This document is the full report drafted by Teri Karobonik on the topic of Internet intermediary liability in Ireland. It was shortened and edited for use on the main Ireland page. We're providing the full document for policy-oriented individuals seeking greater detail than what is provided on the Ireland overview page.
Ireland’s largest ISP, Eircom, has been following a Three Strikes policy since May 2010 which suspends Internet users’ Internet access after receiving three allegations of copyright infringement from rightsholders. Since December 2010 Eircom has been following a policy of disconnecting Internet users for up to 12 months on a 4th allegation of copyright infringement.
This arises from an agreement between the Irish Recorded Music Association (IRMA) and Eircom, which settled a 2009 lawsuit brought by IRMA. Although this agreement only applies to Eircom, IRMA has sued  other Irish ISPs, seeking to obtain a similar agreement.In the lawsuit, IRMA demanded Eircom filter for potential copyright-infringing material over Eircom’s entire network. Eircom challenged this request. Before the court ruled on IRMA’s demand, however, Eircom and the IP rightsholders reached an out of court settlement in February of 2009 with different terms.
As part of the settlement agreement Eircom agreed to adopt and follow a three strikes Internet disconnection policy. In May 2010, Eircom launched a pilot Graduated Response program, under which it agreed to identify and forward successive copyright infringement notices to relevant subscribers. These notices would be sent out after IRMA supplied Eircom with the IP addresses that IRMA or its agents identified as having uploaded copyrighted works.
In December 2010 Eircom formally launched a Graduated Response regime as part of its new MusicHub service. In the current version, Eircom issues notices to subscribers which it matches to the relevant IP addresses, advising them that they have been identified as having uploaded or downloaded copyrighted material on a P2P network. If Eircom receives a third copyright infringement allegation, it suspends the relevant non-business subscribers’ Internet accounts for seven days. Eircom disconnects access for 12 months on receipt of a fourth copyright infringement allegation for the same IP address.
The Eircom Graduated Response process is described in a set of FAQs on Eircom’s website:
How will the graduated response work?
IRMA will provide eircom with notifications containing the IP addresses of the people they detect illegally uploading or downloading music content. Once eircom identifies the eircom account holder through their IP address eircom will:
- Contact the customer in writing to inform them that their IP address has been detected by IRMA, as infringing copyright. eircom will clearly advise the customer that such acts are illegal and will provide information on how the customer can avoid repeating the infringement.
- If the customer continues to engage in the illegal uploading or downloading of music content, eircom will issue a second warning letter to the customer indicating that unless the infringement ceases the customer will have their service withdrawn.
- Write to the customer for a third time to advise them that their service will be withdrawn for a seven day period as they continue to engage in the illegal uploading or downloading of music content. If the customer infringes a fourth time then the broadband service will be disconnected for a 12 month period.
As well as contacting customers via letter, eircom will also attempt to contact customers via telephone and a browser based pop up to advise them of the infringement and to assist them in ensuring their computers are not a source of copyright infringement.
eircom has set up a dedicated team to support customers through this process.
Subscribers who feel that they have been incorrectly identified or who are not responsible for the alleged illegal downloading can advise Eirocm’s technical team at the time of notification.
The settlement agreement between IRMA and Eircom went beyond merely imposing a three strikes policy. Under the agreement, "Eircom has agreed that it will not oppose any application our client may make seeking the blocking of access from their network to the Pirate Bay or similar websites." According to noted tech journalist Adrian Weckler this is particularly problematic:
Irma is drawing up a list of websites it doesn't like and Eircom will block them to all of its customers. And Irma is demanding that other ISPs do likewise, on pain of being sued.
Eircom says that it will only block a website if a court order requests it to. But it has undertaken not to oppose any application to a court, meaning the order is automatically granted. It's a technical way of getting out of taking responsibility for it.
IRMA has already used this clause of the settlement agreement to have Eircom block the Pirate Bay on its network. Although the blocking of a site that openly flouts copyright law might not inherently seem problematic, blogger Damien Mulley points out just how far reaching this settlement could be:
So first they’ll start with the Pirate Bay. Then comes Mininova, IsoHunt, then comes YouTube (they have dodgy stuff, right?), how long before we haveBoards.ie because someone quoted a newspaper article or a section of a book? And don’t think they’ll stop there too, any site that links to The Pirate Bay and the others on the hate list will probably be added to the list too[…]
I’m sure the business case for Eircom was they didn’t want any more costly High Court actions […] but this is going to open up a can of worms with IRMA demanding more and more attacks on how people surf the net, this is what it is in my view an attack on our freedom to read, our freedom to write, our freedom to move around the web. […]
And of course the costs of communications with IRMA and of the filtering is going to be passed on to the consumer. The cost of blocking a single site will be almost nothing I suppose but as more sites get added and as the arms race between the pirates and the ISPs escalates, then it’ll become complicated and complicated costs more. So again the majority get to pay[…]
Notably, the Irish government has also become involved in filtering web traffic. The Irish police force has recently been sending out letters to ISP’s asking them to block certain web pages that contain child porn. As Digital Rights Ireland points out in a blog post there are major problems with this policy because it "require[s] ISPs to take additional steps to monitor users, resulting in real risks to privacy. These risks are amplified in the case of the Garda proposals which – incredibly – would require ISPs to report details of web browsing without any legislative basis whatsoever."
Impact of the Settlement on Other ISPs
IRMA has sued [eight] another Irish ISPs to try to impose similar agreements to filter and adopt Three Strikes regimes.
UPC, an Irish cable network, refused to enter into an agreement with IRMA. In July of 2009, IRMA sued UPC claiming that UPC was liable for infringement because their network facilitated illegal file sharing.
In October of 2010, Justice Charleton denied IRMA’s request for an injunction against UPC. Although the court was sympathetic towards the music industry’s concerns, the judge ultimately concluded that the remedies sought for termination, filtering and blocking, could not be granted. The judge ruled that these steps could not be taken because Ireland had not fully implemented the 2000 EU e-Commerce and EU Directive 2002/21/EC into Irish copyright law thus failing to include provisions for "the blocking, diverting or interrupting of internet communications" for violations of copyright law."
Disclosure of Customer Information
Eircom is required to match the account names with the IP addresses provided to it by IRMA in order to send notices and to suspend or terminate the relevant accounts. However, Eircom has said that it will not share customer information with IRMA or any other party. Eircom’s FAQ also states that IRMA is using a third party (Dtecnet) to obtain IP addresses that are allegedly engaged in illegal downloading and sharing of music. In light of concerns raised by the Irish Data Protection Commissioner (see below), the FAQ also states that "Eircom has sought and received assurance from IRMA that the process is fully legal and approved by the High Court. The Court has confirmed that the process is in their view in accordance with Data Protection Legislation." The matter may not be as settled at the FAQ suggests. In June 2011the Irish Data Protection Commissioner announced that it had opened a further inquiry into whether the Eircom-IRMA agreement Three Strikes process violates Irish data protection law.
The identification process gives rise to several public policy concerns. Terminating particular users’ Internet access based on matching of IP addresses is particularly problematic. As this thoughtful editorial by Dr. Richard Tynan explains, IP addresses can’t necessarily be reliably linked to individuals. Record companies made this mistake when they accused wireless printers of file sharing. The Eircom-IRMA agreement effectively creates liability for operating a non-secured open wireless network. This is particularly problematic because Eircom has apparently supplied up to 250,000 of its own subscribers with modems that cannot be easily secured.
This agreement means that the actions of one member of a household can result in the Internet being shut off to the entire family. In Ireland, as in the US, a parent is not legally liable for the actions of their child in most cases; nor is a husband legally liable for the actions of his wife. Imposing legal sanctions on the inhabitants of an entire household, even if those parties did not engage in copyright infringement, completely changes the way in which the law currently assigns liability.
Some unfortunate Eircom customers have already found this out the hard way. Due to a computer glitch caused by daylight savings time, roughly 300 users were falsely accused of copyright infringement and given their first strike. Although Eircom has said that it has corrected the problem, it is troubling that problems with basic server maintenance could lead to citizens being cut off the Internet.
Background: Data protection
In 2005, IRMA sued Eircom and a few other ISP’s for refusing to turn over the IP addresses of 16 individuals suspected of copyright infringement on the basis that it would violate Ireland’s data protection laws. The court ordered Eircom to turn over "the name, postal address and telephone number" of the users registered to those IP address. The court reasoned that although privity of contract would normally dictate a duty of privacy between ISP and subscriber, privity could not be used to protect a subscriber who committed illegal acts.
One of the stipulations of the agreement between IRMA and Eircom was that Eircom would only comply with the settlement if it complied with EU data protection legislation. In February of 2010, the office of the Data Protection Commissioner claimed that using IP addresses of consumers to cut them off the Internet is not "fair use" of personal information, and therefore the settlement was unenforceable.
Eircom and IRMA found themselves in court once again to see if the settlement agreement complied with Ireland’s data protection laws. At the crux of the case was whether IP addresses were personally identifiable information, and if so, whether complying with the settlement would be unlawful ""under Irish data protection law.
Eircom argued that recent amendments to the EU telecom directive guarantee all individuals a right to a judicial hearing before depriving them of an Internet connection. Even if ISP address aren’t personally identifiable information, cutting users off an Internet connection after three accusations of copyright infringement, could be considered a disproportionate response and is therefore illegal under EU law.
Unfortunately, the Irish data commissioner failed to make an appearance at the Eircom hearing due to cost concerns. Because the commissioner was not present, the only evidence presented was presented by EMI, essentially leaving Irish citizens without a voice in the proceedings.
In April of 2010, Justice Charleton ruled that the original settlement agreement did comply with Irish data protection laws. Justice Charleton determined this by answering three questions posed by the Data Protection Commissioner. First, does the collection of IP address by Eircom to provide to EMI constitute personal data under the1988 Irish Data Protection Act? Second if an IP address constitutes "personal data," is using that data "necessary for the purposes of the legitimate interests pursued by [Eircom]" or does it instead result in a violation of fundamental rights? Third, is the personal data "sensitive" because it is involved in the prosecution of a criminal offense?
In answer to the first question, Justice Charleton determined that an IP address was not "personal data" under the Irish Data Protection Act of 1988 because it does not identify a living individual. Moreover, even if it did, at no time would Eircom disclose that information to IRMA in violation of the Act.
In answer to the second question, even though an IP address is not considered personal data, the Justice determined that Eircom’s use of IP addresses to identify which users’ Internet connection to disconnect is lawful. He took this position because infringement of copyright law is a violation of Ericom’s terms of service, and because using an IP address to terminate the service of infringing users is necessary for the legitimate purpose of enforcing Eircome’s contract.
In answer to the third question, Justice Charleton found that although violating copyright law can result in criminal penalties, neither Eircom nor IRMA were pursuing criminal charges against copyright infringers. Just because personal information is related to something that could result in criminal charges, it is insufficient to invoke the extra protections granted by the Data Protection Act of 1988 to "sensitive personal data." Since the data would only be used for civil law purposes, its use for this process did not violate Irish data protection law.
The Irish Data Commissioner announced in June 2011 that it was opening an investigation in to the legality of the identification process and agreement made by Eircom and IRMA under Irish law. The action was taken after an aggrieved customer filed a complaint after mistakenly receiving a first strike notice from Eircom. Eircom had mis- identified and mistakenly sent first strike notices to 300 of its customers following problems with server maintenance after daylight savings time change. As Irish Law Lecturer TJ McIntyre notes if the Irish Data Protection Commissioner finds, as it did previously, that using IP addresses to terminate subscribers’ Internet access is disproportionate and is not fair use of personal information, the Commissioner could issue an enforcement notice preventing Eircom from using customers’ personal data for this purpose. This measure would then likely require courts to consider the legality of the agreement under EU and Irish law again.
Facts and Figures
- As of 2009, content owners spent over €600,000 in legal expenses against Irish illegal music downloaders, but only gained €70,000 in the process.
- According to data presented at trial by IRMA, illegal downloading is costing record labels roughly €20m annually, which is on par with other statistics released by IRMA stating that $125 Million is lost to software pirates every year in Ireland.
- Since Eircom imposed their three strikes policy, they’ve been losing customers at an alarming pace, with some estimating up to 1000 users a month. While UPC (which refused to instate a three strikes regime) increased their subscribers by 60% during the same time period. Athough it is unclear if the two company’s respective three strikes policies came into play, it’s interesting to consider the impact of these policies in a competitive market for ISP services.