Copyright and data protection

Anti-piracy activities run by copyright holders or specialised bodies established by right- holders aim at gathering evidence of alleged infringements and obtaining disclosure of the identity of supposedly infringing users. These activities entail the monitoring of electronic communications (which might extend to inspection of the contents of such communications by means of ‘deep packet inspection’ technologies) and enable the collection and storage of Internet Protocol (IP) addresses of alleged infringers. Collecting such addresses, processing them and identifying the individuals acting behind each IP address gives rise to a form of personal data processing.130 _{EU data protection law makes these activities subject to} restrictions such as the obligation to collect personal data only for specified, explicit and legitimate purposes and to processing such data in a way that is proportionate to the objective pursued.131

In Promusicae v. Telefonica the CJEU acknowledged that copyright enforcement is a legitimate purpose to justify the treatment of personal data. However, such treatment must be proportionate in order to ensure a balance in the enforcement of conflicting fundamental rights.132 _{Privacy-related problems also emerge under so-called ‘three-strikes’ laws, where} ISPs have to process IP addresses, identify infringing users, and store and monitor infringers’ data. As a consequence of the necessity to strike a balance between copyright and privacy protection, a systematic collection and identification of users’ IP addresses and analysis of all content they exchanged is likely to be found disproportionate, whereas a request by right- holders to obtain a specific set of data through judicial proceedings would comply with the above-mentioned principle.

127 _{Joined Cases C-236/08 and C-238-08 Google France & Google v. Louis Vuitton and Others, par. 114-120;} C-324/09 L’Oréal v. eBay International (2011), par. 113.

128 _{See L’Oréal v. eBay International, par. 114-116.} 129 _{See Google France & Google v. Louis Vuitton, par. 117.}

130 _{As acknowledged by the CJEU in Scarlet Extended v. SABAM, par. 51, user IP addresses should be} treated as personal data under EU law since these data allow users to be identified precisely.

131 _{See Article 6 of Directive 95/46/EC of the European Parliament and of the Council of 24 October} 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L281/31.

Additional problems might arise when ISPs are requested to disclose the identity of supposedly infringing users of their networks. The fact that ISPs can technically identify users does not allow them to give copyright owners direct access to user personal data. The e- Privacy Directive regulates access to users’ confidential information in the context of electronic communications and their retention and processing.133 _{This Directive allows} disclosure of personal data only under the exceptional circumstances spelt out under Article 15(1).134 _{The CJEU in Promusicae v. Telefonica clarified that the only obligation created under} EU law for the Member States and national courts is that of interpreting and transposing the relevant EU Directives in order to ensure a fair balance between the various fundamental rights and a principle of proportionality in the enforcement of these rights. The CJEU interpreted this provision as not obliging Member States to force under their laws ISPs to disclose user personal data in order to enable an effective protection of copyright through civil proceedings.135

Promusicae v. Telefonica clearly evidenced the need for better coordination at EU level between data protection and online copyright enforcement. The absence of a uniform interface between these two bodies of law has inevitably made it possible that, in certain EU countries, the protection of user privacy systematically prevails over requests for injunctions aimed at disclosing the identity of large-scale infringers of copyright. Here a lack of coordination between intellectual property law and data protection law is apparent, if one considers that the right to information ex Article 8 of the IPRED would allow the disclosure of the identity of Internet users found in possession of infringing goods on a

133 _{See Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002} concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L201/37 (referred to as ‘e-Privacy Directive’) which ensures confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, Article 5 provides that Member States shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1) of the same Directive.

134 _{The e-Privacy Directive (Article 15) allows Member States to adopt legislative measures to restrict} user privacy rights when such restrictions constitute a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.

135 _{In the decision, the CJEU interpreted the exceptions to user privacy rights broadly, emphasising a} reference that the e-Privacy Directive makes to the 1995 Data Protection Directive. According to such reference, Member States are given the option to restrict user privacy rights also in situations that may give rise to civil proceedings, in particular when the processing of personal data is necessary, inter alia, ‘…for the protection of rights and freedoms of others…’ See Promusicae v. Telefonica, par. 52. Article 13(1)(g) of the 1995 Data Protection Directive provides that Member States are allowed to restrict the right to privacy in relation to the processing of personal data where the restriction is necessary for ‘…the protection of the data subject and of the rights and freedoms of others…’ The CJEU concluded that, due to this reference, the two Directives should be interpreted as expressing the intention of EU lawmakers not to exclude from their scope the protection of the right to intellectual property or situations in which copyright holders seek to obtain protection through civil proceedings. See

commercial scale or providing services used in infringing activities.136 _{However, IPRED} requires that such right should apply without prejudice to other EU law provisions which “…govern the protection of confidentiality of information sources or the processing of personal data”, which includes IPRED and the harmonisation-related problem this Directive creates in the context of civil proceedings (Article 8(3)(e)).