La gestion des DRM en perspective

§2 - personal data protection in prospect

The French legislation rests on the base of the law Informatique and Freedoms of January 6, 1978. However, this one must be put in agreement with the various provisions of the Directive of October 24 1995^94(*) which should already have been transposed, within the time limit, in French right insofar as, unlike the directly applicable payments, the directive binds the Member States as for the result to reach while leaving with national authorities competence as for the form and with the means.^95(*) In the same way, the directive on the electronic trade of June 8, 2000 and one of the directives Paquet Telecom (2002/58) must be the subject of a transposition to be in conformity with the requirements European.

With- the right to the personal data protection

In February 2003, the EUCD.INFO underlined in front of the CSPLA that « the electronic systems of management of the rights («DRM») could not cause for object or to make it possible at private organizations to operate automated processings of personal data for the identification of possible infringements to the royalty and the close rights. In accordance with the provisions of law and order of the law known as «data-processing and freedoms», people not invested morals of private law of a mission of public utility could not in no case to replace for the police force or justice by assuming capacities of investigation which come under the exclusive responsibility of the State ».^96(*)

In that, it was based on article 30 of the law Informatique and Freedoms of January 6 1978 which indicates that « except contrary legislative provisions, the jurisdictions and public authorities acting within the framework of their legal attributions like, on assent of the national commission, the people morals managing a public utility can only carry out the automated treatment of personal information relating to the infringements, judgments or measurements of safety (...) ».^97(*) One of the other difficulties inherent in the installation of a system of GDN being adequacy and balance to be found for the respect of the private life and the personal data protection.

One will note what Pamela Samuelson understands by DRM : « Year alternative phrases digital for DRM is «restrictions management,» given its uses by copyright industries to restrict to use rights »^98(*) what will give us to reflect on the implications in terms of management and protection of the person. Alliances between industrialists, necessary to make emerge standards and interworking in particular, must be looked at with caution.^99(*) Because behind those, and the DRM, is profiled technologies « that will Al more perfect control over accesses to and uses digital files off. The same capabilities that enable more perfect control also implicate the privacy interests off users off information goods (...). They also create the potential for vastly increased collection off information butt individuals' intellectual clothes and preferences. Thesis technologies therefore space affect both and informational dimensions off the privacy that individuals customarily cuts enjoyed in their intellectual activity ». ^100(*)

What is obstructing so much a legal and ethical point of view is the fact that technologies of GDN, can create data records which even if they are generally made automatically via « robots » without any human intervention are likely to threaten the respect of the private life of the users. In particular if these data collected are accessible to others and that they can be used with fine marketing and/or that these data, like specifies it Julie Cohen, can be « gathered through monitoring [and] later Be used to generate detailed profile users' revealed intellectual preferences off. The information provider edge uses the resulting profile to market additional information goods to users, but edge salt it to third left who may uses it for has wide variety off other purposes ». ^101(*)

Moreover, the European Commission recalls its attachment to these values by explaining that if the goal first technical protection measures is to preserve the rights of ownership intellectual and the economic rights associated, it does not remain about it less than : « However, in so far have DRMs may involve the collection and further processing off personal off dated in order to curry out the essential function protecting the works, but in so far have they may content also Al owners to closely monitor and track the uses off digital content, to consume organizations, privacy advocates, national supervisory authorities and the Commission are also concerned butt DRMs affecting the fundamental rights to privacy and personal dated ace guaranteed by the HAVE Charter one fundamental rights^102(*) and the HAVE dated protection directives ». ^103(*)

It is certain that the use of the DRM must be completely compatible and in direct bond with the principles resulting from Directive 95/46.^104(*)

The CSPLA returned a report/ratio in June 2003 in which it points the risks related to the management of the DRM. It will be retained in particular that they : « could allow «to know in a very precise way of the whole sides of the private life^105(*) of the individuals»^106(*), «to collect data going beyond what is simply necessary to the exercise of the rights of the author's copyright and artistic», «to be coupled with [information] gathered on other sites thanks to single systems of identifiers, such as that of system .NET Passport developed by Microsoft», and problems in the event of repurchase of companies would pose, making it possible these last to constitute «files relating to a great number of characteristic ». ^107(*)

« Technology is neutral but the use that one does it is not and must thus be guided by ethics and not only by economic interests. Massive deployment of technical measurements of protection « new generation », communicating with central waiters or being pressed on intelligent labels (RFID), presents consequent risks of attack at the personal freedoms (like the CNIL A raised besides) ». ^108(*)

Contrary and one will not be astonished any, having them rights and their partners estimate that the DRM do not pose problems in term of attack to the private life and one can be astonished that the CSPLA gives him reason when it indicates in his opinion of June 26 2003 that « these systems lie within the general scope of the electronic trade and the rules, including penal, applicable as regards personal data protection ».^109(*)

More still, in an opinion of March 2, 2004, the CSPLA^110(*) if it is conscious of the potential risks related to « collect and the consolidation of precise data on cultural consumption of interested and their possible use in not desired ends » indicates that on the matter the these risk assessment is difficult... and inherent in emergent technologies... are common in the cybermonde !

This opinion is interesting insofar as it systematically will ask for and/or reinforce the means of fights against the hacking and the illicit exchanges of works between users by indicating that :

- the rules of administration of the proof in the penal lawsuit do not make obstacle with the launching of requests on the Internet by the authorities or having them right (in particular by the means of the sworn in agents of the article L. 331-2 of the code of the intellectual property) for purposes to note the offers of files carried out in violation of the rights of author's copyright and artistic.

- [if] character only indirectly personal of IP addresses^111(*), (...) gives access the real identity interested parties only after bringing together with the data of connection held by the technical operators, within the framework of a legal procedure, [It] insists on the need for having the right, have regard to the massive character of the counterfeit on line, to be able to resort to such treatments, with an aim as well preventive as repressive. [the CSPLA] wishes that the Parliament find (...) a solution allowing to the holders rights and the organizations acting for their account to proceed to the constitution of such files, with an only aim of ensuring the protection of these rights [and] to adopt a formulation which makes it possible without ambiguity to look it like including, on the one hand, among the finalities of the collection, prevention and the repression of the violations of the rights of author's copyright and artistic, on the other hand, with the number of the people concerned, professional organizations and companies of collection and distribution of the duties, when they act on behalf of having the right.

The bill reforming the Data-processing Law and freedoms^112(*) adopted by the deputies on last 29 April seems to go in this direction when it indicates : « «Art 9. - The processings of data in personal matter relating to the infringements, judgments and measures of safety can be taken only by:

(...) «3° (new) the people morals victims of infringements, for the strict needs for the fight against the fraud and under the conditions envisaged by the law ».^113(*) Thus, the solution required by the CPSLA should allow for example compared to the illegal remote loading music on Internet to authorize the people morals, therefore the companies of royalty « victims of the counterfeit, to constitute their own files of infringements in order to collect personal data, as IP addresses ».^114(*) One will await the confirmation of this measurement during the examination of the text by the senators in 2nd reading.

- Being finally the identification of the counterfeiters, the higher Council underlines the need for implementation an effective of the obligation of conservation, by the operators of telecommunications and the service providers on line, for the needs for research, the observation and the continuation of the penal infringements, of the data allowing such an identification (...) Being more particularly the data of connection, the higher Council estimates than, have regard in particular to the guarantees of which their conservation is surrounded, the time of this one would not have, in the current state of the legislation, being lower than one year, (...). A lengthening, for certain categories of data ;

- under certain conditions, the engagement of the responsibility for the intermediate people receiving benefits of services on line when they abstain from taking measurements making it possible to put an end to the illicit activities of which they are informed, envisage the possibility, for the administrative or legal authorities proper, to require these same people receiving benefits that they put a term at such activities, in particular by withdrawing the litigious contents or while making them inaccessible, and invite the Member States to set up of the recourse jurisdictional effective, including in summary procedure. ^115(*)

With the reading of this opinion one will be able to wonder about the degree of freedom left to the users of the networks and the real legitimacy of this arsenal of repressive measurements and attentatoire with the freedom and the respect of the private life. The framework favourable with a blooming serene and balanced electronic trade is not yet clearly fixed !! Overall, one will wonder about the stakes existing between right and technique bus in the long term, like specifies it daN L Burke, « content owners may Be relatively unconcerned butt obtaining gold enforcing intellectual property rights have such rights cuts previously existed. Where accesses and uses off edge Be controlled by built-in technological restrictions, regulation the content via legal sanctions becomes far less gravitational. Indeed, content owners may prefer, rather than relying one copyright law to prohibit some statutorily determined use off the work, to rely one anti-circumvention laws to prohibit tampering with the technological controls, leaving the technology to prohibit whichever use the content owner unilaterally chooses. Such anti-circumvention laws, acting have year adjunct to technological controls, confer upon content owners A dismantles control never attainable under off has mode off traditional copyright ». ^116(*)

Following the interrogation which one posed within the framework of address IP^117(*), one will be interested particularly in the actions pursuant taken within the framework of the fight against the hacking to the amendment n°8^118(*) which would seem to allow « people morals mentioned with the articles L. 321-1 and L. 331-1 of the code of the intellectual property, acting under the rights of which they ensure management " [] to carry out the personal data acquisition ». Thus, if this amendment were retained, it is the opened possibility, for the trust companies of the royalties to be used for itself of IP addresses (indirectly personal) to obtain information on the people operating on the networks and particularly within the problematic framework of the P2P.^119(*)

* ⁹⁴ One will be able to read, on the transposition by Germany  : Thomas Ramsauer, Germany' S Law Copyright one the Edge off the Information Age, e.Copyright Bulletin, December 2003, 9p.

* ⁹⁵ Denys Simon, the Community legal system, 2001, PUF, p. 325.

* ⁹⁶ EUCD.INFO, electronic Systems of management of the rights («DRM») and personal data protection, February 7, 2003, http://eucd.info/

* ⁹⁷ CNIL, Data-processing Law and Freedoms, Article 30, www.cnil.fr/index.php?id=301#Article30

* ⁹⁸ Pamela Samuelson, DRM {AND, GOLD, VS.} THE LAW, Communications off the ACM, April 2003/vol. 46, No 4 p.42. www.sims.berkeley.edu/~pam/papers/acm_v46_p41.pdf

* ⁹⁹ In particular the initiative of Microsoft and its new system renamed Longhorn, Next Generation Secure Computing Bases www.theregister.co.uk/content/4/25852.html and Trusted Computing Platform Alliance (TCPA) the purpose of which is to even set up systems of DRM at the level of the infrastructure.

* ¹⁰⁰ Julie E. Cohen, DRM and Privacy, 2003, The Berkeley Technology Law Newspaper, p. 1.

https://www.law.berkeley.edu/institutes/bclt/drm/papers/cohen-drmandprivacy-btlj2003.pdf

* 101 Ibid, p. 11. In the same direction: «  Too many businesses, including many off the leading-edge entrepreneurial companies emerging one the Internet, cuts off not focused enough one the been worth customer profile. The winners and losers off this new will era will Be determined by who has rights to on-line customer profile " and «There will eventually Be acquisitions that are based one to consume dated, where the primary ace that' S being bought is the to consume dated. (...) Consumer dated right now is the currency off E-trade in A batch off ways. Those are valuable customers because they' ve shown that they' Re buyers, and they' ve bought from has competing blind. (...) Names in A database save has company from spending marketing dollars to acquire has customer - usually butt $100 per customer  ». HALPERN and HARMON,

www.datenschutz-berlin.de/doc/eu/gruppe29/wp37_en/wp37en04.htm

* ¹⁰² Article 8 of the Charter of the basic rights recalls the principle of the data protection in personal matter. 18/12/2000, www.info-europe.fr/doc02/223/g000d992.pdf

* ¹⁰³ European Commission, DIGITAL RIGHTS Background, Systems, Have, 14.02.2002, p. 14.

http://europa.eu.int/information_society/newsroom/documents/drm_workingdoc.pdf

* ¹⁰⁴ In this respect it will be noted that considering it 57 of Directive 2001/29/EC indicates  : «  The systems relating to information on the mode of the above-mentioned rights also can, according to their design, to treat data in personal matter relating to the spending patterns of the private individuals as regards the protected objects and to allow the observation of the behaviors on line. These average techniques must, in their technical functions, to incorporate the principles of protection of the private life, in accordance with directive 95/46/EC of the European Parliament and the Council of October 24, 1995 relating to the protection of the physical people with regard to the processing the data in personal matter and to freedom of movement of these data  ».

http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=fr&numdoc=32001L0029

* ¹⁰⁵ One also conscious of the problems binding will be given personal and addresses IP since it is advisable to agree on the fact that «  address IP of the Net surfer can be described as indirectly personal data  ». Quoted in Sophie Lalande, address IP of your computer, a personal data concerned with the mode of protection of the community system of protection  ?, p. 10. www.droit-tic.com. The CNIL considering for this reason that «  only the public people or the private people in charge of a public utility can, under the terms of article 30 of the law of January 6, 1978, to constitute files while containing  ». But, the CSPLA wishes that the Parliament find, within the framework of the reform of the law of January 6, 1978, and in the respect of the directive of October 24, 1995, a solution allowing the trust companies and having the right to proceed to the constitution of such files with an only aim of ensuring the protection of these rights.

www.culture.gouv.fr/culture/cspla/avislibertes.htm

* ¹⁰⁶ Even «  to know with precision the contents themselves, including, being in particular written works, concerning the aspects sensitive of the private life enumerated to article 31 of the law of January 6, 1978: political or philosophical opinions, religion, trade-union membership, manners of the people  ». CSPLA, Commission Report on the author's copyright and artistic and personal freedoms, June 26, 2003, p. 6. www.culture.gouv.fr/culture/cspla/raplibertesindiv.pdf

* ¹⁰⁷ Ibid, p.6.

* ¹⁰⁸ Christophe Espern, Interworking: Arlésienne of the DRM, http://eucd.info/ddm.fr.php. One will study these aspects, as a partulier within the framework of Directive IP Enforcement.

* ¹⁰⁹ CSPLA, Opinion of June 26, 2003, www.culture.gouv.fr/culture/cspla/avislibertes.htm

* ¹¹⁰ CSPLA, OPINION N° 2004-1 relating to the author's copyright and the personal freedoms, March 2, 2004, www.culture.gouv.fr/culture/cspla/avis04-1.htm

* ¹¹¹ In this respect, the CNIL indicates that in accordance with article 30 of the Data-processing Law Freedoms of January 6, 1978, only the public people or the private people in charge of a public utility can carry out such treatments the ends of prevention and repression of the infringements

* ¹¹² Bill relating to the protection of the physical people with regard to the processings of data in personal matter and amending the law n° 78-17 of January 6, 1978 relating to data processing, the files and freedoms. http://www.assemblee-nationale.fr/12/projets/pl0762.asp

* ¹¹³ Ibid

* ¹¹⁴ Philippe Crouzillacq, representatives of the artists authorized to drive the pirates, 3/05/2004, www.01net.com

* ¹¹⁵ CSPLA, OPINION N° 2004-1 relating to the author's copyright and the personal freedoms, March 2, 2004, www.culture.gouv.fr/culture/cspla/avis04-1.htm

* ¹¹⁶ DaN L. Burk Anti-Circumvention Misuse, 2002, p. 10

http://intel.si.umich.edu/tprc/papers/2002/29/misuse.pdf

* ¹¹⁷ Note 105, p. 29.

* ¹¹⁸ http://www.assemblee-nat.fr/12/rapports/r1537-01.asp

* ¹¹⁹ Arnaud Devillard, Christophe Pallez (Cnil): «We will have the possibility of giving fines» 19/04/2004, www.01net.com and Christophe Lagane, the data-processing law and freedoms in the course of recasting, April 14, 2004, http://www.vnunet.fr