CJEU - C‑470/21 - La Quadrature du Net and Others (Personal data and action to combat counterfeiting)

From GDPRhub
CJEU - C‑470/21 La Quadrature du Net and Others (Personal data and action to combat counterfeiting)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 15(1) Directive 2002/58
Article L331-21 Code de la Propriété intellectuelle
Decided: 30.04.2024
Parties: La Quadrature du Net
Fédération des fournisseurs d’accès à Internet associatifs
Fédération des fournisseurs d’accès à Internet associatifs
French Data Network
Case Number/Name: C‑470/21 La Quadrature du Net and Others (Personal data and action to combat counterfeiting)
European Case Law Identifier: ECLI:EU:C:2024:370
Reference from: CE (France)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: nzm

The CJEU held that a national law which authorises the general and indiscriminate retention of IP addresses in order to allow an authority to identify people who make protected works available to download on the Internet does not necessarily constitute an interference with fundamental rights.

English Summary

Facts

In order to protect works covered by copyright against their communication on the Internet without the authorization of the holder of the rights, France adopted Decree n. 2010-236, which introduced in particular, Article L. 331-21 in the French Intellectual Property Code (‘CPI’). This Article establishes that the High Authority for the dissemination of works and the protection of rights on the Internet (‘Hadopi’) may request the identity, postal address, email address and telephone number of a person who made protected works available to download on the Internet, from internet service providers. The purpose of this access is to enable Hadopi to initiate a procedure against the identified person, combining educational and punitive measures. In particular, the sending of a first and second recommendation and then a letter notifying them that that activity is liable to constitute gross negligence. The matter may be referred to the public prosecution service in the most serious cases.

Four associations, including La Quadrature du Net, sought the annulment of this Decree, claiming that Article L. 331-21 CPI was contrary to EU law, in particular Article 15 ePrivacy Directive and Articles 7, 8 and 11 of the Charter.

Regarding the alleged infringement of EU law, La Quadrature du Net submitted that this Article permits access to any connection data in a disproportionate manner for non-serious copyright offences committed on the Internet, without any prior review by a judge or an authority. In particular, they indicated that the offences did not fall within the scope of 'serious crime'.

First, the Conseil d’Etat pointed out that the CJEU held that Article 15(1) ePrivacy Directive does not preclude legislative measures which, for the purposes of safeguarding national security; combating crime and safeguarding public security, provide for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems (CJEU, 6 October 2020, La Quadrature du Net and Others).

Second, the Conseil d’Etat referred to CJEU case law in which the Court held that the access to the data retained should, as a general rule, be subject to a prior review carried out by a court or an administrative independent body. The Conseil d’Etat noted that Hadopi has issued over 12,7 million recommendations to subscribers under the procedure provided for in Article L. 331-25 of the CPI. Therefore, Hadopi have necessarily had to collect a considerable volume of data relating to the civil identity of the users concerned.

The Conseil d’Etat decided to stay the proceedings and referred three questions to the CJEU, which the Court considered appropriate to examine together. Therefore, the CJEU examined the following question:

  • Does Article 15(1) ePrivacy Directive preclude a national legislation which authorises a public authority to access data retained by providers of publicly available electronic communications services, relating to the civil identity associated with IP addresses in order to identify the holders of these addresses – which have been used for activities liable to constitute infringements – and may take measures against them, all this, without any prior review by a Court or an administrative body?

Holding

Preliminarily, the CJEU clarified that the questions raised by the Conseil d’Etat only concern the downstream processing. This processing takes place in two stages: (i) the IP addresses collected are matched with the holders of those addresses and (ii) a set of personal data and information relating to the holders, in particular their civil identity, is made available to the public authority (§55 and 58 of the Judgement).

The CJEU added that the collection of IP addresses, with certain quantitative limits and under certain conditions, with a view to their transmission to Hadopi for the purposes of their potential use in administrative or judicial proceedings to combat activities which infringe copyright related rights, constitutes ‘processing’ within the meaning of Article 4(2) GDPR (§62 of the Judgement).

Retention of data relating to civil identity and associated IP addresses by Internet service providers

The Court noted that although, formally, Hadopi is authorised to access only data relating to the civil identity associated with an IP address, the access first requires the Internet service providers to match the IP address with the civil identity data of the holder of that address. This presupposes that the providers have the IP addresses as well as the data relating to the identity of the holders of those addresses (§71 of the Judgement).

In particular, Hadopi seeks access to those data for the sole purpose of identifying the holder of an IP address which has been used for activities liable to infringe copyright or related rights, since they have made protected works available on the internet for downloading by others. The CJEU therefore considered that the data relating to civil identity must be regarded as being closely linked to the IP address and the information that Hadopi has concerning the work made available on the Internet (§72 of the Judgement).

According to the Court’s case-law, IP addresses constitute traffic data, but are distinct from other categories of traffic and location data. Thus, IP addresses do not, as such, disclose any information about third parties who were in contact with the person who made the communication, and are therefore less sensitive than other traffic data (CJEU, 6 October 2020, La Quadrature du Net and Others, §152).

Nonetheless, IP addresses may, when used to ‘track an internet user’s complete clickstream’ enable a detailed profile of the user to be produced. This does in fact constitute a serious interference with the fundamental rights of the Internet user enshrined in Articles 7 and 8 of the Charter (§78 of the Judgement). However, the CJEU considered that the general and indiscriminate retention of a set of static and dynamic IP addresses does not necessarily constitute, in every case, a serious interference with fundamental rights (§79 of the Judgement).

The CJEU found that a Member State which seeks to impose on providers of electronic communications services an obligation to retain IP addresses in a general and indiscriminate manner in order to combat criminal offences must ensure that it is not possible to draw conclusions about the private life of the person by combining the IP addresses with other data (§83 of the Judgement). Thus, there must be clear and precise rules relating to the retention agreements in such a case.

The CJEU added that the legislative framework must provide a retention period limit to what is strictly necessary. It must also ensure by means of clear and precise rules that the retention of data is subject to compliance with applicable substantive and procedural conditions. Finally, the persons concerned must have effective safeguards against the risk of abuse and any unlawful access to those data (§93 of the Judgement).

Access to data relating to the civil identity associated with an IP address retained by Internet service providers

It follows from the CJEU’s case law that, in the field of combating criminal offences, only the objectives of combating serious crime or preventing serious threats to public security justify the interference with fundamental rights entailed by access to a set of traffic or location data (CJEU, 2 March 2021, Prokuratuur, C-746/18, §35).

However, when the public authority’s access to data relating to civil identity cannot be associated with information on the communications made, the interference with fundamental rights is not serious. The CJEU considered that those data do not allow precise conclusions to be drawn concerning the private life of the person. Therefore, the access may be justified by an objective of prevention, investigation, detection and prosecution of criminal offences in general (CJEU, 2 October 2018, Ministerio Fiscal, C-207/16, §54, 57 and 60).

The CJEU found that in the present case, the national French legislation does not allow Hadopi to have access to a ‘set of traffic or location data’. Therefore, in principle, it cannot draw precise conclusions about the private lives of the persons concerned (§99 of the Judgement). The Court also held that the national legislation must lay down clear and precise rules which ensure that IP addresses retained can only be used to identify the person while precluding any use that allows the surveillance of that person’s online activity (§101 of the Judgement).

Furthermore, the CJEU noted that it cannot be ruled out that said access, combined with an analysis of even limited information on the content of the work made unlawfully available by the person, may reveal certain aspects of the private life of the person, including sensitive information (§110 of the Judgement). In the present case, the CJEU ruled that in view of the nature of the limited data and information made available to Hadopi, only in rare cases would they reveal potentially sensitive information which would allow the authority to draw precise conclusions about their private life (§111 of the Judgement).

Additionally, the CJEU considered that the interference with the privacy of the person suspected is not necessarily of a high degree of seriousness. Firstly, Hadopi’s access is restricted to a limited number of authorized and sworn officials. Secondly, the sole purpose of the access is to identify a person suspected of having engaged in an activity infringing copyright when the protected work has been unlawfully made available from that person’s internet connection. Thirdly, Hadopi’s access to the personal data is strictly limited to the data necessary for that purpose (§113 of the Judgement). Lastly, Hadopi officials who have access to the data are bound by an obligation of confidentiality which prohibits them from disclosing the data, except for the sole purpose of referring the matter to the public prosecution service (§114 of the Judgement).

The CJEU held that if the national legislation sets out clear and precise rules that do not allow the surveillance of the person’s online activity, e.g. Hadopi tracking the clickstream of a person via IP addresses, the authority’s access cannot be classified as a serious interference with their fundamental rights (§115 of the Judgement).

Prior review by a court or an independent administrative body of the access request

The CJEU held that in the present case, a prior review must take place before Hadopi can link the civil identity data of a person associated with an IP address obtained from a provider of electronic communications services, and the file relaying to the work made available on the Internet for downloading by others. The review must take place before sending a notification letter declaring that that person engaged in conduct liable to constitute gross negligence (§141 of the Judgement).

Moreover, the CJEU added that a prior review may in no case be automated since balancing the various legitimate interests and rights concerned requires human intervention.

Safeguards against abuse and unlawful access by the public authority to data relating to the civil identity associated with the IP address

The CJEU pointed out that the French Government confirmed that Hadopi’s access to data relating to civil identity is the result of essentially automated data processing (§154 of the Judgement).

The Court noted that such automated processing is likely to involve a certain number of false positives, and there is a risk that a significant amount of personal data may be misused by third parties. Therefore, it is important that under a legislative measure, the data processing system used is subject to a review by an independent body (§156 of the Judgement).

The CJEU also excluded the processing by Hadopi from the scope of the GDPR, as Article 2(2)(d) GDPR provides that the regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences (§160 of the Judgement). Therefore, the CJEU concluded that a national provision that authorises a public authority to access data relating to civil identity associated with IP addresses, retained by Internet service providers, in order to identify the holders of the addresses which have been used for activities liable to constitute infringements is compatible with Article 15 ePrivacy Directive. However, this legislation must ensure that:

  • The data does not allow precise conclusions to be drawn about the private life of the IP address holder, for example by establishing a detailed profile of the person. Therefore, an obligation must be imposed on Internet service providers to retain the various categories of data in a way that ensures a watertight separation of these different categories;
  • The public authority’s access to data serves exclusively to identify the person suspected of having committed the criminal offence;
  • The possibility of linking the data with the title of the protected work made available on the Internet is subject, in cases where the person repeats an activity infringing copyright, to review by a court or an administrative body;
  • The data processing system used by the public authority is subject to review to verify the integrity of the system.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!