Home About UK Music Policy Policy & Government Relations Submissions Education Events News & Press FAQs Links Mailing List
what's new contact us print this page (pdf) graphics version
Enter keyword & click search
Current section only
Submissions

Working document on data protection issues related to IPR
Comments by British Music Rights
5th April 2005

As the representative body of composers, songwriters, music publishers and their collecting societies in the UK, British Music Rights welcomes the opportunity to comment on the Working Document on data protection issues related to IPR prepared by the Article 29 Data Protection Working Party.

Two of our member organisations, the collecting societies PRS and MCPS, have considerable expertise in the area of data protection, both as holders and users of data; their database contains approximately 5 million works. Whilst the collecting societies process often very sensitive data, they also rely on publicly available data to manage and monitor the actual use of the works of their members in compliance with data protection legislation. Alongside their core business activity of licensing users of musical works, collection of fees and distribution of royalties, collecting societies also protect and enforce the rights of their members, the majority of which are individual composers and small to medium publishing companies which do not have the resources to conduct anti-piracy activities themselves.

Corresponding to our experience we provide specific comments on:

I. Objective

The legal framework already in existence represents a carefully established balance between the requirements and interests of all parties concerned and we remain to be convinced about the value added by the suggestions of the Working Party.

The Data Protection Directive (95/46/EC) establishes a harmonised level of data protection, also acknowledged in other Community instruments relevant in this area:

- Article 1 para 5 of the e-Commerce Directive (2000/31/EC) expressly orders the predominance of the provisions of the Data Protection Directive;

- Recital 57 of the Copyright Directive (2001/29/EC) deals with the interaction of rights management information and data protection;

- Article 8 para 3 (c) of the Enforcement Directive (2004/46/EC) expressly recognises the application of rules on confidentiality/ data protection in Intellectual Property proceedings.

The relevant European Directives have been, or are about to be, implemented in all European member states. Any interference with one specific aspect within the legal framework or its interpretation will endanger the established harmonised balance.

The relationship between Intellectual property proceedings and data protection is particularly addressed in Article 13 para 2 (d) of the Data Protection Directive which allows member states to restrict specific data protection rights where necessary to safeguard the prevention, investigation, detection and prosecution of criminal offences.

In some member states, certain acts of infringement of copyright incur criminal liability (see note 1), thus triggering certain restrictions in the application of data protection rules. In the UK, section 35 of the UK Data Protection Act 1998 provides for limited exemptions from the non-disclosure provisions "where the disclosure is required by or under any enactment, by any rule of law or by the order of a court." Importantly, the exemption from the non-disclosure provisions is essential to the work of private law enforcement bodies such as the MCPS Anti-Piracy Unit (the music industry organisation that investigates the illegal use of musical works on behalf of composers and music publishers in the UK).

II. Substantive concerns

"Digital Rights Management" and enforcement of copyright

The Working Document founds its argument regarding the relationship between data protection and copyright on an artificial separation of Digital Rights Management and enforcement of copyright; we urge the Working Party to set out a clear definition of what is understood by Digital Rights Management. In this respect it is useful to consider the legal framework (see note 2) for DRM which comprises two main elements:

- Technological protection measures, securing content and enforcing usage rules - through digital means e.g. encryption

- Rights management information, identifying and describing intellectual property and specifying the rules under which it can be used

The approach taken by the Working Party will lead to more confusion in this complex area.

Acquisition of data of individuals by right holders

The paragraphs on enforcement of copyright (see note 3) are misleading and factually inaccurate; the area covered in this part is already extensively regulated (see note 4) and has been subject to court decisions throughout the world; consequently we would seek further clarification on the conclusion of these paragraphs. We believe that current community legislation in the field of IP has been carefully drafted to take into consideration (and provide a balance with) data protection principles and that the "clear legal framework" mentioned in the conclusion of the paper is already in place. The Enforcement Directive (see note 5), for example, gives rightholders a right to information provided they make a justified and reasonable application to a court. However, in order to present a justified and reasonable request, a certain amount of background preparation is necessary and access to online data is an important aspect of this.

Identification requirement

The Working document argues that the requirement for users to identify themselves before downloading from an official music service provider exposes them to the risk of being targeted by spammers. This statement is misleading since legitimate music service providers already comply with stringent data protection and anti-spamming provisions in their business activities. Also, identification is required in online transactions to verify the identity of the buyer in view of the risks of credit card fraud (also acknowledged in the Working Document - see note 6).

Storage of data

The suggestion of the Working Party that the storage of data about their customers by ISPs should be prohibited could hamper the prosecution of serious offences. In the UK, storage of data has been addressed amongst others by the Anti-terrorism, Crime and Security Act 2001 and the Regulation of Investigatory Powers Act (RIPA) 2000.

Additionally, this would be inconsistent with the current obligations on data controllers to store data (e.g. for tax reasons).

"A priori" tracing

We urge further clarification of the comments disapproving the concept of "a priori" tracing. In our experience only if identifiers are applied a priori they can be traced, in particular given and placing identifiers a posteriori is not feasible. Tracing is an important tool in the detection of all types of cyber crime but would be impossible if identifiers were applied a posteriori, as seems to be the suggestion of the Working Party. Furthermore, collecting societies such as MCPS or PRS have no interest in using tracing functionality in order to monitor the preferences of users for marketing purposes.

Principles of necessity/ anonymity

The Working Party's concern regarding the anonymity of the Internet is unfounded because the possibility for private content providers to withhold their contact details already exists; it is not clear what further protection is required.

III. Terminology

During our examination of the document we came across some linguistic inaccuracies of the English version of the Working Document, including:

Copyright protected information

The Working Document continuously refers to the "control over copyright protected information" seemingly disregarding the fundamental difference between mere information on the one hand and creative works such as songs on the other. Only the latter is protected by copyright, in view of the copyright principle that only the individual expression of an idea, in our case the composer's own intellectual creation, is protected. This is also reflected in Article 2 (8) of the principal international agreement in the area of copyright, the Berne Convention of 1886 which excludes the protection of "miscellaneous facts having the character of mere items of press information."

Data detention

A further example of the rather casual use of language in the document relates to "data detention" (the technical term is data retention).

Acronyms

Further explanation of acronyms used in the Working Document (e.g. TCG, TPM) would be helpful.

IV. Approved bodies for handling data

Under an approval system, certain private and public bodies could qualify for a special status regarding the handling of data (see note 7). Approval and supervision would address data protection concerns by ensuring that data collected is not used inappropriately. Obviously, the specific parameters of such system will need to be discussed in more detail; suggested criteria for eligibility as an approved body might include:

- Provision of contact details
- Economic interests
- Experience with copyright enforcement
- Recognition by public enforcement bodies such as the police
- Undertakings not to abuse the data collected

We are at the disposal of the Article 29 Working Party to expand on the activities of collecting societies and our activities on data protection should this be considered useful.

Notes

1. E.g. section 107 of the UK Copyright Designs and Patents Act 1988
2. E.g. Art 6 and 7 of the Copyright Directive (EC 2001/29; and respective articles in the WIPO "Internet" Treaties 1996
3. Pages 3 and 4
4. e.g. Articles 12-15 e-Commerce Directive; Articles 5 (1) and 8 (3) Copyright Directive; Section 512 US Copyright Act
5. Article 8 para 3 (c) of the Enforcement Directive (2004/46/EC)
6. Page 6: Compliance with the purpose limitation principle
7. Similar system are in place at ICANN - for Registrar Accreditation (www.icann.org); and eBay - Verified Rights Owner (VeRO) Programme (www.ebay.co.uk)