Wednesday, 18 January 2017

Internet legal developments to look out for in 2017

A preview of some of the UK internet legal developments that we can expect in 2017. Any proposed EU legislation will be subject to Brexit considerations and so may never happen in the UK.

EU copyright reform In 2016 the European Commission published
proposals for a Directive on Copyright in the Digital Single Market (widely viewed as being in the main internet-unfriendly), for a Regulation extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to broadcasters' ancillary online transmissions and for a proposal to mandate a degree of online content portability within the EU. The legislative processes will continue through 2017.

EU online business As part of its Digital Single Market proposals the European Commission has published a proposal for a Regulation on "Geo-blocking and other forms of discrimination". It aims to prevent online retailers from discriminating, technically or commercially, on the basis of nationality, residence or location of a customer. 

UK criminal copyright infringement The
Digital Economy Bill is about to start its Lords Committee stage. Among other things the Bill implements the government’s decision to seek an increase in the maximum sentence for criminal copyright infringement by communication to the public from two years to ten years. The Bill also redefines the offence in a way that, although intended to exclude minor infringements, has raised concerns that it in fact expands the scope of the offence.

Pending CJEU copyright cases Several copyright references are pending in the EU Court of Justice. Issues under consideration include communication to the public and magnet links (
BREIN/Pirate Bay C-610/15), links to infringing movies in an add-on media player (BREIN/Filmspeler C-527/15), site blocking injunctions (BREIN/Pirate Bay), applicability of the temporary copies exception to viewing infringing movies (BREIN/Filmspeler) and cloud-based remote PVR (VCAST C-265/16).

Online pornography The
Digital Economy Bill would grant powers to a regulator (intended to be the British Board of Film Classification) to determine age control mechanisms for internet sites that make ‘R18’ pornography available; and to direct ISPs to block such sites that either do not comply with age verification or contain material that would not be granted an R18 certificate. These aspects of the Bill have been criticised by the UN Special Rapporteur on freedom of expression, by the House of Lords Delegated Powers and Regulatory Reform Committee and by the House of Lords Constitution Committee.

Net neutrality and parental controls The net neutrality provisions of the
EU Open Internet Access and Roaming Regulation potentially affect the ability of operators to choose to provide network-based parental control filtering to their customers. A transitional period for existing self-regulatory schemes expired on 31 December 2016. The government has said that although it does not regard the Regulation as outlawing the existing UK voluntary parental controls regime, to put the matter beyond doubt it will introduce an amendment to the Digital Economy Bill to put the parental controls scheme on a statutory basis.

TV-like regulation of the internet The review of the EU Audio Visual Media Services Directive continues. The
Commission proposal adopted on 25 May 2016 would further extend the Directive's applicability to on-demand providers and internet platforms.

Cross-border liability and jurisdiction
Ilsjan (Case C-194/16) is another CJEU reference on the Article 7(2) (ex-Art 5(3)) tort jurisdiction provisions of the EU Jurisdiction Regulation. The case concerns a claim for correction and removal of harmful comments. It asks questions around mere accessibility as a threshold for jurisdiction (as found in Pez Hejduk) and the eDate/Martinez ‘centre of interests’ criterion for recovery in respect of the entire harm suffered throughout the EU. Meanwhile significant decisions on extraterritoriality are likely to be delivered in the French Conseil d'Etat (CNIL/Google) and Canadian Supreme Court (Equustek/Google).

Online state surveillance The UK’s
Investigatory Powers Act 2016 is expected to be implemented in stages throughout 2017. The Watson/Tele2 decision of the CJEU has already cast a shadow over the data retention provisions of the Act, which will almost certainly mow have to be amended. The Watson case, which directly concerns the now expired data retention provisions of DRIPA, will shortly return to the Court of Appeal for further consideration in the light of the CJEU judgment. The IP Act (in particular the bulk powers provisions) may also be indirectly affected by pending cases in the CJEU (challenges to the EU-US Privacy Shield), in the European Court of Human Rights (ten NGOs challenging the existing RIPA bulk interception regime) and by a judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers. Finally, Liberty has announced that it is launching a direct challenge in the UK courts against the IP Act bulk powers. 


 

Monday, 2 January 2017

Cyberleagle on Surveillance

For over two years I have been blogging on surveillance, a topic that cuckoo-like has grown to crowd out most other IT and internet law topics on this blog. 

With the Investigatory Powers Act now on the UK statute book, this seems like a good moment to catalogue the 43 posts that this legislation and its preceding events have inspired.

20 August 2013: Everyman encounters Government. Prompted by reactions to Snowden. It's all about trust.


{8 April 2014: CJEU invalidates EU Data Retention Directive in Digital Rights Ireland. Validity of UK implementation by secondary legislation questionable.}

12 July 2014: Dissecting DRIP - the emergency Data Retention and Investigatory Powers Bill. Posted the day after the coalition government’s Friday publication of the DRIP Bill for introduction into Parliament on the Monday morning, on an emergency four day timetable. Still by far the most page views of any post on this blog. 

20 July 2014: The other side of communications data. Statistics on communications data acquisition errors with serious consequences: wrong accusations, search warrants, arrests. Updated since then with data from subsequent IOCCO Annual Reports. 

10 October 2014: Submissions to the Investigatory Powers Review. Various submissions (including mine) to David Anderson QC’s Investigatory Powers Review.

15 November 2014: Of straws and haystacks. Tracing the history of RIPA’s S.8(4) bulk interception power via the 1960s cable vetting scandal to S.4 of the Official Secrets Act 1920.

3 December 2014: Another round of data retention. The IP address resolution provisions of the Counter-Terrorism and Security Bill, amending DRIPA.

21 December 2014: A Cheltenham Carol. Five Ba-a-aack Doors.

2 January 2015: The tangled net of GCHQ’s fishing warrant. Detailed analysis of the S.8(4) RIPA bulk interception warrant.

2 February 2015: IP address resolution - a conundrum still unresolved? A short rant about the Counter-Terrorism and Security Bill.

{11 June 2015: "A Question of Trust" published.}

13 July 2015: Red lines and no-go zones - the coming surveillance debate. Discussion of  David Anderson Q.C.'s Investigatory Powers Review report "A Question of Trust".

12 August 2015: The coming surveillance debate. A 13 part series of posts analysing specific topics likely to feature in the forthcoming Investigatory Powers Bill.

5 September 2015: Predicting the UK’s new surveillance law. Nine predictions for the contents of the Bill covering bulk interception, broad Ministerial powers, browsing histories, digital footprints, data generation by decree, communications data/content boundary, third party data collection, request filter and judicial authorisation.

{4 November 2015: Draft Investigatory Powers Bill published.}

4 November 2015: Prediction and Verdict - the draft Investigatory Powers Bill. Contents of the draft Bill versus my 5 September predictions.

9 November 2015: From Oversight to Insight - Hidden Surveillance Law Interpretations. Arguing that the oversight body should proactively seek out and make public material legal interpretations on the basis of which powers are exercised or asserted.

23 December 2015: #IPBill Christmas Quiz. A bit of seasonal fun with the draft Bill, including the never to be forgotten definition “Data includes any information which is not data”. Five out of the ten points highlighted, including that one, have changed in the final legislation.

16 January 2016: An itemised phone bill like none ever seen. Adapted from my evidence to the pre-legislative scrutiny Joint Committee, analysing how internet connection records are richer, more far reaching and different in nature from the traditional itemised phone bill with which the government was at that stage inclined to compare them. 

7 February 2016: No Content: Metadata and the draft Investigatory Powers Bill. Highlighting the significance of communications data powers in the draft Bill.

16 February 2016: The draft Investigatory Powers Bill - start all over again? Discussion of the Joint Committee and ISC Reports on the draft Bill.

{1 March 2016: Investigatory Powers Bill introduced into Parliament.}

15 March 2016: Relevant Communications Data revisited. Parsing and visualising one of the most complex and critical definitions in the Bill.

19 March 2016: 20 points on the Investigatory Powers Bill, from future proofing to triple negatives. Storified 20 points tweeted immediately before publication of the Bill, with subsequent comments in the light of the Bill.

24 March 2016: All about the metadata. More visualisations of the Bill’s complex web of metadata definitions.

29 March 2016: Woe unto you, cryptographers! This little collection of Biblical quotations adapted to cryptography fell flat as a pancake…

1 April 2016: An official announcement. …but not as flat as this leaden attempt at an April Fool.

15 April 2016: Future-proofing the Investigatory Powers Bill. Arguing that the Bill’s attempt to future-proof powers by adopting a technologically neutral drafting approach repeats the error of RIPA. A better approach would be to future-proof the privacy-intrusion balance.

26 May 2016: The content v metadata contest at the heart of the Investigatory Powers Bill. A deep dive into the Bill’s dividing lines between content and metadata, including the new power of the intelligence agencies to extract some content and treat it as metadata. 

12 June 2016: The List. Dystopia looms, holding a clipboard.

19 July 2016: Data retention - the Advocate General opines. Summary of the Advocate General’s Opinion in the Watson/Tele2 case challenging DRIPA and the equivalent Swedish legislation.

11 August 2016: How secondary data got its name. An imagined Bill drafting committee meeting in Whitehall.

{19 August 2016: Bulk Powers Review published.}

7 September 2016: A trim for bulk powers? What might have been if the Bulk Powers Review had been commissioned and published at the start of the Parliamentary process.

{29 November 2016: Investigatory Powers Act gains Royal Assent.}

10 December 2016: Investigatory Powers Act 2016 Christmas Quiz. 20 questions to test your knowledge of the #IPAct. 

31 December 2016: The Investigatory Powers Act - swan or turkey? A post-legislative reflection on the Act.  

This marks the end of the beginning. Pending legal challenges, new legal challenges and Brexit will provide a rich seam of material for future blogging.

[Amended 21.25 2 Jan 2017 to add some {contextual events} and stylistic edits.]

Saturday, 31 December 2016

The Investigatory Powers Act - swan or turkey?

The Investigatory Powers Bill, now the newly minted Investigatory Powers Act, has probably undergone more scrutiny than any legislation in recent memory. Rarely, though, can the need for scrutiny have been so great.
 
Over 300 pages make up what then Prime Minister David Cameron described as the most important Bill of the last Parliament. When it comes into force the IP Act will replace much of RIPA (the Regulation of Investigatory Powers Act 2000), described by David Anderson Q.C.’s report A Question of Trust as ‘incomprehensible to all but a tiny band of initiates’. It will also supersede a batch of non-RIPA powers that had been exercised in secret over many years - some, so the Investigatory Powers Tribunal has found, on the basis of an insufficiently clear legal framework. 
 
None of this would have occurred but for the 2013 Snowden revelations of the scale of GCHQ’s use of bulk interception powers. Two years post-Snowden the government was still acknowledging previously unknown (except to those in the know) uses of opaque statutory powers. 
 
Three Reviews and several Parliamentary Committees later, it remains a matter of opinion whether the thousands of hours of labour that went into the Act have brought forth a swan or a turkey. If the lengthy incubation has produced a swan, it is one whose feathers are already looking distinctly ruffled following the CJEU judgment in Watson/Tele2, issued three weeks after Royal Assent. That decision will at a minimum require the data retention aspects of the Act to be substantially amended. 
 
So, swan or turkey?
 
Judicial approval
 
On the swan side warrants for interception and equipment interference, together with most types of power exercisable by notice, will be subject to prior approval by independent Judicial Commissioners. For some, doubts persist about the degree of the scrutiny that will be exercised. Nevertheless judicial approval is a significant improvement on current practice whereby the Secretary of State alone takes the decision to issue a warrant.
 
Codified powers
 
Also swan-like is the impressive 300 page codification of the numerous powers granted to law enforcement and intelligence agencies. A Part entitled ‘Bulk warrants’ is a welcome change from RIPA’s certificated warrants, which forced the reader to play hopscotch around a mosaic of convoluted provisions before the legislation would give up its secrets.
 
Granted, the IP Act also ties itself in a few impenetrable knots. Parts are built on shaky or even non-existent definitional foundations. But it would be churlish not to acknowledge the IP Act’s overall improvement over its predecessors. 
 
Parliamentary scrutiny
 
When we move to consider the Parliamentary scrutiny of bulk powers things become less elegant.
 
The pre-legislative Joint Committee acknowledged that the witnesses were giving evidence on the basis of incomplete information. In response to the Joint Committee’s recommendation the government produced an Operational Case for Bulk Powers alongside the Bill’s introduction into Parliament. That added a little light to that which A Question of Trust had previously shed on the use of bulk powers. 
 
But it was only with the publication of David Anderson’s Bulk Powers Review towards the end of the Parliamentary process that greater insight into the full range of ways in which bulk powers are used was provided from an uncontroversial source. (By way of example ‘selector’ - the most basic of bulk interception terms - appears 27 times in the Bulk Powers Review, five times in A Question of Trust and twice in the Operational Case, but not at all in either the Joint Parliamentary Scrutiny Committee Report or the Intelligence and Security Committee Report.)
 
By the time the Bulk Powers Review was published it was too late for the detailed information within it to fuel a useful Parliamentary debate on how any bulk powers within the Act should be framed. David Anderson touched on the timing when he declined to enter into a discussion of whether bulk powers might be trimmed:
 
“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path. Technology and terminology will inevitably change faster than the ability of legislators to keep up. The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards. If the new law is to have any hope of accommodating the evolution of technology over the next 10 or 15 years, it needs to avoid the trap of an excessively prescriptive and technically-defined approach.”
In the event the legislation was flagged through on the Bulk Powers Review’s finding that the powers have a clear operational purpose and that the bulk interception power is of vital utility.
 
Fully equipped scrutiny at an early stage of the Parliamentary process could have resulted in more closely tailored bulk powers. As discussed below (“Vulnerability to legal challenge”) breadth of powers may come back to haunt the government in the courts.
 
Mandatory data retention
 
Views on expanded powers to compel communications data retention are highly polarised. But swan or turkey, data retention will become an issue in the courts. The CJEU judgment in Watson/Tele2, although about the existing DRIPA legislation, will require changes to the IP Act. How extensive those changes need to be will no doubt be controversial and may lead to new legal challenges. So, most likely, will the extension of mandatory data retention to include generation and obtaining of so-called internet connection records: site-level web browsing histories.  
 
Many would say that officially mandated lists of what we have been reading, be that paper books or websites, cross a red line. In human rights terms that could amount to failure to respect the essence of privacy and freedom of expression: a power that no amount of necessity, proportionality, oversight or safeguarding can legitimise.
 
Limits on powers v safeguards
 
The Act is underpinned by the assumption that breadth of powers can be counterbalanced by safeguards (independent prior approval, access restrictions, oversight) and soft limits on their exercise (necessity and proportionality). 
 
Those may provide protection against abuse. That is of little comfort if the objection is to a kind of intended use: for instance mining the communications data of millions in order to form suspicions, rather than starting with grounds for specific suspicion.
 
The broader and less specific the power, the more likely it is that some intended but unforeseen or unappreciated use of it will be authorised without prior public awareness and consent. That happened with S.94 of the Telecommunications Act 1984 and, arguably, with bulk interception under RIPA. Certainly, the coming together of the internet and mobile phones resulted in a shift in the intrusion and privacy balance embodied in the RIPA powers. This was facilitated by the deliberate future-proofing of RIPA powers to allow for technological change, an approach repeated (not to its benefit, I would argue) in the IP Act.
 
In A Question of Trust David Anderson speculated on a future Panopticon of high tech intrusive surveillance powers:
 
“Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart.”
 
He went on to say, in relation to controlling the exercise of powers by reference to fundamental rights principles of necessity and proportionality:
 
“Because those concepts as developed by the courts are adaptable, nuanced and context-specific, they are well adapted to balancing the competing imperatives of privacy and security. But for the same reasons, they can appear flexible, and capable of subjective application. As a means of imposing strict limits on state power (my second principle, above) they are less certain, and more contestable, than hard-edged rules of a more absolute nature would be.”
The IP Act abjures hard-edged rules. Instead it grants broad powers mitigated by safeguards and by the day to day application of soft limits: necessity and proportionality.
 
The philosophy of granting broad powers counterbalanced by safeguards and soft limits reflects a belief that, because the UK has a long tradition of respect for liberty, we can and should trust our authorities, suitably overseen, with powers that we would not wish to see in less scrupulous hands. 
 
Another view is that the mark of a society with a long tradition of respect for liberty is that it draws clear red lines. It does not grant overly broad or far-reaching powers to state authorities, however much we may believe we can trust them (and their supervisors) and however many safeguards against abuse we may install. 
 
Both approaches are rooted in a belief (however optimistic that may sometimes seem) that our society is founded on deeply embedded principles of liberty. Yet they lead to markedly different rhetoric and results.
 
Be that as it may, the IP Act grants broad general powers. Will the Act foster trust in the system that it sets up? 
 
The question of trust
 
David Anderson’s original Review was framed as “A Question of Trust”. Although we may believe a system to be operated by dedicated public servants of goodwill and integrity, nevertheless for the sceptic the answer to the question of trust posed by intrusive state powers is found in a version of the precautionary principle: the price of liberty is eternal vigilance.
 
Whoever may have coined that phrase, the slavery abolitionist Wendell Phillips in 1852 emphasised that it concerns the people at large as well as institutions:
 
“Eternal vigilance is the price of liberty; … Only by continued oversight can the democrat in office be prevented from hardening into a despot; only by unintermitted agitation can a people be sufficiently awake to principle not to let liberty be smothered in material prosperity.”
 
Even those less inclined to scepticism may think that a system of broad, general powers and soft limits merits a less generous presumption of trust than specifically limited, concretely defined powers. 
 
Either way a heavy burden is placed on oversight bodies to ensure openness and transparency. To quote A Question of Trust: “…trust depends on verification rather than reputation, …”. 
 
One specific point deserves highlighting: the effectiveness of the 5 year review provided for by the IP Act will depend upon sufficient information about the operation of the Act being available for evaluation.
 
Hidden legal interpretations
 
Transparency brings us to the question of hidden legal interpretations. The Act leaves it up to the new oversight body whether or not proactively to seek out and publish material legal interpretations on the basis of which powers are exercised or asserted
 
That this can be done is evident from the 2014 Report of Sir Mark Waller, the Intelligence Service Commissioner, in which he discusses whether there is a legal basis for thematic property interference warrants. That, however, is a beacon in the darkness. Several controversial legal interpretations were hidden until the aftermath of Snowden forced them into public light. 
 
David Anderson QC in his post-Act reflections has highlighted this as a “jury is out” point, emphasising that “the government must publicise (or the new Commission must prise out of it)” its internal interpretations of technical or controversial concepts in the new legislation. In A Question of Trust he had recommended that public authorities should consider how they could better inform Parliament and the public about how they interpret powers.
 
Realistically we cannot safely rely on government to do it. The Act includes a raft of new secrecy provisions behind which legal interpretations of matters such as who applies end to end encryption (the service provider or the user), the meaning of ‘internet communications service’, the dividing line between content and secondary data and other contentious points could remain hidden from public view. It will be interesting to see whether the future Investigatory Powers Commission will make a public commitment to implement the proposal.
 
Vulnerability to legal challenge
 
In the result the Act is long on safeguards but short on limits to powers. This structure looks increasingly likely to run into legal problems. 
 
Take the bulk interception warrant-issuing power. It encompasses a variety of differing techniques. They range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to pure ‘target discovery’: pattern analysis and anomaly detection designed to detect suspicious behaviour, perhaps in the future using machine learning and predictive analytics. Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data, where the starting point for the investigation is an item of information associated with known or suspected wrongdoing.
 
The Act makes no differentiation between these different techniques. It is framed at an altogether higher level: necessity for general purposes (national security, alone or in conjunction with serious crime or UK economic well-being), proportionality and the like.
 
Statutory bulk powers could be differentiated and limited. For instance distinctions could be made between seeded and unseeded data mining. If pattern recognition and anomaly detection is valuable for detecting computerised cyber attacks, legislation could specify its use for that purpose and restrict others. Such limitations could prevent it being used for attempting to detect and predict suspicious behaviour in the general population, Minority Report-style. 
  
The lack of any such differentiation or limitation in relation to specific kinds of bulk technique renders the Act potentially vulnerable to future human rights challenges. Human rights courts are already suggesting that if bulk collection is not inherently repugnant, then at least the powers that enable it must be limited and differentiated.
 
Thus in Schrems the CJEU (echoing similar comments in Digital Rights Ireland at [57]) said:
 
“…legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage … without any differentiation, limitation or exception being made in the light of the objective pursued.” (emphasis added)
 
The same principles are elaborated in the CJEU’s recent Watson/Tele2 judgment, criticising mandatory bulk communication data retention:
 
“It is comprehensive in that it affects all persons using electronic communication services, even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Further, it does not provide for any exception, and consequently it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy ….
 
106 Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime …” (emphasis added)
 
The CJEU is also due to rule on the proposed agreement between the EU and Canada over sharing of Passenger Names Records (PNR data). The particular interest of the PNR case is that the techniques intended to be applied to bulk PNR data are similar to the kind of generalised target discovery techniques that could be applied to bulk data obtained under the IP Act powers. As described by Advocate General Mengozzi in his Opinion of 8 September 2016 this involves cross-checking PNR data with scenarios or profile types of persons at risk:
 
“… the actual interest of PNR schemes … is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks.”
 
AG Mengozzi recommends that the Agreement must (among other things):
 
- set out clear and precise categories of data to be collected (and exclude sensitive data)
 
- include an exhaustive list of offences that would entitled the authorities to process PNR data
 
- in order to minimise ‘false positives’ generated by automated processing, contain principles and explicit rules:
  • concerning scenarios, predetermined assessment criteria and databases with which PNR would be compared, which must
  • to a large extent make it possible to arrive at results targeting individuals who might be under a reasonable suspicion of participating in terrorism or serious transnational crime, and which must
  • not be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation.
As bulk powers come under greater scrutiny it seems likely that questions of limitation and differentiation of powers will come more strongly to the fore. The IP Act’s philosophy of broad powers counterbalanced with safeguards and soft limits may have produced legislation too generalised in scope and reach to pass muster.
 
Success in getting broad generally framed powers onto the statute book, though it may please the government in the short term, may be storing up future problems in the courts. One wonders whether, in a few years’ time, the government will come to regret not having fashioned a more specifically limited and differentiated set of powers.

[Amended 31 December 2016 to make clear that not all of RIPA is replaced.]

Saturday, 10 December 2016

Investigatory Powers Act 2016 Christmas Quiz

[Updated 1 January 2017 with answers below]

Now that the Investigatory Powers Bill has received Royal Assent, here is a Christmas quiz on the IPAct and its history. 

For some questions the answer is precise, others may be less so. For some the correct answer may be “we don’t know”.

Answers in the New Year.

Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?

Q.3 The subject line of an email is part of its content for interception purposes. True or false?

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?

Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?

Q.7. How is ‘internet communications service’ defined in the IPAct?

Q.8. Who was Amy?

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?

Q.14. In the IPAct, what is the significance of inferred meaning?

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified?

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?

Q.20. How frequently has Section 94 been used for collecting bulk communications data?


ANSWERS


Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?
According the government the Act introduces one new power: retention of internet connection records. Of the four possibilities (b) One is the only answer that cannot be correct.

Internet connection records are a type of communications data. Powers to mandate retention of some kinds of communications data have existed since 2009. On one view, therefore, ICR retention is not a new power but an extension of an existing power. On that basis the correct answer is (a) None.

If, however, a new power includes extension of an existing power then several other extensions should equally be brought into account: retention of non-ICR communications data to include datatypes beyond current powers; retention extended to include generating and obtaining for retention; extension of most powers to include private telecommunications operators; power for agencies to extract some kinds of content from communications and treat it as metadata; extension of power to issue technical capability notices from interception to most other substantive powers. With ICRs that makes a total of (c) Six. You could argue that a more granular breakdown of these extensions yields a total of (d) More than six.

The total is also (d) More than six if we include powers previously exercised on the basis of opaque statutory provisions, such as S.94 of the Telecommunications Act 1984, that gave no indication they might be exercised in this kind of way.

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?
The interpretation of "person" so as to enable targeted interception warrants to be issued in respect of groups of persons (so-called thematic warrants) instead of named individuals or specific premises.

The remark was made by Joanna Cherry QC MP in Commons Committee on 12 April 2016:
“The current Home Secretary has apparently derived the authority to do so from a broad definition given to the word “person” that is found elsewhere in RIPA, despite the unequivocal reference to “one person” in section 8(1) of RIPA. I suggest that what has gone on in the past is a very unorthodox statutory construction.”
The existence of thematic warrants and the statutory basis asserted for them was revealed by the Intelligence and Security Services Committee in its report of March 2015:
“The term ‘thematic warrant’ is not one defined in statute. However, the Home Secretary clarified that Section 81(1) of RIPA defines a person as “any organisation or any association or combination of persons”, thereby providing a statutory basis for thematic warrants.”

Q.3 The subject line of an email is part of its content for interception purposes. True or false?
True, under RIPA. Under the IP Act it is more complicated.

The subject line would normally fall within the IP Act’s new definition of ‘content’ (S.261(6)) as an “element of the communication… which reveals anything of what might reasonably be considered to be the meaning (if any) of the communication…”.

However for interception the Act allows so-called ‘secondary data’ to be extracted from the content of a communication and treated as communications data instead of content. Secondary data could include, for instance, the date and time of a meeting set out in the subject line of an e-mail. The Act includes similar provisions for equipment interference.

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?
A trick question, this one. Most of the IP Act’s secrecy provisions are accompanied by an enforcement mechanism: a criminal offence or injunction. Curiously, however, no enforcement mechanism is prescribed for the S.255(8) prohibition in respect of technical capability notices.

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?
The IPAct does not provide any secrecy exception for this situation. However the non-disclosure duty is enforceable by the Secretary of State’s application to court for an injunction. It is unlikely (to say the least) that a court would allow an injunction application to be used to prevent access to the courts or to frustrate the court’s own proceedings.

The same point arose in Commons Committee debate on 3 May 2016 in relation to technical capability notices. That provision (now S.255(8) – see Q.4) is differently worded in that it expressly allows for the Secretary of State to give permission for disclosure. Keir Starmer QC MP sought reassurance that the provision could not be used to prevent access to the court:
“I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.”
The Solicitor General responded:
“I think that the hon. and learned Gentleman is right about that. On that basis, I will have another look at clause 218(8), to get it absolutely right. I reassure him that it is not the Government’s intention to preclude access to the court.”
Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?
True. However the Act provides a three layer structure for technical capability notices: the statute, regulations made under the statute, then notices issued by the Secretary of State within the regulations. Regulations have yet to be published, but could specify a narrower class of service providers to whom technical capability notices could be issued.

Q.7. How is ‘internet communications service’ defined in the IPAct?
It isn’t. The term underpins two of the conditions that determine when a mandatorily retained internet connection record can be accessed. Footnote 46 in the draft Communications Data Code of Practice is the closest we approach to an indication of what it is intended to cover. The same omission featured in predecessor DRIPA regulations.

Q.8. Who was Amy?
Amy was a fictitious “quiet, impressionable 14 year old schoolgirl” who featured in a series of National Crime Agency infographics supporting the case for retaining communications data and internet connection records.

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?
False. Although a targeted examination warrant is required in order for content to be selected for examination by reference to someone known to be within the British Islands at the time of the selection, that does not apply to non-content ‘secondary data’ (which itself can include some data extracted from content – see Q.3). 

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?
True. A communications data retention notice can be issued against a public or a private telecommunications operator. A university operating its own network is a telecommunications operator. Communications data can include internet connection records, including site level browsing histories.

The draft Communications Data Code of Practice sets out factors that will be taken into account in deciding which operators in practice will receive notices.

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?
A like for like count is not easy, due to differences in nomenclature and organisation. The overall count appears to be more or less the same.

A cull of authorities entitled to acquire communications data under RIPA was carried out in February 2015, when 13 authorities had their powers removed. One of those removed, the Food Standards Agency, is reinstated under the IP Act together with its Scottish counterpart Food Standards Scotland. The Prudential Regulation Authority will no longer be able to acquire communications data under the IP Act.

A detailed comparison of existing and proposed powers (other than for the police and intelligence services) is contained in the government’s “Operational case for the use of communications data by public authorities” (July 2016).

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?
Seventeen.

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?
11½ months (4 November 2015 to 19 October 2016).

Q.14. In the IPAct, what is the significance of inferred meaning?
The term does not appear in the statute itself. However the Draft Codes of Practice explain how this is an important concept in understanding the distinction between content and communications data.

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?
17.8 billion rows, representing 3 months of data.

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified? 
MI6, according to example A11/2 annexed to the Bulk Powers Review.

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?
62 (compared with 48 in the draft Bill).

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?
About 12 years.

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?
The Investigatory Powers Tribunal held that the use was within the scope of the S.94 power. However before November 2015 it infringed Article 8 of the European Convention on Human Rights because it was not foreseeable that S.94 would be used in that way and also through lack of an adequate system of oversight for most of that period.

Q.20. How frequently has Section 94 been used for collecting bulk communications data?
The Interception of Communications Commissioner’s July 2016 Review of Section 94 directions identified 15 extant bulk communications data directions under S.94. All those directions were for traffic data and required “regular feeds”.

 

Wednesday, 14 September 2016

Svensson and GS Media - Free to link or link at your risk?

This is a revised edition of my February 2014 post, which was published immediately after the CJEU's Svensson decision on copyright and linking.  This new version weaves in the 8 September 2016 judgment of the CJEU in GS Media (commentary on GS Media and other post-Svensson material is highlighted).

GS Media puts to rest any remaining illusions that Svensson legitimised linking to all freely available content. GS Media also introduces knowledge thresholds for linking liability, varying according to the commercial or non-commercial nature of the linking activity. (For a report of the GS Media decision see here.)

Summary

Svensson was issued on 13 February 2014. It established some important points about the legality of linking under EU copyright law:
  1. A clickable direct link to a copyright work made freely available on another website with the authority of the copyright holder does not infringe. (GS Media repeats this general principle at paragraph [40]).  
  2. It makes no difference if a user clicking on the link is given the impression that the work is present on the linking site. (Svensson [29] and [30], applied in Bestwater. The reasoned order in Bestwater has given rise to much confusion. In reality it does no more than confirm Svensson on this point.)
  3. The reasoning of Svensson suggests that a clickable link can infringe if the copyright holder has not itself authorised the work to be made freely available on the internet. (The UK Intellectual Property Office adopted this interpretation in its June 2014 Copyright Notice on Digital Images, Photographs and the Internet. GS Media has now confirmed ([41]) that Svensson did mean that a link could infringe if the rightholder had not consented to the work being made freely available on another website.  See discussion below, including as to whether 'another website' means only the website linked to or a website anywhere on the internet.)
  4. If the work is initially made available on the internet with restrictions so that only the site’s subscribers can access it, then a link that circumvents those restrictions will infringe (Svensson [31], GS Media [50]); and see further discussion below.
  5. A link can infringe where the work is no longer available on the site on which it was initially communicated, or where it was initially freely available and subsequently restricted, while being accessible on another site without the copyright holder’s authorisation. (Svensson [31]; no change in GS Media.)
It seemed to follow from the reasoning in Svensson, although the judgment did not address this factual situation, that a link to an infringing copy would not infringe if, and for so long as, a copy of the same work was freely available somewhere on the internet with the authority of the copyright holder. The reasoning in GS Media appears to keep this possibility open, albeit again this was not the factual situation before the court.  

In any event this reasoning would not exempt links to infringing copies of works that are not legitimately available on the internet at all (the factual situation in GS Media), or which have only been legitimately made available on the internet under restrictions.

In purely practical terms the Court in Svensson made a valiant attempt to balance the competing considerations of protecting rightsholders’ content without restricting reasonable user behaviour.  However commentators (see hereherehere and here - hat tip to these for some of the questions discussed below) very quickly suggested that the CJEU’s reasoning – giving a very wide meaning to an act of communication, then reining back the scope according to whether the link makes the work available to a ‘new public’ compared with that contemplated by the copyright holder – might store up trouble for the future.

GS Media is another pragmatic attempt to fix some of the problems that Svensson did indeed throw up.  However, it creates new uncertainties and the specifics of the solution that the CJEU has chosen will inevitably attract criticism.  Many people will be reinforced in their view that Svensson took a wrong turning and that linking should not amount to an act of communication at all (the position advocated by the European Copyright Society). Any liability for specific linking activities would then be left to secondary and accessory liability or unfair competition rather than trying to shoehorn such activities into the exclusive right of communication to the public.
 

Open questions

 
These are the questions that, in February 2014, I suggested that Svensson had left open for future decisions. Now with [commentary] on whether they remain open.
  1. "The Court draws a distinction between freely available content and, on the other hand, restricted content where a link circumvents the restrictions. Are those intended to be the only two possible categories, so that if a copyright work is not ‘restricted’ it is necessarily ‘freely available’? Or are they two ends of a spectrum, the middle of which has yet to be explored? What, for instance, would be the position if the copyright holder has authorised a licensee to make the content freely available on the internet, but the licensee makes it available only on a restricted basis?" [Not answered. This is a question about the meaning of 'freely available'. Although in GS Media it was argued before the Dutch referring court that one of the links circumvented a restriction, the CJEU judgment assumes that the linked-to unauthorised copy was freely available.]
  2. "Does ‘restricted’ refer only to technical restrictions (and how sophisticated?), or does it also encompass licence or contractual restrictions?" [Still an open question.]
  3. "The judgment refers only to clickable links.  What about other varieties of link, or analogous technologies? The logic of the judgment would seem to apply to inline links where, rather than awaiting the user’s click, the linked-to content is served up automatically to the user when the web page is requested." [Still an open question. Factually, GS Media concerned clickable website links.]
  4. "The judgment refers to links ‘to’ copyright works, affording ‘direct’ access to those works. Does the link have to be to the actual work itself in order to make it available, or does a link to a page containing the work suffice? So applying the Svensson reasoning a clickable link to the URL of a news page makes available the HTML text of that page. Does it also make available a photograph which loads automatically as part of the news page, but which is nevertheless a separate copyright work with its own URL capable of being separately linked to? What about a playable video within the page, or a PDF downloadable from that page? Each of those is a separate copyright work requiring a further click by the user to access it.  Might they be regarded as indirectly, rather than directly, accessible from a link to the news page containing them?" [GS Media glosses over this scenario (sometimes described as reference linking). The referring court framed its questions in terms of a hyperlink to "a [third party] website ... on which the work has been made available". That formulation is consistent with the facts recited by the CJEU at [10]: "By clicking on a hyperlink accompanying that text, users were directed to the Filefactory website, on which another hyperlink allowed them to download electronic files each containing one of those photos."  The nuance of two different hyperlinks was lost in the CJEU's reformulation of the question, referring to: "...the fact of posting, on a website, a hyperlink to protected works." The judgment goes on to refer in various places both to hyperlinks to a "work" and to a "website". Curiously (given the recited facts quoted above) it then states: "it is indisputed that GS Media ... provided the hyperlinks to the files containing the photos at issue, hosted on the Filefactory website..." (emphasis added).  The operative part of the judgment refers to "hyperlinks to protected works".  The distinction between direct and indirect links was not addressed in the judgment. From a freedom of expression perspective imposing liability for a link to a page on a website which may contain both infringing and non-infringing material has different consequences than for a link direct to a single infringing music or video file (although even that case may be nuanced since a single file can contain a mixture of infringing and non-infringing material).]  
  5. Does the reservation for subsequently removed or restricted works apply only to new links created after the initially freely available work was withdrawn or restricted, or do existing links to unauthorised copies automatically become infringing? [Not addressed]
  6.  What is the position where initially the work was lawfully made freely available on the internet under an exception to copyright, such as fair dealing? Is that different from when it was done with the authorisation of the copyright holder?  On the face of it the Svensson version of the 'new public' test would not of itself legitimise linking in the former situation. [Not addressed]
The CJEU's decisions only concern whether a link can amount to 'communication to the public' for the purposes of harmonised EU copyright law. They does not deal with other ways in which linking might infringe, for instance by authorising infringement or joint liability for someone else's infringement.  Nor do they say anything about non-copyright issues such as passing off or unfair competition.

Drilling down to the details

Authorising the initial internet communication

The most significant aspect of the Svensson judgment was, oddly, not mentioned in the operative part of the decision (in which the Court provides its definitive answer to the question posed by the referring national court). The operative part said:

“…the provision on a website of clickable links to works freely available on another website does not constitute an ‘act of communication to the public' … .”

Taken at its face, that could suggest that a link to any freely available work does not infringe, regardless of whether the copyright holder initially authorised the work to be made freely available on the internet. That would broadly legitimise most links. But if that is right it is difficult to understand the numerous references in the judgment to whether the copyright holders authorised the initial communication to the public on the internet, and the potential audience contemplated when they did so.  In my original February 2014 post I suggested that it was likely that the operative part should instead be understood to mean:

“…the provision on a website of clickable links to works freely available on another website, in circumstances where the copyright holder has authorised such works to be made freely available at [that]/ [an] internet location, does not constitute an ‘act of communication to the public' … .”

The alternatives ‘that’/‘an’ reflect the possible uncertainty about the effect of the judgment on links to unauthorised copies where the copyright holder has authorised the work to be freely available at some other location on the internet. 

GS Media confirms that the reasoning of Svensson, not the wording of the operative part, prevails:


"However, it follows from the reasoning of [Svensson and BestWater] that, by them, the Court intended to refer only to the posting of hyperlinks to works which have been made freely available on another website with the consent of the rightholder..." [41]
This and other passages in GS Media may still leave some room for debate over whether "another website" means only the website linked to or encompasses any website or other location on the internet.   

The curious case of the freelance journalist


The significance of the copyright holder’s authorisation of the initial internet communication is well illustrated by the facts of Svensson itself. According to the CJEU judgment the Swedish proceedings were between four journalists, Mr Svensson, Mr Sjögren, Ms Sahlman and Ms Gadd, who sued Retriever Sverige AB for compensation resulting from Retriever’s inclusion on its website of clickable links to press articles in which the journalists held the copyright.

The Court said:
[The journalists] wrote press articles that were published in the Göteborgs-Posten newspaper and on the Göteborgs-Posten website. Retriever Sverige operates a website that provides its clients, according to their needs, with lists of clickable Internet links to articles published by other websites. It is common ground between the parties that those articles were freely accessible on the Göteborgs-Posten newspaper site. …”
The journalists claimed that by linking to the articles on the newspaper website Retriever was making their articles available to its clients without their consent. When the CJEU discussed ‘new public’ it said:

“a communication, such as that at issue in the [Swedish] proceedings, concerning the same works as those covered by the initial communication and made, as in the case of the initial communication, on the Internet, and therefore by the same technical means, must also be directed at a new public, that is to say, at a public that was not taken into account by the copyright holders when they authorised the initial communication to the public ….
… it must be held that, where all the users of another site to whom the works at issue have been communicated by means of a clickable link could access those works directly on the site on which they were initially communicated, without the involvement of the manager of that other site, the users of the site managed by the latter must be deemed to be potential recipients of the initial communication and, therefore, as being part of the public taken into account by the copyright holders when they authorised the initial communication.
Therefore, since there is no new public, the authorisation of the copyright holders is not required for a communication to the public such as that in the main proceedings.” (emphasis added)
The assumption of the Court in coming to this conclusion on the facts appears to have been that the four copyright holder journalists all authorised the newspaper to make the articles freely available on the newspaper website - the site on which the initial communication on the internet was made and to which Retriever linked.  

But what if the journalists had authorised publication only in the print newspaper and not on the newspaper website? It then seems inescapable that since the initial communication on the internet would not have been authorised by the journalists, a public link to the newspaper website article would be caught, even though the article was freely available on the newspaper website and not subject to any restriction.

Curiously, that scenario may have had some relevance to the Svensson case itself. In his judgment in Paramount Home Entertainment v BSkyB, Mr Justice Arnold summarised the facts of Svensson based on English translations of the Swedish judgments provided by Paramount. He said this:

“14.The claimants were four journalists who between them had written 13 articles published by the Göteborgs-Posten newspaper. Three of the journalists were employed by the newspaper, while one was freelance. All of the articles had all been published not only in print, but also online on the newspaper's website. In the case of one of the articles, which was written by the freelance author, the online publication by the newspaper was not licensed by the author.” (emphasis added)

If that is right, then for one of the 13 articles the copyright holding journalist who wrote it did not authorise initial communication to the public on the internet. For that article (assuming that the journalist had not authorised freely available publication elsewhere on the internet) the CJEU’s conclusion that the link did not amount to a communication to a new public would have been thrown into doubt.

 

Does Svensson pass the 'reasonable internet user' test?


Whatever the precise facts of Svensson may have been, this example illustrated a fundamental difficulty with the CJEU's judgment, assuming that the 'authorisation of initial communication' reading was correct (as GS Media has now confirmed). Ordinary internet users would be put in the position of publicly linking at their risk to any freely available content on the internet, however reputable the site may be, because they could not be certain and would have no practicable way of finding out whether the site owned copyright in its material, or had properly licensed it in, or whether a third party copyright owner had authorised the same material to be made freely available elsewhere on the internet.

Thanks to the long reach of digital copyright (which Svensson's interpretation of 'making available' arguably extended even further) primary copyright infringement impinges directly on end users.
 
End users are in no position to clear rights before, for instance, posting links to public discussion forums or on social media platforms. We make decisions to send public tweets, including links, in a matter of seconds.  If we are retweeting, we may not even visit the location to which the original tweet links.  If we are expected to embark on some investigation to satisfy ourselves that our link won’t infringe, for instance because someone’s unlicensed copyright might be lurking behind a reputable site – worse still if there is no practicable investigation that we can make - then we have a regime that risks chilling freedom of expression. 

It is no answer to suggest that if the links are harmless no-one will ever complain.  That would repeat the UK format-shifting episode, where the gap between copyright principle and reality has been so great as to bring copyright into disrepute.  Nor is it an answer to say that you don’t have to tweet links.  That is exactly the kind of chilling effect that copyright law should avoid.

Of course copyright law does contain some built-in freedom of expression accommodation.  Many linking tweets may find refuge in, say, the UK fair dealing exceptions for criticism, review and news reporting (although a passing comment at [53] of GS Media would seem to preclude this).  However these contain their own technicalities and limitations. For instance the UK news reporting exception does not apply to photographs. And the exceptions vary from one country to another, even within the EU. That is problematic for a user given the inherently cross-border nature of the internet. Is a tweeter expected to consider which countries her tweet may be thought to be targeting before tweeting a link?


At least in the UK, civil liability for primary copyright infringement is strict. You can infringe by accident, in situations where you are blameless. It is no excuse that you did everything you could to avoid infringement, or that you had no reason to think you were infringing. GS Media has introduced knowledge thresholds based on a distinction between ordinary and commercial internet use. But in doing so it will have infuriated copyright purists for whom primary infringement of exclusive rights should always be a matter of strict liability. The distinction between non-commercial and commercial use may also create its own problems, not least of identifying what is and is not a linking activity pursued for financial gain. Would it cover a blog that takes advertising? Does the commerciality have to be closely tied to the particular link in question? 

The introduction by GS Media of knowledge thresholds represents a pragmatic attempt to address the obvious problems that Svensson represented for ordinary end-users. The CJEU specifically acknowledges these:

"it may be difficult, in particular for individuals who wish to post such links, to ascertain whether website to which those links are expected to lead, provides access to works which are protected and, if necessary, whether the copyright holders of those works have consented to their posting on the internet. Such ascertaining is all the more difficult where those rights have been the subject of sub-licenses." [46]
However, is the threshold for non-commercial linkers as helpful as it seems?   The test in the operative part of the judgment is whether the user "did not know or could not reasonably have known the illegal nature of the publication of [the linked-to] works on that other website." The use of the negative might suggest that the burden is on the user to prove that it does not satisfy the knowledge test. Contrariwise, at [14] the CJEU referred to the situation where it is "established that the user knew or ought to have known...". That would be closer to secondary copyright infringement in the UK, where a claimant has to prove that the defendant knew or had reason to believe that e.g. the copy was infringing.   
 
More fundamentally, what contextual facts is the user taken to be aware of in assessing whether s/he could not reasonably have known of the illegal nature of the linked-to work? The judgment at [49] gives the example of where the user has been notified by the copyright holder. That instance apart, is the user assumed to have visited the website before making a link? (How many people check the links in a tweet that they are retweeting?) If so, how much of the website is the user taken to have visited? Does the assumption vary depending on whether website is well known to be reputable or, on the contrary, notorious? What about the vast population of websites that are neither?

The greater the knowledge of surrounding factual circumstances that is imputed to the user, the nearer the regime would move towards placing a diligence obligation on the ordinary user. But that would undermine the contrast that the CJEU drew with commercial users, discussed below.

A good test when evaluating copyright judgments that directly affect the general public, especially internet users, is this: 
  1. Can I explain to a user with confidence exactly what rules s/he has to follow?
  2. Will a reasonable internet user think those rules are sensible?
  3. In any given situation can the user readily ascertain whether what s/he wants to do will infringe?
Svensson just about passed the first question, probably fails the second and certainly fails the third.

GS Media improves the position of non-commercial users on the second and third questions, but does not necessarily convert a fail into a pass. It certainly does not do so for commercial users.

Commercial internet users


In my original February 2014 post I said: "Strict liability has always been the case in the UK for primary infringement (reproduction, communication to the public and some other types of restricted act).  It is a hangover from the hard copy days when copyright was almost entirely a commercial matter and hardly impinged on end users. It was reasonable to expect commercial publishers and broadcasters to clear rights first. Even then dealers, such as commercial distributors, were subject only to secondary infringement: they did not infringe copyright unless they had reason to believe they were handling an infringing copy."
 
It is instructive to compare that with paragraph [51] of GS Media:

"Furthermore, when the posting of hyperlinks is carried out for profit, it can be expected that the person who posted such a link carries out the necessary checks to ensure that the work concerned is not illegally published on the website to which those hyperlinks lead..."
There is, however, no comparison between the commercial publisher or broadcaster of yesteryear, who may have had months in which to clear the rights for a TV programme, book or music production, and a commercial internet actor who may have minutes or at best hours in which to decide whether to include a link on its website.  That is even without revisiting the fundamental question of whether a link is akin to including material in a book, for which clearance might have been required, or referencing it in a footnote for which it would not. 
 
GS Media has now laid down that where links are provided for "the pursuit of financial gain" there is a rebuttable presumption that the posting has occurred with "the full knowledge of the protected nature of that work and the possible lack of consent to publication on the internet by the copyright holder".  Commercial actors and their legal advisers will be giving close consideration to what constitutes posting of links for pursuit of financial gain and to how the presumption of full knowledge might be rebutted. 

From a broader perspective, a diligence duty runs the risk that rather than go though whatever hoops are required to satisfy the diligence standard, commercial actors will simply refrain from creating links. That brings us neatly to the relevance of fundamental rights and the question whether the GS Media judgment may result in a classic chilling of freedom of expression. 
 

Whatever happened to Article 10?

One of the more startling aspects of Svensson was the omission of any reference to the impact on the fundamental right of freedom of expression. Notwithstanding that it adopted an interpretation of ‘making available’ of such breadth that it must engage Article 10 ECHR/Article 11 EU Charter, the CJEU conducted no proportionality assessment. In fact there was no mention of Article 10/11 at all in Svensson; this after SABAM v Scarlet and Donald Ashby, in which the CJEU and European Court of Human Rights respectively held that copyright has to be balanced against other fundamental rights.

GS Media remedies the omission to some extent:

"44 GS Media, the German, Portuguese and Slovak Governments and the European Commission claim, however, that the fact of automatically categorising all posting of such links to works published on other websites as ‘communication to the public’, since the copyright holders of those works have not consented to that publication on the internet, would have highly restrictive consequences for freedom of expression and of information and would not be consistent with the right balance which Directive 2001/29 seeks to establish between that freedom and the public interest on the one hand, and the interests of copyright holders in an effective protection of their intellectual property, on the other.
45 In that regard, it should be noted that the internet is in fact of particular importance to freedom of expression and of information, safeguarded by Article 11 of the Charter, and that hyperlinks contribute to its sound operation as well as to the exchange of opinions and information in that network characterised by the availability of immense amounts of information."

However GS Media's balancing of the different fundamental rights involved appears to go no further than the introduction the knowledge qualification for non-commercial makers of links. There is no attempt to balance any chilling effect on the impartation of speech by commercial actors, nor the resulting interference with the freedom of ordinary internet users to receive information from commercial actors through hyperlinks. 
 

What could the CJEU have done differently?


The CJEU could have avoided these problems had it adopted a narrower view of “making available” at the outset in Svensson. It could have restricted it to material intervention in the actual or putative transmission, so that but for the intervention no transmission would take place.  This was the position advocated by the European Copyright Society.  Questions of liability for linking could then have been left to secondary and accessory liability and perhaps to unfair competition.