The European Court of Justice (EUCJ) establishes a three-step test to allow the processing of IP addresses in case of copyright infringement
The European Court of Justice (“EUCJ”) with its judgment of 17 June 2021 in the Microm case (In Case C‑597/19 which can be found here) has ruled once again on the permissibility under the General Data protection Regulation (“GDPR”) of an enforcement practice which is widely used by copyright holders in order to identify online infringers of their protected works.
Two different types of personal data processing
In order to seek compensation of damages from infringers of copyrighted content perpetrated online by way of dissemination of it through P2P sharing software, right-holders, as Microm in the commented case, typically seek to carry out two different types of personal data processing and namely:
- one upstream, performed on behalf of the right-holder, in the context of peer-to-peer networks, consisting of the recording of the IP addresses of users whose internet connections were used for the uploading of protected works on those networks. To this effect, third parties’ software designed to record such IP addresses are used;
- one downstream which the right-holders demand of the providers of electronic communication services, consisting, first, of the identification of those users by means of a match between the IP addresses recorded for the right holder and those which the communication service provided had allocated to those users for the purpose of carrying out that uploading and, second, of the communication to the right-holder of the names and postal addresses of the same users.
No doubt that IP addresses, even dynamic, qualify as personal data, to the extent that the communication service provider is able, as was in the Microm case, to match IP addresses and individual users.
The legal issue addressed by the EUCJ
The referring court of Antwerp in the main proceedings, on the basis on Microm’s demand to have the internet service provider disclose the identity of the users with whom IP addresses could be associated, in essence asked the EUCJ to determine whether, in circumstances such as those above described, point (f) of the first subparagraph of Article 6(1) of the GDPR must be interpreted as precluding the second downstream processing, even though that request satisfies the conditions laid down in Directive 2004/48 (the so-called “Enforcement Directive”). This Directive in particular vests in IP right-holders the right to request and obtain from third parties information on those responsible of IP right infringement, when such a request is proportionate, justified and not abusive.
The relevant provision of the GDPR
The provision of the GDPR that is of relevance, point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679, concerns the “legitimate interest” as a legitimate ground for personal data processing. Legitimate interest provides a valid ground for processing provided that such processing is necessary for the pursuit of such an interest and provided further that no processing may in any event occur, when such legitimate interest is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. In other words, the law calls for a balancing of interests and rights exercise, because there are instances in which the interests and fundamental rights and freedoms of data subjects do take precedence, even when processing may in abstract terms be necessary under the legitimate interest ground.
The court’s findings
The EUCJ in its judgment has determined that:
- the interest of the controller or of a third party in obtaining the personal information of a person who allegedly damaged their property in order to sue that person for damages can be qualified as a legitimate interest for GDPR purposes. This statement is consistent with settled case-law;
- the identification of the owner of an Internet connection is often possible only on the basis of the IP address and the information provided by the internet service provider. Therefore the “necessity” requirement under art. 6.1(f) of the GDPR may also be considered satisfied;
- The balancing of rights must be performed on the basis of the specific circumstances of the case. Yet as IP addresses also constitute “traffic data” under the E-privacy Directive (Directive 2002/58), the specific interests pursued for the protection of privacy in the context of electronic communications should also be taken into account. To this end, the following should be considered:
- The protection of confidentiality of electronic communications is set out in article 15 of the E-privacy Directive, as a fundamental right, which can only be restricted by means of legislative measures, where that restriction respects the essence of the freedoms and the fundamental rights and that it constitutes a necessary and proportionate measure in a democratic society to ensure, in particular, the protection of the rights and freedoms of others and the enforcement of civil law claims;
- While the Court, for want of enough factual details, has been unable to provide precise guidance as to the application of this principle to the upstream processing (i.e. collection of “anonymous” IP addresses upstream), the same Court has however provided some more guidance with respect to the downstream processing (i.e. the disclosure of the users’ identity by the electronic communication service provider). In essence, the EUCJ has not excluded per se the compatibility of the disclosure of the identity of IP addresses’ users with the principle of the E-privacy Directive and the GDPR, because it would not disclose the content of the communication nor information about the addressee of such communication. At the same time, the EUCJ has stated that a three-step analysis must be performed in order to consider the IP addresses related personal data processing lawful under the GDPR. Namely such analysis is to ascertain whether:
- i) there are applicable legislative measures, within the meaning of Article 15(1) of Directive 2002/58, which limit the scope of the rules laid down in Articles 5 (concerning confidentiality of communications) and 6 (concerning the retention of traffic data) of the same Directive. In this connection, the Court has recalled that restrictive legal measures could be justified under art. 15 of the E-privacy Directive, also to ensure, in particular, the protection of the rights and freedoms of others and the enforcement of civil law claims, as would be the case for the prosecution of copyright infringement
- ii) it is apparent that the right-holder legal standing to bring proceedings and
iii) the right-holder’s request for information is justified, proportionate and not abusive under the meaning of the Enforcement Directive 2004/48.
The European Supreme Court has made it clear that it is would not be per se an incompatible measure with the fundamental principles of a democratic society to allow the recording of IP addresses and the subsequent disclosure of the identity of those addresses’ users, when such acts are instrumental to the enforcement of civil law claims and provided that there is a legislative measures allowing such disclosure and recording. At the same time, the EUCJ has made it clear that neither the general IP Enforcement Directive (2004/48), nor the provisions of the GDPR provide for such a legislative measures, which must be looked for in the legal framework of the individual member States. Should in any event any such legislative measures exist, then, if the right-holder has standing to bring a claim, another filter is requested, that of making sure the request is proportionate and justified. In Italy there is no legislative measures specifically dealing with the registration and disclosure of IP addresses, therefore unfettered harvesting of IP addresses of users suspected of IP rights infringement should not be permissible.