The well-known World Data Protection Law Report has asked me write a short article about the OCoJ’s Promusicae decision. You will find the article, which is translation of a compressed version of the text I wrote for the Tijdschrift voor Internet, here.
ECJ 29 January 2008, C-275/06 (Promusicae/Telefónica)
Gerrit-Jan Zwenne *
When it comes to infringements committed via peer-to-peer programs, such as KaZaA or Bittorent, it isn’t always clear who the infringer is. This is why copyright holders regularly request internet service providers to disclose the personal data of the subscriber who-through their network-would have infringed their copyrights. In the Judgement of Promusicae/Telefónica the question was what Member States were allowed or required to put in place about this. The Court was asked whether Community law should be interpreted in such a way that Member States should be required to put in place legislation allowing internet user data and other subscriber data to be disclosed by the internet service providers to copyright holders enabling the copyright holders to start civil procedures against the alleged infringers.
Leading up to this question was the case that copyright holding organisation Promusicae had brought against Telefónica in front of a Spanish court. Subscribers of this internet service provider had allegedly infringed the rights of its subscribers with the aid of KaZaA. Promusicae wanted to challenge these subscribers by means of a civil lawsuit and demanded that Telefónica disclose the subscriber data for that particular purpose. Telefónica refused. Quite logically: internet service providers are generally quite reluctant when they are being requested to help infringe the privacy rights of their subscribers.
Whilst posing the question, the Spanish court indicates the framework within which it feels its question should be answered. It refers to several provisions from the Electronic Commerce Directive 2000/31, the Copyright Directive 2001/29 and the Enforcement of Intellectual Property Rights Directive 2004/48-amongst others in light of Articles 17 and 47 of the Charter of Human Rights of the EU. These are all provisions that require that intellectual property rights are adequately protected.
It is intriguing that the Spanish court by asking its question does deliberately not refer to the Data Protection Directive 95/46 and the Electronic Communications Directive 2002/58, or even to Article 7 of the Charter, where privacy rights are laid down. Either way, when reading the Courts Decision one might get the impression that the court appears to point in the direction where privacy interests of the subscribers are neglected. The ECJ, however, does not let this happen, rightly so, and asks a primary question whether the Privacy Directive actually allows these details to be disclosed for the purpose of civil proceedings.
May the data, in view of the privacy directives, be disclosed at all?
The case clearly showed that it involved personal data and therefore the disclosure of such data would fall within the scope of both privacy directives. The first relevant provision is Article 5, first paragraph of Directive 2002/58. This provision states that the confidentiality of internet user data (so-called traffic data), must be guaranteed and this data may not be disclosed without consent. This is further developed in Article 6 of the same directive. On this basis data must be removed if the internet service provider no longer needs this data for the delivery or invoicing of the electronic communications service, which includes the disclosure of information to subscribers, the search for fraud, traffic management etc. This does not include the disclosure of data to third parties, like Promusicae, to help it bring civil proceedings against subscribers.
There are however (as always) some exceptions. Contrary to afore mentioned provisions, Article 15 first paragraph of the Directive states that the data may be stored and disclosed to third parties if that data is necessary for the benefit of national security and defence etc. This is however of no use to Promusicae. In its Lindqvist judgement (Case C 101/01), the Court had already decided that this exception only applies to specific state activities, and definitely not to individual activities.
The Court, nevertheless, does appear to consider a possibility through a not very obvious argument. The same Article 15 of Directive 2002/58/EC permits governments to provide for the possibility that data may be disclosed to third parties if this is necessary for the prevention, investigation, detection and prosecution of criminal offences as well as the unauthorised use of electronic communications. In this respect, the Article refers to a provision of the Privacy Directive 96/46, ie Article 13 first para. On the basis of this Article, the disclosure of data can be permitted if this is necessary for the protection of rights of third parties, parties other than the subscribers in question. The Court then argues that the Community legislator made it possible via this reference to Article 13, that data may be disclosed to individuals, for the benefit of civil litigation.
The primary question as formulated by the Court whether the privacy directives allow data to be disclosed to third parties, has thus been confirmed.
There is some logic to the reasoning of the Court The Court seems to assume that instigating civil proceedings against possible infringers falls within the scope of "prevention, investigation, detection and prosecution of criminal offences [..] unauthorised use of electronic communication". The fact that in the situation of Promusicae there might actually be "unauthorised use of electronic communications" is plausible. Less compelling however is the notion that the instigation of civil proceedings can fall within the scope of "prevention, investigation, detection and prosecution". This terminology seems to indicate a criminal law context rather than a civil law context within which Promusicae intends to use the data.
Should the data be disclosed?
The actual question of the Spanish court was whether the Member States should be required to put in place legislation that data should be disclosed to copyright stakeholder organisations. As a framework for the response to this question, the court refers to the Electronic Commerce Directive 2000/31, the Copyright Directive 2001/29 and the Enforcement of Intellectual Property Rights Directive 2004/48 as well as Articles 17 and 47 of the Charter.
Several provisions in aforementioned directives require governments to establish remedies allowing the protection of copyright to be enforced. Article 8 of the Copyright Directive thus states that Member States must provide for appropriate sanctions and remedies with regard to copyright infringements. In addition they are required that these sanctions and remedies are in fact applicable. Other provisions from these directives also offer governments the possibility of forcing internet service providers to disclose data to right holders for that purpose. For instance, Article 8 of the Enforcement Directive states that the court can order information, such as subscriber data, about infringing goods or services to be disclosed.
The Court runs through all these provisions and subsequently concludes that none of them require that the data disclosure obligation be included in the law, as requested by Promusicae. The Court states that it is about striking the right balance between on one hand the right to a private life and on the other hand the right to protection of intellectual property. This balance must be found within the framework of the directives mentioned by the Spanish court as well as the privacy directive 2002/58/EC. All these directives leave a margin for intepretation to national governments. And all of them, including the copyright directives, require privacy rights to be included when balancing the different interests.
Contrary to what Promusicae had hoped for, and contrary to what the Spanish court appeared to hint at, there is no obligation for national governments to provide for an obligation such as requested by Promusicae.
Member States are not required to put in place legislation allowing for subscriber data to be disclosed to copyright holders when an alleged copyright infringement has occurred. There is no obligation though there is room to allow it, provided that human rights and other principles of Community law, such as the principle of proportionality are respected.
So, what else is new?
The Court judgement is hardly surprising. Community law protects both the privacy interests of subscribers as well as copyright holders. And in situations where those interests conflict, a balance has to be struck. That’s all yesterday’s news.
In the meantime, several years after the Promusica/Telefonica case was first brought to court, Community law has changed. The so called Data Retention Directive 2006/24 requires Member States to force internet service providers to retain internet subscriber details- and other traffic data- for a period of at least 6 months and a maximum of 24 months, in order to ensure that those details are available for the prevention, investigation, detection and prosecution of criminal offences. This data may only be disclosed to national authorities, according to this directive and only in accordance with procedures as laid down by the Member States in national law, taking into account the relevant provisions of the European Union of international law, such as the ECHR.
An interesting question is whether data, which should be retained on the basis of the new laws implementing the Data Retention Directive, can be disclosed to right holders in the framework of civil proceedings against alleged infringers. It seems that the text of directive does not allow for such a possibility. Most likely. copyrightholders are not likely to share this view If so, new proceedings, possibly even before the European Court, seem inevitable.
Sorry, the comment form is closed at this time.