Irish "three strikes" system investigated by Data Protection Commissioner
This article is also available in:
Deutsch: Datenschutzbehörde prüft irisches "Three-Strikes"-System
The Irish Data Protection Commissioner is investigating the Eircom / music industry three strikes system, a report in the Sunday Times has revealed. According to the story by Mark Tighe, predictions that Eircom would end up falsely accusing innocent users have now proved correct, with over 300 users wrongfully being sent a "first strike" letter accusing them of sharing music.
Eircom have admitted to the mistakes, stating that "this was due to a software failure caused when the clocks went back last October". However, far from being a technical sounding "software failure", this appears to show up failings in relation to a very basic aspect of network management - i.e. making sure that the server clock reflects daylight savings time. As a result, it seems that users found themselves being accused on the basis of what somebody else did from the same IP address either an hour earlier or an hour later. Consequently, the users who were wrongfully accused should consider themselves lucky that this incompetence did not lead to their being accused of a serious crime - for example, being arrested and having their homes searched due to the wrong time being used (as has previously happened e.g. to a number of Indian users).
The significance of this case goes well beyond simple technical failings however, as the complaint to the Data Protection Commissioner has triggered a wider investigation of the legality of the entire three strikes system. According to the Sunday Times, "the DPC said it was investigating the complaint 'including whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry'."
This is unsurprising. When the Eircom / music industry three strikes settlement was being agreed, the Data Protection Commissioner identified significant data protection problems with it. These problems remain, notwithstanding the deeply flawed High Court judgement which permitted the parties to operate the system - a judgement which, for example, decided on the question of whether or not IP addresses are personal data without once considering the views of the Article 29 Working Party. The Data Protection Commissioner was not convinced by that judgement (it was problematic at least in part because the Commissioner was not represented - the only parties before the court had a vested interest in the system being implemented). However, until a concrete complaint arose no further action could be taken.
The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers' internet connections is disproportionate and does not constitute "fair use" of personal information. If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose - an outcome which would derail the three strikes system unless Eircom successfully challenges that notice before the courts, or unless the music industry were to succeed in its campaign to secure legislation introducing three strikes into Irish law.
Eircom investigated after falsely accusing customers of piracy (5.05.2011)
Data Protection Commissioner investigating Eircom's "three strikes" system
(Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)