ACS Law, Party Babes and the Information Commissioner: Here’s What’s Happening

ACS Law is a London based law firm specializing in file-sharing infringement cases. The firm’s practice includes acting for copyright holders, whom the firm advises on legal action against individuals allegedly guilty of unlicensed file sharing.

ACS Claim Process

Typically, the story begins with an individual receiving a letter from ACS Law alleging that a file (usually pornographic, the cases we have seen refer to “Party Babes”) belonging to ACS’ client has been illegally downloaded. ACS’ letter states that ACS has used a court order to oblige the relevant ISP to reveal the IP address to which the file was downloaded. The letter then identifies the individual as the owner of the IP address, claims that the owner has infringed ACS Law’s client’s copyright and points out the legal consequences. Letters that we have seen and advised upon contain a settlement offer, whereby in return for a sum (typically around £495) ACS’ client will drop the claim.

ACS has allegedly sent claim letters to thousands of people. Concerns have been raised that many individuals may be mistakenly accused, particularly given the fact that ACS’ case typically relies on identifying an individual via an IP address. An IP address may be used by someone other than the individual to whom the IP address relates, either by someone using the individual’s computer, or by third party access to the IP address via an unsecured wifi connection or a virus. Websites have been set up to offer assistance to genuinely innocent individuals, such as http://beingthreatened.yolasite.com/.

Concerns have grown into outcry on numerous sites and forums, with ACS Law apparently being scrutinized by the Solicitors Regulation Authority. Concerns turned into a full blown attack on ACS Law when hackers obtained details from ACS’ website of over 5,300 individuals the firm was pursuing for unlicensed filesharing.

Data Breach

The disclosure of the details of the individuals’ data, if it contained personal data, would potentially be a breach by ACS of UK data protection legislation: the Seventh Principle of the Data Protection Act 1998 requires that “appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data”.

The UK’s data protection watchdog, the Information Commissioner, has already expressed his concern about the situation (see interview here), and will want to establish whether ACS had put in place appropriate measures to prevent such disclosure. The Information Commissioner has the power to fine any organisation who breaches the data protection laws up to £500,000. The gravity of this situation, including in particular details of pornography allegedly downloaded by the individuals whose data has been disclosed, means that the ICO will take a particular interest in this case.

Defence

Ultimately, ACS may rely on an argument that the law firm had done everything appropriate and that even the best IT defence can’t protect against a determined hacker. This would be ironic, since many of the denials received by ACS from alleged file infringers rely on exactly the same defence.

By Rory Campbell