5.6.2010   

EN

Official Journal of the European Union

C 147/1

1.

The European Union is taking part in negotiations on the drafting of an Anti-Counterfeiting Trade Agreement (ACTA). These negotiations were launched in 2007 amongst an initial group of interested parties and then continued with a broader group of participants; to date those include Australia, Canada, the European Union, Japan, Korea, Mexico, Morocco, New Zealand, Singapore, Switzerland and the United States. The European Commission received a mandate from the Council to enter into these negotiations in 2008.

2.

The EDPS acknowledges that the cross-border trade in counterfeit and pirate goods is a growing concern that often involves organised criminal networks, which calls for the adoption of appropriate cooperation mechanisms at international level in order to fight against this form of criminality.

3.

The EDPS outlines that the negotiation by the European Union of a multilateral agreement that has as its core subject the enforcement of intellectual property rights raises significant issues as to the impact of the measures taken to combat counterfeiting and piracy on individuals’ fundamental rights, and in particular their right to privacy and data protection.

4.

In this respect, the EDPS particularly regrets that he was not consulted by the European Commission on the content of such an agreement. Acting on his own initiative, the EDPS has therefore adopted the current opinion based on Article 41(2) of Regulation (EC) No 45/2001 in view of providing guidance to the Commission on the privacy and data protection related aspects that should be considered in the ACTA negotiations.

5.

The seventh round of negotiations took place in Mexico on 26-29 January 2010, with a view to concluding an agreement in the course of 2010. However, to date no official draft of the agreement has been released.

6.

The negotiations aim at adopting a new multilateral agreement designed to strengthen the enforcement of Intellectual Property Rights (IPR) and to combat counterfeiting and piracy. If adopted, this new agreement would create improved international standards as to how to act against large-scale infringements of IPR. The European Commission's Directorate General for Trade has particularly outlined that ‘the intended focus is on counterfeiting and piracy activities that significantly affect commercial interests, rather than on activities of ordinary citizens’ (4).

7.

As to the content of the agreement, the Summary of key elements under discussion released by the European Commission’s Directorate General for Trade in November 2009 indicates that ACTA's goal of fighting piracy and counterfeiting will be pursued through three primary components: (i) international cooperation, (ii) enforcement practices, and (iii) definition of a legal framework for the enforcement of IPR in several identified areas, and in particular in the digital environment (5). The foreseen measures will notably deal with legal procedures (such as injunctions, provisional measures), the role and responsibilities of Internet service providers (ISPs) in deterring copyright infringement over the internet, and cross-border cooperation measures to prevent goods from crossing borders. The information made public, however, only provides the general lines of the agreement and does not go into the details of any specific and concrete measures.

8.

The EDPS notes that even if the intended objective of ACTA is to pursue only large-scale infringements of IPR, it cannot be excluded that activities of ordinary citizens might be captured under ACTA, especially as enforcement measures take place in the digital environment. The EDPS stresses that this will require that appropriate guarantees are set forth to protect the fundamental rights of individuals. Moreover, data protection laws cover all individuals, including those who are potentially involved in counterfeiting and piracy activities; the combat of large-scale infringements will certainly also involve the processing of personal data.

9.

In this respect, the EDPS strongly encourages the European Commission to establish a public and transparent dialogue on ACTA, possibly by means of a public consultation, which would also help ensuring that the measures to be adopted are compliant with EU privacy and data protection law requirements.

10.

The EDPS strongly calls on the EU, and in particular the European Commission who received the mandate to conclude the agreement, to strike a right balance between demands for the protection of intellectual property rights and the privacy and data protection rights of individuals.

11.

The EDPS emphasises that privacy and data protection are core values of the European Union, recognised in Article 8 ECHR and Articles 7 and 8 of the EU Charter of Fundamental Rights (6), which must be respected in all the policies and rules adopted by the EU pursuant to Article 16 of the Treaty on the Functioning of the European Union (TFEU).

12.

Furthermore, the EDPS stresses that any agreement reached by the European Union on ACTA must comply with the legal obligations imposed on the EU with respect to privacy and data protection law, as notably set forth in Directive 95/46/EC, in Directive 2002/58/EC (7) and in the jurisprudence of the European Court of Human Rights (8) and of the Court of Justice (9).

13.

Privacy and data protection must be taken into account from the very beginning of the negotiations, not when the schemes and procedures have been defined and agreed and it is therefore too late to find alternative, privacy compliant solutions.

14.

In view of the little information made publicly available, the EDPS notes that he is not in a position to provide an analysis of the specific provisions of ACTA. In this opinion, the EDPS will therefore focus on depicting the potential threats to privacy and data protection of possible concrete measures that the agreement, as it has been reported, may raise in the two following areas: intellectual property rights enforcement in the digital environment (Chapter IV), and international cooperation mechanisms (Chapter V).

15.

According to the European Commission, ACTA will create a legal framework to fight piracy in the digital environment (10). This framework will establish the conditions under which ISPs and other online intermediaries (11) may be held liable as a result of infringing copyright material running through their facilities. The framework may also provide for measures and remedies to be imposed upon Internet users as a result of uploading or downloading infringing copyright material. While the details of such framework have not been officially released, in view of the information available from different channels, it can be foreseen that it could include the imposition of obligations on ISPs to adopt ‘three strikes Internet disconnection policies’, also referred to as ‘graduated response’ schemes. Such schemes will allow copyright holders to monitor Internet users and identify alleged copyright infringers. After contacting the ISPs of the alleged infringer, ISPs would warn the user identified as infringer; he would be disconnected from Internet access, after first receiving three warnings.

16.

At the same time as the ACTA negotiations, three strikes Internet disconnection policies are being implemented in some Member States such as France. They are also discussed in various EU forums such as the Stakeholders’ Dialogue on illegal up — and downloading that currently takes place animated by the Directorate-General for the Internal Market and Services, in connection with the adoption of the Commission's communication enhancing the enforcement of intellectual property rights in the internal market (12). Discussions on this topic also take place in the European Parliament in the context of the pending debate on a draft European Parliament resolution on enhancing the enforcement of intellectual property rights in the internal market (referred to as ‘the Gallo report’).

17.

Such practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones. They affect millions of law-abiding Internet users, including many children and adolescents. They are carried out by private parties, not by law enforcement authorities. Moreover, nowadays, the Internet plays a central role in almost all aspects of modern life, thus, the effects of disconnecting Internet access may be enormous, cutting individuals off from work, culture, eGoverment applications, etc.

18.

Against this background, it is relevant to assess the extent to which these policies are in line with EU data protection and privacy legislation, and more in particular whether three strikes Internet disconnection policies constitute a necessary measure to enforce intellectual property rights. In that context, it should furthermore be analysed whether other, less invasive methods exist.

19.

It is still unclear whether three strikes Internet disconnection policies will be part of ACTA. However, these policies are being considered also in other areas and they have — potentially — an enormous impact on the protection of personal data and privacy. For these reasons, the EDPS finds it necessary to discuss them in this opinion. Before performing the analysis just referred to, the EDPS will briefly describe the applicable legal data protection and privacy framework.

20.

It should be noted that in addition to data protection and privacy, three strikes Internet disconnection policies raise concerns regarding other values such as due process and freedom of speech. However, this opinion will only address those issues that are related to the protection of personal data and privacy of individuals.

21.

In a nutshell, under three strikes Internet disconnection policies copyright holders using automated technical means, possibly provided by third parties, would identify alleged copyright infringement by engaging in monitoring of Internet users’ activities, for example, via the surveillance of forums, blogs or by posing as file sharers in peer-to-peer networks to identify file sharers who allegedly exchange copyright material (13).

22.

After identifying Internet users alleged to be engaged in copyright violation by collecting their Internet Protocol addresses (IP addresses), copyright holders would send the IP addresses of those users to the relevant Internet service provider(s) who would warn the subscriber to whom the IP address belongs about his potential engagement in copyright infringement. Being warned by the ISP a certain number of times would automatically result in the ISP's termination or suspension of the subscriber’s Internet connection (14).

23.

Three strikes Internet disconnection policies have to comply with the requirements stemming from the right to privacy, as laid down in Article 8 ECHR and Article 7 of the Charter of fundamental rights, and stemming from the right to data protection as laid down in Article 8 of the Charter of fundamental rights and Article 16 TFEU, and as elaborated in Directive 95/46/EC and Directive 2002/58/EC.

24.

In the EDPS view, the monitoring of Internet user's behaviour and further collection of their IP addresses amounts to an interference with their rights to respect for their private life and their correspondence; in other words, there is an interference with their right to private life. This view is in line with the case law of the European Court of Human Rights (15).

25.

Directive 95/46/EC is applicable (16) since the three strikes Internet disconnection policies involve the processing of IP addresses which — in any case under the relevant circumstances — should be considered as personal data. IP addresses are identifiers which look like a string of numbers separated by dots, such as 122.41.123.45. A subscription to an Internet access provider will give the subscriber access to the Internet. Every time the subscriber wishes to go onto the Internet, he will be attributed an IP address through the device he is using to access the Internet (a computer, for example) (17).

26.

If a user engages in a given activity, for example, uploads material onto the Internet, the user may be identified by third parties through the IP address he/she used. For example, the user holding IP address 122.41.123.45 uploaded allegedly copyright infringing material onto a P2P service at 3 p.m. on 1 January 2010. The ISP will then be able to connect such IP address to the name of the subscriber to whom it assigned this address and thus ascertain his/her identity.

27.

If one considers the definition of personal data provided in Article 2 of Directive 95/46/EC, ‘any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number’ (18), it is only possible to conclude that IP addresses and the information about the activities linked to such addresses constitutes personal data in all cases relevant here. Indeed, an IP address serves as an identification number which allows finding out the name of the subscriber to whom such IP address has been assigned. Furthermore, the information collected about the subscriber who holds such IP address (‘he/she uploaded certain material onto the Web site ZS at 3 p.m. on 1 January 2010’) relates to, i.e. is clearly about the activities of an identifiable individual (the holder of the IP address), and thus must also be considered personal data.

28.

These views are fully shared by the Article 29 Working Party which, in a document on data protection issues related to intellectual property rights stated that IP addresses collected to enforce intellectual property rights, i.e. to identify Internet users who are alleged to have infringed intellectual property rights, are personal data insofar as they are used for the enforcement of such rights against a given individual (19).

29.

Directive 2002/58/EC is applicable as well, as three strikes Internet disconnection policies entail the collection of traffic and communication data. Directive 2002/58/EC regulates the use of such data and provides for the principle of confidentiality of communications made over public communications networks and of the data inherent in those communications.

30.

Article 8 ECHR sets forth the principle of necessity pursuant to which any measure that infringes the right to privacy of individuals is only allowed if it constitutes a necessary measure within a democratic society to the legitimate aim it pursues (20). The principle of necessity can also be found in Articles 7 and 13 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC (21). The principle requires an analysis of the proportionality of the measure, which must be assessed on the basis of a balance of the interests involved, which is placed in the context of the democratic society as a whole (22). It furthermore implies an assessment as to whether alternative measures exist which are less intrusive.

31.

Although the EDPS acknowledges the importance of enforcing intellectual property rights, he takes the view that a three strikes Internet disconnection policy as currently known — involving certain elements of general application — constitutes a disproportionate measure and can therefore not be considered as a necessary measure. The EDPS is furthermore convinced that alternative, less intrusive solutions exist or that the envisaged policies can be performed in a less intrusive manner or with a more limited scope. Also on a more detailed legal level the three strikes approach poses problems. These conclusions will be explained below.

32.

The EDPS wishes to emphasise the far-reaching nature of the imposed measures. The following elements must be mentioned in this regard:

33.

The EDPS is not convinced that the benefits of the measures outweigh the impact on the fundamental rights of individuals. The protection of copyright is an interest of right holders and of society. However, the limitations on the fundamental rights do not seem justified, if one balances the gravity of the interference, i.e. the scale of the privacy intrusion as highlighted by the above elements, with the expected benefits, deterring the infringement of intellectual property rights involving — for a great part — small-scale intellectual property infringements. As indicated by the Opinion of Advocate General Kokott in Promusicae: ‘It is … not certain that private file sharing, in particular when it takes place without any intention to make a profit, threatens the protection of copyright sufficiently seriously to justify recourse to this exception. To what extent private file sharing causes genuine damage is in fact disputed’ (25).

34.

In this context, it is also worth recalling the European Parliament’s reaction to ‘three strikes schemes’ in the context of the review of the telecoms package, particularly Amendment 138 to the Framework Directive (26). In this amendment it was laid down that any restriction to fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the ECHR and with general principles of Community law, including effective judicial protection and due process (27).

35.

In this view, the EDPS further underlines that any limitation to fundamental rights will be subject to careful scrutiny both at EU and national level. In this context, a parallel can be drawn with the Data Retention Directive 2006/24/EC (28), which derogates from the general data protection principle of deletion of data when they are no longer necessary for the purpose for which they were collected. This directive requires that traffic data are retained for the purpose of combating serious crime. It has to be noted that retention is only allowed for ‘serious crime’, that the retention is limited to ‘traffic data’ which in principle excludes information about the content of communications, and that stringent guarantees are adduced. Nevertheless, doubts have been raised on its compatibility with fundamental rights standards; the Romanian Constitutional Court decided that blanket retention is incompatible with fundamental rights (29), and there is currently a case pending before the German Constitutional Court (30).

36.

The findings above are strengthened by the fact that less intrusive means for achieving the same purpose exist. The EDPS insists that such less intrusive models should be investigated and tried.

37.

In this context, the EDPS recalls that the amended Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services (referred to as ‘Citizens Rights Directive’), which is part of the recently reformed telecoms package, contains certain rules and procedures to limit small-scale copyright infringement among consumers (31). Such procedures include the obligation by Member States to produce standardised public interest information on various topics, specifically mentioning infringements of copyright and related rights, and their legal consequences (32). Member States can then request ISPs to distribute it to all their customers, and to include it within their contracts.

38.

The system is meant to inform and dissuade individuals from disseminating copyrighted information and engaging in infringing activities, while avoiding monitoring of internet usage and related privacy and data protection concerns. The Citizens Rights Directive must be implemented in May 2011; thus, such procedures are not in place yet. Therefore, there have been no opportunities to test their benefits yet. Thus, it seems premature to overlook the potential beneficial outcome of these new procedures and embrace instead ‘three strikes disconnecting policies’, which are far more limiting of fundamental rights.

39.

In addition to the above, it should be recalled that Directive 2004/48/EC of 28 April 2004 on the enforcement of intellectual property rights provides for various tools to enforce intellectual property rights before courts (discussed below in paragraphs 43 and s.) (33).

40.

The IPRE Directive has only recently been transposed into Member States laws. So far there has not been sufficient time to evaluate whether its provisions are appropriate for the purposes of enforcing intellectual property rights. Therefore, any need to replace the current system based on court proceedings, which has not been tested yet, is at least doubtful. The above raises the inevitable question of why existing infringements cannot be appropriately addressed by existing civil and criminal penalties for copyright infringement. Thus, before proposing such policy measures, the Commission should produce reliable information showing that the current legal framework has failed to produce its intended effects.

41.

Furthermore, it is unclear whether any serious thought has been given to alternative economic business models which would not involve the systematic monitoring of individuals. For example, if copyright holders demonstrate their losses due to P2P usage, right holders and ISPs might, for example, trial differentiated Internet access subscriptions where part of the price for a subscription with unlimited access is distributed to copyright holders.

42.

Apart from the use of completely different models, which as indicated should be investigated and tested, targeted monitoring could in any event be operated in a less intrusive manner.

43.

The purpose of enforcing intellectual property rights can also be achieved by the monitoring of only a limited number of individuals suspected of engaging in non-trivial copyright infringement. The IPRE Directive provides some guidance in that respect. It sets forth the conditions under which authorities may order that personal data held by Internet access providers be disclosed for the purposes of enforcing intellectual property rights. Article 8 provides that ISPs may be ordered by competent judicial authorities to provide personal information that they hold about alleged infringers (e.g. information on the origin and distribution networks of the goods or services which infringe an intellectual property right) in response to a justified and proportionate request in cases of infringements on a ‘commercial scale’ (34).

44.

Accordingly, the ‘commercial scale’ criterion is decisive. Pursuant to this criterion, monitoring may be proportionate in the context of limited, specific, ad hoc situations where well-grounded suspicions of copyright abuse on a commercial scale exist. This criterion could encompass situations of clear copyright abuse by private individuals with the aim of obtaining direct or indirect economic commercial benefits.

45.

In practice, to make the above effective, copyright holders might engage in targeted monitoring of certain IP addresses in order to verify the scale of the copyright violation. This would mean that copyright holders would also be allowed to keep track of reports alleging infringement for the same purposes. Such information should only be used after having verified the significance of the infringement. For example, clear cases of major infringements as well as non-significant yet continuous infringements, over a certain period of time, for the purpose of commercial advantage or financial gain. The need for continuity within certain periods of time is emphasised and further explained below in the discussion related to the conservation principle.

46.

This would mean that in such cases, the collection of information for the purposes of demonstrating alleged Internet abuse may be deemed proportionate and necessary for the purposes of preparing legal proceedings, including litigation.

47.

The EDPS considers, as an additional guarantee, that the data processing operations aimed at gathering such type of evidence should be prior checked and authorised by national data protection authorities. These views are based on the fact that the data processing operations would present specific risks to the rights and freedoms of individuals in the light of their purposes, i.e. carrying out enforcement actions which could eventually be criminal and in the light of the sensitive nature of the data collected. The fact that the processing involves monitoring of electronic communications is an additional factor that calls for enhanced supervision.

48.

The EDPS considers that the ‘commercial scale’ embodied in the IPRE Directive is a very appropriate element to set the limits of the monitoring in order to respect the principle of proportionality. Furthermore, there does not appear to be reliable evidence showing under the criteria set forth under IPRE that effective legal action against copyright infringement proves not possible or ineffective. For example, reports such as from Germany, where since 2008, following the transposition of the IPRE Directive, there have been about 3 000 court orders pursuant to which ISPs have disclosed to courts the subscriber information of 300 000 subscribers, seem to suggest the opposite.

49.

In sum, since the IPRE Directive has only been in force for two years, it is difficult to understand why legislators would move from the criteria embodied in this Directive to more intrusive methods when the EU is just beginning to test those recently adopted. For the same reason it is also difficult to understand the need for replacing the current court based system by other type of measures (in addition to raising questions of due process, which are not addressed here).

50.

There are other more specific legal reasons why the three strikes approach is problematic from a data protection point of view. The EDPS would like to highlight the doubtful legal ground for the processing, which is required by Directive 95/46/EC, and the obligation contained in Directive 2002/58/EC to discard log files.

51.

Three strikes approach schemes entail the processing of personal data, some of which will be used for the legal or administrative procedures towards cutting Internet access to repeated infringers. From this perspective, such data qualifies as sensitive data under Article 8 of Directive 95/46/EC. Article 8(5) establishes that ‘Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law …’.

52.

In this context, it is pertinent to recall the Article 29 Working Party document mentioned before, which discusses the issue of processing judicial data (35). The Working Party states that ‘While any individual obviously has the right to process judicial data in the process of his/her own litigation, the principle does not go as far as permitting in depth investigation, collection and centralisation of personal data by third parties, including in particular, systematic research on a general scale such as the scanning of the Internet (…). Such investigation falls within the competence of judicial authorities’ (36). While the collection of targeted, specific evidence, particularly in cases of serious infringements may be necessary to establish and exercise a legal claim, the EDPS fully shares the views of the Article 29 Working Party on the lack of legitimacy of wide scale investigations involving the processing of massive amounts of data of Internet users.

53.

The discussion on the principle of proportionality described above and the ‘commercial scale’ criterion are relevant to determine in which conditions the collection of IP addresses and related information will be legitimised.

54.

ISPs might try to legitimise the processing carried out by copyright holders by inserting clauses in their customer's contracts allowing the monitoring of their data and the cutting of their subscriptions. By entering into such contracts, customers would be deemed to have agreed to the monitoring. However, this practice raises first the basic question as to whether individuals can give consent to ISPs for a data processing that will be carried out not by the ISP but by third parties which are not under the ‘authority’ of the ISP.

55.

Second, there is the question of the validity of consent. Article 2(h) of Directive 95/46/EC defines consent as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. An important point is that in order to be valid, consent, whatever the circumstances in which it is given, must be a freely given, specific and informed indication of the data subject’s wishes, as defined in Article 2(h) of the Directive. The EDPS has serious doubts as to whether individuals asked to consent to the monitoring of their Internet activities will have the opportunity to make a genuine choice — especially because the alternative will be having no Internet access, thus potentially jeopardising many other areas of their life.

56.

Thirdly, it is highly questionable whether any such monitoring could ever be considered necessary for the performance of a contract to which the data subject is a party, as required in Article 7(b) of Directive 95/46/EC, since the monitoring is obviously not an object of the contract entered into by the data subject, but only a means for the ISP to serve other interests.

57.

Under Directive 2002/58/EC, more in particular its Article 6, traffic data such as IP addresses may only be collected and stored for reasons directly related to the communication itself, including billing, traffic management and fraud prevention purposes. Afterwards, the data must be erased. This is without prejudice to the obligations under the Data Retention Directive which, as discussed, requires the conservation of traffic data and its release to police and prosecutors to aid in the investigation of a serious crime only  (37).

58.

In accordance with the above, Internet service providers should discard any log file revealing Internet users’ activities that is no longer required for the above purposes. Taking into account that log files are not necessary for billing purposes, it would appear that three or four weeks should be sufficient for ISP for traffic management purposes (38).

59.

This means that, when contacted by copyright holders, unless such contact occurred within the limited period outlined above, ISPs should not have the log files linking the IP addresses to the relevant subscribers. Retaining the log files beyond such period should only be done for justified reasons within the scope of the purposes provided by law.

60.

In practical terms this means that, unless carried out very quickly, copyright holder's requests addressed to IPSs will not be able to be fulfilled, simply because the ISP will no longer have the information. This in itself sets the boundaries of what is meant by acceptable monitoring practices described in the above section.

61.

The EDPS is furthermore concerned not only about the privacy and data protection impact of three strikes Internet disconnection policies but also about their spillover effects. If three strike Internet disconnection policies are allowed, they could be a slippery slope towards legitimising even more massive surveillance of Internet users’ activities, in different areas and for different purposes.

62.

The EDPS urges the Commission to ensure that ACTA does not go further and against the current EU regime for enforcement of IPRs, which respects fundamental rights and freedoms and civil liberties, such as the protection of personal data.

63.

One of the means put forward by ACTA participants in order to tackle the issue of IPR enforcement is to enhance international cooperation, with a number of measures that would allow for the effective enforcement of intellectual property rights in the jurisdictions of ACTA signatories.

64.

In view of the information available, it can be foreseen that a number of the measures planned for ensuring enforcement of intellectual property rights will involve international sharing of information about alleged IPR infringements amongst public authorities (such as custom authorities, police and justice) but also between public and private actors (such as ISPs and IP right-holders organisations). Such data transfers raise a number of issues from a data protection viewpoint.

65.

In the current state of the negotiations’ process in which a number of concrete data processing elements remain either undefined or unknown, it is impossible to verify whether the proposed framework of measures is in accordance with fundamental data protection principles and EU data protection law.

66.

It can be questioned first whether data transfers to third countries in the context of ACTA are legitimate. The relevance of adopting measures at international level in that field can be questioned as long as there is no agreement within the EU member states over the harmonisation of enforcement measures in the digital environment and the types of criminal sanctions to be applied (39).

67.

In view of the above, it appears that the principles of necessity and proportionality of the data transfers under ACTA would be more easily met if the agreement was expressly limited to fighting the most serious IPR infringement offences, instead of allowing for bulk data transfers relating to any suspicions of IPR infringements. This will require defining precisely the scope of what constitutes the ‘most serious IPR infringement offences’ for which data transfers may occur.

68.

Moreover, particular attention should be paid to the persons involved in the data exchanges, and whether data will only be shared amongst public authorities or if they will also involve exchanges between private actors and public authorities. As outlined earlier in this opinion, the involvement of private actors in an area that is in principle under the competence of law enforcement authorities raises a number of concerns (40). The conditions under which private actors will be involved in collecting and exchanging with public authorities personal data relating to IPR infringements should be strictly limited to specific circumstances, with appropriate guarantees.

69.

The general data protection framework applicable in the EU is set forth in Directive 95/46/EC. Articles 25 and 26 of Directive 95/46/EC define the regime applicable for transfers of data to third countries. Article 25 requires that transfers are only done to countries that ensure an adequate level of protection, or otherwise such transfers are in principle prohibited.

70.

The level of adequacy afforded by third countries is assessed on a case-by-case basis by the European Commission, who issued several decisions recognising adequacy to a number of countries following a thorough analysis from the Article 29 Working Party (41).

71.

The EDPS notes that most of the participants to ACTA are not part of the list of countries providing adequate data protection drawn up by the Commission: with the exception of Switzerland and — in specific circumstances — Canada and the US, all other participants to ACTA are not recognised as providing an adequate level of protection. This means that for data to be transferred from the EU to these countries one of the conditions of Article 26(1) of Directive 95/46/EC must be fulfilled or appropriate safeguards must be adduced by the parties at the data transfer in accordance with Article 26(2) of the Directive.

72.

While Directive 95/46/EC constitutes the main data protection instrument in the EU, its scope is currently limited as it expressly excludes activities concerning, inter alia, the activities of the State in the area of criminal law (Article 3). Data exchanges for the purpose of criminal law enforcement will therefore fall outside the scope of Directive 95/46/EC and will be subject to the general data protection principles set forth in the Council of Europe Convention No 108 and its additional Protocol to which all EU member states are a party (42). In addition, the rules adopted by the EU concerning police and justice cooperation in the field of criminal matters that are set forth in the Council Framework Decision 2008/877/JHA will apply (43).

73.

These instruments also pose as a principle that there must be an adequate level of data protection in the third country to which data are to be transferred. A number of derogations are provided, in particular when the third country provides adequate safeguards. Similarly to data exchanges under Directive 95/46/EC, data exchanges in the field of criminal law enforcement will therefore require that appropriate safeguards are adduced between the parties to the data transfer for such transfer to take place.

74.

In the near future, new common rules for data protection applicable to all fields of activities of the EU can be expected to be adopted by the EU on the basis of Article 16 TFEU. This means that in a few years there might be a comprehensive EU data protection framework that sets out coherent rules for data protection across all fields of activities of the EU, which will impose the same level of safeguards and guarantees to all data processing activities. As was outlined by Viviane Reding (44), Commissioner for Justice, Fundamental Rights and Citizenship, this new framework should work as a single ‘modern and comprehensive legal instrument’ for data protection in the EU. Such a framework is particularly welcomed as it would bring more clarity and consistency as to the rules applicable in the EU in respect of data protection.

75.

In an international context, the EDPS also points at the Resolution on International standards for the protection of personal data and privacy adopted recently by data protection authorities, which is a first step towards establishing global data protection standards. (45) The International Standards include a number of data protection safeguards similar to those stated in Directive 95/46/EC and Convention No 108. Although the international standards have no binding force yet, they do provide useful guidance as to the data protection principles that can be voluntarily applied by third countries so that their legal framework is compatible with EU standards. The EDPS believes that ACTA signatories should also take into account the principles laid down in the International Standards when processing personal data from the EU.

76.

If the necessity of transferring personal data to third countries is demonstrated, the EDPS stresses that the European Union should negotiate with third country recipients — in addition to the agreement on ACTA itself — specific instruments that contain appropriate data protection guarantees to govern the exchange of personal data.

77.

Appropriate data protection safeguards should usually be set forth in a binding agreement between the EU and the third country recipient, by which the receiving party undertakes to respect EU data protection law and to provide individuals with the same rights and remedies as granted under EU law. The need for a binding agreement stems from Article 26(2) of Directive 95/46/EC and Article 13(3)(b) of the Framework decision and is furthermore supported by the existing practice of the EU of concluding specific agreements to allow specific data transfers to third countries (46).

78.

Similarly, under the draft international standards the recipient may be required to guarantee that he will afford the required level of protection for the transfer to take place. These guarantees could also take the form of a contractual commitment.

79.

The EDPS particularly stresses that international exchanges of information for law enforcement purpose are particularly sensitive from a data protection viewpoint, as such a framework could legitimise massive data transfers in a field where the impact on individuals is particularly serious, and where strict and reliable safeguards are all the more needed.

80.

The EDPS outlines that specific conditions and safeguards can only be defined on a case-by-case basis in the light of all the parameters of the data exchanges. For the purpose of guidance, the EDPS is however highlighting below some of the principles and safeguards that must be adduced by third party recipients for the transfers of data to take place:

81.

The EDPS strongly encourages the European Commission to establish a public and transparent dialogue on ACTA, possibly by means of a public consultation, which would also help ensuring that the measures to be adopted are compliant with EU privacy and data protection law requirements.

82.

In the course of the ongoing negotiations on ACTA, the EDPS calls on the European Commission to strike a right balance between demands for the protection of intellectual property rights and the right to privacy and data protection. The EDPS emphasises that it is particularly crucial that privacy and data protection are taken into account from the very beginning of the negotiations before any measure is agreed upon so as not later on having to find alternative privacy compliant solutions.

83.

While intellectual property is important to society and must be protected, it should not be placed above individuals’ fundamental rights to privacy, data protection, and other rights such as presumption of innocence, effective judicial protection and freedom of expression.

84.

Insofar as the current draft of ACTA includes or at least indirectly pushes for three strikes Internet disconnection policies, ACTA would profoundly restrict the fundamental rights and freedoms of European citizens, most notably the protection of personal data and privacy.

85.

The EDPS takes the view that three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.

86.

The three strikes Internet disconnection policies are also problematic on a more detailed legal level in particular as the processing of judicial data, notably by private organisations, must be based on an appropriate legal basis. The operation of three strikes schemes may further entail the storage of log files on a longer term, which would be contrary to existing legislation.

87.

Furthermore, as far as ACTA involves exchanges of personal data between authorities and/or private organisations located in the signatory countries, the EDPS calls on the European Union to implement appropriate safeguards. These safeguards should apply to all data transfers made in the context of ACTA — whether they are in the field of civil, criminal, or digital law enforcement — and should be in accordance with the data protection principles set forth in Convention No 108 and Directive 95/46/EC. The EDPS recommends that such safeguards take the form of binding agreements between EU senders and third country recipients.

88.

The EDPS further wishes to be consulted on the measures to be implemented in respect of the data transfers that will take place under ACTA in order to verify their proportionality, and that they guarantee an adequate level of data protection. The EDPS further wishes to be consulted on the measures to be implemented in respect of the data transfers that will take place under ACTA in order to verify their proportionality, and that they guarantee an adequate level of data protection.