The Claimants in Mircom International Content Management & Consulting Ltd & Ors v Virgin Media Ltd & Anor [2019] EWHC 1827 (Ch) were a combination of pornographic production companies and claim farmers who brought applications against Virgin Media for the pre-action disclosure [1] of tens of thousands of names and addresses of persons registered to IP addresses that the Claimants had identified as having downloaded pornographic films in breach of copyright.

If and when disclosure was provided, the claim farmers would write to the individuals threatening to sue them (with the likely embarrassment and publicity that entails) while offering to settle for a fixed sum.

As Recorder Campbell QC in the Business and Property Court of the High Court noted, mustering diplomacy that most professionals can only aspire to:

The names of the relevant films are listed in various schedules and leave little to the imagination.

The Claimants argued that the correct approach to such applications had been established in the case of Golden Eye (International) Ltd v Telefónica UK Ltd (Open Rights Group intervening) [2012] EWCA Civ 1740 (a case about alleged copyright infringement due to Peer-to-Peer or ‘P2P’ filesharing of pornographic films via BitTorrent).

However, since then, the GDPR [2] and the Data Protection Act 2018 (‘DPA 2018’) have introduced some slight tweaks to the protection of individual privacy rights and the obligations of those who hold or process personal data. Unsurprisingly, GDPR raised several issues here and although Virgin Media were a ‘neutral’ party in the dispute, they made extensive submissions resisting the Claimants’ approach.

Are IP addresses ‘personal data’?

Article 4(1) of the GDPR defines an individual’s ‘personal data’ as:

…any information relating to an identified or identifiable natural person (‘data subject’);…

Recital 26 talks about when an individual is likely to be identifiable from data about them. (It’s quite lengthy but stick with it):

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments…

Under the pre-GDPR framework [3], the European Court of Justice had previously considered whether dynamic (or temporarily assigned) IP addresses amounted to ‘personal data’ in the case of Breyer v Federal Republic of Germany [2017] 1 WLR 1569.

There, the ECJ concluded that IP addresses were ‘personal data’ because online service providers (i.e. websites) had a legal means (via the German criminal justice system) of identifying individual data subjects from their IP addresses using further information obtainable from internet service providers (‘ISPs’).

Consistent with Breyer, the High Court held that the IP addresses held by the Claimants were ‘personal data’ due to the fact that it was possible for the Claimants to obtain further information from Virgin Media following a Court order that would allow the Claimants to identify specific individuals from their IP address.

Were the Claimants ‘data controllers’?

A ‘data controller’ is defined by Article 4(7) of the GDPR as:

…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

A data controller must ensure that they comply with the obligations and protections in the GDPR, including the need to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ and to review such measures as appropriate (see Article 24(1)).

A ‘data recipient’ under Article 4(9) is defined as:

…a natural or legal person… to which the personal data are disclosed, whether a third party or not.

Unlike data controllers, data recipients are not subject to the same obligations and privacy safeguards in the GDPR.

The Claimants argued that upon disclosure of the names and addresses, they did not determine the ‘purposes and means of the processing of personal data’. That was a matter governed by the Civil Procedure Rules as applied by the Court. (They added that the effect of Schedule 2, Part 1, paragraphs 5(2) and (3) of the DPA 2018 was to exempt parties to legal proceedings from many parts of the GDPR).

Recorder Campbell QC agreed with the Claimants. If disclosure was ordered, the Claimants would be mere ‘data recipients’ and not ‘data controllers’.

In my view, this conclusion sits uneasily with the preceding finding.

If the IP addresses were already ‘personal data’ in the hands of the Claimants, then it seems to me that the Claimants were ‘data controllers’ when they used software to monitor, identify and collate the IP addresses prior to bringing legal proceedings against Virgin Media. That form of activity seems to fall outside of the ‘legal proceedings’ exemptions in the DPA 2018, which are limited to allowing parties to seek legal advice and comply with their disclosure obligations by law unhindered by GDPR (rather than removing other forms of data processing from the safeguards of GDPR).

Should disclosure be granted?

No, said the High Court.

The evidence in support of the application was shambolic in places. The Claimants relied on witness statements with missing Exhibits. An expert’s report on the technology used to identify the IP addresses was some 9 years old, referred to a ‘trial’ that nobody seemed to know about and was missing a statement of truth.

Other witness statements for the Claimants confused matters further by referring to different pieces of software and static IP addresses rather than dynamic ones. Another witness was alleged to be ‘a former detective who was arrested and dismissed after receiving a controlled substance’.

Virgin argued that, applying the approach in the Golden Eye litigation, the application should be refused because the Claimants had no genuine intention to bring claims against anybody but were operating a ‘shakedown’ scheme to extort money from Virgin’s broadband subscribers.

The High Court held that it needed more information on how the Claimants had used the personal data that they had obtained in previous litigation 7 years ago (in the Golden Eye case). On the available information, despite sending 749 letters to potential defendants following Court orders, the Claimants had not sued any one of the alleged copyright infringers.

Comment

While blocking the claim farmers from accessing tens of thousands of names and addresses, the High Court has given its view that:

  1. Anonymised IP addresses can be ‘personal data’ under the GDPR where website operators have a legal means of obtaining further information from ISPs which would enable a person’s identification; and
  2. The recipient/s of personal data disclosed via Court proceedings are not ‘data controllers’ subject to the obligations and protection requirements laid out in GDPR. This is quite an interesting finding although it is not reasoned at much length in Recorder Campbell QC’s judgment. It will be interesting to see how far the ‘legal proceedings’ exemption can be stretched under GDPR and the DPA 2018. Personally I have my doubts about the conclusion that the Claimants were ‘data recipients’ and not data controllers from the outset.

While the claim farmers were unsuccessful on this occasion due to some obvious defects in their evidence, it’s worth noting that GDPR does not raise impossible hurdles to better organised claimants seeking pre-action disclosure in this way, provided they can give the necessary reassurances to a Court as to the genuine need to obtain the data and strike a fair balance between individual privacy rights and the protection of intellectual property.

Notes:

[1] Also known as Norwich Pharmacal applications, after the case of Norwich Pharmacal Co v Customs and Excise Commissioners [1973] UKHL 6.

[2] Regulation (EU) 2016/679.

[3] Directive 95/46/EC.

Posted by Ben Amunwa

Founder and editor of Lawmostly.com. Ben is a business and public law barrister with the 36 Group. He gives expert legal advice on employment, immigration and commercial disputes to a wide range of clients.
