Advocate General of the Court of Justice of the European Union (CJEU) Maciej Szpunar considers that a national authority should be able to access civil identity data linked to internet protocol addresses – IP addresses – where such data is the only method of investigation to identify the holders of those addresses suspected of infringing intellectual property rights.
In its view, such a proposal fully meets the requirement of proportionality and respects the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union.
These are its main conclusions on case C-470/21 (personal data and the fight against infringement of intellectual property rights), which it has submitted to the Luxembourg-based Court today.
The role of the Advocates General of the CJEU is to provide a neutral legal opinion, in the form of a conclusion, which may assist the court in the case, which will now begin its deliberations on the case.
They are not binding, although the courts of this European judicial body tend to follow them in 67% of cases.
The figure of Advocate General does not exist in the Spanish legal system. It originated in French law and was originally adopted by the CJEU.
The CJEU has a total of ten Advocates General, the head of which is Szpunar, a Pole.
THE CASE UNDER CONSIDERATION
The question of the retention of certain internet user data and access to such data is a constantly topical issue and is the subject of recent but already abundant case law of the CJEU.
Four associations defending Internet rights and freedoms (La Quadrature du Net, Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net and French Data Network) have brought an action before the French Council of State – Conseil d’État – for annulment of the tacit decision by which the Prime Minister refused their request for the repeal of a decree. In order to protect certain intellectual works on the internet, automated processing of personal data has been introduced.
The purpose of this processing is to address to individuals the warning provided for in the Intellectual Property Code, the aim of which is to combat the infringement described as “serious negligence” whereby a person fails to prevent his or her access to the Internet from being used to commit acts that infringe intellectual property rights. The recommendations sent to the subscribers concerned are issued under the so-called ‘graduated response’ procedure.
These associations argue that this decree authorises access to connection data in a disproportionate manner for copyright infringements committed on the internet and which are not serious, without prior control by a judge or an authority offering guarantees of independence and impartiality, as advocated by the case-law of the CJEU.
The French Council of State has noted that, in order to issue such recommendations, the agents of the High Authority for the Dissemination of Works and the Protection of Rights on the Internet (Hadopi) collect each year a considerable amount of data relating to the civil identity of the users concerned.
Given the volume of these recommendations, subjecting this collection to prior checking could make it impossible to implement them.
He therefore asked the CJEU about the scope of such a prior check and whether civil identity data corresponding to an IP address are subject to such a check.
“Are civil identity data corresponding to an IP address among the traffic or location data subject, in principle, to the obligation of prior checking by a court or an independent administrative body with binding powers,” he asked the CJEU in July 2021 in the questions referred for a preliminary ruling.
In the event of an affirmative answer to the first question, “in view of the limited sensitivity of data relating to the civil identity of users, including their contact details”, it asked whether Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector should be interpreted in the light of the Charter of Fundamental Rights of the European Union, “as precluding national legislation which provides for the collection of such data corresponding to the IP address of users by an administrative authority, without prior control by a court or an independent administrative body with binding powers”.
First Advocate General Maciej Szpunar considers that EU law must be interpreted as not precluding measures providing for the general and undifferentiated retention of IP addresses attributed to the origin of a connection for a period of time limited to the strict minimum necessary to ensure the prevention, investigation, detection and prosecution of online crimes in respect of which the IP address constitutes the sole method of investigation for identifying the person to whom that address was attributed at the time when the crime was committed.
In so doing, he proposes to the CJEU a certain adaptation of the case-law relating to national measures for the retention of IP addresses interpreted in the light of EU law, without, however, calling into question the requirement of proportionality imposed on the retention of data, given the serious nature of the interference it entails with the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union.
Szpunar adds that Hadopi’s access to civil identity data linked to an IP address also appears to be justified by the public interest objective for which such retention was imposed on providers of electronic communications services, so that access to such data should be made possible in order to pursue the same objective, unless general impunity for offences committed exclusively online is accepted.
In his view, EU law does not require prior control of Hadopi’s access to civil identity data linked to users’ IP addresses by a court or an independent administrative body.
There are two reasons for this
First, as it explains, Hadopi’s access is limited to linking civil identity data to the IP address used and the file consulted at a given time, without enabling the competent authorities to reconstruct the online browsing sequence of the user concerned or, consequently, to draw precise conclusions about his private life beyond knowledge of the specific file consulted at the time of the infringement.
Moreover, he points out that Hadopi’s access to civil identity data linked to IP addresses is strictly limited to what is necessary to achieve the objective pursued, namely to enable the prevention, investigation, discovery and prosecution of online offences in respect of which the IP address constitutes the sole method of investigation for identifying the person to whom that address was attributed at the time when that offence was committed, an objective which is the purpose of the graduated response mechanism.
Finally, Szpunar points out that the graduated response procedure remains subject to the provisions of Directive (EU) 2016/680, so that the natural persons targeted by Hadopi enjoy a set of material and procedural safeguards.
In the coming days, the Court of Justice of the European Union will deliver its judgment.
It does not settle the national dispute, it is for the national court to do so in accordance with the CJEU’s decision. And the judgment of the Court of Justice of the EU will also bind other national courts dealing with a similar problem.