European Court: Governments May Require ISPs To Disclose Data On Suspected Pirates

By Dugie Standeford for Intellectual Property Watch
The European Court of Justice (ECJ) avoided a potential upheaval in copyright enforcement by ruling on 29 January that governments can, but are not required to, order Internet service providers (ISPs) to disclose personal data about subscribers suspected of online piracy, according to Hogan & Hartson Paris attorney Winston Maxwell.

The ruling, though founded on European Union law, could influence other courts seeking to balance privacy and property rights online, said Cedric Manara, a law professor at the EDHEC Business School in Nice, France.

The case, which has been closely watched by the content industry and ISPs, arose when Spanish music producers group Promusicae sought a court order requiring telecommunications provider Telefonica to disclose the identities and addresses of several subscribers whose Internet Protocol addresses and connection dates and times were known, the ECJ said. Promusicae claimed the users were downloading music tracks illegally on the Kazaa peer-to-peer network and wanted their contact information in order to bring civil proceedings against them, the court said.

When the Spanish court granted the request, Telefonica appealed, saying Spanish law allows ISPs to reveal personal data only in criminal investigations or for public safety or national defence purposes. The court then sought a ruling from the ECJ on whether European Community law mandates that member states, in order to ensure effective copyright protection, require ISPs to provide personal data in the context of civil cases.

The ECJ analysed EU privacy, e-commerce, IP enforcement and copyright laws, holding that they allow, but do not require, member states to mandate that ISPs disclose personal data in civil proceedings. Governments must ensure that property and privacy rights are fairly balanced, the court said, and that whatever laws they enact are not in conflict with other general principles of Community law.

In an earlier, advisory opinion, ECJ Advocate General Juliane Kokott said ISPs could only turn over Internet Protocol addresses in the course of criminal proceedings, Maxwell said. Many feared that if the court agreed with her, the decision would “put an end to civil copyright enforcement actions, as well as proposals like those made recently by the Olivennes Commission in France to create a ‘graduated response’ regime for online copyright infringement,” he said.

The ECJ agreed with Kokott that the communication of names and addresses corresponding to Internet Protocol addresses amounted to the processing of “traffic data” covered by the directive on processing of personal data and the protection of privacy in the electronic communications sector (Directive 2002/58/EC), Maxwell said. The measure allows ISPs to use traffic data in limited circumstances to market value-added services to customers but not to transmit it to third parties. However, an exception to that principle permits ISPs to give third parties personal data to ensure network or national security or in criminal proceedings, he said.

That same article, however, contains a loophole which the court seized on, Maxwell said – a provision in the older data protection directive (Directive 95/46/EC) which refers to limitations on confidentiality of data which are needed to protect others’ rights and freedoms. Copyright protection is equivalent to protecting such rights and freedoms, the court said, so handing over traffic data to authorised persons in connection with copyright protection is permitted, even in civil matters.

The ECJ “was able to stop a free-fall by grabbing onto the rather thin Article 13(1) branch,” Maxwell said. Its decision “has given a green light to national laws that require ISPs to communicate the names of their subscribers to third parties,” an outcome in line with the Copyright Enforcement Directive, he said.

Although the case centres on Spanish legislation, the ECJ decision could “inspire or influence” courts elsewhere, said Manara. “The ‘privacy vs. IP’ issue is a universal one in the digital era,” he said.

The decision sends a clear signal that EU countries must strike the right balance between IP and privacy, said the International Federation for the Phonographic Industry. It means that music rights owners can still act to enforce their rights and that member states cannot ignore IP rights, said IFPI Chairman John Kennedy.

The ruling reaffirms the principle established by the e-commerce, copyright and data protection directives that ISPs are intermediaries, said a spokesman for the European Telecommunications Network Operators’ Association. ISPs will continue their efforts to fight online piracy within the existing legal framework, he said, but the best way to stop illegal downloads is to make more legitimate online content offerings available.

Dugie Standeford may be reached at info@ip-watch.ch.