Peter Hustinx, the European Data Protection Supervisor, has released an opinion (EDPS pdf; archive pdf) criticizing the Anti-Counterfeiting Trade Agreement (ACTA) between the European Union, Australia, Canada, Japan, the Republic of Korea, the United Mexican States, the Kingdom of Morocco, New Zealand, the Republic of Singapore, the Swiss Confederation and the United States of America. The EDPS has released an opinion in Feb. 2010 on ACTA, but that was before the full agreement was made public. The 2010 EDPS opinion had focused on the proposal that “ACTA would contain online enforcement measures having an impact on data protection rights, notably the three strikes mechanism.”
In a press release (pdf), the EDPS notes that this latest opinion “underlines that many of the measures to strengthen IP enforcement online could involve the large scale monitoring of users’ behaviour and of their electronic communications.”
The opinion says:
Many of the measures that could be implemented in the context of Articles 27(3) and 27(4) of ACTA would involve a form of monitoring of individuals’ use of the Internet, whether by detecting actual IP rights infringements or by trying to prevent any future infringements. […]
Measures that entail the generalised monitoring of Internet users activities are highly invasive of the individualsâ€™ private sphere. They are usually carried out unnoticed and may affect millions of individuals or even all users, irrespective of whether they are under suspicion. They may involve the monitoring of electronic communications exchanged over the Internet and the review of the content of individuals’ Internet communications, including emails sent and received, websites visited, files downloaded or uploaded, etc. Furthermore, such monitoring usually entails the systematic recording of data, including the IP address of suspected users. All this information can be linked to a particular individual through the ISP, who can identify the subscriber to whom the suspected IP address was allocated. It therefore constitutes personal data as defined in Article 2 of the Data Protection Directive 95/46/EC22.
As a result, these measures will often constitute an interference with individuals’ fundamental rights and freedoms, such as the rights to privacy, to data protection, and to the confidentiality of communications, protected in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the EU23.
Read the full opinion for more details.