The latest leak of the ACTA (Anti-counterfeiting Trade Agreement)  from 25 August 2010, threatens  to undermine EU privacy law.


The August 25 2010 draft of ACTA  contains a  provision which is intended to permit rights-holders to get access to users' personal  data. The intention is that they can get hold of contact data which matches IP addresses that have been found via surveillance of P2P networks, and the reason for it is to facilitate graduated response/ 3-strikes measures.

 The ACTA provision is currently set out with two options. One option calls for  information sufficient to identify an alleged 

infringer'.   The other calls for ‘information of the relevant subscriber'. In neither case is it clear whether the rights-holder should go to court to get this information.


The EU aqcuis communitaire  explicitly makes provision for protection of users' personal data. EU law  is also clear as to the situations in which communications traffic data may be retained by ISPs, for how long and for what purposes. Copyright enforcement is not one of those purposes. And web browsing is not among the data to be retained.


There is no agreement on the validity of the IP address for identifying individual users in cases of copyright infringement, indeed the prevailing thinking suggests that such use is highly problematic. Witness the current policy debate in the UK over the Digital Economy Act. 

It should also be questioned whether the law permits - let alone mandates - the retaining of web browsing data for the purpose of identifying copyright infringers.

The ruling in the case of Promusicae v Telefonica states  that Member States are not obligated to ask ISPs to hand over data, although they are not prevented from doing so either. It further states  that courts should take account of the principle of proportionality.  This ruling has even been  embedded in the EU legal framework  within the E-privacy directive.


The threat from ACTA is that it could tip the delicate balance implied in this judgement, creating  an obligation for EU countries to allow access to user data, where EU law currently does not have such an obligation.



Leaked draft of 25 August 2010


4. Each Party may provide, in accordance with its laws and regulations, that its

competent authorities have the authority to order an online service provider to disclose

expeditiously the information of the relevant subscriber to the right holders, who have

given legally sufficient claim with valid reasons to be infringing their {US: copyright or

related rights}{J/EU: intellectual property rights}.


[US/J/NZ: Each Party may provide,

in accordance with its laws and regulations, its competent authorities with the authority

to order an online service provider to disclose expeditiously to a right holder, or to a

person authorized by the right holder, 31 information sufficient to identify an alleged

infringer, where that right holder has filed a legally sufficient claim of infringement of

{US: copyright or related rights}{J/EU: intellectual property rights} and where such

information is being sought for the purpose of protecting or {enforcing the right

holder's {US: copyright or related rights}{J/EU: intellectual property rights.

This article is licensed under a Creative Commons Attribution Non-commercial-Share Alike 2.5 UK:England and Wales License. It may be used for non-commercial purposes only, and the author's name should be attributed. The correct attribution for this article is: Monica Horten (2010) ACTA could override EU privacy law 17 September 2010