March 19, 2024

FOIA: When the Exemptions Swallow the Rule

I’ve been researching and writing over the last few years on privately ordered—what the government calls “non-regulatory”—approaches to online IP enforcement. The gist of this approach is that members of trade groups representing different types of online intermediaries (broadband providers, payment processors, ad networks, online pharmacies) agree in private contracts or less formal “voluntary best practices” documents to sanction or cut services to alleged IP infringers. I put quotes around “non-regulatory” not only because that’s the government’s word, but because the descriptor masks the fact that the government, at the behest of corporate rights owners, leans heavily on targeted intermediaries to negotiate and accept these agreements, all the while holding the threat of regulation over their heads. It has proven to be a very effective strategy. Many of the website blocking provisions in SOPA, which so memorably went down in flames of public outrage, have subsequently been implemented through these agreements, which belong to a broad category of regulatory practices that governance scholars call soft law.

Soft law arrangements between corporate rights owners and online intermediaries raise lots of concerns about due process and First Amendment rights, because such arrangements generally don’t provide for any neutral adjudication of accusations of infringement. (The “six strikes” protocol for deterring unlawful P2P file-sharing, about which you can read more here, is a notable exception.) Moreover, there is no occasion for judicial scrutiny of the constitutional issues arising from these private arrangements, because there is no state action to trigger review. The arrangements have the effect of public law, insofar as they impact millions of members of the public, but without accountability to the public.

The way most of these arrangements work is as follows: A corporate rights owner makes an accusation of infringement or counterfeiting to a participating online intermediary. The complaint triggers some form of investigation internal to the intermediary.  Following the investigation, a sanction is imposed if the accused website operator cannot prove his or her innocence to the intermediary’s satisfaction. The sanction can be as severe as termination of service by the participating intermediary. Unlike in a civil court case, where the burden of proof is on the complainant, the burden under these protocols is on the accused to prove that she is not an infringer.

My current work in this area focuses on a code of voluntary best practices adopted by payment processors like Visa, MasterCard, and PayPal. The document is referenced multiple times in the Office of the Intellectual Property Enforcement Coordinator’s 2013 Joint Strategic Plan. In connection with my research, I asked a librarian with whom I work to submit a FOIA request to IPEC. I was curious to know the nature and extent of IPEC’s role as a midwife for these private enforcement arrangements. The request submitted was for “any documents pertaining to the development or drafting of a code of voluntary best practices for payment processors or intermediaries with respect to online transactions.”

IPEC recently responded to the request. It said that it had located 60 relevant documents, including the four-page best practices document. It refused, however, to produce any of the responsive documents, citing Exemptions 4 and 5 of FOIA. Exemption 4 is basically for trade secrets entrusted to the government by third parties. Exemption 5 covers documents relating to the “deliberative process” of an agency engaged in rule-making. Given IPEC’s own claim that the voluntary best practices approach is non-regulatory, it seems highly questionable for IPEC to have invoked the deliberative process privilege. This is particularly true in light of President Obama’s directive to agency heads that a presumption of disclosure should apply to all decisions involving FOIA.

I was ultimately able to get the four-page best practices document from the International Anti-Counterfeiting Coalition (IACC), which operates as the point of intake for complaints by corporate rights owners. Given that the document is a collection of industry-embraced “best practices” that applies to every website operator that accepts third-party payments, it should be openly available. And IPEC’s role in its development should be a matter of public record.