That Irish "three strikes" ruling: a explanation

On Friday the IPKat posted a "breaking news" item on an Irish case, EMI Records (Ireland) Ltd and others v Eircom Ltd [2010] IEHC 108, which he somewhat unhelpfully described as being the first Irish decision on that country's "three strikes" law (the Irish "three strikes" being the result of a consensual arrangement, not legislation). The Kat had planned to dedicate part of the weekend to reading the decision and producing a note on it. However, David Brophy (FRKelly) has fortuitously saved him the trouble by sending him this summary. Say David:
"The question being decided was whether a "three strikes" protocol agreed between the four major record labels (EMI, Sony, Universal and Warner) and the largest of Ireland's ISPs (Eircom) was objectionable on data protection grounds. Briefly, the arrangement was that the record labels would operate software to identify file-sharing of files in which they claimed copyright, where one of the parties was operating from an IP address assigned to Eircom. Eircom would be notified of the alleged infringement, and agreed it would implement a "three strikes" procedure ultimately leading to termination of the subscriber's internet access on the third such notification.

The Data Protection Commissioner wrote to the solicitors for EMI, expressing concern over their intention to collect, share and process IP addresses which might constitute "personal data" and/or "sensitive personal data". The judge was asked to make a ruling on three questions which can be summarised, simplified and rephrased for context as follows:

(1) Do IP addresses, in the hands of EMI, constitute “personal data” for the purposes of the Data Protection Acts 1988-2003, such that EMI must comply with certain specified provisions of the Data Protection Acts?

Held: No. Since the subscriber cannot be identified from the IP address, and it is not likely that the record labels can combine the IP address with other information, or will even attempt to do so, the IP addresses are not personal data within the meaning of the Act.

(2) Assuming that the processing by Eircom of “personal data” when terminating an internet user's subscription is potentially permissible under the Data Protection Acts, is it nevertheless prohibited because the termination of internet access represents “unwarranted [processing] by reasons of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject”?

Held: No. Terminating an internet user's subscription is not unwarranted and therefore not prohibited. Copyright is a personal property right under the Irish Constitution which the Courts have a duty to protect. By imposing on subscribers, as a condition of internet access, a prohibition on copyright infringement, Eircom as an ISP is acting legitimately to support a third party's constitutional right, and the sanction of terminating access is not excessive and is consented to by the subscriber. Enforcing this sanction, using the automated system agreed with the record labels, is similarly not excessive or unwarranted.

(3) Is it open to EMI and/or Eircom under the Data Protection Acts to implement the three strikes process, and in particular, the termination of an internet user’s subscription, in circumstances where:
(a) In doing so they would be engaged in the processing of "personal data" and/or "sensitive personal data", including the provision of such data from one private entity to another private entity; and
(b) The termination of an internet user’s subscription by Eircom would be predicated on the user having committed an offence (i.e. the uploading of copyright-protected material to a third party by means of a peer-to-peer application) but without any such offence having been the subject of investigation by an authorised body; and, further, without any determination having been made by a court of competent jurisdiction, following the conduct of a fair and impartial hearing, to the effect that an offence had in fact been committed.

Held: Yes. It was open to the parties to operate the three strikes process. The judge reasoned that the parties were not really concerned with whether any criminal offence had been committed (this would require a showing of knowledge or intent, which was beyond the scope of the detection and notification procedures), and that their only concern, in operating the three strikes process, was in detecting and preventing civil copyright infringement. As such, the issues associated with "sensitive personal data" and the more stringent controls on processing data relating to criminal offences, did not require consideration.

It is noteworthy that the Data Protection Commissioner was not represented before the Court, nor was there any representation for the consumer, for digital advocacy groups, or for any party strongly opposed to the implementation of the three strikes system. The overall tenor of the judgment strongly champions the rights of the copyright holder, and one can only speculate if this would be different in a case where the legitimate interests of the data subject were strongly advocated. The judgment is particularly striking for the language used to describe the act of copyright infringement ("theft", "stealing", "filching"), and the data subjects, whose interests the case is of course addressing, become "copyright thieves" when their IP addresses have been identified as having been involved in file-sharing.

Finally, it should be noted that this three strikes procedure arises from a settlement between the record labels and a single ISP, namely Eircom. No other ISP has yet agreed to implement this three strikes rule, and some have said that they will fight any attempt to impose this solution on them. All of this suggests that this is not the last word on the three strikes system from the Irish courts".
The IPKat thanks David for his lucid exposition of the decision and also for his observations concerning it. Merpel says, it will be interesting to see whether internet users migrate from Eircom to other ISPs in result of this ruling, or whether most remain indifferent to it.
That Irish "three strikes" ruling: a explanation That Irish "three strikes" ruling: a explanation Reviewed by Jeremy on Monday, April 19, 2010 Rating: 5


  1. Gee, thanks, IPKat, I was just looking for the latest kink in the struggle between IP rights and privacy in the EU area. Now, my international legal English class and I will have a good time tonight in Oslo. - June Edvenson

  2. "Finally, it should be noted that this three strikes procedure arises from a settlement between the record labels and a single ISP, namely Eircom. No other ISP has yet agreed to implement this three strikes rule, and some have said that they will fight any attempt to impose this solution on them. (...)".

    Paragraph 10 of the Judgement appears to acknowledge the above:

    10. Since it was likely to be deeply unfair that only Eircom with about 40% of the market share, as the defendant in these proceedings, should bear the burden of this settlement, thus activating the winds of market forces to drive customers towards Eircom’s competitors, the plaintiffs agreed to initiate similar proceedings against other internet service providers in the State. This, I understand, has been done. That case is in the Commercial Court list for hearing on 10th June, 2010.

    Next word on 10 June 2010 then, when remaining ISPs will be given their chance to walk the walk...

  3. As David Brophy notes, the language of the judgment is striking ("theft", "stealing", "filching") and certainly suggests criminality. However, in finding that IP addresses are not sensitive personal data, Charleton J goes on to say "in reality, no one is accusing anyone of an offence. There is no issue as to anything beyond civil copyright infringement.”

    Data protection rights appear to have been given very little credence (an "entitlement"), while copyright is presented as a "fundamental right".

    It will be interesting to see if there are any developments with the other ISPs, particularly in advance of June's hearing. It seems possible that the case against UPC, at least, may involve a different judge.


All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here:

Powered by Blogger.