The revised Copyright Act will introduce the right to information in civil proceedings, the issuing of warnings, and the implementation of stay-down filters in specific cases, all of which are problematic from the point of view of data protection.
The revision of the Federal Act on Copyright and Related Rights (CopA), currently in progress, will in particular take account of the measures proposed by the AGUR12 working group on improving copyright protection on the internet (see our 21st annual report 2013/2014, section 1.3.1). Some of these measures raise data protection issues:
The revision of the Copyright Act will introduce the right to obtain information in a civil action for performance. A copyright holder wishing to take action against an alleged infringer of those rights and who is only in possession of the latter's IP address (which happens frequently in the case of material that can be downloaded in peer-to-peer networks, for example) will be able to find out from the internet providers who owned the IP address at the time in question.
Under the current Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTA), this information is retained for six months and is protected by telecommunications secrecy. The obligation to retain data, introduced in order to prevent serious offences, is legally controversial; it represents a serious intervention in the personal rights of the internet user, whose data are retained without obvious justification. This essentially constitutes unreasonable data processing. Following the enactment of the SPTA and in the discussions on the current revision of the SPTA (see section 1.4.1 of the annual report) it was repeatedly stressed that such an intervention was only justified in the case of serious offences. It was repeatedly reiterated that it is necessary to restrict the use of retained data to criminal proceedings. In its judgment on data retention of 8 April 2014, the European Court of Justice (EuCJ) also ruled that prosecution authorities should only have access to this data under strict conditions. The FDPIC also considers data retention to be justified when such restrictions are applied.
Despite the above, this data is now to be used to enforce civil claims in connection with infringement of copyright and to be made accessible to copyright holders. This is a drastic departure from the original purpose of data retention, and contradicts the assertions made when it was introduced. It is also a departure from the restrictions set by the EuCJ judgment cited above. As there can be no real objective justification for regarding copyright claims as more important than other civil claims, it may furthermore be assumed that such data will sooner or later be accessible in all civil claims cases.
As data retention can constitute a serious infringement of the personal rights of all internet users, we are of the decided opinion that the enforcement of civil claims does not justify the violation of telecommunications secrecy that this would entail. Such a provision would infringe the principles of proportionality and purpose limitation.
We believe the same to be true of the planned measure to require internet providers, if the rightholders so demand, to issue their clients with a warning if copyright is infringed from their IP connection. This measure would also require allowing access to data originally collected for the purposes of prosecuting serious offences, and so what is stated above also applies in this situation.
In future, hosting providers will not only be obliged to delete content that infringes copyright - there is no objection to this from the point of view of data protection - in certain cases they will also have to ensure that this content is not uploaded again. In our opinion, this so-called stay-down procedure can only be enforced if the questionable users are monitored, a measure that infringes on the personal rights of those concerned to an even greater extent than the rightholders' right to information. When weighed up, the interests pursued are of too little importance to justify such an intervention. We therefore judge this measure to be disproportionate. What is more, users would be monitored by private entities at the request of private entities (i.e. by the providers), making it problematic in constitutional terms.
For these reasons we rejected these measures in the ongoing revision process.