You cannot blame the ISPs. As a Court Order was in place, why would an ISP go out on a limb for a few thousand customers?
But the IC ought to have been keeping a watchful eye out and at the very least issue a press release to offer individuals some comfort. The silence is even more deafening in that on 29 January 2008, the ECJ held that Community law does not require member states to oblige ISPs to disclose details of suspected file-sharers to enable a copyright owner to bring civil proceedings.
Personal data is protected generally in the EU by virtue of the EC Directive on the protection of individuals with regard to the processing of personal data (95/46/EC) (Data Protection Directive). Member states may provide exemptions to protection in order to conduct criminal investigations or safeguard national or public security or to protect the rights and freedom of others (Article 13(1), Data Protection Directive).
In the UK such an exception can be found under section 35 (1) of the Data Protection Act 1998 which provides that ‘Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.’ This exemption does not contain any further considerations for a Data Controller before making a disclosure in these circumstances.
The EC Directive on the processing of personal data and the protection of privacy in the electronic communications sector (2002/58/EC) (E-Privacy Directive) provides that national authorities may only lift the protection of data privacy in order to safeguard national or public security or to conduct investigations into criminal offences or the unauthorised use of an electronic communications system, where this is a “necessary, appropriate and proportionate measure” (Article 15(1), E-Privacy Directive).
The ECJ reached its conclusion(.pdf) following a Spanish case concerning Telefonica. The Juzgado de lo Mercantil No 5 de Madrid decided to stay the proceedings and referred the following question to the Court for a preliminary ruling:
Does Community law, specifically Articles 15(2) and 18 of Directive [2000/31], Article 8(1) and (2) of Directive [2001/29], Article 8 of Directive [2004/48] and Articles 17(2) and 47 of the Charter permit Member States to limit to the context of a criminal investigation or to safeguard public security and national defence, thus excluding civil proceedings, the duty of operators of electronic communications networks and services, providers of access to telecommunications networks and providers of data storage services to retain and make available connection and traffic data generated by the communications established during the supply of an information society service?
The ECJ, responded that the answer must be that Directives 2000/31, 2001/29, 2004/48 and 2002/58 do not oblige Member States to ensure effective protection of copyright in the context of civil proceedings to communicate personal data. A fair balance needs to be struck between the various fundamental rights and in particular the principle of proportionality. In Advocate General Kokott’s opinion she considered that it was compatible with Community law for member states to exclude operators of electronic communications networks and services from having to make available personal data relating to connection and traffic information in the context of a civil, as distinct from criminal, action.
While the decision is not binding on the ECJ it will generally follow the Advocate General’s opinion. For the vast majority if not all of the 25,000 recipients, this decision ought to have been interpreted as a request for information relating to a non criminal offence (i.e. any copying/file-sharing was non-commercial) and the request for the personal data ought to have been refused.
If you have received a letter accusing you of illicit file-sharing and you are innocent then please write to the Information Commissioner with your story and complain that the release of your personal data was a breach of the Data Protection Act 1998, while urging them to carry out a review of all subsequent releases.
The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
For your convenience, a TorrentFreak reader Penumbra has created this template in order to streamline the complaints procedure: (Link)
Update: You may petition the government online by following this link.