Irish "three strikes" system investigated by Data Protection Commissioner

By EDRi · June 15, 2011

This article is also available in:
Deutsch: [Datenschutzbehörde prüft irisches “Three-Strikes”-System | http://www.unwatched.org/EDRigram_9.12_Datenschutzbehoerde_prueft_irisches_Three_Strikes_System?pk_campaign=edri&pk_kwd=20110623]

The Irish Data Protection Commissioner is investigating the Eircom / music
industry three strikes system, a report in the Sunday Times has revealed.
According to the story by Mark Tighe, predictions that Eircom would end up
falsely accusing innocent users have now proved correct, with over 300 users
wrongfully being sent a “first strike” letter accusing them of sharing
music.

Eircom have admitted to the mistakes, stating that “this was due to a
software failure caused when the clocks went back last October”. However,
far from being a technical sounding “software failure”, this appears to show
up failings in relation to a very basic aspect of network management – i.e.
making sure that the server clock reflects daylight savings time. As a
result, it seems that users found themselves being accused on the basis of
what somebody else did from the same IP address either an hour earlier or an
hour later. Consequently, the users who were wrongfully accused should
consider themselves lucky that this incompetence did not lead to their being
accused of a serious crime – for example, being arrested and having their
homes searched due to the wrong time being used (as has previously happened
e.g. to a number of Indian users).

The significance of this case goes well beyond simple technical failings
however, as the complaint to the Data Protection Commissioner has triggered
a wider investigation of the legality of the entire three strikes system.
According to the Sunday Times, “the DPC said it was investigating the
complaint ‘including whether the subject matter gives rise to any questions
as to the proportionality of the graduated response system operated by
Eircom and the music industry’.”

This is unsurprising. When the Eircom / music industry three strikes
settlement was being agreed, the Data Protection Commissioner identified
significant data protection problems with it. These problems remain,
notwithstanding the deeply flawed High Court judgement which permitted the
parties to operate the system – a judgement which, for example, decided on
the question of whether or not IP addresses are personal data without once
considering the views of the Article 29 Working Party. The Data Protection
Commissioner was not convinced by that judgement (it was
problematic at least in part because the Commissioner was not represented –
the only parties before the court had a vested interest in the system being
implemented). However, until a concrete complaint arose no further action
could be taken.

The complaint in this case has now triggered that action, and it seems
likely that the Commissioner will reach a decision reflecting his previous
views that using IP addresses to cut off customers’ internet connections is
disproportionate and does not constitute “fair use” of personal information.
If so, the Commissioner has the power and indeed the duty to issue an
enforcement notice which would prevent Eircom from using personal data for
this purpose – an outcome which would derail the three strikes system unless
Eircom successfully challenges that notice before the courts, or unless the
music industry were to succeed in its campaign to secure legislation
introducing three strikes into Irish law.

Eircom investigated after falsely accusing customers of piracy (5.05.2011)
http://www.thesundaytimes.co.uk/sto/news/ireland/article642095.ece

Data Protection Commissioner investigating Eircom’s “three strikes” system
(11.06.2011)
http://www.tjmcintyre.com/2011/06/300-false-accusations-data-protection.html

(Contribution by TJ McIntyre – EDRi-member Digital Rights Ireland)