It’s the summer of 2008 and the owner of a fairly new streaming site based in the north of England is on his way to a London hotel to meet a potential investor.
Two surveillance teams are already in place; one covertly video recording the meeting from a table in the restaurant, another monitoring the exits. After the meeting, the site owner returns to the north by train, a surveillance team in tow.
After getting off the train, a new surveillance team takes over and shadows the site owner home. No investment was forthcoming; the ‘investor’ was actually a private investigator working for copyright holders. A high-profile police raid followed just a month later, a lengthy prison sentence four years after that.
Piracy Investigations Take Place in ‘Real Life’
Fifteen years ago, covert piracy investigations were mostly the stuff of rumors and rarely documented in public. That the investigation detailed above was conducted by private companies, rather than the police, was controversial but not controversial enough to stop them.
Indeed, private companies conducting their own anti-piracy investigations today have the ability to peer into private lives as they go about protecting and enforcing their intellectual property rights. Since this necessarily involves the collection of personal data, companies like the Premier League sometimes disclose the type of information they collect as part of their privacy policies.
Documentation reveals that the Premier League collects and uses personal data about “individuals who have, might have or are likely to infringe the Premier League’s intellectual property rights.” Depending on the circumstances, that might also entail collecting personal data on others related to them.
Open Source Research, Third-Party Investigators
Given the wealth of information available online today covering billions of people, it’s no surprise that the Premier League leverages ‘open source’ data when defending its rights. The pool of information available online today is alarmingly deep and as long as there is a lawful basis to process personal data, companies are allowed to do so.
The Premier League’s ‘lawful basis’ for processing personal data mainly relies on its ‘legitimate interests’ when conducting anti-piracy investigations. This information spans the most basic of identifiers, such as a name, through to suspects’ leisure time activities.
Prime Data, Ripe for Collection
Being able to put a name to a suspected pirate is crucial in most investigations, but oftentimes it’s not the first piece of personal data to become available. Premier League says that it obtains names using open source research, “on-the-ground” investigations, and via discussions with potential defendants and other third parties. The same is true for contact details, such as email address and telephone numbers. IP addresses are also collected.
Other major pieces of information useful to an investigation include physical addresses, both residential and other premises. Open source research will play a roll but affiliates of infringers may also hand over location data, perfect for when the Premier League needs to hand over important paperwork regarding legal claims.
Affiliates and Social Media
While it’s not uncommon for pirates to operate in groups, any type of close affiliate risks having their information processed by the Premier League.
Friends, family and work colleagues may or may not be part of the scheme but to rule them in or out, the Premier League needs to “understand the relationship between them and who is liable, and to identify residential addresses for service of claims.”
Before identifying any colleagues, it’s possible the suspect’s job will have been scoped out in advance, but sequences of discovery aren’t determined in advance or set in stone. The goal here is to “establish level of involvement/extent of liability.”
Any photographs obtained from the internet, including those posted on social media, could help to “counter claims by individuals denying involvement, and to identify person to be served and prove personal service has occurred.”
Time to Get Personal
Other data that can be legally collected and processed include personal characteristics, such as physical descriptions of age, gender, height, stature, plus skin and hair colour. This information helps to “counter claims by individuals denying involvement, and to identify person to be served and prove personal service has occurred.”
Other categories include lifestyle data – hobbies, interests, and expenditures. This type of information can be useful in many ways but Premier League lists only two purposes for collection. “To ascertain ability to make payments in respect of infringements and the scale of an infringer’s operation.”
Finally, in a document dated 2020, the Premier League notes that in order to successfully operate an enforcement program, personal data needs to be shared with third parties including its legal advisors, investigators (including anti-piracy companies Friend MTS and Irdeto), industry enforcement operators (FACT) and law enforcement authorities (Trading Standards and the Police).
Some involved in piracy have tried to challenge the collection, processing and/or use of this type of data. At least as far as we know, most (if not all) attempts were completely unsuccessful.