Monday, November 21, 2011

Will the ECJ stymie attempts to identify internet users?

PHILIPS SHP1900 Headphones

This time last year I blogged about Bonnier Audio v. Perfect Communication, the Swedish case which questioned whether data retained under the Data Retention Directive could be used in litigation to identify users accused of infringing copyright. In that case five audiobook companies brought an action against Perfect Communication, an ISP, seeking the details of a user who was said to be sharing many popular audiobooks. The ISP, however, resisted the application and argued (in essence) that data retained under the Data Retention Directive could only be used for the purposes of that Directive and not for unrelated purposes such as civil litigation. In a preliminary reference, the Swedish court asked the ECJ the following questions:
* Whether the Data Retention Directive prevents the application of a national rule based on the EU IP Rights Enforcement Directive (2004/48/EC), which provides that an ISP in a civil case can be ordered to provide a copyright owner or a rights holder with information on which subscriber holds a specific IP address assigned by the ISP, from which address the infringement is alleged to have taken place.

* Whether the answer to the first question is affected by the fact that the state has not yet implemented the Data Retention Directive, although the deadline for implementation has passed.
As I said at the time, this has the potential to be a very important case - one in which a ruling against the copyright plaintiffs might well force a revision of the entire approach which Irish and English law takes to identifying internet users. I am surprised therefore that there hasn't yet been much reaction to the Advocate General's opinion, issued last Thursday, which comes down largely on the side of the ISP.

While there's no official English translation yet, the key part of the decision appears to be in paragraphs 60-62 which build on Promusicae to hold that (irrespective of the Data Retention Directive) the disclosure of information about internet users in civil proceedings is only permissible in accordance with the provisions of Article 15 of the e-Privacy Directive - that is, only where there are "legislative measures" in place which are "necessary, appropriate and proportionate... within a democratic society". Pending the official translation, the following is an auto-translated version, tidied up slightly by myself:
60. EU law requires that before the disclosure of personal data is possible, a retention obligation must be provided for by national legislation which sets out the categories of data to be kept, the purpose for which it may be kept, the retention period and those who can access the data. It would contradict the rules governing personal data protection principles to draw on data sets that have been collected for purposes other than those set by the legislature.

61. Therefore, for the preservation and transmission of personal data to be consistent with Article 15 of Directive 2002/58, in a situation such as that described in the main proceedings, national legislation should include, at advance and in detail, the limitations on the scope of rights and obligations under Articles 5, 6, 8, paragraphs 1 to 4, and 9 of the Directive (20). A limitation so established must be a necessary, appropriate and proportionate. However, a disclosure obligation, imposed on Internet service provider and relating to personal data kept for another purpose, is not sufficient to meet these requirements.

62. In conclusion, it should be noted that the human rights protection of personal data and privacy on the one hand, as well as protection of intellectual property on the other, shall enjoy equal protection. There is no reason to favor the owners of intellectual property rights by allowing them to use personal data that have been lawfully obtained or retained for purposes unrelated to the protection of their rights. The collection and use such data for such purposes in compliance with EU law on the protection of personal data would require the prior adoption by the national legislature, of detailed provisions, in accordance with Article 15 of Directive 2002/58. (Emphasis added.)
The Advocate General's approach, if followed by the ECJ, will undoubtedly be extremely significant on a number of fronts. From my perspective, the most significant aspect would be the requirement that identification of users requires "legislative measures". Under the existing Norwich Pharmacal jurisdiction as applied to the internet in Ireland (EMI v. Eircom) and England and Wales (Totalise v. Motley Fool) there are no such legislative measures - instead the courts are relying on an inherent equitable jurisdiction which has been developed through caselaw. This would be thrown into disarray by the Bonnier Audio reasoning. Some litigants might not be too badly affected - for example, many intellectual property litigants could fall back on their rights under the various implementations of the IPR Enforcement Directive (e.g. SI 360/2006 in Ireland) - but this result would be fatal to other cases such as online defamation claims. (One example being the current litigation against RateYourSolicitor.)

I'll be watching with interest to see whether the ECJ follows the AG's opinion - if it does, expect the cat to be put among the pigeons at national level.


  1. Missed it myself- but thanks for pithy analysis!

  2. I completely agree. Its really significant, though it doesn't go quite as far as I argued in the Digital Economy Act judicial review. I am afraid I'm waiting for the CJEU to speak before getting very excited.