English High Court raises eyebrows over request to disclose ISP customer data

To paraphrase Oasis (badly): Norwich Pharmacal Orders - familiar to thousands. In the consolidated claims of Mircom International Content Management & Consulting Ltd and Ors and Golden Eye International Ltd and Ors v Virgin Media Limited and Persons Unknown [2019] EWHC 1827 (Ch), Mr Recorder Douglas Campbell QC (sitting as a High Court judge) got to grips with an application to compel Virgin Media to disclose the personal details of tens of thousands of its residential broadband subscribers that correspond to IP addresses identified by the Applicants as having downloaded (without permission) copyright films of an adult nature (whose titles were archly described by the learned judge as "leav[ing] little to the imagination").

Golden Eye is not new to this arena; it succeeded in a 2012 action against Telefónica/O2 (first instance judgment here and appeal here). The Applicants essentially argued that the 2012 decisions should be cloned in the present case.

To recap, the O2 claim was decided in the same way as any other Norwich Pharmacal action, for which the requirements are: (i) a good arguable case that wrongs have been committed against the Applicant; (ii) the Respondent to the application is mixed up in those wrongs; (iii) the Applicant is intending to seek redress for the wrongs; (iv) disclosure of the information sought is necessary for the Applicant to pursue the redress; (v) it is necessary and proportionate to grant the order / the court should exercise its discretion in favour of granting the relief sought. Regarding proportionality, Virgin Media sought to rely on the Supreme Court's judgment in Rugby Football Union v Viagogo [2012] UKSC 55 and in particular an apparent distinction drawn between the RFU's righteous quest to promote the sport of rugby by maintaining ticket prices at a reasonable level on the one hand, and a shakedown of unauthorised viewers of pornography on the other. This argument did not impress Mr Campbell, given that (a) the Supreme Court expressly approved Mr Justice Arnold's (as he then was) test for proportionality in O2; and (b) the appeal in O2 was decided (in favour of the Claimants) after the Supreme Court's judgment. The Supreme Court's comments in Viagogo merely suggested that Viagogo was a more attractive case on the facts than O2, but a Norwich Pharmacal order was still granted in O2

The decision in Virgin Media is interesting for three reasons:

1. It is the first decision of this nature to consider the effect of the General Data Protection Regulation (GDPR). [True, the GDPR has flown largely under the radar, but Merpel keeps insisting that it is significant.] Virgin Media raised the ghoulish prospect of GDPR issues, resulting in three live points: (i) are the IP addresses in the Applicants' possession personal data within the meaning of Article 4(1) GDPR; (ii) if the disclosure sought were to be ordered, would the Applicants be “data controllers” (Article 4(7)) or “data recipients” (Article 4(9)); and (iii) would the Applicants’ promise to register as a data controller with the UK Information Commissioner’s Office (ICO) make any difference? The Applicants also sought to rely on the CJEU decision in Breyer v Federal Republic of Germany (Case C-582/14) in support of the argument that the court should order Virgin Media to disclose data regarding its relevant customers (presumably because the data requested would be “means reasonably likely to be used” to identify the alleged infringers).

The judge dealt with these arguments swiftly. The fact that the disclosure requested might allow the Applicants to identity relevant individuals was not a sufficient basis alone to support the applications. And yes, if the court were to grant the order requested, the IP addresses would become personal data, because the addresses would allow the identification of individuals. But the Applicants would not be data controllers because of Schedule 2, Part 1, paragraphs 5(2) and (3) of the implementing Data Protection Act 2018. These provisions dis-apply the more onerous obligations placed on data controllers under the GDPR for the purposes of (among other things) establishing, exercising or defending legal rights. If the order had been granted the Applicants would merely have been “recipients” of personal data, not data controllers, and freed from many of the strictures of the GDPR (such as the need to provide data processing/privacy notices to data subjects).

2. The application was denied because the Applicants produced painfully inadequate evidence. In the 2012 litigation mentioned above, Arnold J found that the evidence demonstrated a good arguable case that the alleged file sharing took place, and it was the identified IP addresses relating to O2 customers that were engaged in such file sharing. Not so in this case. Virgin Media took the Applicants to task over the quality of their evidence, and the court came down heavily in Virgin Media’s favour. The Applicants' expert reports were out of date (nine years old), not properly commissioned and lacked statements of truth. Witness statements were missing exhibits showing the relevant IP addresses, or the wrong exhibits were exhibited. Clearly, the Applicants knew of these defects because they offered to make the court's order conditional on an undertaking to correct deficiencies in their evidence. Put simply, the evidence was not sufficient to persuade the judge that the Applicants had a "good arguable case" on the merits (a higher standard than for e.g. an interim injunction). 

Nope, it definitely tastes defective

3. Given the above, the judge did not need to decide whether to exercise his discretion to make the order sought. There was evidence before the court that following a similar earlier order in favour of Mircom against Virgin Media, Mircom sent demand letters to 749 individuals; 76 of these admitted liability, and a further 15 settled without admission of liability. No proceedings were issued. Given that 658 people did not reach a settlement but were apparently left untroubled, Virgin Media argued that this was evidence that the Applicants in the present case were simply interested in setting up a money-making scheme, not suing anyone or seeking genuine redress. Although the judge was circumspect in his comments on this point, the judgment makes clear that he would have weighed the point as part of the balancing exercise (step (v)) if it came to it.

Comment

Mr Campbell QC produced a clear-eyed judgment on a rather blurred application. A lot of the issues raised by Virgin Media did not stick or did not fall to be decided. Perhaps most notably, it seems that the GDPR will not radically change the requirements for this type of application to succeed in future.

Ultimately, this was a decision about quality of evidence. Just because the court has granted a similar order before, the court will consider the evidence in each case on its merits; the court is far from a conveyor belt. The judge's summing up paragraph provides a succinct, and slightly wry, lesson:

"The defects in both the fact and expert evidence are so fundamental that I will dismiss these applications. If it is simple and straightforward as the Applicants say to prepare and serve acceptable evidence then this dismissal will not present them with any great problem. All they need to do is correct what they have said are technical defects." 



English High Court raises eyebrows over request to disclose ISP customer data English High Court raises eyebrows over request to disclose ISP customer data Reviewed by Alex Woolgar on Wednesday, July 31, 2019 Rating: 5

No comments:

All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here: http://ipkitten.blogspot.com/p/want-to-complain.html

Powered by Blogger.