As the reach of the Internet expands, governments increasingly seek to introduce initiatives aimed at controlling individuals' online activity. One such initiative, aimed, inter alia, at introducing enhanced online copyright enforcement standards, is the Anti-Counterfeiting Trade Agreement (ACTA). The paper analyses a possible effect of Art. 27(3) of the agreement on the data protection and privacy rights, as spelled out in the EU legal order. Firstly, the EU legal framework on Internet surveillance for copyright enforcement will be addressed. Next, the principles and safeguards applicable to data processing in the context of communications surveillance will be illustrated with reference to the jurisprudence of the European Court of Human Rights. It will be argued that ACTA, if interpreted broadly and implemented without safeguards, would provide an incentive for graduated response systems, which, as it will be shown on the example of the French graduated response, may trump privacy rights on a massive scale.