European "Three Strikes" Initiatives Move Beyond Concept and Become Law

Over the last year, we've been following the recent trends in Europe regarding "three strikes" legislation, where end-users may be subject to sanction by their ISPs for repeated acts of copyright infringement.  Following passage of the first such law in France last fall, the United Kingdom followed suit in early 2010 with passage of the Digital Economy Act.  While it is too early to say with certainty whether the laws will achieve their stated goal of deterring and ultimately reducing infringement, the debate surrounding these laws and early experience under their enforcement schemes provides insight into whether or not "deputizing" ISPs to police piracy will become more prevalent or whether yet another approach will need to be devised to protect content owners.

In October 2009, the France' high court approved "Loi favorisant la diffusion et la protection de la création sur Internet", or "HADOPI" (see our previous post: Three Strikes and You're…OUTTTT! (Of French Cyberspace)).  Now almost one year into the life of the law, results have been mixed. The French government has said that it is prepared to begin issuing warnings and sanctions under the law, but no action has been taken yet. Commentators have questioned the feasibility of the law (e.g., the ease with which offenders can regain access to the Internet), and some original supporters of the legislation have qualified their original support of the law in response to adverse political reaction.

The U.K.'s Digital Economy Act was enacted on June 8, 2010. Aimed at regulating the access of copyrighted material by end-users, one controversial section of the law establishes a system for identifying users who access illegal materials and for gradually increasing technical restrictions on their Internet access. These restrictions involve initially downgrading the quality of a user's connection (the hope being that slower upload and download speeds will act as a deterrent to piracy) and culminate in a complete denial of Internet access.

Since the enactment of the DEA, the Office of Communication (Ofcom), an independent regulator and competition authority for the UK communications industries, has developed a protocol/obligations code for implementing the legislation (but has said that plans to disconnect end-users from the Internet would not come into force until next year). ISPs are tasked with identifying and compiling a list of those end-users believed to be engaging in infringing conduct via a three-stage notification process, which includes sending letters to such end-users (which must include certain "standardized" information in connection with the allegations made against the end-user and such end-user can take both to challenge the allegation and to protect their network). Rights' holders can also request the ISP to identify those end-users who have breached an Ofcom-defined threshold for continued violation of access to information (i.e., following the third notification to a particular end-user), after which the rights' holder may petition a court for identification of the user for purposes of initiating litigation.

Not surprisingly, the DEA has been subject to criticism from many perspectives.  Certain commentators have claimed that the complete denial of Internet service may violate existing European Union principles and regulations intended to preserve EU residents' "basic rights and freedoms", one of which is the right to access and use the Internet, and say that even worse is the manner in which the act was passed into law (which ISPs claim was rushed through Parliament with insufficient scrutiny). Further criticism focuses on the fact that the DEA provides only for an independent, limited appeals process for end-users who believe they have been wrongly accused of copyright infringement (as opposed to due process in a judicial proceeding). Consumer rights groups have raised concerns that an innocent user who has not encrypted her wireless network may be sanctioned if others access the network to engage in authorized conduct.  In addition, some have predicted that the threat of disconnection may alienate the most avid legal buyers of entertainment content, encouraging them to switch to anonymized, encrypted alternatives so as not to reveal their identity.  Lastly, because the DEA only applies to ISPs with more than 400,000 customers, one consequence of the law could be a flight of consumers to smaller ISPs, placing the larger ISPs at a commercial disadvantage.

Many major ISPs have recently spoken out against the DEA.  Talk Talk and British Telecom (the UK's largest providers of broadband to homes) have initiated legal challenges, with their core claim being that the DEA conflicts with existing European Union regulations relating to individual privacy and electronics communications directives, as well as e-commerce directives.  They have also raised concerns about the role of ISPs in policing the Internet (i.e., that ISP's are mere conduits of content and should not be held responsible for traffic on their services).

Many reporters and commentators have also started to speculate about the practical ramifications of the DEA.  These include concerns that the increased costs borne by ISPs in identifying and notifying infringing users may be passed onto subscribers, raising access costs across the board.  Additionally, there is speculation that additional taxes may be imposed on ISPs for transmission of pirated content by their subscribers.  Finally, the potential ramifications of long-term end-user tracking (e.g., data retention issues) have raised additional privacy concerns.

Reception of the three-strikes legislation, or graduated response, has been mixed elsewhere in the European Union and around the world.  In some countries, such as Belgium and Singapore, active or proposed legislation has tried to establish administrative oversight of illegal access to copyrighted material. In others, such as Germany, the government has taken a more laissez-faire approach by asking individual ISPs to handle content regulation and restriction without active government intervention.

The point of restriction of content access varies as well. Graduated response, such as the process promulgated by HADOPI, puts the onus upon the individual end-user (i.e., if the end-user infringes upon copyright and accesses copyrighted material, she suffers the potential sanction of denial of Internet service). In other proposals, this remedy is rejected in favor of putting the burden on ISPs: the service provider must actively block websites known to provide copyrighted material illegally. Yet other proposed regulations include targeting the website itself and have imposed (or have tried to impose) sanctions against individual websites for their presence within a certain country.

These alternate approaches clearly reveal the competing, deeply-rooted political philosophies and interests engaged in the debate.  Is digital piracy something that should be primarily policed by the government through stringent regulatory schemes?  Or should the responsibility fall to commercial stakeholders, such as content owners and ISPs?  How does one resolve the competing interests between content owners (who seek the most stringent protections available) and ISPs (who may view themselves as a passive provider of a basic service, not an active enforcement agency)?  And will innocent end-users find that they are adversely impacted by the actions of true infringers?

While there may be universal agreement that infringing activity must be inhibited, it is unlikely that a single, unified approach to the problem will emerge any time soon.  However, through trial and error and the experience of "early adapter" nations such as France and the UK, it is possible that a consensus will emerge on a scheme that achieves a balance among the concerns and interests of the various stakeholders

We will obviously keep an eye on future developments in this area of the law and relevant industry practices.