The legal remedies available to right holders irrespective of ISP cooperation provide an important context for attempts to establish the Graduated Response by agreement. Right holders claim to have rights of action against ISPs under the general law. They argue that ISPs should come to terms with them in a consensual arrangement, so as to avoid the inconvenience of becoming defendants to actions brought by right holders to enforce their rights.

In the European Union, the main legal instruments are:

The key weapon of right holders to compel ISPs to assist them is contained in Article 8(3) of the 2001 Copyright Directive, which provides that:

“Member States shall ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.”

Although the Electronic Commerce Directive provides exemptions from liability for ISPs in certain circumstances, these immunities do not apply to claims for injunctions. The right to an injunction has been implemented in the EU’s 27 Member States in a wide variety of forms. The courts have issued injunctions against ISPs in various cases, but the jurisprudence is still developing.

In the United States, the key statutory text is section 512 of Title 17 U.S.C. – the online liability provisions of the Digital Millennium Copyright Act. Judge-made law plays a large part in the liability analysis. While the US does not have a provision analogous to Article 8(3) of the EU’s Copyright Directive, strong common-law concepts of contributory and vicarious liability arguably implicate ISPs quite readily in liability for the infringements of their subscribers. Although this is merely a national provision, the US law has been influential in the design of other national laws, especially in Asia.

An unsuccessful attempt to create international norms relevant to the Graduated Response was the draft Anti-Counterfeiting Trade Agreement, the final version of which was published on 3 December 2010. ACTA set out minimal standards for content protection on the Internet. It did not propose any explicit Graduated Response scheme. However, it required parties to “endeavour to promote cooperative efforts within the business community to effectively address trademark and copyright or related rights infringement” and provided that parties “may” provide their competent authorities “with the authority to order an online service provider to disclose expeditiously to a right holder information sufficient to identify a subscriber whose account was allegedly used for infringement”.

However, on 4 July 2012, the European Parliament voted to reject ACTA. On 10 May 2012, the Commission referred the draft text to the Court of Justice of the European Union for an opinion as to its compatibility with EU law. After much public debate the Commission withdrew its reference in December 2012, leaving ACTA effectively defunct.

Data Privacy

Opponents of the Graduated Response assert that data privacy laws are violated by the activities of right holders in detecting infringements or of ISPs in responding to reports of infringement or applying technical measures to prevent them. This is a discussion about subsisting law, not the policy issue of whether data privacy or wire-tapping laws should apply to prevent what may or may not be socially worthwhile activities (see Policy).

The leading source of data privacy law is the European Union. EU data processing law subjects publicly available, non-confidential information to comprehensive restrictions on its processing. “Processing” is essentially any operation capable of being applied to data. The basic law of this regime is the Data Privacy Directive 1995/46/EC. The EU has successfully promoted its approach in other countries, prohibiting the transfer of data from EU to non-EU states which do not adopt comparable restrictions on the use of public data.

On 25 January 2012, the European Commission published new proposals for the EU data privacy regime. The proposed Regulation would extend the reach of EU law to processors of data outside the EU which monitor the behaviour of EU residents (Article 3(2)(b)).