ACTA's Digital Enforcement Provisions

Guest Blogger

The Anti-Counterfeiting Trade Agreement (ACTA)’s digital enforcement provisions were just renegotiated in the most recent round of negotiations in Lucerne, Switzerland.

There hasn’t been much public discussion of ACTA’s Article 2.18 “Enforcement Procedures in the Digital Environment”, because the proposed language in the officially released draft from April is both provisional and overly complicated. There probably won’t be another draft released for public comment before the final text of ACTA is released at the end of this year.

These are parameters for open discussion of ACTA’s Internet section and its provisions.

In short: ACTA envisions an active, pro-rightsholder role for ISPs and other online intermediaries. This role is established not only by law, but also under government pressure for cooperation between intermediaries and rightsholders. ACTA may also limit the type of services that can fall into a “mere conduit” exception to notice-and-takedown.

Such cooperation combined with a change in definition of “mere conduit” will likely result in what Annemarie Bridy terms private ordering graduated response: graduated response by agreement between private companies, outside of government process.

ACTA does not, contrary to earlier discussions, export the letter of U.S. law. You can read ACTA as leaving room for the current DMCA—but it’s also possible to read conflicts. USTR should explain these differences. More importantly, the elements of U.S. law being exported are not accompanied by balancing provisions present in U.S. law.

ACTA’s Digital Enforcement Provisions

The officially released draft text proposes not one but essentially two options for digital enforcement provisions: one proposed by the U.S. and one by the EU.

Each option proposes 1) a categorization system for different kinds of intermediary activity, and 2) a system of actions by intermediaries to remedy infringement and escape liability, such as notice and takedown. It may be possible to combine, say, the EU’s categorization system with U.S.-proposed notice and takedown, but as the draft is written, that’s not strictly possible.

I analyze each provision below, including questions from the perspective of U.S. law.

A) The U.S.-proposed provisions

This language isn’t taken from the DMCA; it describes a system looking like the DMCA, but not identical, and without balancing provisions.

-Applies to “patent, industrial design and trademark, copyright or related rights infringement”. Proposed language includes extending all of the DMCA-like provisions to other IP rights online. In the U.S., the DMCA system applies to copyright only.

-Establishes three (3) categories for intermediary activity: The U.S.-proposed provisions categorize ISP /OSP activity in three categories: 1) automatic technical processes, 2) independent actions of a provider’s users, and 3) hyperlinking (which might also refer to search engines). U.S. law provides four (4) categories of intermediary activity; how does this system map on to U.S law? U.S. law provides for 1) transitory digital network communications (aka ISPs); 2) caching; 3) information residing on systems at the direction of users (hosting); 4) information location tools (search engines, hyperlinking). How, for example, is caching meant to be categorized?

-Knowledge standard: Two categories, independent actions and hyperlinking, require that the provider “does not have actual knowledge of the infringement, and is not aware of facts or circumstances from which infringing activity is apparent”. This is the U.S. standard of knowledge for hosting and information location tools, but not for caching. 17 U.S.C. 512(c)(1)(A). If caching is considered automatic technical process, this doesn’t differ from U.S. law. But if it’s considered independent actions of a provider’s users, then this does.

-Requires implementation by ISP/OSP of a policy “to address the unauthorized storage or transmission of materials protected by copyright or related rights”. This references termination policies: the U.S. law to which this refers states “a policy that provides for the termination in appropriate circumstances of subscribers and account holders… who are repeat infringers.” 17 U.S.C. 512(i)(1).

-Only potentially includes U.S. language on “no monitoring”. As in U.S. law, this provision does not prevent ISPs from monitoring; it prevents governments from conditioning safe harbors on requiring ISPs to monitor user activity. But right now, it might not even be included. If it’s not included, and the text includes the “actual knowledge/facts and circumstances” language, then ISPs will effectively be encouraged to actively monitor for copyright infringing activity.

-Establishes notice-and-takedown without balancing provisions from U.S. law. Requires ISPs/OSPs to 1) remove or disable access to material or activity upon 2) receipt of legally sufficient notice/an order from a competent authority, 3) in absence of a legally sufficient response from the subscriber indicating that notice was a mistake or misidentification. This lacks the balancing provisions of U.S. law for 1) sanctions against rightsholders who abuse the system (512(f)), and 2) incentives for ISPs/OSPs to contact subscribers to provide them with an opportunity to protest takedown (512(g)(2)).

-Complicates and confuses the “mere conduit” category for ISPs. In U.S. law, DMCA notice-and-takedown provisions do not apply to the first category of ISP activity (transitory digital network communications). But in ACTA, notice-and-takedown does apply to “automated technical processes”, with an exception stating that it shall not be applied “to the extent that the online service provider is acting solely as a conduit for transmissions through its system or network”. This use of two different standards—automatic technical processes and “solely as a conduit”—indicates that ISPs conducting network management (ie not being “solely a conduit”) may be subject to notice-and-takedown under ACTA.

B) The EU-proposed provisions

Much of this language comes from the E-Commerce directive, but there are differences.

-Applies to all intellectual property, not just copyright. This again would include patents and trademarks, which are not covered by such provisions in U.S. law.

-Establishes three (3) categories for ISP/OSP activity. These differ from the U.S.-proposed categories, replacing the above U.S.-proposed category of hyperlinking with storage. A footnote shows that the EU envisions these three categories mapping onto its law (the E-Commerce Directive) as follows: automatic technical processes are meant to be “mere conduits”, (ii) refers to caching, and (iii) storage refers to hosting. This footnote would place caching in the second category, which if read into the U.S.-proposed law may make caching subject to knowledge requirements and complete notice-and-takedown, which is not the standard for caching in the U.S. It is also unclear where hyperlinking would fit in.

-Potential language proactively establishing more interference by ISPs. Bracketed language includes in the definition of “automatic technical processes” that such processes must actually “keep the provider from taking measures to prevent the infringement”. In other words, if the technology doesn’t prevent ISPs from monitoring, then they should monitor.

-Vaguer “takedown” provisions. This could be a good thing, or a bad thing. The EU provisions require that OSPs hosting or caching act “in accordance with applicable law… to remove or disable access to infringing material upon obtaining actual knowledge of the infringement”.

-Proposes a lower knowledge standard for takedown. The EU-proposed provisions also include bracketed language requiring the removal or disabling of access when OSPs have “reasonable grounds to know that the infringement is occurring.” The E-Commerce standard is more like the U.S. standard: actual knowledge or awareness of “facts and circumstances from which illegal activity is apparent”, NOT “reasonable grounds”.

-Unlike the E-Commerce directive, permits graduated response. The EU-proposed provisions state that parties may establish “procedures governing the removal or disabling of access to information”. In the E-Commerce directive, this language does not apply to mere conduits, and here it does. ACTA’s EU-proposed provisions therefore envision that countries may establish procedures for disabling access to the entire Internet, via ISPs, not just access to a particular website or infringing activity.

-Lacks nods to freedom of expression. The E-Commerce directive recognizes that “the removal or disabling of access has to be undertaken in the observance of the principle of freedom of expression”.

-The no-monitoring provision is narrower than in EU law, and might not be included in ACTA. The no-monitoring provision is similar to the U.S.-proposed provision, stating that parties shall not “impose a general monitoring requirement on providers when acting in accordance with this paragraph”. In other words, both provisions proposed here prevent governments from imposing monitoring only with respect to safe harbors. ISPs/OSPs not seeking safe harbors may be required to monitor. The E-Commerce directive contains broader no-monitoring language preventing member states from imposing a general obligation to monitor “the information which they transmit or store”, not related to compliance with safe harbors.

C) ACTA and Online Intermediaries More Generally

ACTA as a whole envisions a more active role for intermediaries such as ISPs or websites, by repeatedly addressing intermediary liability.

-Requires that governments encourage cooperation with rightsholders. Each Party “shall promote the development of mutually supportive relationships between online service providers and rights holders”. This applies to all IP rights, not just copyright.

-Allows rightsholders to contact ISPs directly for user information, without going through courts.

-Defines third-party liability. ACTA attempts to define third-party liability, a standard that in the U.S. has been defined by courts, not the legislature. This provision doesn’t map on to U.S. law.

-Proposes sanctions for “Inciting, Aiding and Abetting” infringement. Gwen Hinze of EFF points out that this comes from a proposed and rejected EU law.

-Proposes sanctions for “legal persons” for the equivalent of criminal violations. This may make it easier to go after OSPs for direct infringement. Since the ACTA standard for criminal copyright involves “significant willful infringement” with no motivation of financial gain, this could be a very low standard when applied to corporations. Does “significant” infringement need to be per-person? Or “significant” in relation to the company as a whole? In U.S. law, “significant” is defined by actual numbers, which makes applying the standard to companies very low.