The fight against online counterfeiting requires access to data that can identify individuals in counterfeiting activities. However, this must be balanced with protecting individual privacy and adhering to legal standards. This blog analyzes La Quadrature du Net and Others (C-470/21) , which set the legal requirements that ensure public authorities can access civil identity data linked to IP addresses lawfully and proportionately.
The CJEU examines whether Article 15(1) of e-Privacy Directive, which allows national legislation to authorize a public authority to access civil identity data linked to IP addresses, prevents national legislation from authorizing such access.
IP addresses are considered both traffic data under e-Privacy Directive and personal data under GDPR. The collection of IP addresses by right holder agents is not covered by e-Privacy Directive but must comply with GDPR. Downstream processing by telecommunication service providers falls under e-Privacy Directive as it involves providing electronic communication services.
This case involves two data processing stages by Hadopi, an independent public authority responsible for safeguarding copyrighted works and related rights from online infringements. The case focuses on the downstream processing of data, not the initial collection of IP addresses by right holder agents.
General and indiscriminate retention of IP addresses for general criminal offences by electronic communication services: Less sensitive but only possible with safeguards
The CJEU highlighted that the storage of IP addresses by electronic communications service providers is regarded as less sensitive than other traffic data, yet it still constitutes an less serious interference with fundamental rights, taking into account the following factors. It is imperative for national laws to unambiguously establish the terms for retaining data, guaranteeing that each type of information is stored separately and in a secure manner. Access to linked data requires an efficient technical procedure that ensures the division is maintained, and a public authority must periodically assess the dependability of this division. If the legislation of a Member State fulfils these stringent criteria, the retention of IP addresses for the purpose of combating criminal offences can be deemed justifiable, as long as the retention period is restricted to the absolute minimum required and measures are implemented to prevent misuse and unauthorised access.
The CJEU sets the requirements for public authorities to access
data linked to an IP address to a civil identity retained by
electronic communications providers for combating criminal
offenses. Access can only be justified by objectives of combating
serious crime or preventing serious threats to public security due
to significant interference with fundamental rights under Articles
7 (right to privacy), 8 (right to data protection), and 11 (freedom
of expression and information) of the Charter. However, if the data cannot be
associated with the communications made, thus not allowing precise
conclusions about private life, the access may be justified for
general criminal offenses.
The retention of IP addresses must adhere to specific criteria: it
should only preserve data that is essential for marketing, billing,
or value-added services, and it must be both necessary and
proportionate. The legislative measure must guarantee a strict
segregation of data categories to avoid drawing accurate inferences
about an individual's personal life. It is imperative for
national laws to unambiguously establish the rules regarding the
retention of IP addresses, with the specific purpose of using them
solely for identifying individuals suspected of copyright or
related rights infringement. The access should be restricted to
specific data and should not permit monitoring of the
individual's online activities.
Data access by Hadopi for civil identity of possible infringers of IP rights: Possible with strict safeguards
Hadopi, the public authority in question, only accesses civil
identity data to identify the holder of an IP address used for
unlawful activities, not to monitor online activity of the holder
of IP address. The legislation must ensure that officials who
access this data maintain confidentiality, not disclosing
information or using it for other purposes. The access to civil
identity data associated with IP addresses must also align with the
principles established in the case-law concerning the 'right of
information' in intellectual property infringement cases (see
Promusicae, C‑275/06), balancing the
protection of privacy and the need for effective criminal
investigation.
The French Government has verified that the retrieval of civil
identity data is predominantly automated as a result of the
extensive number of fraudulent cases identified on peer-to-peer
networks. The main task of Hadopi officials is to verify if the
reports include all the necessary information. This process is then
supplemented by reviews conducted by individuals to guarantee
accuracy and compliance with legal standards. To mitigate the
potential risks of false positives and unauthorised use of personal
data by external entities, it is imperative that Hadopi's data
processing system undergoes periodic independent evaluations. These
evaluations are crucial to ensure the system's reliability and
effectiveness in preventing abuse and unlawful access, as well as
in accurately identifying repeated offences that may involve gross
negligence or counterfeiting.
The CJEU decided that the processing of personal data by Hadopi
must comply with Law Enforcement Directive (2016/680) (LED
Directive), which sets out the safeguards for protecting
individuals concerning the processing of personal data by competent
authorities for law enforcement purposes. This is because Hadopi is
recognized as a public authority involved in preventing,
investigating, detecting, or prosecuting criminal offenses
according to Article 2(1) of the LED Directive.
Individuals involved in the graduated response procedure must
enjoy substantive and procedural safeguards, including rights of
access, rectification, and erasure of their personal data processed
by Hadopi. They should also have the possibility of lodging
complaints with an independent supervisory authority and seeking
judicial remedies where appropriate.
Hadopi's access to civil identity data must be strictly
limited to identifying individuals suspected of copyright
infringement, with the use of such data being targeted and limited
to necessary information to avoid undue intrusion into individual
privacy. These safeguards aim to balance the need for combating
online counterfeiting offenses with the protection of individual
privacy rights, ensuring that access to personal data is justified,
proportionate.
Conclusion
Ultimately, the CJEU ruling in the case of La Quadrature du Net and Others (C-470/21) underscores the significance of striking a delicate equilibrium between safeguarding personal data and implementing strategies to combat online counterfeiting. The court underscores the importance of ensuring that access to civil identity data associated with IP addresses is both legal and proportionate, and that robust measures are in place to safeguard individual privacy. If national legislation satisfies stricter criteria, such as clearly defining retention protocols and implementing safeguards against abuse and unlawful access, the retention of IP addresses for combating criminal offences can be justified. Public authorities, such as Hadopi, have the ability to access civil identity data. However, they are required to maintain confidentiality, comply with legal standards, and undergo periodic independent evaluations to ensure the reliability and efficiency of their data processing systems. Those participating in the process should have access to substantial and procedural protections, including the rights to view, correct, and delete their personal information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.