Privacy challenges facing the European Union from ACTA

Since the early ‘70s, European countries have adopted a comprehensive legal framework on personal data protection that aims to balance the free flow of information for market purposes with an adequate level of protection for the right of privacy. This framework includes several Directives on the matter, such as the Data Protection Directive and the Data Retention Directive, among others. The European Union authority that supervises compliance with those laws is the Article 29 Working Party, also known as WP29, which is composed of the European Data Protection Authorities. Two weeks ago, in a letter to the European Commission based on the public release of the ACTA draft, the WP29 concluded that several of the proposed measures of the ACTA interfere with the right to privacy, and called them into question for future negotiations. Why is the WP29 concerned?

Unlike any previous international instrument on intellectual property, ACTA is the first one that includes provisions on the privacy of individuals.[1] And while we are pleased that the subject of personal privacy has been explicitly raised in the ACTA negotiations, we note that so far, the provisions do not protect the right of people with respect to their personal data, so much as make concessions for purposes of intellectual property enforcement. Furthermore, we note that some of those concessions are inconsistent with EU legal norms, and in general show a lack of consideration for the privacy of individuals, by omitting certain pro-privacy flexibilities, limitations, and safeguards that one would expect in a serious agreement like this.

Indeed, by the eighth round of negotiations, ACTA still did not have a provision that guarantees the protection of privacy in domestic law, but a mere expressed intention to include one (Article 1.4).

The WP29 specifically called attention to three sets of provisions in the ACTA that would seriously affect the right to privacy: those related to the three strikes policy, the notice-and-take-down procedure, and the searches of personal luggage by customs authorities.

The WP29 observed that the current text of the ACTA at the very least encourages the implementation of the controversial three strikes policy, which requires disconnecting purported intellectual property infringers, by collaboration between Internet service providers and right holders. Even worse, this policy does not seem limited to piracy and counterfeiting, which was the initial purpose of negotiating the ACTA, but it would extend to infringement of any kind of intellectual property rights, even patents (Articles 2.18.3 and 2.18.3 quater).

In relation to the notice-and-take-down procedures, the main concern of the WP29 is that the ACTA sets forth the obligation to identify subscribers of online service providers in both criminal and civil enforcement actions. This is inconsistent with the EU legal norms that only require disclosure of personal data of Internet users for criminal purposes (such as Article 1 of the Data Retention Directive and the Convention on Cybercrime). Also, the WP29 noted the ACTA does not adopt any temporal limitation for the processing of personal data by Internet service providers, which is another possible conflict with EU legal norms (See Article 6 Data Retention Directive).

KEI has further concerns about the proposed ACTA procedures relating to notice-and-take-down of infringing content, and for identifying users of Internet services or content.

• First, the proposed Article 2.18.3 ter is at odds with the literal wording of Article 15.2 of the E-Commerce Directive. ACTA would extend the obligation to identify users to firms that only provide access to the Internet in their capacity as conduits.[2]
• Second, unlike EU law (Article 5 Data Retention Directive and Article 1 Convention on Cybercrime), the ACTA lacks precision (and useful boundaries), because it does not indicate exactly what personal data of Internet users must be collected and processed by online service providers.
• Third, while EU law limits the collection of personal data generated or processed by providers of publicly available electronic communications services or of a public communications network (Article 3 Data Retention Directive), ACTA undermines that standard (See the definition of an online service provider in footnotes 50 and 55 of the April 2010 draft), by applying the obligations to online service providers that are not yet addressed in the current EU Directives, such as private network services.
• Fourth, the current draft of ACTA fails to provide sufficient protections from inappropriate or abusive uses of the identifying procedures; in fact, it privileges expeditious access to data, without mentioning either substantive or procedural safeguards. This can be contrasted with the EU law (See, European Court of Justice, decision on Case C-275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU; and Article 5 Data Retention Directive).

With respect to searches of personal luggage by customs authorities, the WP29 noted that the ACTA allows countries to exclude from the application of the section on border measures small quantities of goods of a non-commercial nature contained in travelers’ personal luggage (or sent in small consignments) (Article 2.X), but does not go beyond this possible exception to provide mandatory protections of personal privacy.

Surprisingly, in spite of its previous work on the matter, the WP29 did not address the privacy ramifications of the ACTA provisions on providing protection for effective technological measures (Articles 2.18.4 and 2.18.5).

In addition to the concerns of the WP29, several months back the European Data Protection Supervisor expressed concerns about the potential incompatibility between envisaged ACTA measures and EU data protection requirements. In an opinion, the European supervisor called attention to the provision dealing with the three strikes policy, which did not satisfy the test of proportionality, and where less intrusive solutions could be considered. Also, the supervisor noticed the lack of harmonization between the ACTA and the EU rules about international cooperation and the transfer of personal data to third countries, other than EU members, for purposes of intellectual property enforcement. The very purpose of building an adequate level of protection for European citizens could be undermined if data could be transferred to third countries that do not provide such levels of protection (Articles 25 and 26 of the Data Protection Directive). This is hardly a small point, as privacy protections vary greatly, and are almost non-existent in some countries that are likely to join the ACTA.

If the current text of the ACTA is approved, it will force the European Union to significantly modify both the community legal norms and the domestic laws of its members, in order to be in full compliance with the ACTA provisions. Those changes seem to undermine the European balance between the free flow of information for market purposes and an adequate level of protection for the right of privacy.

In closing, we note that even when the European Data Protection Authorities say that they have no reason to doubt the good intentions of the ACTA negotiators, they raise serious concerns about the harm of the draft ACTA provisions on citizens’ rights to privacy and personal data protection.


1. The WTO TRIPS Agreement does have certain provisions relating to confidential information, which are primarily relevant for businesses.

  • Article 42 of the TRIPS, on Fair and Equitable Procedures, provides that enforcement measures “shall provide a means to identify and protect confidential information, unless this would be contrary to existing constitutional requirements.”
  • Article 43 of the TRIPS, on Evidence, provides that in considering mechanisms to obtain evidence, WTO members provide for “conditions which ensure the protection of confidential information.”
  • Article 47, on the “Right of Information,” provides that obligations “to inform the right holder of the identity of third persons involved in the production and distribution of the infringing goods or services and of their channels of distribution” may be limited when the request is “out of proportion to the seriousness of the infringement.”

2. See also CDT, “ACTA Debate Gets Specific,” May 18, 2010, which, when considering US legal norms, states:
“Proposed Article 2.18.3 ter is flatly inconsistent with U.S. law. The proposed language would require each country to enable rights holders to “expeditiously obtain” from Internet service providers the identity of any subscriber that the rights holders claim are engaging in infringement. This conflicts with settled decision of two federal appeals courts, which have held that the DMCA does not require ISPs in their capacity as conduits to turn over subscriber information based on allegations of infringement. (See in re Charter Communications (8th Cir. 2005) and RIAA v. Verizon (D.C. Cir. 2003).)”