
Cartier et al v Sky et al 2014: what if the ISPs’ blocking systems did not implement Shallow Packet Inspection technologies?


Over the last couple of years, music and film copyright owners have obtained several website-blocking orders under UK copyright rules (section 97A of the Copyright, Designs and Patents Act 1988). However, as there is no equivalent legislative provision for trade mark infringement, website-blocking orders have not been used in respect of trade mark infringement… that is, UNTIL the famous judgement of Mr Justice Arnold from the High Court of Justice (Chancery Division) in the case of Cartier et al v Sky et al of 17 October 2014.

Readers might recall that the facts of this case concerned Richemont International SA, which owns a large number of UK registered trade marks, including the luxury brands Cartier and Montblanc. Richemont applied for orders requiring five internet service providers (ISPs) – Sky, BT, EE, TalkTalk and Virgin – to block access to six websites that advertised and sold counterfeit goods targeted at UK consumers infringing its registered trade marks. The court was satisfied that this was a clear case of trade mark infringement, but it needed to determine whether it had jurisdiction to order the ISPs to block access to those websites.

Arnold J. decided that the Court did have jurisdiction to grant an injunction against ISPs to require them to block access by their subscribers to these websites under certain conditions.

Rereading the judgement, I stopped at an interesting paragraph, paragraph [25], which reads as follows: Deep packet inspection (DPI)-based URL blocking “involves monitoring traffic by means of Deep Packet Inspection (DPI) and blocking requests for specific Uniform Resource Locators (URLs). A URL is a web address, which usually consists of the access protocol (e.g. http), the domain name (e.g. http://www.example.com ) and the specific resource (i.e. the page e.g. main-page), separated by a colon and slashes. This method does not involve detailed, invasive analysis of the contents of the packets in the traffic (and for that reason it is sometimes referred to Shallow Packet Inspection rather than Deep Packet Inspection). It is typically implemented using proxy servers. It can also be used to implement IP address blocking as an alternative to the router method described above”.

Although the making of this distinction by Arnold J might have been motivated by the need to justify the absence of privacy concerns generated by the use of DPI-based URL blocking technologies, such a finding is really striking. This is true for one important reason explained in a joint paper (co-authored by Tim Chown, Evangelia Papadaki and myself) on DPI technologies and practices.

A URL is application data contained in the payload of packets. Strictly speaking, therefore, the fetching of URLs does not amount to Shallow Packet Inspection but to Deep Packet Inspection, as elements of the payload are inspected. Other examples of application data are the content of emails… In addition – and this is important as well when it comes to access to communications data by law enforcement agencies – URLs are considered to be content data, i.e. part of the content of communications, and getting access to URLs requires a warrant (see the most recent version of the Acquisition and Disclosure of Communications Data Code of Practice).

In the end Arnold J. might be saying that if DPI-based URL blocking is only looking for a specific pattern in the payload (a bad URL) then other parts of the payload are not being retrieved (only matched against). [Note however, there may be personally identifiable information in the data that is being accessed to match against, which depending on the way in which the blocking is being implemented may include (user) names, cookies or (parts of) identifiable browser fingerprints].
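To make the header/payload distinction concrete, here is an added example (not part of the original post or the judgement) that parses a constructed IPv4/TCP packet carrying a plain HTTP request. The function names and the sample packet are hypothetical; the addresses come from documentation ranges. It shows that the URL can only be rebuilt from the payload, and that the same read exposes other headers such as cookies.

```python
import struct

# Constructed sample: an HTTP request as it would sit in a TCP payload.
HTTP_REQUEST = (
    b"GET /main-page HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

def build_packet(payload: bytes) -> bytes:
    """Wrap payload in minimal IPv4 and TCP headers (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + tcp + payload

PACKET = build_packet(HTTP_REQUEST)

def shallow_inspect(packet: bytes) -> dict:
    """Read only the IP and TCP headers: enough for IP address blocking."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "sport": sport, "dport": dport}

def deep_inspect(packet: bytes) -> dict:
    """Read the TCP payload: needed to rebuild the URL, exposes other headers."""
    ihl = (packet[0] & 0x0F) * 4
    tcp_hlen = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + tcp_hlen:]
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = dict(line.split(": ", 1) for line in header_lines)
    return {"url": "http://" + headers["Host"] + path,
            "also_visible": sorted(k for k in headers if k != "Host")}

def url_blocked(packet: bytes, blocklist: set) -> bool:
    """URL-level matching; cannot be decided from shallow_inspect() output."""
    return deep_inspect(packet)["url"] in blocklist
```
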

So the real question is whether inspecting the payload of packets (e.g. to fetch application data such as URLs) is non-invasive. Put differently, does inspecting the payload of packets (e.g. to fetch application data such as URLs) amount in principle to a violation of the principle of confidentiality of communications?

If it is a prima facie violation of the principle of confidentiality of communications then it would need to be justified under Article 8(2) of the European Convention on Human Rights and eventually Articles 7 and 8 of the European Charter.

Arnold J. does not directly address this question as he follows Case C-314/12 UPC v Constantin of 2014, which is concerned only with freedom to conduct a business (Article 16 of the European Charter) and freedom of expression and information (Article 11 of the European Charter)… although a few years ago in Case C-70/10 Sabam v Scarlet the right to protection of personal data had been mentioned by the CJEU.

He writes: “In the present case, Richemont rely on trade marks, which are also intellectual property rights within art.17(2) of the Charter. The other rights which are engaged by the orders sought by Richemont are (i) the ISPs’ freedom to conduct business under art.16 of the Charter and (ii) the freedom of information of internet users under art.11 of the Charter”…. “Accordingly, I consider that the orders are proportionate and strike a fair balance between the respective rights that are engaged, including the rights of individuals who may be affected by the orders but who are not before the Court”.

Is it fair to exclude the right to respect of private life and the right to protection of personal data from the balancing test when DPI technologies are at stake?

Including these rights in the balancing test would make it possible to assess the degree of intrusiveness of different DPI practices and maybe check whether some are followed by, for example, retention practices… but who really retains data these days, you might say… ironically…

Sophie Stalla-Bourdillon
