Is There a Right to Anonymity? — The Legal Situation at the European Union Level and the National Level in Selected Countries

Introduction

Dictionaries generally define “anonymity” as a state of being unknown through lack of identification, personality or individuality. The internet has provided the public with an unprecedented ability to communicate and share ideas while keeping identities private. It is also uniquely suited to anonymous or pseudonymous communication. Online users can choose how much information about them will be given out — they may choose to remain anonymous, or they may choose to shelter behind a pseudonym¹.

In the early years of the medium, there was a widespread belief that internet use was essentially untraceable — a belief summed up in the famous New Yorker cartoon which showed two dogs sitting in front of a computer, with one saying to the other, “On the Internet, nobody knows you’re a dog”². This has had mixed effects. On the one hand, anonymity on the internet allows people to engage in legitimate and often socially beneficial activities that they would not otherwise engage in for fear of embarrassment, social ostracism, retribution or persecution. For example, communicating under a pseudonym or anonymously allows individuals to explore their creative side, human rights workers to communicate with each other, employees to “blow the whistle” on harmful corporate practices without the fear of retaliation, members of persecuted minorities to share experiences and consumers to search for information on sensitive topics. On the other hand, anonymity can encourage wrongdoing and in particular create a perception that the user cannot be held accountable for his/her actions or words. It can also be used to mask illegal behaviour.

When technology was more primitive and expertise and tools for tracing were less developed, it was easier to remain anonymous. However, it is now increasingly difficult to remain anonymous. For example, users’ internet service providers (“ISPs”) may keep logs of what websites their internet protocol (“IP”) addresses visited on the internet. The IP address is the identification given to a user’s machine each time he or she logs onto the internet. In addition, the websites users visit may track the IP addresses of their visitors. This means that, although a website owner will not know a user’s name through his or her IP address, it is not very difficult for the website owner to match the user’s IP address to the ISP the user has subscribed to. So while the technology that enables anonymity has improved, so too has the technology that traces internet activity to the anonymous source. The battle, therefore, is that of balancing the right of privacy against the right to identify an (anonymous) individual involved in an illegal action in order to defend and enforce intellectual property rights.

In this Special Report, I will explain how this conflict is addressed at the European Union level and at the national level in selected countries.

European Union — The Legal Framework

The European Convention on Human Rights provides that everyone has the right to respect for his/her private and family life (Article 8), but this must be balanced against the right to freedom of expression under Article 10(1) (including the right to hold an opinion and receive and impart information), restricted as necessary as prescribed by law and are necessary in a democratic society to promote a legitimate aim (including the protection of the reputation or the rights of others or for preventing the disclosure of confidential information). Furthermore, the Charter of Fundamental Rights of the European Union 2000/C 364/01 (the “Charter”) provides, amongst other things, that 1) everyone has the right to respect for private and family life (Article 7); 2) everyone has the right to protection of personal data (Article 8); and 3) intellectual property shall be protected (Article 17(2)). In addition, Article 52(1) of the Charter provides that “any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.

Relevant EU Directives which have been enacted into national law by EU Member States include:

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Data Protection Directive”);

• Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (the “e-Privacy Directive”);

• Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (the “e-Commerce Directive”);

• Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society (the “Copyright in the Information Society Directive”); and

• Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (the “IP Enforcement Directive”).

Article 8(1) of the IP Enforcement Directive requires Member States to:

ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who: (a) was found in possession of the infringing goods on a commercial scale; (b) was found to be using the infringing services on a commercial scale; (c) was found to be providing on a commercial scale services used in infringing activities; or (d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.

However, under Article 8(3), this right to information:

shall apply without prejudice to other statutory provisions which: … (e) govern the … processing of personal data.

The majority of cases where the conflict arises are file-sharing or defamation cases. File-sharing is the practice of making files available for other individuals to download. It can be as simple as sharing a file for general consumption via My WebSpace or enabling file-sharing on your computer’s operating system so that you can access your home computer files at work. The most common and controversial method of file-sharing is the use of peer-to-peer (“P2P”) software. This includes software such as Limewire, Morpheus and BitTorrent. P2P software packages are installed by the computer owner and appear somewhat innocuous in their behaviour; the user installs them and then uses these programs to download “free” music, videos, etc. However, this “free” music is generally copyrighted material that is downloaded from other individual computers across the network. In addition, the user’s computer becomes part of this network as well, enabling other individuals on the internet to begin downloading music from his/her computer. The user is then responsible for downloading and distributing copyrighted material illegally.

Many people are ignorant of the fact that this practice is illegal, while others feel that they have a “right” to “free” music. One of the main problems, though, in catching the culprits of P2P sharing is that it is extremely difficult to discover the identity of the wrongdoer.

However, are EU Member States required to impose an obligation on ISPs to divulge customer data when requested to do so by rights holders who allege infringement of their intellectual property rights so that they can bring civil proceedings?

According to the Court of Justice of the European Union (“CJEU”), the answer is no. In Productores de Música de España (Promusicae) v Telefónica de España SAU (C-275/06, January 29, 2008), a Spanish non-profit-making music rights holder association made a request to Telefónica, Spain’s leading ISP, for personal data about its subscribers using particular dynamic IP addresses which Promusicae alleged were engaged in file-sharing. The CJEU stated that Member States are not required to impose an obligation on ISPs to disclose their subscribers’ personal data in a civil copyright case. The touchstone, according to the CJEU, is balance. It stated that each Member State had to reconcile the requirements of the protection of different fundamental rights, namely, the right to respect for private life, on the one hand, and the right to protection of property (including intellectual property rights) and to an effective remedy, on the other. Furthermore, it stated that the authorities and courts of the Member States must not only interpret their national law in a manner consistent with the Directives, but must also make sure that they do not rely on an interpretation which would be in conflict with those fundamental rights or with the other general principles of European Community law, such as the principle of proportionality.

In LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v. Tele2 Telecommunication GmbH (C-557/07) [2009] OJ C113/14 (the “Tele2” case), LSG (a collecting society) applied for an order requiring Tele2 to disclose the names and addresses of the persons to whom it had provided an internet access service and whose IP addresses, together with the day and time of the connection, were known. Tele2 believed that it was entitled to refuse the request. The CJEU considered the issue of whether Article 8(3) of the IP Enforcement Directive and Articles 6 and 15 of the e-Privacy Directive should be interpreted as not permitting the disclosure of personal traffic data to private third parties for the purposes of civil proceedings for alleged copyright infringements. The CJEU held that European Community law — in particular, Article 8(3) of the IP Enforcement Directive, read in conjunction with Article 15(1) of the e-Privacy Directive — does not preclude Member States from imposing an obligation to disclose to private third parties personal data relating to internet traffic in order to enable them to bring civil proceedings for copyright infringement, but nor does it require those Member States to lay down such an obligation. However, the CJEU also found that European Community law nevertheless requires Member States to ensure that, when transposing into national law the e-Commerce Directive, the Copyright in the Information Society Directive, the e-Privacy Directive and the IP Enforcement Directive, they strike a fair balance between the various fundamental rights involved. Moreover, the authorities and courts of Member States must not only interpret their national laws in a manner consistent with those Directives, but must also make sure that they do not rely on an interpretation of them which would conflict with those fundamental rights or with the other general principles of European Community law, such as the principle of proportionality.

In Bonnier Audio AB and others v Perfect Communication Sweden AB (“ePhone”) (Case C-461/10, April 19, 2012), the CJEU stated that the Data Retention Directive (2006/24/EC) does not preclude Member States from enacting laws that allow an ISP to be ordered to supply information about subscribers whose IP addresses have allegedly been used for intellectual property infringing purposes. The case revolved around the plaintiffs, who were all publishing companies that held exclusive rights to the reproduction, publishing and distribution to the public of 27 works in the form of audio books. They claimed that their exclusive rights were infringed by the public distribution of the 27 works, without their consent, by means of a file transfer protocol server which facilitated online file-sharing and data transfer between computer users via ePhone. They sought a court order to disclose the identities of alleged copyright infringers, which was granted. ePhone appealed to the Stockholm Court of Appeal, which held that there was nothing in the Data Retention Directive to prevent a party to a civil dispute being ordered to disclose subscriber data to someone other than a public authority. However, the plaintiffs had not adduced clear evidence that there was an infringement of an intellectual property right, so the order was set aside. The plaintiffs appealed to the Swedish High Court, which asked the CJEU whether, assuming such a measure was proportionate, the Data Retention Directive (and in particular Articles 3 to 5 and Article 11) precluded the application of a national provision which is based on Article 8 of the IP Enforcement Directive, which requires appropriate and proportionate disclosure orders to enable rights to be enforced and which permits an ISP in civil proceedings, in order to identify a particular subscriber, to be ordered to give a copyright holder or its representative information on the subscriber to whom the ISP provided a specific IP address, which address, it is claimed, was used in the infringement?

The CJEU held that the Data Retention Directive did not preclude the application of national legislation based on Article 8 of the IP Enforcement Directive, which permits an ISP in court proceedings to be ordered to give a copyright holder or its representative information on a subscriber to whom the ISP provided an IP address which was allegedly used in an infringement. Furthermore, it held that the e-Privacy Directive and the IP Enforcement Directive must be interpreted as not precluding national legislation such as that at issue, as that legislation enables the national court to weigh the conflicting interests involved, on the basis of the facts of each case and taking due account of the requirements of the principle of proportionality.

The decisions of the CJEU confirm that there is no direct conflict as such between data protection and online copyright enforcement in the European Union legal framework. The European Union legal framework does not preclude Member States from imposing an obligation to disclose to third parties personal data relating to internet traffic in order to enable them to bring civil proceedings for intellectual property infringement, but it also does not require the Member States to lay down an obligation to communicate personal data in order to ensure effective protection of intellectual property in the context of civil proceedings.

The European Union legal framework and its interpretation by the CJEU seems to leave open several important questions, such as how to apply the proportionality principle in practice and strike a fair balance between the various rights involved (such as the right to data protection and the right of protection of intellectual property rights), and how to implement and apply the rights specified in Article 8 of the IP Enforcement Directive. However, these questions must be balanced with considerations such as maintaining the legal regime applicable to ISPs.

Member States have been left to decide these issues, as there is little or no harmonisation at the European Union level.

Below, I will examine the position in Ireland, the United Kingdom, France, Germany, the Netherlands and Spain, as well as the United States, Canada and Israel.

Ireland

There is a constitutional right to privacy under the Irish Constitution (Article 40.3) which is a qualified right in that the State guarantees to respect, as far as is practicable, from unjust attack, and where injustice is caused to vindicate, the life, person, good name and property rights of every citizen. This right is balanced against the right to freedom of expression under Article 40.6.1(i) of the Constitution and Article 10 of the European Convention on Human Rights.

There have been a number of cases in which plaintiffs have sought to identify anonymous or pseudonymous internet users, most usually in the context of defamation or file-sharing. The route to seek disclosure is through the equitable jurisdiction of the court which was established in the UK case, Norwich Pharmacal v Customs and Excise [1974] A.C. 133 and approved of in Ireland by Megaleasing (UK) Limited v Barrett [1993] I.L.R.M. 497.

The first case that considered this issue was EMI v Eircom [2005] IEHC 233. A Norwich Pharmacal application was brought by a number of record companies in order to compel ISPs to identify users accused of file-sharing. A Norwich Pharmacal order requires a respondent to disclose certain documents or information to the applicant. The respondent must be a party involved or mixed up in a wrongdoing, whether innocently or not, and is unlikely to be a party to the potential proceedings. The court accepted that the ISPs acted properly in not volunteering this information and that they owed duties of confidentiality and data privacy to their users. It held that the court should act sparingly in ordering identification, but, in this case, that there was a prima facie case against the users and that the balance lay in favour of disclosure. However, the court imposed safeguards, directing that the information disclosed could only be used to seek redress for the users’ alleged copyright infringement activities and that the identities of the alleged infringers could be made public only after the plaintiffs had started proceedings³.

A similar approach was taken in Ryanair v Johnston
⁴. The defendants operated a bulletin board for Ryanair pilots. Ryanair brought a Norwich Pharmacal action for discovery, seeking to compel them to identify the users behind comments which were alleged to have been threatening and abusive. At the interlocutory stage, an order was granted requiring the information to be preserved. However, at trial, the High Court found that the comments were not wrongful or actionable, and the court also looked to the motive behind the action, finding that the real purpose was to break the resolve of pilots who were in dispute with the plaintiff. However, a very different approach was taken in Maguire v Gill
⁵, where an order for third party discovery was made against an ISP requiring it to identify a user but without giving the ISP an opportunity to be heard, without considering whether or not the balance lay in favour of disclosure and without explicitly ordering safeguards in respect of the use of this information.

While the Eircom judgment has since been relied upon in a number of applications to court to disclose user identities, there is a significant limitation to that judgment from a privacy perspective, as it does not require that the user be notified in advance. Consequently, there is a real risk that hearings to disclose user identities will be determined based entirely on the case of the plaintiff, as there is generally no incentive for the ISP to fight such applications. For example, in March 2008, the major music labels sued Ireland’s largest ISP, Eircom, demanding that it install filters to prevent users from illegally sharing or downloading music⁶. After initially fighting the action, Eircom settled out of court on the basis that it would introduce a “three strikes” system for internet users accused of illegal file-sharing and would also block access to The Pirate Bay website. Under the settlement agreement, Eircom would be provided with IP addresses which are claimed to be involved in illegal file-sharing. The subscriber would then be issued a series of warnings by Eircom before ultimately being disconnected if further accusations are received⁷. This agreement was the subject of strong criticism, as it was purely a private agreement with no settlement or legislative basis and no judicial oversight⁸.

Implementation of the system was delayed after the Data Protection Commissioner claimed that the processing of IP addresses and user data involved in the system was in breach of data protection law. The High Court was asked a number of questions, including: whether IP addresses processed by the music industry constituted “personal data”; whether processing of IP addresses by Eircom would be unwarranted processing; and whether the “three strikes” process could be implemented where it involved the processing of personal or sensitive personal data (insofar as the data can be considered to relate to the commission of a criminal offence), and a user’s subscription is terminated on the basis of his or her having committed an offence, without a determination by a court. The High Court answered questions 1 and 2 in the negative, and, in respect of question 3, held that the graduated response was lawful⁹.

The matter ended back in the High Court when the Data Protection Commissioner issued an enforcement notice against Eircom directing it to cease implementing the “three strikes” policy (the “Protocol”) on the basis that it breached data protection and privacy laws. The current issue arose when an Eircom subscriber complained to the Data Protection Commissioner after receiving such a notification. When Eircom reviewed the matter, it discovered that, due to a minor technical issue, the notification sent to the complainant as well as to a number of other subscribers was incorrectly issued. It accordingly amended its records and wrote to all affected customers explaining the error. Notwithstanding this, the original complainant restated his complaint, which included a complaint that Eircom’s monitoring of his internet use breached his data protection rights. The Data Protection Commissioner was of the view that the monitoring activity carried out by Eircom under the settlement agreement was not permitted without the consent of its subscribers. Therefore, an enforcement notice was issued directing Eircom to take all necessary steps within 60 days to comply with data protection legislation, to cease obtaining subscriber data so as to operate the Protocol and to destroy any subscriber data processed by it for the purposes of the Protocol. Eircom appealed the notice to the Circuit Court, those proceedings being stayed pending the outcome of judicial review proceedings to the High Court. When the judicial review proceedings were heard by the Commercial Court (being a division of the High Court), it quashed the enforcement notice, stating that the notice was invalid due to the failure by the Data Protection Commissioner to give reasons why it had been issued. It stated that, while privacy was central to the arguments by the Data Protection Commissioner during the trial, due to the lack of reasons in the notice, the motivation behind the Data Protection Commissioner’s condemnation of a music company protecting its own interest against illegal downloading was not clear. This decision is now on appeal to the Supreme Court, which is being asked by the Data Protection Commissioner to refer certain questions to the CJEU. Amongst these is the question whether Eircom’s policy is compatible with European Union law, having regard to the balance it strikes (or purports to strike) between the protection of the intellectual property rights enjoyed by the record companies and the fundamental rights of customers to protection of their personal information and the freedom to impart and receive information.

The United Kingdom

A copyright owner may seek to compel disclosure of the identity of a wrongdoer by seeking to rely on the discretionary jurisdiction of the court which was established in Norwich Pharmacal v Customs and Excise
¹⁰. This allows the court to order a third party to reveal the identity of a wrongdoer where that third party has become mixed up in the tortuous acts of another through no fault of its own (a Norwich Pharmacal order). As a Norwich Pharmacal order is equitable, the court is free to consider all the relevant circumstances. Some of the relevant circumstances were set out in the judgment, in particular, whether disclosure would be contrary to the public interest:

such matters as the strength of the applicant’s case against the unknown alleged wrongdoer, the relation subsisting between the alleged wrongdoer and the respondent, whether the information could be obtained from another source and whether the giving of the information would put the respondent to trouble which could not be compensated by the payment of all expenses by the applicant.

The above jurisdiction was applied to anonymous internet users in Totalise plc v The Motley Fool [2001] E.M.L.R. 29 (HC). In that case, two defendants operated websites which included discussion boards for business information. A user under the name of “Z Dust” made various defamatory postings concerning the plaintiff firm. The plaintiff contacted the defendants seeking to have the postings removed, the user’s rights revoked and the identity of the user revealed. Both defendants declined to reveal the identity of the user without a court order, relying on the combined effect of their own privacy policies and UK data protection legislation. Both defendants were ultimately ordered to reveal the identity of the user (by way of a Norwich Pharmacal order). In the case, the High Court and the Court of Appeal took differing views on how the Norwich Pharmacal principles should apply in an internet context. The High Court held that there was no doubt but that disclosure was appropriate, and gave short shrift to the privacy concerns raised by the defendant. The Court of Appeal, however, sounded a more cautious note, pointing out that “the court must be careful not to make an order which unjustifiably invades the right of an individual to respect for his private life, especially when that individual is in the nature of things not before the court”. The Court of Appeal, therefore, recognised that anonymity is not merely a mask for wrongdoers but has social values in its own right. However, it criticised the Norwich Pharmacal procedure, and suggested that a user should be put on notice of the application and given the opportunity to put his or her case before the court. It stated that “… the website operator can, where appropriate, tell the user what is going on and offer to pass on in writing to the claimant and the court any worthwhile reason the user wants to put forward for not having his or her identity disclosed. Further, the Court could require that to be done before making an order. Doing so will enable the court to do what is required of it with slightly more confidence that it is respecting the law laid down in more than one statute by Parliament and doing no injustice to a third party, in particular not violating his convention rights”.

In Sheffield Wednesday Football Club Ltd v Hargreaves [2007] EWCH 2375 (QB), the Sheffield Wednesday football club applied for an order against the owner of a website to disclose the identities of the authors of comments about the club’s directors posted on the website’s chat room, which it felt were defamatory. The judge considered that it was not right to make an order for the disclosure of the identities of users who had posted messages which are barely defamatory or little more than abusive or understood as jokes, since this would be “disproportionate and unjustifiably intrusive” to the individuals’ Article 8 rights. However, in the case of more serious comments which could “reasonably be understood to allege greed, selfishness, untrustworthiness and dishonest behaviour on the part of the claimants”, the website owner was ordered to reveal the identity of the authors. The basis for the decision was that the right for the club’s directors to maintain their reputations outweighed the right of the authors to protect their anonymity.

Website operators do not usually voluntarily disclose user details because they often have contractual confidentiality obligations or are concerned that such disclosure may be in breach of statutory obligations under UK data protection legislation not to disclose personal data without the consent of the data subject or an order of the court. However, many are now adopting the strategy of not contesting a Norwich Pharmacal application when made. For example, in Helen Grant v Google [2005] EWHC 3444 (Ch), Google refused to voluntarily provide details of a user advertising free downloads of a draft of an unpublished book called “Unlock Reality” to the copyright owner, but suggested that the applicant apply for an Norwich Pharmacal order, which it would not resist. The court granted the order and ordered the applicant to pay Google’s costs.

In Clift v Martin Clarke [2011] EWHC 1164 (QB), the High Court held that commentators’ right to privacy was more important than a woman’s right to take legal action about comments that were little more than “pub talk”. The facts of the case were as follows: Jane Clift sued Slough Council after it put her on its list of potentially violent people following her complaint to the council about the anti-social behaviour of a man in a park. Clift won her case and was paid libel damages. The Daily Mail’s website carried a report on the story and a year after its publication Clift saw it. She objected to remarks made by two readers in the comments section of the web page. She asked the High Court to order the Daily Mail to give her information which could help identify the people so that she could sue them for defamation. Her case was against Martin Clarke, editor of the website known as Mail Online. The court stated that the potential disclosure to Clift “of personal information … engages (the commentators’) right to a private life under Article 8 ECHR. It also constitutes processing for the purposes of the [Data Protection Act 1998].... Taking all these matters into consideration … it would be disproportionate to grant the application”.

In a recent significant High Court judgment, ISP Telefonica UK Ltd, trading as O2, was ordered by means of a Norwich Pharmacal order to disclose the customer details belonging to a portion of 9,124 IP addresses. These addresses supposedly used BitTorrent to illegally download pornographic films created by the British Ben Dover Productions (and licensed to Golden Eye International Ltd) and 12 other copyright holders¹¹. In its decision, the High Court provided a comprehensive review of the Norwich Pharmacal regime and how it should be applied to file-sharing cases. When deciding whether to grant a Norwich Pharmacal order in file-sharing cases, the court stated that one of the key factors to resolve is the balance of the rights of rights holders and consumers’ rights to data protection and privacy.

In reaching its decision, the High Court relied on the test laid down by Tugendhat J in Rugby Football Union v Viagogo Ltd [2011] EWCA Civ 1585, namely:

• Had arguable wrongs been committed against the Rugby Football Union?

• Was Viagogo mixed up in those arguable wrongs?

• Was the Rugby Football Union intending to try to seek redress for those wrongs?

• Was disclosure of the information which the Rugby Football Union required necessary for it to pursue that redress?

• Should the court exercise its discretion in favour of granting relief?

In addition, the High Court considered the principle of proportionality. Article 3(2) of the IP Enforcement Directive imposes a general obligation on the court to consider proportionality in assessing remedies for intellectual property infringements, including orders for the disclosure of the identities of infringers. National courts are also required to strike a fair balance between the protection of intellectual property rights guaranteed by Article 17(2) of the Charter and the protection of the fundamental rights of individuals who are affected by such measures, in particular the rights safeguarded by Articles 7 and 8 of the Charter¹². When balancing the competing rights, the court stated that the approach to adopt was as follows: 1) neither has precedence over the other; 2) where the values of both rights are in conflict, an intense focus on the comparative importance of the specific rights being claimed in the individual case is necessary; 3) the justifications for interfering with or restricting each right must be taken into account; and 4) the proportionality test — or “ultimate balancing test” — must be applied to each. In this case, the balance of competing rights led the High Court to make an order in favour of Golden Eye and Ben Dover Productions, but not the other claimants, as they had delegated the responsibility for conducting litigation to Golden Eye. If these claimants had applied, the High Court stated that it would have granted orders in their favour.

From this case, the key points for rights holders are:

• Robust evidence of potential infringement is needed to support a Norwich Pharmacal application;

• Norwich Pharmacal orders will be granted only once a balancing exercise has been carried out between the privacy and data protection rights of the internet users concerned and those of rights holders; and

• Norwich Pharmacal orders will be granted only to claimants who are owners or legitimate licensees, and control of proceedings cannot be delegated to another party.

In June 2012, in what is believed to be the first case of its kind, a woman (Nicola Brookes) successfully secured an order against Facebook to reveal the identities of cyberbullies¹³. Ms Brookes was falsely branded a paedophile and drug dealer by anonymous Facebook users who set up a fake profile page on the website. The High Court held that Facebook should reveal the names, email addresses and IP addresses of those behind the abusive messages.

The Digital Economy Act 2010 has now introduced a new set of obligations on ISPs aimed at reducing online copyright infringement. These include:

• An obligation on ISPs to notify internet subscribers, within one month, if the IP addresses associated with them have been reported by copyright owners as infringing their copyright. If a subscriber receives three notifications from the same copyright owner within a year, the subscriber will be placed on a copyright infringement list.

• An obligation on ISPs to provide copyright owners with copyright infringement lists which can be requested on a monthly basis. The list does not identify the subscriber. A copyright owner would have to seek a Norwich Pharmacal order to obtain names and addresses of the relevant subscribers.

The Office of Communications (Ofcom), the independent UK communications regulator, has published its proposed Initial Obligations Code (which includes an appeal process), consultation on which ended on July 26, 2012. The Code will be notified in draft to the European Commission in accordance with the requirements under the Technical Standards Directive so that the European Commission can consider whether the Code presents a barrier to trade. That approval process should take around 12 weeks. Ofcom will make any required revisions to the Code and then publish the final statement. The Code will then be laid before Parliament. This should commence in late 2012, with a view to the Code coming into force by January 2013.

France

The “Hadopi Law” is named after the acronym of the government agency created to administer it. The Hadopi Law¹⁴ provides a graduated response as a means to encourage compliance with copyright laws. The process operates as follows:

1. Once notified by a relevant body¹⁵ or by the public prosecutor, the Hadopi Commission decides whether to send an email message to the subscriber of the internet access which is used to commit the infringing act.

• 2) If, within six months following the notification, a new act of copyright infringement is identified using the same internet access, the Hadopi Commission may send a second notification by email and registered mail.

• 3) If, within one year of the second notification, a further infringement act is identified and it appears that the internet subscriber has, without any legitimated reason, failed to implement the relevant security measure, the Hadopi Commission may send a registered letter to the subscriber, who has 15 days to provide her/his observations or to request a hearing. The Hadopi Commission can transmit the case to the public prosecutor, who may decide to prosecute the subscriber for negligence in the implementation of security measures, and this offence is subject to a fine of €1,500 (U.S.$1,906) (which may be increased fivefold if the subscriber is a legal entity) and suspension of the internet access for a maximum of one month. If the subscriber is the same person as the online copyright infringer, the public prosecutor will prosecute him or her for online copyright infringement¹⁶.

ISPs may disclose data revealing the identity of an internet user either to a judicial authority in the course of legal proceedings or to a sworn agent investigating a copyright infringement on behalf of the Hadopi Commission. Rights holders and their representatives cannot cooperate directly with ISPs to obtain data from them that identifies the user for the purpose of copyright enforcement.

Pursuant to Article L.336-2 of the Intellectual Property Code, a first instance court can order, upon request of a rights holder or its representative, any measures necessary to prevent or cease copyright infringement, against any person contributing to such violation, by way of a summary court order (référé). After a claim has been submitted to the judge, ISPs can only be compelled to disclose the IP addresses of subscribers by a court. The court may authorise the use of IP addresses for the purposes it defines in favour of a rights holder. The court may further allow the rights holder to access personal data through an ISP. A court may also use the summary procedure (référé) of Article 145 of the Code of Civil Procedure in order to preserve evidence.

In addition, a rights holder may obtain a summary order issued by a court (en référé or sur requête) requiring a technical provider to take all appropriate measures necessary to prevent or terminate harm caused by the content of a publicly available online communications service (Article 6-I-8 Confidence in the Digital Economy Act)¹⁷.

Furthermore, pursuant to Article L.331-21 of the Intellectual Property Code, the Hadopi Commission may obtain, for the purpose of its investigation, any documents, regardless of the support used, including data stored and processed by electronic communications operators, ISPs and hosting service providers. In particular, the Hadopi Commission can request information from electronic communications operators, including but not limited to the identity, postal address, electronic address and telephone number of the subscriber, that is necessary to establish evidence of a copyright infringement.

The Hadopi Law is now under review after France’s new culture minister branded the regime “expensive” and stated that it has “not fulfilled its mission”. In an interview with the French magazine Le Nouvel Observature, Aurélie Filippetti said that she did not know what would become of Hadopi, and that, in “financial terms, €12 million (U.S.$15.25 million) a year and 60 officers is expensive just to send a million emails”¹⁸. According to Hadopi’s July 2012 newsletter, the Commission has sent 1 million warning emails to (alleged) infringing users under the first stage, with 99,000 follow-up emails being issued under the second stage, and 314 cases have been referred to the courts. To date, no one has been disconnected.

Although the Hadopi Law has been in operation for three years, in September 2012, a French court for the first time fined an internet user relating to his online activities. A 40-year-old man was fined €150 [U.S.$190] despite his wife admitting that she had downloaded the music, as he was the owner of the internet account from which the files were downloaded. It has been reported that there are a further 13 similar cases before the courts¹⁹.

The French government has launched a consultation, led by businessman Pierre Lescure, to decide how to revise Hadopi. It will hear from groups including the creative industry and consumers, and Mr. Lescure is expected to produce a report detailing recommendations within six months. According to reports, ministers want a new-look Hadopi in place by 2013²⁰.

Germany

According to Section 101(1) of the German Copyright Act, a rights holder may bring a claim to request disclosure of the identity of users. The condition for bringing such a claim is that there has been a breach of copyright on a “commercial scale”. The commercial scale may be determined by the number of violations as well as their gravity. In addition, the breach is limited to “obvious” cases and requires that a claim has been brought by the rights holder against the infringer. Varying views have been adopted by the regional courts as to what constitutes a breach on a commercial scale. For example, in OLG Karlsruhe, Beschluss v. 1st September 2009 (AZ. 6 W 47/09), a complete movie file, a music album or audio book that is illegally made available before or directly after publication in Germany to an undefined number of people was deemed to be a breach on a commercial scale, whereas in LG Köln, Beschluss v. 30 April 2009 (Az. 9 OH 388/09), making available a protected work via file-sharing was held not to suffice for determining commercial scale²¹. While Section 101 was intended to strengthen the position of rights holders, the enforcement of such claims is extremely limited in most cases.

There is no procedure in place that compels ISPs to disclose the identity of users, except in cases where the ISP receives a judicial order issued by a law enforcement authority or a court to disclose the data. ISPs may not process IP addresses to pass on infringement warning notices to users unless the data subject gives his or her explicit and free consent. In general, any use of an IP address must either have a statutory legal basis, or consent by the user must be received. This concerns the storage of IP addresses in log-files, linking an IP address to a particular user and the disclosure of the data to rights holders. The user must consent explicitly and freely to the relevant data processing. For consent to be valid, the user must be informed about the purposes of the processing and the categories of recipients.

The Netherlands

There is no specific procedure other than a civil action to compel ISPs to disclose the identity of users. In cases concerning the identity of an infringing website owner, such disclosure has already been ordered by courts (see below).

ISPs can, under certain circumstances, disclose a user’s details to rights holders voluntarily without being liable for any damages suffered by the user as a result of such disclosure. Whether or not such disclosure is allowed was decided by the Dutch Supreme Court in Lycos/Pessers, (HR (Supreme Court), November 25, 2005, NJ 2006, 9). The Dutch Supreme Court ruled that Dutch data protection law does not generally prohibit the disclosure of personal data by ISPs to third parties wishing to initiate civil proceedings. Whether or not such disclosure is allowed depends on the specific circumstances of the case, in particular: 1) it must be likely that the user acted unlawfully towards the applicant; 2) the applicant must have a real interest in obtaining the name and address of the user; 3) there may be no less intrusive means of tracing the data than through the ISP; and 4) in light of a balancing of the interests involved, those of the applicant must prevail.

The criteria have been applied in several other court cases. For example, in Stichting BREIN/KPN, Rechtbank Den Haag, January 5, 2007 (Computerrecht, 2007/46), Stichting BREIN requested KPN (an ISP) to disclose personal data of a website owner offering BitTorrent files (i.e., films, music, etc.) for downloading. The court concluded that the unlawful actions of the website owner were obvious and that Stichting BREIN had made sufficient (unsuccessful) efforts to retrieve the personal data in another way. Also, in Stichting BREIN/Leaseweb, Hof Amsterdam, July 3, 2008 (Intellectuele Eigendom & Reclamerecht, 2008/67), Stichting BREIN requested Leaseweb (an ISP) to disclose personal data of a website owner intentionally improving P2P file-sharing, and therefore facilitating copyright infringement through its website. The Court of Appeal concluded that the unlawful nature of the activities was evident. It ruled that the interests of Stichting BREIN — the protection of copyright of the rights holders — outweighed the interests of the website host, not wasting time assessing the legitimacy of the request of the rights holder²².

I am not aware of any court judgment ordering the disclosure of the identity of a user, but it is likely that a court will order such disclosure if the Lycos/Pessers criteria are applicable.

Spain

ISPs cannot voluntarily disclose users’ details to rights holders in order to bring a civil action. Data disclosure is regulated by Article 11 of the Spanish Data Protection Act. The Data Protection Act does not allow data disclosure to initiate a civil action, nor does the e-Commerce Act.

Furthermore, there is no procedure in place that compels ISPs to disclose the identity of users within the framework of civil enforcement by rights holders. Regarding civil enforcement by judicial authorities, this issue was the focus of a case which led to the Promusicae case. The Commercial Court No. 5 of Madrid asked the CJEU for a preliminary ruling on whether Spanish law, which prohibits the disclosure of the identity of P2P users within the framework of civil enforcement by rights holders, was compliant with EU law. On January 29, 2008, the CJEU held that the e-Commerce Directive, the Copyright in the Information Society Directive, the IP Enforcement Directive and the e-Privacy Directive

do not require the Member States to lay down … an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings. However, Community law requires that, when transposing those directives, the Member States take care to rely on an interpretation of them which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with those directives, but also must make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality.

Following the CJEU’s judgment, the Commercial Court No. 5 of Madrid declared that the relevant provisions of the Spanish Data Protection Act and the e-Commerce Act did not contain any obligation to disclose personal information in the context of civil enforcement. Consequently, the court held that Telefónica did not have any obligation to provide the information requested.

The United States

There have been numerous cases in the United States seeking the identity of anonymous users, and, as a consequence, the courts have rapidly evolved guidelines as to when disclosure is appropriate. One of the most important aspects of the U.S. case law is the strong protection the First Amendment of the Constitution gives to anonymous speech. The Supreme Court has held in a number of cases that the right to speak anonymously is an aspect of freedom of expression²³. This protection of anonymity has also been extended to the internet. In Columbia Insurance v Seescandy.com
²⁴, it was recognised that online anonymity:

can foster open communication and robust debate.... People who have committed no wrong should be able to participate online without fear that someone who wishes to harass or embarrass them can file a frivolous lawsuit and thereby gain the power of the court’s order to discover their identity.

However, the courts have recognised that special safeguards should apply to the disclosure of users’ identities to ensure that there is no effect on their First Amendment rights.

No federal court, though, has articulated a standard for when unmasking an anonymous internet user is appropriate. Most courts look to state court tests for guidance, and they have applied three distinct tests to determine when a plaintiff has made a sufficient showing to merit a court-issued motion to compel disclosure. Courts have required plaintiffs to demonstrate either:

• a good faith basis warranting disclosure (the Good Faith Standard);

• evidence sufficient to survive a motion to dismiss before allowing disclosure (Prima Facie Case Standard); or

• evidence sufficient to survive a hypothetical motion for summary judgment (Summary Judgment Standard)²⁵.

Good Faith Standard

This standard was espoused in In re Subpoena Duces Tecum to America Online, Inc. No. 40570, 2000 WL 1210372 (Va. Cir. Ct. 2000), which requires the plaintiff to show only that his/her claim was made in good faith and not out of an intent to harass the defendant. Other courts have rejected the standard as setting the bar too low to protect a defendant’s First Amendment right to speak anonymously on the internet.

Prima Facie Case Standard

Dendrite International, Inc. v John Doe No. 3
²⁶ applied the prima facie case standard. In this case, a company that developed and serviced software for the pharmaceutical industry brought a John Doe lawsuit in a New Jersey state court against 14 unnamed defendants for critical messages they posted on Yahoo! message boards. Dendrite claimed the messages were defamatory and revealed trade secrets, and the company sought permission from the court to take discovery from Yahoo! regarding the identity of certain of the anonymous posters. The trial court allowed Dendrite to conduct limited discovery to find out the identities of John Does 1 and 2, who were current or former employees of the company, but rejected its request for an order compelling Yahoo! to identify John Doe 3. Dendrite appealed and the New Jersey appellate court affirmed the lower court’s ruling. The court set out guidelines for lower courts to follow when faced with a request for an order compelling an ISP to reveal the identity of an anonymous internet poster. The test to be applied was as follows:

• The anonymous user must be given notice of the application (as far as possible) and a reasonable opportunity to oppose it.

• The plaintiff must specify precisely the statements which are alleged to be defamatory.

• There must be evidence to support a prima facie case against the user.

• The court will balance the interests of the plaintiff in identifying the user against the First Amendment rights of the defendant, taking into account the strength of the plaintiff’s claim.

Applying the above test, the court held that Dendrite had failed to produce sufficient evidence for each element of its defamation claim because it had not produced evidence of harm resulting from John Doe 3’s statements. The above is a strict test but is not insurmountable. In Immunomedics, Inc v Jean Doe
²⁷, the court accepted that the test had been met. In this case, the anonymous user had posted confidential material on the internet and appeared to be an employee of the plaintiff. The court found it likely that she was in breach either of her contract of employment or her common law duty of confidentiality, and held that the plaintiff firm had made a sufficiently strong case to justify her identification.

Similar approaches were also taken in Doe v 2themart.com
²⁸ and America Online Ltd v Anonymous Publicly Traded Corporation
²⁹.

Summary Judgment Standard

In Doe v Cahill
884 A.2d 451, 457 (Del. 2005), the Supreme Court of Delaware held that, to disclose the identity of a user, plaintiffs must survive a hypothetical motion for summary judgment by making a prima facie showing for each element of the claim. In the case, the plaintiff (a city councillor) sought the identity of bloggers who posted defamatory comments on a local political website alleging that his mental condition was deteriorating and his leadership failing. The court found the Dendrite test unnecessary. However, in order to satisfy the summary judgment standard, a plaintiff must establish a prima facie case for each element and give notice to the user.

In the case of file-sharing and other online copyright infringement lawsuits, the most commonly used method to discover the identity of an alleged infringer is the Digital Millennium Copyright Act (“DMCA”). The DMCA allows for owners of copyrighted material who allege that their material has been infringed online to send a notice in a statutorily defined format to the ISP which hosts the content. The ISP then forwards that notice to the person responsible for having uploaded the material, and the uploader is given a chance to respond. If the uploader does not respond, the ISP will keep the material from being made available any longer.

In addition to the above, the DMCA provides rights holders who allege intellectual property infringement to take advantage of an easier subpoena process. Usually, lawsuits against an anonymous person, or “John Doe”, must be conducted during the discovery period of a civil action, meaning that a lawsuit must have already been filed. If a person who owns a copyright sends a DMCA notice, however, he or she is able to obtain a subpoena from a court clerk without even commencing a lawsuit. In such cases, the defendant is unlikely to remain anonymous. Firstly, under the subpoena, the ISP will be obliged to expeditiously disclose to the copyright owner or person authorised by the copyright owner the information required by the subpoena. The only exception is if they successfully move to quash the subpoena, and, as set out in Sony Music Entertainment Inc v Does 1-40 326 F. Supp.2d 556 (S.D.N.Y. 2004), the court will uphold a subpoena where:

• a prima facie case of copyright infringement is made;

• the request for identifying information of subscribers is specific;

• there is no alternative means to obtain the subpoenaed information;

• the information is needed for the case; and

• the defendants have no expectation of privacy.

The above test was relied on in Arista Records, LLC and others v Doe 3 604 F.3d 110 (2010), where the Second Circuit upheld a district court ruling rejecting the defendants’ request to quash the plaintiff record companies’ subpoena to the defendants’ ISP for confidential information which would identify the defendants. The defendants argued, amongst other things, that the First Amendment’s right to privacy and right to anonymous speech protected them from such disclosure. The Second Circuit disagreed, holding that, when such anonymous use of the internet involved copyright infringement, the copyright holders’ need for the infringers’ identities to enforce their intellectual property rights outweighed the defendants’ First Amendment right to anonymous internet use. This case reinforces the notion that the First Amendment may not be used to defend against a claim of copyright infringement (at least as far as anonymity is concerned).

Canada

In Canada, there is no general right to anonymity. However, the Supreme Court of Canada has found that individuals have a right to a reasonable expectation of privacy in certain instances, such as where there is a threat to one’s life or safety³⁰. It also recognised a right to privacy subsumed in Sections 7 and 8 of the Charter of Rights and Freedoms³¹. In addition, Section 14.1(1) of Canada’s Copyright Act gives authors the right to remain anonymous in connection with the publication of their works.

There are two ways for a plaintiff to compel third parties to disclose the identity of anonymous defendants — by seeking the equitable remedy known as a Norwich order or by seeking pre-action discovery or production under the applicable rules of civil procedure.

Norwich Orders

Norwich orders were introduced in the UK case Norwich Pharmacal Co. v Customs and Excise Commissioners
³², in which it was held that, where a third party becomes involved in the tortious acts of others, that third party has a duty to disclose the identity of the tortfeasor. This was approved of in Canada, and the factors on whether to grant a Norwich order in the internet defamation context were set out by the Ontario Superior Court of Justice in York University v Bell Canada Enterprises
³³. The factors are as follows:

• whether the applicant has provided evidence sufficient to raise a valid, bona fide or reasonable claim;

• whether the applicant has established a relationship with the third party from whom the information is sought, such that it establishes that the third party is involved in the acts;

• whether the third party is the only practicable source of the information;

• whether the third party can be indemnified for costs to which it may be exposed because of the disclosure; and

• whether the interests of justice favour obtaining the disclosure.

In the above case, the plaintiff sought a Norwich order to compel ISPs to disclose the identity of the anonymous author of allegedly defamatory emails and web postings that accused a university president of committing academic fraud. After concluding that the first four factors were met, the court proceeded to consider the fifth factor, which, in the court’s words, required it to “balance the benefit to the applicant of revealing the desired information against the prejudice to the alleged wrongdoer in releasing the information”. The court concluded that the interests of justice favoured the disclosure of the author’s identity primarily because the author could not have had a reasonable expectation of privacy with respect to his identity due to the terms of his ISP’s privacy policy. Significantly, while the court concluded that the plaintiff had demonstrated a prima facie case under the first factor, it did not require the plaintiff to demonstrate more than a bona fide case³⁴.

The same approach was taken in the earlier case of BMG Canada Inc. v John Doe
³⁵, albeit in a different context. In that case, the plaintiffs, a group of music recording industry companies, commenced action against internet users who were alleged to have engaged in illegal file-sharing. The trial court applied the Norwich order analysis and concluded that the application should be denied. In doing so, the court held that the plaintiffs were required to demonstrate a prima facie case under the first factor. Although the Federal Court of Appeal affirmed the trial court’s decision, it clarified that the first factor requires plaintiffs to demonstrate only a bona fide belief of wrongdoing. The court expressed the concern that the imposition of the higher prima facie standard would effectively strip plaintiffs of a remedy, because plaintiffs could not know the case that they wished to assert against the defendants until they knew the identity of the persons that they wished to sue and the nature of their involvement in the file-sharing activities.

Rules of Civil Procedure

The rules of civil procedure in most provinces impose a low threshold for plaintiffs to meet before disclosure will be ordered. For example, in Ontario, courts may order ISPs to disclose subscriber information where it would be unfair to require the plaintiff to proceed to trial without the subscriber’s identity (Rule 30.10, Ontario Rules of Civil Procedure). Courts may also allow a plaintiff to cross-examine an ISP in order to get information about its subscriber, as long as the plaintiff cannot get that information from another source, it would be unfair to require the plaintiff to proceed to trial without the subscriber’s identity and the examination will not cause undue delay, entail unreasonable expenses for other parties, or result in unfairness to the ISP (Rule 31.10). In Irwin Toy v Doe [2000] O.J. No. 3318 (S.C.J.), an Ontario court also required that the plaintiff make out a prima facie case against the defendant (namely, whether the allegations appear, upon an initial review of the facts and law, to have merit) before ordering the ISP to disclose the name of a subscriber³⁶, thereby offering protection to the privacy of internet users beyond that provided in the Rules.

However, recent decisions have held that the Charter of Rights and Freedoms requires courts to strike a balance between the competing interests by requiring plaintiffs to 1) meet an evidentiary threshold; 2) establish the necessity of the disclosure sought; and 3) demonstrate that disclosure is favoured by a weighing of competing interests³⁷. In Warman v Wilkins-Fournier [2010] O.J. No. 1846, the court set out four considerations, aimed at respecting the privacy of internet users, that should be considered by courts in deciding whether to order disclosure:

• whether the unknown alleged wrongdoer could have a reasonable expectation of anonymity in the particular circumstances;

• whether the plaintiff has established a prima facie case against the unknown alleged wrongdoer and is acting in good faith;

• whether the plaintiff has taken reasonable steps to identify the anonymous party and has been unable to do so; and

• whether the public interests favouring disclosure outweigh the legitimate interests of freedom of expression and right to privacy of the persons sought to be identified if the disclosure is ordered.

Furthermore, the court noted that the second and fourth Norwich factors are not relevant to the Rules approach because they apply only to third party respondents rather than co-defendants. However, the other Norwich factors are practically identical to the considerations set out above. In addition, the court stated that the concern expressed by the Federal Court of Appeal in BMG Canada does not arise in internet defamation cases because the plaintiffs will inevitably know the details of the allegedly defamatory acts at issue.

The courts in other provinces have followed Warman. In A.B. v Bragg Communications Inc.
³⁸, the Nova Scotia Court of Queen’s Bench applied the considerations set out in Warman and ordered the ISP to disclose the identity of an anonymous user who created a false Facebook profile which contained the plaintiff’s picture, a variation of her name, personal information and offensive sexual commentary. Likewise in Doucette v Brunswick News
³⁹, the New Brunswick Court of Queen’s Bench ordered the disclosure of the identity of a person who posted allegedly defamatory comments on the newspaper website.

As Norwich orders are equitable remedies with principles that should be applied flexibly, it is possible that this approach (requiring the demonstration of a bona fide case) is less onerous than that under the Rules (requiring the demonstration of a prima facie case). However, the conflict will be resolved on a case-by-case basis.

Israel

Prior to Brokertov v Google Israel, two different approaches emerged. The first gave priority to users’ privacy concerns and the public interest in freedom of speech. Disclosure would be ordered only in serious cases where it gave rise not only to civil liability but also to criminal liability. The second set a lower threshold, with claimants required to show only that they had a viable cause of action against the (alleged) wrongdoer and that there existed an “additional element” that justified disclosure and outweighed privacy concerns. The claimant was also required to show that he or she took meaningful steps to reveal the identity of the wrongdoer and exhausted the options to discover it alone prior to seeking the court’s assistance⁴⁰.

On January 7, 2009, the Tel Aviv District Court ordered Google Israel and a local ISP to disclose information relating to subscribers suspected of online piracy. This was the first time that an Israeli court allowed rights holders to obtain disclosure orders against ISPs in intellectual property litigation.

The decision established the criteria against which pre-action disclosure applications will be judged⁴¹. The court applied a more flexible approach. It held that all the claimant needed to show in order to succeed was a “real reason to suspect” that an infringement was taking place. This meant that the claimant could merely establish that he or she has a viable cause of action in his/her main claim. By adopting this approach, the court significantly lowered the threshold previously set by the courts for disclosure applications.

In RPA (Haifa) 850/06 Rami Mor v Yedioth Internet (March 2010), a health care practitioner, Mor, sought disclosure of the identity of a blogger who (allegedly) defamed him. The Israeli Supreme Court ruled that the blogger was entitled to his anonymity and that “John Doe” applications contradict due process. It stated that the veil of anonymity is sometimes a constitutional right.

Furthermore, in Football Association Premier League Limited v John Doe (Civil Appeal 9183/09, May 13, 2012), while the Supreme Court held that the filming of sporting events, including the production, directing and editing of the film, amounts to an original work of art protected by the Israeli Copyright Law (thereby overturning a controversial decision issued by the District Court), it was divided over whether to reveal the identity of the respondent. The majority opinion ruled against it but referred to the legislator, stating that these issues should be determined by law. While the plaintiff won the case, the outcome is of little effect, since John Doe remains anonymous, allowing him to escape liability.

As Israel has no judicial procedure in place to order ISPs to give up the identities of their subscribers, and as there is no process to unmask commentators who post comments anonymously, this effectively grants unconditional anonymity to anyone on the Israeli internet until the government can come up with a legal procedure to force ISPs to release the information requested.

Conclusion

There is a battle going on in the courts across almost every jurisdiction between protecting online anonymity and the equally privacy-related question of accountability when one individual’s postings defame or infringe the intellectual property rights of another. In certain countries, such as the United States, the veil of anonymity will be lifted in certain instances (notwithstanding the First Amendment), whereas in Israel there is no procedure in place to unmask infringers, thereby allowing them to escape liability.

In the European Union, there is no harmonisation, and so it is left to the individual Member States to decide how to apply the proportionality principle in the context of intellectual property infringement and how to strike a fair balance between data protection law and online intellectual property enforcement.

As a consequence, the onslaught of legal actions, pending cases and unanswered questions is set to continue.

Maureen Daly is a Partner and Head of Technology And Brands at Beauchamps Solicitors, Dublin, Ireland. She may be contacted at m.daly@beauchamps.ie.

While all reasonable care has been taken in the preparation and completion of this Special Report, no responsibility is accepted for any inaccuracies, errors or omissions. This Special Report has been prepared for information purposes only and does not constitute legal advice. © Beauchamps 2012.