This paper was published in Transparenz/Transparency Tagungsband des 17. Internationalen Rechtsinformatik Symposions IRIS 2014, Österreichische omputer Gesellschaft, Vienna 2014 pp. 549-556 eds. Erich Schweighofer Franz Kummer, Walter Hötzendorfer

1. HOW TO PROTECT USERS” PERSONAŁ DATA
AND ENFORCE COPYRIGHT ON THE INTERNET - IS
THERE AN ALTERNATIVE TO CYBER-SURVEILLANCE?
Michał Czerniawski
Ph.D. researcher, Uniyersity ofWarsaw, Faculty of Law and Administration
Krakowskie Przedmiescie 26/28, Oo-927 Warsaw, PL
rn.czerniawski@student.uw.edu.pl; http://www.wpia.uw.edu.pl
Keywords: Data protection, priyacy, copyright, graduated response, suryeillance
Abstract: For the lastfew years, we haye been witnessing a iong and unsuccessĄdJght ojcop
yright holders against online copyright inJi-ingement. During this time, by establish
ing the so-called graduated response mechanisms, for theJrst time some state legis
lators haye legalised a widespread use oj suryeilłance measures on the Internetfor
priyate purposes. Under the graduated response system, copyright holders monitor
Internet users” actiyities in order to identfy those who potentially ininge copy
rights, in particular by uploading or downloading copyrighted content. In many cas
es the actions ofthe copyright holders are not transparent and are characterised by
a lack ojproportionality. This paper argues that graduated response systems do not
guarantee a balance between copyright enforcement qnd priyacy. Online suryeil
lance should be considered a threat to Internet uśers „jundamental rights to priyacy
and the protection ofpersonal data. Graduated response systems, based on priyate
monitoring, do not contribute to the deyelopment ofan open transparent Internet and
the information society, but may become its undoing. It is lrue, howeyer, that copy
right holders need legal tools that will heip them protect their interests and thereby
supportfurther creation. This paper analyses instruments deyeloped by priyacy ad
yoeates and scholars, such as public interest information, aimed at dealing with
online piracy and allowing ejfectiye enforcement oj copyright law on the Internet.
These solutions may contribute to combating massiye online copyright inJ”ingement,
without haying a negatiye impact on Internet users” right to protection ojpersonal
data and without imposing online suryeillance measures. Howeyer, jor some rea
sons, these instruments still seem to be ignored by copyright holders and legislators
worldwide.
Copyright has always been a form of control”; a form that eyołyes and responds to tecimologicał
changes. For the last few years, we haye been witnessirig a worldwide shift in laws and policies
aimed at fighting illegal fUe sharing on the Internet. The most coritroyersial deyelopment is the so
called graduated response — a suryeillance-based solution that may eyen resuit in cutting an Internet
user 0ff from the web. Although supported by goyernments and approyed by independent courts2, it
raises serious personał data protection concerns.
Strowel, Alain, Internet Piracy as a Wake-up Cali for Copyright Law Makers — Is the Graduated Response” a Good
Reply?, WIFO Journal no. 1, p. 84 (2009).
2
1-ladopi law (its reyised version) and Irish priyate ordering were yaiidated by courts.
- 549 -

2. 1. The graduated response system and online suryeiHance
With the rapid deyelopment of the Internet and arriyal of the digital market, copyright industries
haye started to perceiye the web as a growiiig danger to their yested interests and established yalue
chains. In fact, they would prefer to maintain their positions as gatekeepers that contro! ali indiyidu.
al instances of accessing works ontine, as weli as offline. Copyright holders, therefore describe the
graduated responśe system as a useful and effectiye tool, enabłing them to effectiyely contro! and
enforce their rights. That is the rationale behind their push forward for solutions based on oniine
suryeillance3. The open question is how far legisiators, supported by the rights holders, may go in
creating new monitoring systems. This question is yery up-to-date as legislations introducing the
graduated response system were passed in the last few years in countries such as New Zeaiand4,
France5, Ireland6 (priyate ordering), Tajwan7 wid South Korea8 and are being considered in other
countries, for example in the United Kingdom9.
Under the graduated response policy, there are two basic suryeillarice methods. First, copyright
holders may cooperate directly with Internet Seryjce Proyiders (ISPs) in monitoring of their sub
scribers actiyities — this type of monitoring inyolyes deep packet inspection (DPI)10. In case where
such cooperation is not possible, a less intrusiye solution is being used — copyright holders hire third
party entities to monitor the Internet, usually selected webpages or file sharing networks. In 2011,
the Court of Justice of the European Union confirmed that in the European Union ISPs cannot be
required to adopt genem! filtering systems on their networks in order to preyent copyright infinge
ment11. Currently the Buropean graduated response systems are based on the second model, the
American six-strike” policy does not inyolye DPI-based suryeillarice either. After obtaining an
Internet Protocol (IP) address of a user allegedly infringing copyright, copyright holders are able to
Following David Lyon, suryeillance refers to „the collection and processing of persona! data, whether identifiable or
pot, for the purposes of influencing or managing those whose data haye been garnered” Lyon. David, Suryeillance
Socjety: Monitoring Eyeryday Life, p. 2, Open Uniyersity Press, Philadelphia (2001). Data suryeillance „tries to make
yisible the identities or the behayiours of people of interest to the agency in question” Lyon, David, Editoria].
Suryeillaiice Studies: Understanding yisibility, mobility wał tbe phenetic x, Suryeillance ara! Society no. 1, p. 2
(2002).
Copyright (Infringing File Sharing) Amendment Act, 201 L
French Loi n°2009-669 du 12 juiii 2009 fayorisant la diffusion et la protection de la crćation sur internet, JORF
n°0 135 chi 13 juin 2009 p. 9666, known as „Hadopi law”.
6
See EMI Records cc Ors y. Eircom Ltd. [2010] IEHC 108. Eircorn is the first ISP in Europe to yoluntarily introduce
the graduated response procedure. Under its policy, subseribers who download music illegally can end up losing their
Internet connection. The iSP agreed to this solution in order to ayoid legał sanctions under a lawsuit brought by the
Irish Recorded Music Association.
„
Copyright Act ofTaiwan, articte 90 (2007).
Copyright Act of South Korea, articie l33bis (2007).
Under section 124G of the Digital Economy Act, tbe Secretary of State can request OFCOM, asi independent
regulator aud competition authońty for the British communications industries, to assess whether technical obligatioos
should be irnposed on ISPs. A technical obligation is asi obligation to take technical measures against a subscriber that
inilinges copyright which inciude suspension ofthe seryice proyided to a subscriber.
„°Lawrence Lessig described the role of ISPs in the Internet using the exarnple of a daydrearning postal worker, who
only moyes the data and leayes interpretation of the data to the applications at either end — Lessig, Lawrence, Code
2.0, Basic Books, New York, p. 44 (2006). Ralf Bendrath, basing on Lessig”s postał worker example, describes DPJ
technology as follows: „Imagine a postał worker who is not just daydrearning aud moying packets from one point to
another in the transportation cham. linagine the postal worker: opens up ali packets and letters, inspects and eyen
reads the content, checks it against databases of illegal material and if finding a rnatch, sends a copy to the police
authorities, destroys letters he finds haying prohibited or irnmoral content...”, Bendrath, Rai]; Global technoło
trends and national regulation: Explaining Variation in tJe Goyernance ofDeep Packet Inspection, http://userpagefu
ber1in.de/bendratiiJPaper_Ra1f-Bendrath_DPI_y1-5.pdi last accessed 20 December 2013 (2009).
CJEU”s ruling in Case C-70/10 Scarlet Extended SA y Socićtd belge des auteurs, compositeurs et ćditeurs SCRL
(SABAM). See also Case C-360/10 Belgische yereniging yan Auteurs, Componisten en Uitgeyers CVBA (SABAM)
y Netłog NV aud Case C-461/10 Bonnier Audio AB aud Others y Perfeet Comtnunication Sweden AB.
- 550 -

3. establish which ISP proyides seryices to a particular user. The ISP is capable of identif”ing the user
of the particular address at a particular time, who otherwise would remain anonymous for a copy
right holder. The principle underlying the graduated response system is that sanctions should esca
late as inactions or persist.
An internet user ailegedly inńinging copyright laws usuaily receiyes at least two notices (strikes”)
from a copyright holder, commoniy forwarded to the user by his/her ISP, without disciosure of the
subscriber”s personał data to the hołder. The first one normaiły consists of the information about
copyright law. The second one, sent after a certain time since the first notice (for example under
Hadopi ław”3 it used to be six months), only ifthe user did not cease to infringe copyrights, is a le
gał warning. The third strike” initiates forma! procedure and may ułtimately effect in a suspension
of the subscriber”s access to the Internet or other sanctions. Therefore, some researchers fnd the
term graduated response” too soft and inaccurate — for example William Patry argues that the term
should be replaced with digital guiHotine”14.
Recently, much of the debate on Internet monitoring actiyities is being focused on yoluntary agree
ments between ISPs and right holders. These schemes, usualiy deyeloped by łarge companies under
confidentiality and imposed on their subscribers contractually, raise signilicant transparency con
cems. Such systems are enforceable through releyant proyisions of ISPs” terms of seryjce, with no
state action inyolyed and no judicial reyiew. The first country where an ISP agreed to implement
graduated response on a contractual basis was Ireland15, but the brightest exampie of such an ap
proach is the yoluntary Copyright Alert System (tbe so called six-strike” policy), introduced in
2013 in the United States as a result of a consensus reached between copyright holders and major
American ISPs. The strikes, similar to other graduated response systems, start out in an educational
manner, but may ultimately result in a temporary disconnection of a repeat infringer from the Inter
net. Due to the yoiuntary agreement form and priyate legał character, it is difficuit for the public to
obtain information whether the program meets its established goa!s16. Moreoyer, as pointed out by
Annemarie Bridy, a contract law implementation of the graduated response is not subject to any
kind ofpublic scrutiny before it takes effect17.
2. Foundations of the graduated response system
There are three factors necessary for the proper functioning of a graduated response policy: a)
monitoring ofusers” online behayiour; b) capture ofusers” lP addresses and matching ofa captured
address to a particular subscriber”s accotmt; c) collection ofusers” data. Ali three factors create risks
„2Bridy Annemarie, Graduated Response and the Turn to Priyate Ordering In Online Copyright Enforcement, Oregon
Law Reyiew no- 89, p. 128 (2010).
u Hadopi law was ultimateły reyoked by the French Goyemment on 8 July 2013 by Dćcret n° 2013-596 du 8 juillet
2013 supprirnant Ja peine contrayentionnelle complmentaire dc suspension dc l”aecs un seryjce de communication
au public en ligne et relatif aux modalitćs dc transmission des informations prćyue l”article L. 331-21 du code de la
proprićt intellectuelle, howeyer French goyernment did not resign from a system based on graduated response.
4Patry, William, Moral Panies aud the Copyright Wars, Oxford Uniyersity Press US, Oxford, p. 14 (2009). See also
Serbin, Danielle, The Graduated Response: Digital Guillotine or a Reasonable Plan for Combatiug Online Piracy?,
Intellectual Property Briefno. 3, pp. 42-52 (2012).
„5e system was introduced as a resuit of a settlement between the largest ISP in the Ireland, Eircom, aud members of
tlie Irish Recorded Musie Association (IRMA). According to IRMA, Bircom agreed that it will implement a
graduated process in which it will: (i) inform its broadbaud subseriber that the subscriber”s lP address bas been
deteeted ininging copyright; (ii) wam the subscriber that unless the infringement ceases the subscriber will be
disconnected; (iii) in default of compliance by the subscriber with the warning it will disconnect the subscriber — see
statement of the International Federation of the Phonographic Industry, http://www.iĘpLorg/content!
section_news/20090129a.html, last accessed 20 December 2013 (2009).
tóBridy, Annen2arie, Graduated Response American Style: „Sb Stdkes Measured Against Fiye Norms, Fordham
Intellectual Property, Media 8c Entertainment Law Journal, Vol. 23, No. 1, p. 66 (2012).
Op.cit., p. 17.
-551-

4. 2.1. Monitoring ofusers” ontine behayiour
2.2. Capture of users” lP addresses
in the area of personał data protection. Without online suryeillance, the possibility of identiiing an
Internet user on the basis of his/her lP address or user data collection, the system would not work.
AlI yariants of graduated response systems rely, by necessity, on priyate online suryeillance.
Moreoyer, graduated response polices stimulate the deyelopment of new teebnologies aimed at
online monitoring. Copyright holders are wiliing to pay for new, sophisticated iristrumerits that will
allow them to pursuit copyright infringers in a more efficient way. Graduated response also encour
ages the deyelopment of regulatory instruments aimed at internet fltering and blocking of content”9.
Online suryeillance, eyen in its less intrusiye form, must not be taken at face yalue. Acceptance of
oniine monitoring as something normal and needed, may lead in the future to the normalisation of
suryeillance. Thus, the graduated response system may constitute a template for similar solutions
coyering different areas of oniine actiyities to be implemented in the future20. During Hadopi law
consultations only the French Cornmission for Information and Liberties (CNIL) and ciyil socjety
representatiyes raised the issue of suryeiliance. The French goyernment accepted this solution from
the beginning21. In lreland, the settlernent between Bircom and members of the IRMA was unsuc
cessfully chailenged by the Irish Data Protection Commissioner22. The graduated response system is
difficult to accept also because online monitoring affects miilions of law-abiding indiyiduals tbat
haye nothing in common with online inń-ingements. As long as an indiyiduai uses the Internet, there
is no way he or she can be excluded from the monitoring. In the information socjety, the Internet
plays a central role in most of aspects of our life. In order to participate in the information socjety,
wę reyeal on the Internet data about yarious spheres of our personał life. Therefore, online suryeil
lance affects personal liyes and as Brian Soloye stated, it can cause chilling effects on our actiyities
and change the way we behaye23. It makes us more willing to hide certain actions and act in a man
ner that is not transparent.
According to Peter I-Iustinx, the European Data Protection Superyisor, lP addresses and the infor.
mation about the actiyities linked to such addresses constitute personal data in ali cases releyant to
graduated response24. Also the Article 29 Working Party states that lp addresses captured in order
As Alain Strowel wrote c”... solution that wouid eliminate ali piracy, if at ali possibie, wouid seetn dangerous or at
least dubious for both indiyiduai iiberties and technological inrioyation”, Strowel, Alain, The „Graduated Responso”
in France: Is It the (]ood Reply to Oniine Copyright In11ngements? In: Copyright Enforcement and the 1ntemo
edited by Stamatoudi, Inni, Kluwer Law International, Aiphen ann den Rijn, p. 160 (2010).
„9See Meyen, Tnisha, and Van Audenhoye, Leo, Suryeiilance and regulating code: an analysis of graduated respoose in
France, Suryeillance and Socjety no. 9, p. 365 (2012).
20The graduated response was aiso discussed during the Anti-Counterfeiting Trade Agreement (ACTA) negotiatioris. It
seems that initial intention of ACTA”s creators was to include in the agreement proyisions ailowing the
response to be impiemented. It, howeyer, did not happen — probabiy because the European Union expressed ils
reluctance to inciude the graduated response in the treaty — Meyer, David, Europe wili not accept three strikes in
ACTA Treaty, http://www.zdnet.coni/europe-wiIi-not-accept-three-strikes-in-acta-treaty-3040057434/ iast accessed
20 December 2013 (2010).
21
Meyer, Triska, and Van Audenhoye, Leo, op.cit. p. 372.
22See EMJ Records (ireland) Ltd Ors -y- Eireom Ltd, [2010] IEHC 108 and EMI Records (Ireland) Ltd Jc Ors -V.
The Data Protection Commissioner Anor, [2012] IEHC 264.
23Soloye, Daniel J, A Taxonomy ofPriyacy, Uniyersity ofPennsylyania Law Reyiew no. 3, p. 487 (2006).
24Opinion of tbe European Data Protection Superyisor on the current negotiations by the European Union of aii t
Counterfeiting Trade Agreement (ACTA) — 2010/C 147/01 adopted on 22 Februaiy 2010, at 27 and Opinion of li
European Data Protection Superyisor on the proposal for a Council Decision on the Conciusion of the Mil.
Counterfeiting Trade Agreeinent between the European Union and its Member States, Australia, Canada, Japan, tha
-552-

5. io enforce intellectual proerty rights are personał data if used for the enforcement of such rights
: against a giyen indiyidual .
Therefore, there is no doubt that the collection of lP addresses of al
leged inń-ingers by copyright holders constitutes processing of personał data under European Union
L..,
2.3. Collection of users” data
A copyright holder, after obtaining an lP address, needs to proye that the in-ingement occui-red,
therefore the graduated response leads to the systematic recording of data. The data related to lP
addresses may constitute a good transcript of our liyes. Online suryeillance creates a risk of collect
„ ing a significant amount of data beyond what was originally sought by priyate entities. Recorded
data may show what types of moyies are downloaded by particular user, what websites be or she
. yisits on a regułar basis, with whom he or she comrnunicates. The information retrieyed by copy
right holders extends thereby beyond the purpose of their search. Moreoyer, it is not only the copy
right holders that are in possession of the data rełated to a particular user. In order to coilect eyi
dence, right holders usually hire specialised entities. Agam, contracts concluded with these compa
nies are usually subject to contidentiality. Most of them deriye direct fmaiicial benefh from fmding
as much eyidence related to copyright infringement as possibłe. Therefore, there is a risk that the
application in practice ofthe graduated response policy will ultimately lead to massiye collection of
personał data by yarious parties in an absolutely non-transparent marmer.
3. Less intrusiye measures and alternatiyes to graduated response
There are seyeral ałternatiyes to priyate suryeillance of Internet users” actiyities, which guarantee
proper protection of Internet users” personał data. The alternatiyes ensure the maintenance of ap
propriate balance26 between copyright enforcement and personał data protection. Howeyer, for
some reasons they seem to be ignored by copyright holders.
3.1. Public interest inforniation
Some concepts aimed at dealing with online piracy are based on the assumption that Internet users
are often not aware that they infhnge copyrights. Seyeral priyacy adyocates argue that there is no
need for cyber-suryeillance or the identifcation of users as it would be enough to raise Internet us
ers” awareness about copyrights. For example, the European Data Protection Superyisor as a less
intrusiye measure, an alternatiye to the graduated response system, suggests an obligation for the
EU Member States to produce standardised public interest information on infringements of copy
right and related rights and their legał consequences. According to tbe EDPS, the Member States
can request ISPs to distribute such information to their customers27, The law that giyes basis for
such an obligation to be imposed on ISPs ałready exists in the European Union. According to the
Directiye 2009/136/EC28 Member States may require ISPs to distribute public interest information
Republic of Korea, the United Mexican States, the Kingdom of Moroeco, New Zealand, the Republic of Singapore,
the Swiss Confederation and the United States ofAmerica —201 2/C 215/08 adopted on 24 April 2012, at 19.
25Atticle 29 Working Party, Workirig document on data protection issues related to intellectual property rights (WP
104) adopted on 18 January 2005.
26The rieed ofestablishing a fair balance between these two rights was mentioned in the CJEU”s ruling in Case 275/06
Promusicae y. Telefonica de Espana.
27Opinion of the European Data Protection Superyisor on the current negotiations by the European Union of an Anti
Counterfeiting Trade Agreement (ACTA) — 2010/C 147/01 adopted on 22 Februazy 2010, at 37.
2Directiye 2009/136/EC of the European Parliament and of the Council of 25 Noyember 2009 amending Directiye
2002/22/EC on universal seryjce and users” rights relating to eleetronic communications networks and seryices,
Directiye 2002/58/EC concerning the processirig of personał data and the protection of priyacy in the electronic
-553-

6. free of charge to existing and aew subscribers by the same means as those ordinariły used by them
in commuriications with subscribers. Such information shall be proyided by the releyant public au
thorities in a standardised format and shall coyer topics related to the most common uses of elec
tronic communications seryices to engage in unlawful actiyities or to disseminate harmfui content,
particularly where it may prejudice respect for the rights aid freedoms of others, including in.
fhngements of copyright and related rights, and their legał consequences”29. This instrument not
only would heip in combating massiye online copyright infingement but ałso would haye an im
portant educational aspect.
3.2. Notice-and-notice
Some priyacy adyocates find certain cyber-suryeillance based measures that ensure high data pro.
tection staridards acceptable. An example of such a measure is a notice-and-notice system30. Under
the notice-and-notice system, copyright holders monitor Internet actiyities, as in the graduated re
sponse, in order to identify those users who inńinge copyrights, in particular by uploading or down
loading copyrighted content. This system also requires a copyright holder to file a notification con
taining the lP address of an alleged infringer. Then, it is the ISP that forwards the notification to the
subscriber, but it takes no other action and does not pass along subscriber” s personal data. The data
remains with the ISP — the entity that obtamed the subscriber”s freely giyen consent to the pro.
cessing ofpersonał data. The ISP does not take any action other than passing the notice.
The idea underlying the notice-and-notice policy is something legisiators ofen forget about — that
the yast majority ofthe Internet users do not want to infiinge copyrights. The system is based on the
yery simple idea that indiyiduais will stop downloading or uploading copyrighted content if they
become aware that copyright holders haye knowledge of their actions. No enforcement actions will
be needed. A suryey made by the New Zealand Federation Against Copyright Theft proyed that
more than 70% ofNew Zealand youth would stop accessing illegal yersions of copyright material if
they receiyed a notice from their ISP31. In 2010 one of the biggest Canadian32 ISPs, Rogers, tested
notice-and-notice solution and also proyed its efficiency33. Of course it would be naiye to imagine
that persistent infringers, being aware that the notice will not be followed by any kind of sanction,
will stop copyright infringing actiyities. But the issue of persistent copyright irifringers is also the
weakness of ali solutions proposed by copyright holders, including the graduated response system
(the graduated response is ineffectiye for example against indiyiduals using yirtuał priyate networks
communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsiblc
for the eriforcement of consumer protection laws.
Artic1e 21.4(a) ofthe Directiye 20091136JEC.
30According to Michael Geist As priyacy adyocates began to react to the graduał deterioration of priyacy protectioas
in the name of security, they realized that it was necessary to promote a policy agenda tbat sought to protect both
priyacy and security. With a similar trend emerging in the intellectual property field, the priyacy community musi
consider how it can promote a balanced approach that ensures respect for both intellectual property rights nid
persorial priyacy”, Geist, Michael, Web priyacy ys. identifying infringers, Toronto Star, http://www.michaelgeist.cal
resclhtml_bkup/oct62003.html last accessed 20 December 2013 (2003).
31New Zealand”s Ornce ofthe Minister ofCommerce, Cabinet Economic Growth and Infrastructure Committee, Illegal
Peer-to-Peer File Sharing, at 29.
32Notjcedno system shall be soon implemented in Canada on the basis of Bill C-11 (Copyright Modernization
Act), the copyright reform bill enacted in June 2012.
33According to Karaganis, Joe, and Renkema, Lennart, Copy Culture in the US 8 Germany, pp. 45-46 (2013), who
analysed situation in Germany, due to yarious other factors, such as free streaming seryices, it is unclear how
notifications affect iHegal music downloading. On the other hand, Michael Geist stated that the data reported by
Rogers (Canadian ISP) shows that „67% of recipients (...) do not repeat infringe after receiying a notice wid 89%
cease allegedly inftinging actiyity after a second notice”, Geist, Michael, Rogers Proyides New Eyidence on
Effectiyeness of Notice-and-Notice System, http://www.michaelgeist.ca/contentlyiew/5703/125/ last accessed
20 December 2013 (2011).
-554-

7. L
or routing systems that obseure lP addresses, such as TOR). Persistent copyright iningers, in par
icular those with some technical knowledge, will be always able to fmd ways to illegally share con
with legal iinpunity.
1.3. Targeted monitoring
Another less intrusiye measure, supported by some priyacy adyocates aud the European Data Pro
tection Superyisor, is targeted monitoring. It is based on the belief that copyrights may be success
.iI1y enforced by monitoring of only a limited number of indiyiduals34. The supporters of this eon
cept state that by obserying selected websites (for example online forums dedicated to fiie-sharing)
or by posing as file sharers in peer-to-peer networks, copyright holders may identify a smali group
: of users that is responsibie for the majority of uploading and fUe-sharing of copyrighted content in
Ihe Internet aud that deriye corninercial benefits from copyright infhngement. The idea behind the
targeted monitoring is to limit the scope of online suryeillance and not direct it at other Internet us
ers, including those who commit triyial copyright infringements. Under the targeted monitoring
system copyright holders are ailowed to engage in monitoring of certain lP addresses if its purpose
is to yerify the scale of the infringement. If they cannot proye that in particular case an infringement
on commercial scale took place, they shall cease their actions. In accordance with this concept, ali
copyright holders” operations aud procedures related to data processing aimed at gathering eyidenc
es of infringement shall be authorised by national data protection authorities. The approyai of an
authority shall be granted prior to the processing of any data. This requirement shali constitute ari
additional guarantee that data protection laws aud priyacy of Internet users are properly respected.
4. Conclusions
The currently popular concept of graduated response, based on priyate monitoring, is not contrib
uting to the deyelopment of an open Internet and the information society, but may become its undo
ing. It creates a dangerous precedent, which may resuit in the introduction of online suryeillance
coyeririg ali spberes of Internet actiyities. Therefore, the debate around the graduated response poii
cy is not only about copyright or digital market. It is about the type of Internet we will haye in the
future.
Copyright holders definitely need a tool that will help them in protecting their interests. Many of
them would like to act as gatekeepers that control access to works ontine. Howeyer, online suryeil..
lance will not eliminate copyright infringementś, but as a side effect it might eliminate priyacy on
the Internet. The notion of graduated response is eyolying — Hadopi law in France was reyoked and
will be replaced, the graduated response schemes in Ireland aud USA were implernented not as a
law but tbrough priyate ordering, which also mearis they lack judicial reyiew aud suffkient trans
parency. It is elear that the main aim of the system is to meet the needs of copyright holders, not
Internet users. Howeyer, there are yarious alternatiyes to graduated response which are worth eon
sidering. Priyacy adyocates and scholars haye deyeloped measures, such as public interest infor
mation, notice-and-notice policy or targeted monitoring, aimed at dealiug with online piracy aud
allowing effectiye enforcement of copyright law on the Internet. These solutions may contribute to
combating massiye online copyright infringement, without haying a negatiye impact on users” right
to protection ofpersonal data and without imposing intrusiye oniine suryeiilance measures. Howey
er, for some reasons, these instruments stili continue to be ignored by copyright holders and legisia
tors35 worldwide.
4Opinion of tbe European Data Protection Superyisor on the current negotiations by the European Union of an Anti
Counterfeiting Trade Agreemerit (ACTA) — 2010/C 147/01, at 43.
35With a singie exception — see supra note 32.
- 555 -

8. 5. References
Articie 29 Working Party, Working document on data protection issues related to intellectual property rights (WP 104)
adopted on 18 January 2005
Bendrath, Ralf Global technology trends and national regulation: Explaining Variation in the Goyernance of Deep
Packet Inspection, http://userpage.fu-berlin.dekbendrath!Paper_Ralf-BendrathDPl_yl-5.pdf last accessed 20.12.2013
(2009)
Bridy, Annemarie, Graduated Response Americari Style: „,Six Strikes Measured Against Fiye Norrns, Fordham
tntellectuai Property, Media Sc Entertainment Law Joumal, Vol. 23, No. 1(2012)
Brid-, A,rnemarie, Graduated Response and the Turn to Priyate Ordering In Online Copyright Enforcemerit, Oregon
Law Reyiew no. 89 (2010)
European Data Protection Snperyisor, Opinion of the European Data Protection Superyisor on the current negotiations
by the European Unjon f an Anti-Counterfeiting Trade Agreement (ACTA) — 2010/C 147/01 adopted on 22 Februaiy
2010
European Data Proteciion Superi”isor, Opinion of the European Data Protection Superyisor on the proposal for a
Council Decision on the Coriciusion of the Anti-Counterfeiting Trade Agreement between the European Union md its
Mernber States, Australia, Canada, Japan. the Republic of Korea, the United Mexican States, the Kingdom of Morocco,
New Zealand, the Republic of Singapore, the Swiss Confederation and the United States ofAmerica — 2012/C 215/08
adopted on 24 April 2012
Geist, Michael, Rogers Proyides New Eyidence on Effectiyeness of Notice-and-Notice System,
http://www.michaelgeistca/contentlyiew/5703/1 25/ last accessed 20.12.2013 (2011)
Geist, Michael, Web priyacy ys. identifying infringers, Toronto Star, http://www.michaelgeist.ca
/resc/htrnl_bkiip/oct62003 .html last accessed 20.12.2013 (2003)
Karaganis, Joe, and Ren/teina, Lennart, Copy Culture in the US St Germany (2013)
Lessig, Lawrence, Code 2.0, Basie Booka. New York (2006)
Lyon, David, Editorial. Suryeillance Studies: Understanding yisibility, mobility and the phenetic fx, Suryeilimce and
Socjety no. 1 (2002)
Lyon, David, Suryciilance Socjety: Monitoring Eyeryday Life, Open Uniyersity Press, Philadelphia (2001)
Meyer, David, Europe will not accept three strikes in ACTA Treaty, http://www.zdnet.com/europe-wil1-not-accept
three-strikes-in-acta-treaty3040057434/ last accessed 20.12.2013 (2010)
Meyer, Trisha, end Van Audenhoye, Leo, Suryeillance and regulatirig code: an analysis ofgraduated response in France,
Suryeillance and Society no. 9(2012)
New Zealand”s Office of the Minister of Commerce, Cabinet Economic Growth and Infrastructure Committee, 11/ego!
Peer-to-Peer File Sharing (C”abinet Paper,,J
Patry, William, Moral Panics and the Copyright Wars, Oxford Uniyersity Press US, Oxford (2009)
Serbin, Danielle, The Graduated Response: Digital Guiliotine or a Reasonable Plan for Combating Online Piracy?,
Intellectual Property Brief no. 3 (2012)
Soloye, Daniel J. A Taxonomy ofPriyacy, Uniyersity ofPennsylyania Law Reyiew no. 3 (2006)
Strowel, Alain, Internet Piracy as a Wake-up Cali for Copyright Law Makers — Is the „Graduated Response” a Good
Reply?, WIPO Journal no. I (2009)
Strowel, Alain, The „Graduated Response” in France: Is I.t the Good Reply to Online Copyright Infringeinents?
Iti: Copyright Enforcement and the Internet, edited by Stamatoudl, Inni, Kluwer Law International, Alphen aan den
Rijn (2010)
-556-