
Category: International & Comparative Law

The data retention judgment, the Irish Facebook case, and the future of EU data transfer regulation

On April 8 the Court of Justice of the European Union (CJEU) announced its judgment in the case C-293/12 and C-594/12 Digital Rights Ireland. Based on EU fundamental rights law, the Court invalidated the EU Data Retention Directive, which obliged telecommunications service providers and Internet service providers in the EU to retain telecommunications metadata and make it available to European law enforcement authorities under certain circumstances. The case illustrates both the key role that the EU Charter of Fundamental Rights plays in EU data protection law, and the CJEU’s seeming disinterest in the impact of its recent data protection rulings on other fundamental rights. In addition, the recent referral to the CJEU by an Irish court of a case involving data transfers by Facebook under the EU-US Safe Harbor holds the potential to further tighten EU rules for data transfers, and to reduce the possibility of EU-wide harmonization in this area.

In considering the implications of Digital Rights Ireland for the regulation of international data transfers, I would like to focus on a passage occurring towards the end of the judgment, where the Court criticizes the Data Retention Directive as follows (paragraph 68):

“[I]t should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data…”

This statement caught many observers by surprise. The CJEU is famous for the concise and self-referential style of its opinions, and the case revolved around the legality of the Directive in general, not around whether data stored under it could be transferred outside the EU. This issue was also not raised in the submission of the case to the Court, and first surfaced in the advisory opinion issued by one of the Court’s advocates-general prior to the judgment (see paragraph 78 of that Opinion).

In US constitutional law, the question “does the constitution follow the flag?” generally arises in the context of whether the Fourth Amendment to the US Constitution applies to government activity overseas (e.g., when US law enforcement abducts a fugitive abroad and brings him back to the US). In the context discussed here, the question is rather whether EU data protection law applies to personal data as they are transferred outside the EU, i.e., “whether the EU flag follows EU data”. As I explained in my book on the regulation of transborder data flows that was published last year by Oxford University Press, in many cases EU data protection law remains applicable to personal data transferred to other regions. For example, in introducing its proposed reform of EU data protection law, the European Commission stated in 2012 that one of its key purposes is to “ensure a level of protection for data transferred out of the EU similar to that within the EU”.

EU data protection law is based on constitutional provisions protecting fundamental rights (e.g., Article 8 of the EU Charter of Fundamental Rights), and the CJEU has emphasized in cases involving the independence of the data protection authorities (DPAs) in Austria, Germany, and Hungary that control of data processing by an independent DPA is an essential element of the fundamental right to data protection (without ever discussing independent supervision in the context of data processing outside the EU). In light of those previous cases, the logical consequence of the Court’s statement in Digital Rights Ireland would seem to be that fundamental rights law requires oversight of data processing by the DPAs also with regard to the data of EU individuals that are transferred to other regions.

This conclusion raises a number of questions. For example, how can it be reconciled with the fact that the enforcement jurisdiction of the DPAs ends at the borders of their respective EU Member States (see Article 28 of the EU Data Protection Directive 95/46)? If supervision by the EU DPAs extends already by operation of law to the storage of EU data in other regions, then why do certain EU legal mechanisms in addition force the parties to data transfers to explicitly accept the extraterritorial regulatory authority of the DPAs (e.g., Clause 5(e) of the EU standard contractual clauses of 2010)? And how does the Court’s statement fit with its 2003 Lindqvist judgment, where it held that EU data protection law should not be interpreted to apply to the entire Internet (see paragraph 69 of that judgment)? The offhand way in which the Court referred to DPA supervision over data processing outside the EU in the Digital Rights Ireland judgment gives the impression that it was unaware of, or disinterested in, such questions.

On June 18 the Irish High Court referred a case to the CJEU that may develop further its line of thought in the Digital Rights Ireland judgment. The High Court’s judgment in Schrems v. Data Protection Commissioner involved a challenge by Austrian student Max Schrems to the transfer of personal data to the US by Facebook under the Safe Harbor. The High Court announced that it would refer to the CJEU the questions of whether the European Commission’s adequacy decision of 2000 creating the Safe Harbor should be re-evaluated in light of the Charter of Fundamental Rights and widespread access to data by US law enforcement, and of whether the individual DPAs should be allowed to determine whether the Safe Harbor provides adequate protection (see paragraphs 71 and 84). The linkage between the two cases is evidenced by the Irish High Court’s frequent citation of Digital Rights Ireland, and by the CJEU’s conclusion that interference with the right to data protection caused by widespread data retention for law enforcement purposes without notice being given to individuals was “particularly serious” (see paragraph 37 of Digital Rights Ireland and paragraph 44 of Schrems v. Data Protection Commissioner). The High Court also criticized the Safe Harbor and the system of oversight of law enforcement data access in the US as failing to provide oversight “carried out on European soil” (paragraph 62), which seems inspired by paragraph 68 of the Digital Rights Ireland judgment.

The Irish referral to the CJEU also holds implications for the possibility of harmonized EU rules regarding international data transfers. If each DPA is allowed to override Commission adequacy decisions based on its individual view of what the Charter of Fundamental Rights requires, then there would be no point to such decisions in the first place (and the current disagreement over the “one stop shop” in the context of the proposed EU General Data Protection Regulation shows the difficulty of reaching agreement on pan-European rules where fundamental rights are at stake). Also, one wonders if other data transfer mechanisms beyond the Safe Harbor could also be at risk (e.g., standard contractual clauses, binding corporate rules, etc.), given that they also allow data to be turned over to non-EU law enforcement authorities. The proposed EU General Data Protection Regulation could eliminate some of these risks, but its passage is still uncertain, and the interpretation by the Court of the role of the Charter of Fundamental Rights would still be relevant under it. Whatever the CJEU eventually decides, it seems inevitable that the case will result in a tightening of EU rules on international data transfers.

The referral by the Irish High Court also raises the question (which the High Court did not address) of how other important fundamental rights, such as freedom of expression and the right to communicate internationally (meaning, in essence, the freedom to communicate on the Internet), should be balanced with the right to data protection. In its recent jurisprudence, the CJEU seems to regard data protection as a “super right” that has preference over other ones; thus, in its recent judgment in the case C-131/12 Google Spain v. AEPD and Mario Costeja Gonzalez involving the “right to be forgotten”, the Court never even refers to Article 11 of the Charter of Fundamental Rights that protects freedom of expression and the right to “receive and impart information and ideas without interference by public authority and regardless of frontiers”. In its zeal to protect personal data transferred outside the EU, it is important that the CJEU not forget that, as it has stated in the past, data protection is not an absolute right, and must be considered in relation to its function in society (see, for example, Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke, paragraph 48), and that there must be some territorial limit to EU data protection law, if it is not to become a system of universal application that applies to the entire world (as the Court held in Lindqvist). Thus, there is an urgent need for an authoritative and dispassionate analysis of the territorial limits to EU data protection law, and of how a balance can be struck between data protection and other fundamental rights, guidance which unfortunately the CJEU seems unwilling to provide.

EU and US data privacy rights: six degrees of separation

The EU and the US have often engaged in a “tit for tat” exchange with regard to their respective systems of privacy protection. For example, EU academics have criticized US law as reflecting a “civil rights” approach that only affords data privacy rights to its own citizens, whereas US commentators have argued that privacy protection in the EU is less effective than its status as a fundamental right would suggest.

I am convinced that neither the EU nor the US properly understands each other’s approach to data privacy. This is not surprising, given that a sophisticated understanding of the two legal systems requires language skills and comparative legal knowledge that few people have on either side of the Atlantic. The close cultural and historical ties between the EU and the US may also make mutual understanding more difficult, since concepts that seem similar on the surface may actually be quite different in reality.

I like to think of the difference between the EU and US concepts of data privacy rights as reflecting the differing epistemological views of the rationalist philosophers (e.g., Descartes) versus those of the empiricists (e.g., Hume and Locke) who influenced development of the legal systems in Europe and the US. EU data protection law derives normative rules based mainly on reason and deduction (as do the rationalists), while US privacy law bases legal rules more on evidence drawn from experience (like the empiricists). It is thus no surprise that the law and economics approach that is so influential in US jurisprudence is largely unknown in EU data protection law, while the more dogmatic, conceptual approach of EU law would seem strange to many US lawyers. An illustration is provided by the recent judgment of the Court of Justice of the European Union dealing with the “right to be forgotten” (C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez), where the Court’s argumentation was largely self-referential and it took little notice of the practical implications of its judgment.

Here is a brief discussion of six important areas of difference between data privacy law in the EU and US, with a particular focus on their systems of constitutional rights:

Omnibus vs sectoral approach: The EU has an overarching legal framework for data privacy that covers all areas of data processing, based on EU constitutional law (e.g. the EU Charter of Fundamental Rights), the European Convention on Human Rights, the EU Data Protection Directive, national law, and other sources. In the US, there is no single legal source protecting data privacy at all levels, and legal regulation operates more at a sectoral level (e.g., focusing on specific areas such as children’s privacy, bank data etc).

Constitutional rights as the preferred method of protection: The US Supreme Court has interpreted the US Constitution to create a constitutional right to privacy in certain circumstances. However, from a US viewpoint, constitutional rights are only one vehicle to protect data privacy. Commentators have described the strengths of the US system for privacy protection as comprising a myriad of factors, including “an emergent privacy profession replete with a rapidly expanding body of knowledge, training, certification, conferences, publications, web-tools and professional development; self regulatory initiatives; civil society engagement; academic programs with rich, multidisciplinary research agendas; formidable privacy practices in leading law and accounting firms; privacy seals; peaking interest by the national press; robust enforcement by Federal and State regulators, and individual and class litigation”. In contrast, in the EU the key factor underlying data protection is its status as a fundamental right (see, e.g., Article 1 of the EU General Data Protection Regulation proposed by the European Commission in 2012).

Different conceptions of rights: In the US, a constitutional right must by definition derive from the US Constitution, while in the EU, fundamental rights are considered “general principles of law” that apply to all human beings within EU jurisdiction even if they do not derive from a specific constitutional source. The concept of fundamental rights in the EU is thus broader and more universal than that of constitutional rights in the US.

Positive and negative rights: In the US, privacy is generally protected as a “negative” right that obliges the government to refrain from taking actions that would violate constitutional rights. In the EU the state also has a constitutional obligation to affirmatively protect privacy rights (see the next point below).

Requirement of state action: US law protects constitutional rights only against government action, while in the EU the state also has a duty under certain circumstances to protect the privacy of individuals against violations by nongovernmental actors. An example from outside the area of privacy is provided by the decisions of the European Court of Human Rights (ECHR) in Case of Z and Others v. United Kingdom (2001) and the US Supreme Court in DeShaney v. Winnebago County (1989). Both cases involved the issue of whether the state has a duty under constitutional law to protect a child against abuse by its parents; in essence, the ECHR answered “yes” and the US Supreme Court answered “no”.

Requirement of “harm”: In the EU, the processing of personal data is generally prohibited absent a legal basis, and the CJEU has ruled that a data protection violation does not depend on “whether the information communicated is of a sensitive character or whether the persons concerned have been inconvenienced in any way” (para. 75 of the Rechnungshof case of 2003). In the US data processing is generally allowed unless it causes some harm or is otherwise restricted by law.

The EU and US systems of privacy rights have each developed in a democratic system of government based on the rule of law, and have been shaped by unique cultural and historical factors, so there is little point in debating which one is “better”. However, the fact that the two systems are anchored in their constitutional frameworks does not mean that practical measures cannot be found to bridge some of the differences between them; I am part of a group (the EU-US “Privacy Bridges” project) that is trying to do just that. The two systems may also influence each other and grow closer together over time. For example, the call for enactment of a “consumer privacy bill of rights” in the framework for protection of consumer privacy released by the White House in February 2012 seems to have been inspired in part by the status of data protection as a fundamental right in EU law.

The central role played by constitutional factors in the EU and US systems of data privacy rights means it is essential that more attention be given to the study of privacy law from a comparative constitutional perspective. For example, I wonder why there is so little opportunity in US law schools to study EU data protection law, and vice-versa? Efforts must be increased on both sides of the Atlantic to better understand each other’s systems for protecting data privacy rights.

The right to be forgotten and the global reach of EU data protection law

It is a pleasure to be a guest blogger on Concurring Opinions during the month of June. I will be discussing issues and developments relating to European data protection and privacy law, from an international perspective.

Let me begin with a recent case of the Court of Justice of the European Union (CJEU) that has received a great deal of attention. In its judgment of May 13 in the case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez, the Court recognized a “right to be forgotten” with regard to Internet search engine results based on the EU Data Protection Directive 95/46. This judgment by the highest court in the EU demonstrates that, while it is understandable that data protection law be construed broadly so that individuals are not deprived of protection, it is also necessary to specify some boundaries to define when it does not apply, if EU data protection law is not to become a kind of global law applicable to the entire Internet.

I have already summarized the case elsewhere, and here will only deal with its international jurisdictional aspects. It involved a claim brought by an individual in Spain against both the US parent company Google Inc, and its subsidiary Google Spain. The latter company, which has separate legal personality in Spain, acts as a commercial agent for the Google group in that country, in particular with regard to the sale of online advertising on the search engine web site www.google.com operated by Google Inc. via its servers in California.

The CJEU applied EU data protection law to the Google search engine under Article 4(1)(a) of the Directive, based on its finding that Google Spain was “inextricably linked” to the activities of Google Inc. by virtue of its sale of advertising space on the search engine site provided by Google Inc, even though Google Spain had no direct involvement in running the search engine. In short, the Court found that data processing by the search engine was “carried out in the context of the activities of an establishment of the controller” (i.e., Google Spain).

Since the Court applied EU law based on the activities of Google Spain, it did not discuss the circumstances under which EU data protection law can be applied to processing by data controllers established outside the EU under Article 4(1)(c) of the Directive (see paragraph 61 of the judgment), though the Court did emphasize the broad territorial applicability of EU data protection law (paragraph 54). Since the right to be forgotten has effect on search engines operated from computers located outside the EU, I consider this to be a case of extraterritorial jurisdiction (or extraterritorial application of EU law: I am aware of the distinction between applicable law and jurisdiction, but will use “jurisdiction” here as a shorthand to refer to both).

The Court did not limit its holding to claims brought by EU individuals, or to search engines operated under specific domains. An individual seeking to assert a right under the Directive need not be a citizen of an EU Member State, or have any particular connection with the EU, as long as the act of data processing on which his or her claim is based is subject to EU data protection law under Article 4. The Directive states that EU data protection law applies regardless of an individual’s nationality or residence (see Recital 2), and it is widely recognized that it may apply to entities outside the EU.

Thus, it seems that there would be no impediment under EU law, for example, to a Chinese citizen in China who uses a US-based Internet search engine with a subsidiary in the EU asserting the right to be forgotten against the EU subsidiary with regard to results generated by the search engine (note that Article 3(2) of the proposed EU General Data Protection Regulation would limit the possibility of asserting the right to be forgotten by individuals without any connection to the EU, since the application of EU data protection law would be limited to “data subjects residing in the Union”). Since only the US entity running the search engine would have the power to amend the search results, in effect the Chinese individual would be using EU data protection law as a vehicle to bring a claim against the US entity. The judgment therefore potentially applies EU data protection law to the entire Internet, a situation that was not foreseen when the Directive was enacted (as noted by the Court in paragraphs 69-70 of its 2003 Lindqvist judgment). It could lead to forum shopping and “right to be forgotten tourism” by individuals from around the world (much as UK libel laws have led to criticisms of “libel tourism”).

It is likely that the judgment will be interpreted more restrictively than this. For example, the UK Information Commissioner’s office has announced that it will focus on “concerns linked to clear evidence of damage and distress to individuals” in enforcing the right to be forgotten. However, if one takes the position that Article 16 of the Treaty on the Foundation of the European Union (TFEU) has direct effect, then the ability of individual DPAs to limit the judgment to situations where some “damage or distress” has occurred seems legally doubtful (see paragraph 96, where the Court remarked that the right to be forgotten applies regardless of whether inclusion of an individual’s name in search results “causes prejudice”). Google has also recently announced a procedure for individuals to remove their names from search results under certain circumstances, and the way that online services deal with implementation of the judgment will be crucial in determining its territorial scope in practice.

In any event, the Court’s lack of concern with the territorial application of the judgment demonstrates an inward-looking attitude that fails to take into account the global nature of the Internet. It also increases the need for enactment of the proposed Regulation, in order to provide some territorial limits to the right to be forgotten.

The Long Arm of US Law Enforcement

The front page of today’s NY Times reports on yesterday’s arrest of the notorious drug lord Joaquín Guzmán Loera, aka “El Chapo.” Although the raid was carried out by Mexican forces, the Times reports that they were “aided by information from the United States Drug Enforcement Administration, immigration and customs officials and the United States Marshals Service . . . .” It is unclear whether Guzmán will be extradited to the United States.

The raid brings back memories of when the US took a more direct route to capturing fugitives in Mexico: the 1990 capture and transfer to the United States of Humberto Álvarez-Machaín by Mexican nationals at the behest of the US Government.

Who’s a Pirate?

For anyone who served as a faculty advisor or judge for the recent Jessup International Law Moot Court Competition, pirates have likely been on your mind because of the issue in this year’s compromis as to whether Oscar de Luz is a pirate.

Pirates are in the news as well, and not just because of Captain Phillips’ Best Picture nomination. As Milena Sterio writes over at IntLawGrrls, “United States’ prosecutors have decided to drop charges against Ali Mohamed Ali, who had been charged with piracy, as well as with hostage-taking, for his alleged role as translator/negotiator after the seizure of a Danish vessel in 2008.”

Turning to another piracy case, the opinion in U.S. v. Said makes for fun class discussion when teaching statutory interpretation as part of a Criminal Law course. It turns out neither owning a parrot nor saying “Yarrrr, Matey!” are necessary or sufficient for piracy. So have fun on September 19 each year for “International Talk Like a Pirate Day” without fear of prosecution!

Xi and Putin BFF?

Images of Chinese President Xi Jinping sitting cozily with Russian President Vladimir Putin at the Sochi Olympics opening ceremony not only emphasized that a number of heads of state were not in attendance, but also highlighted the complex Sino-Russian relationship. Putin—certainly not the most gregarious or affable of world leaders—even equated Xi’s trip to a “visit to good friends.” And China’s official People’s Daily newspaper reports, “Mr. Putin cheerfully recalled the experience when he and Mr. Xi drank vodka together to celebrate his birthday last year. ‘I know that I have many friends in China,’ Putin said. ‘It is not surprising, because we have special relations with China, and I have special feelings for China.’”

Sino-Russian relations have not always been so cordial. Upon tossing out all of the bourgeois laws of the capitalist running dogs when founding the People’s Republic of China in 1949, Mao Zedong understandably looked north to the USSR for inspiration in shaping the PRC’s legal system. The influence remains today, for example in the use of a procuratorate (or “procuracy”) to prosecute cases and oversee other aspects of the legal system. Since Khrushchev’s process of de-Stalinization diminished Mao’s confidence in his neighbors to the north (and created concerns about possible de-Maoization at home), Sino-Russian relations have periodically waxed and waned. Today, China and Russia are the two largest members of the Shanghai Cooperation Organization and China is Russia’s largest trading partner.

In late 2012 when Xi Jinping took over as General Secretary of the Communist Party of China—his more important title than “President”—questions understandably arose about what type of leader he would be. Xi’s first state visit was to Russia, and Xi has commented that he and Putin have similar personalities. It is too early in Xi’s tenure to say whether he will closely emulate Putin’s strong man persona. Nonetheless, it is looking increasingly unlikely that he will be China’s Gorbachev.

UCLA Law Review Vol. 61, Issue 2

Volume 61, Issue 2 (January 2014)
Articles

Negotiating Nonproliferation: International Law and Delegation in the Iranian Nuclear Crisis, by Aslı Ü. Bâli (p. 232)
Detention Without End?: Reexamining the Indefinite Confinement of Terrorism Suspects Through the Lens of Criminal Sentencing, by Jonathan Hafetz (p. 326)
Transparently Opaque: Understanding the Lack of Transparency in Insurance Consumer Protection, by Daniel Schwarcz (p. 394)

Comments

California’s Unloaded Open Carry Bans: A Constitutional and Risky, but Perhaps Necessary, Gun Control Strategy, by Charlie Sarosy (p. 464)
Exclusion, Punishment, Racism and Our Schools: A Critical Race Theory Perspective on School Discipline, by David Simson (p. 506)

The TPP and Copyright

This is my second post about the leaked draft of the Trans-Pacific Partnership Agreement. Here, I address some of the copyright provisions. This is not an exhaustive analysis, and I’ve tried to make it complementary to what’s already out there. For analysis of additional provisions, see KEI, Public Citizen, Ars Technica, Kimberlee Weatherall for an Australian perspective, and EFF. [Note: I have updated this post.]

First, there are major splits between countries. The United States consistently takes the position of pushing for stronger IP, while others—especially Canada and New Zealand—advocate a more balanced approach. The divisions are particularly prominent when it comes to preliminary statements about the public domain and public health, none of which the U.S. supports. These analyses are on one subset of proposed language, not finalized language, and a lot of the agreement could change. I focus my analysis primarily on the U.S. proposed language.

Second, the U.S. proposals look very similar to our past Free Trade Agreements, including the earlier texts of ACTA.  Whatever message was sent when the EU refused to ratify ACTA, the U.S. Trade Representative did not receive it.  Many of the provisions that appeared in ACTA are also areas of proposed reform in the United States—the U.S. proposed text for the TPP would internationally bind this country and prevent many proposed reforms to our copyright law.

Third, and this is an important point: U.S. proposals are less balanced than U.S. domestic law. As I noted in my previous post, this is because a subset of IP industries provide the USTR advice, leaving out important balancing viewpoints and sometimes misrepresenting U.S. law.

Similarities to ACTA:

Intermediary liability (Article QQ.I.1): As in ACTA, the central copyright argument in TPP is over what kind of intermediary liability regime will be internationally required.  Currently, online intermediary liability is not governed at an international level.  Michael Geist has done a great job of outlining the basic differences in the TPP proposals for intermediary liability. The United States is pushing for notice-and-takedown, with a coalition of countries, including Canada and New Zealand, pushing instead for a notice-only provision.  These regimes offer different levels of due process for Internet users.

Statutory damages (ARTICLE QQ.H.4.Y(15)): As in ACTA, countries are fighting over statutory (or “pre-established”) damages: damages awarded to copyright owners without a showing of actual harm.  Australia opposes this provision because it does not have statutory damages. Statutory damages are an often-criticized part of the U.S. regime, enabling disproportionately large awards in copyright cases.

Criminal liability (Article QQ.H.7(2)): As in ACTA, countries have split over the definition of criminal copyright infringement.  The U.S. proposal, like U.S. law, pushes to criminalize very low level infringement, to go after even low level filesharing.  Other countries want to keep it at the international requirement, which requires a motive of financial gain or commercial advantage.  The United States lost a recent WTO case on criminal copyright, and has since been trying to ratchet up international criminal copyright law through free trade agreements.

Criminal Intermediary liability (Article QQ.H.7(6)): As in ACTA, the TPP criminalizes aiding and abetting infringement. This allows authorities to go after websites under criminal law, rerouting around protections from civil liability. Coupled with a low underlying threshold for criminal infringement, this could sweep in a lot of activity. Thanks to Kimberlee Weatherall for catching this.

Asset Forfeiture (Article QQ.H.7(c) p. 79): As in ACTA, the TPP allows the seizure of “any related materials and implements used in the commission of the alleged offense”. In the United States, asset forfeiture has been used to seize websites before trial.

DRM/Technological Protection Measures (Article QQ.G.10): As in ACTA, the United States is trying to export the DRM provisions of the DMCA, as its version of implementation of the WIPO Copyright Treaty. As I note below, however, what’s proposed is a worse version of what we have at home. The recent conflict over cell-phone unlocking shows that this is likely to be the focus of domestic policy reform. Some suggest that the DRM provisions here criminalize unlocking even when the underlying purpose is fair use.

De minimis border measures (the “iPod search”) (Article QQ.H.6(8)): As in ACTA, the United States is pushing to shrink the “personal use” border exception that currently exists in international law, in TRIPS Article 60. For now, however, it looks as though the de minimis provision is functionally the same as TRIPS, due to a strategic footnote (235). This is something to watch.

Account termination (Article QQ.I.1(p. 88)): In U.S. copyright law, there’s a provision requiring online intermediaries to have a termination policy in place for repeat copyright infringers. Similar language has been proposed in the draft TPP. As Annemarie Bridy has pointed out, this language may have different implications in different countries.  It probably does not require graduated response.  However, its inclusion can also be read as endorsing recently developed private-ordering graduated response in the United States: agreements between private companies to kick infringing users offline. And transplanting this language into other countries might lead them to push for similar or more draconian policies.

Things that differ from US law:

Fair Use/Exceptions and Limitations language (Article QQ.G.Y): There’s no fair use. The broadened copyright exceptions language that the USTR bragged about earlier this year is not very broad. And it’s not fair use. This may harm our exporting businesses. Google just won the Google Books case, where Google Books was found to be fair use; TPP shows no evidence of extending that kind of exception abroad.

International First Sale Doctrine (Article QQ.G.3,  Article QQ.G.17):  Despite the fact that the Supreme Court held in Kirtsaeng in March that first sale doctrine applies abroad—and trumps the importation right—the USTR is exporting the opposite. The USTR also opposes saying that countries are encouraged to establish international exhaustion of rights. All other countries (except Canada, which is neutral) want international first sale doctrine. It’s not clear to me why the USTR thinks it can bind the US to law contrary to Kirtsaeng—and this draft is from months after the Kirtsaeng opinion came down. I’m happy to be convinced otherwise, but I can’t see how the two are reconcilable.

Temporary reproductions (Article QQ.G.1): Despite the fact that there is a circuit split over whether temporary reproductions are considered “fixed” enough to be copyrightable, the USTR proposes exporting a requirement that temporary reproductions are covered by copyright.

Standard technical measures (Article QQ.I.1(p. 88)): In the DMCA, there is a requirement that intermediaries accommodate “standard technical measures.” However, those measures must be arrived at through a multi-industry process that is open and fair. In practice, this means that there are no standard technical measures in the United States. The words “multi-industry” and “fair” get left out of the TPP, which means that standard technical measures may get developed abroad, and online intermediaries will have to accommodate them there, where they don’t have to at home.

Criminal liability (Article QQ.H.7(2)): U.S. criminal copyright law contains a numerical threshold for criminal copyright infringement that is done without commercial motivation: $1000 of infringement in 180 days. The TPP proposal substitutes the word “significant” for an actual number. This difference could go either way.

Notice-and-takedown misuse & attorneys’ fees (Article QQ.I.1 (p.89)): In the DMCA, people who misuse notice-and-takedown can be sued, and are subject to attorneys’ fees.  Even though the US proposal clearly asks for attorneys’ fees in other places, it does not include attorneys’ fees in the material misrepresentation provision.

Reverse engineering exemption to TPM/DRM (Article QQ.G.10): Thanks to Jonathan Band for pointing this one out to me originally. The reverse engineering exception to DRM exported by the US is not as broad as the one available domestically.

Privacy (Article QQ.I.1): TPP barely mentions privacy.  There are some discussions of a no-duty-to-monitor provision, but no broader assertion of privacy principles that I can find.  We don’t normally think of U.S. law as containing a nod to balancing copyright enforcement with privacy, but it turns out that 512(m)(2), which says providers shall not access content contrary to law, was intended to bolster the “no monitoring necessary” requirement to mean “no monitoring necessary, AND don’t violate wiretap law.” This didn’t make it in.


Capture, sunlight, and the TPP leak

Yesterday, Wikileaks leaked the draft IP chapter of the Trans-Pacific Partnership Agreement (TPP).  This is the first of two posts I’ll make on the significance of the leak.  In this post, I discuss why the leak matters from the process perspective.  In the next, I’ll point out detailed substantive issues in the draft’s copyright provisions.  Unsurprisingly, the process and the substance are closely intertwined.

Up until this leak, only a subset of domestic IP stakeholders has had access to the TPP text.  The U.S. Trade Representative has shown the draft text to its closed advisory committees, but not to anybody else.  Content industries and pharmaceutical industries sit on the IP advisory committee.  Internet industries, smaller innovators, generics companies, and public interest groups do not.

This is no accident.  When Congress established the trade negotiating system, it exempted the Trade Representative from requirements of an open government law that was enacted to prevent agency capture, the Federal Advisory Committee Act (FACA).  FACA requires transparency, a limited term length for industry advisory committees, and balanced membership on those committees.  The trade advisory committee on IP does not have balanced membership.  It is not subject to public oversight.   And it has an extended term limit, at the discretion of the USTR.  Other open government laws also don’t apply—the USTR exempts itself from the Freedom of Information Act (FOIA) by claiming a national security exemption, and the Administrative Procedure Act (APA) doesn’t apply to international lawmaking. As a consequence, the U.S. role in international IP lawmaking is captured through one-sided industry advice.

The USTR is supposed to be exporting US IP law.  But what the USTR exports is not US law.  The USTR paraphrases US law; it doesn’t export our statutes.  This process allows information capture to have substantive consequences.

The paraphrasing USTR sends out is worse than our law. It’s less balanced, and it’s missing things. In places, the USTR misrepresents that one side of a current circuit split is the authoritative word on issues that deeply divide domestic constituents.

These skewings and omissions are not an accident. Some are directly requested by the IP advisory committee—you can see the requests in past advisory committee reports on other free trade agreements.  Others are the result of the USTR’s failing to consult public interest, academics, or opposing industries, who would point out what must be included, what’s wrong, and which omissions matter.

Balanced advice is necessary at the level of the text.  The USTR recently conducted a series of “stakeholder phone calls,” where it takes questions on broad policy issues.  These calls are transparency theater, not transparency.   They lump together stakeholders on an impossibly wide range of issues—from dairy to textiles to IP.  Discussions are high-level, where many of the problems with USTR’s policies are textual problems.  The devil, in law, is very much in the details.

The USTR is captured in other ways, too.  There is a significant revolving door problem. USTR negotiators come from and leave for employment in the same IP industries that sit on its advisory committee.  But the crux of the problem is that nobody outside of the advisory committees sees the text.

This is why the TPP leak is so important: it levels the playing field.  It lets those who aren’t on the advisory committees, like me, find and point to misrepresentations the USTR is making.  If there is one thing I’d say to our negotiating partners, it’s this: find yourself a good U.S. lawyer who can tell you what is actually in U.S. IP law.  And let them read what you’re negotiating.

Our domestic IP law is the result of democratic political process.  Even if that process has been subject to significant collective action problems, it still shows compromise.  Constituents on opposing sides of an IP issue arrive at legal meaning through statutory and regulatory compromise, and litigation.  Courts play an important role in reinserting balance into the system.  The international agreements we negotiate and sign are produced by a closed and captured process.  What little balance we achieve domestically is not what we are sending abroad.

This approach will have consequences.  As many rightfully point out, it will harm developing countries.  But it will also harm domestic constituents.  Google now makes over 50% of their profits overseas, and we export copyright law that will make it more difficult for them to operate abroad.  What’s more, the Internet is global—digital copyright law made abroad affects online content available to people here.  And the law the USTR exports affects our policymaking process at home.  It binds us to detailed IP law created by advising incumbents.  Deviations from that law may result in threats of trade sanctions.

Killing fast track is one way to change the system.  If fast track is stopped, Congress will have much more input into the trade process.  It will be able to amend trade agreements.  But this is a blunt instrument, and it might kill international trade.  A more tailored combination of changing the advisory system, giving the USTR precise and enforceable negotiating objectives, and increasing transparency could produce the changes we need.  This is why I signed the law professors’ letter calling for transparency in trade, issued today. One leak won’t fix things, but it’s certainly a start.

Sunlight is the best disinfectant. Many thanks to Wikileaks for doing what we rightfully expect our government to do.