Personal data protection and IP rights enforcement: two worlds apart?

Author: Riccardo Sciaudone (Grimaldi e Associati)

Bonnier Audio AB and others v Perfect Communication Sweden AB, Case C-461/10, Court of Justice of the European Union (ECJ), Advocate General's Opinion, 17 November 2011

Journal of Intellectual Property Law & Practice (2012), doi: 10.1093/jiplp/jps005, first published online: January 30, 2012

Directive 2006/24 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks does not preclude the application of a national provision, based on Directive 2004/48 on the enforcement of IP rights, according to which an internet service provider (ISP) may be ordered to give a copyright holder information on a subscriber in civil proceedings, provided that this information should have been preserved to be communicated and used for this purpose in accordance with detailed national legislation complying with EU law on the protection of personal data.

Legal context

A preliminary reference to the ECJ from the Swedish Supreme Court deals with the ability of copyright owners to obtain details about the identity of users connected to a certain Internet Protocol address which was used to infringe copyright.

Directive 95/46, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, was adopted to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful.

Directive 2002/58, concerning the processing of personal data and the protection of privacy in electronic communications, imposed on Member States the obligation to ensure the confidentiality of communications made over a public electronic communications network. Article 15(1) provided for the possibility for Member States to derogate from that principle of confidentiality, including under certain conditions the retention of, and access to and use of, data for law enforcement purposes.

Lastly, Directive 2006/24 imposed on Member States an obligation for providers of publicly available electronic communications services and public communication networks to retain communication data for the purpose of the investigation, detection, and prosecution of serious crime, as defined by each Member State in national law. It also amended Directive 2002/58 by stipulating that Article 15(1) does not apply to data retained under Directive 2006/24.

Directive 2004/48 provides a legal framework to combat infringements of IP rights. Article 8 of that Directive provides, in particular, that judicial authorities may order that information concerning the origin and distribution networks of the goods or services which infringe an IP right shall be provided by the infringer and/or any other person who possessed, used, or was involved in the production of the goods or services. This information may include the names and addresses of such persons and information on the quantities produced.

Directive 2004/48 was transposed into the Swedish legal order by amending the Swedish Copyright Act. The new provisions came into force on 1 April 2009.


Five audio book publishers, after discovering that several of their books were being made available online in the early hours of the same day in which the new provisions of the Swedish law came into force, applied to the judicial authority in Solna to obtain from the Swedish ISP ePhone the identity of the subscriber who had shared the infringing material.

After the Solna district court decided in favour of the companies, ePhone appealed to the Court of Appeal, which reversed its decision on the basis that the publishers were unable to prove the infringement of their IP rights. The publishers appealed to the Swedish Supreme Court, which decided to stay the proceedings and ask the ECJ:

whether Directive 2006/24 precludes the application of a national provision based on Directive 2004/48, according to which an ISP may be ordered to give a copyright holder information on a subscriber in civil proceedings, thus facilitating the identification of a particular subscriber claimed to have committed an infringement;

whether the fact that Sweden has not implemented, in the prescribed period, Directive 2006/24, had an impact on the previous question.

The Advocate General Niilo Jääskinen (‘the AG’) has now provided his opinion on these questions.


In order to answer those questions, the AG looked at the material scope of Directive 2006/24 and taking into account that the procedure at hand was a civil one and that information had been requested by private parties, not by the competent national authority, the AG concluded that Directive 2006/24 was not applicable in this specific circumstance. This being so, the second question was dismissed as devoid of purpose.

Having said that, the AG investigated further the limits of the protection of personal data in relation to legislation, such as the Swedish approach which aimed to protect IP rights. This is where the AG's opinion gets really interesting.

The starting point of this part of the AG's reasoning is that, according to Article 6(b) of Directive 95/46, personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a way that is incompatible with those well-defined purposes. Collection of personal data, methods used in order to do so, as well as its purposes must be decided in advance. Further processing of personal data in a way that is incompatible with those purposes is therefore not permitted.

This being the guiding principle, the AG turned to verify whether such provisions had been adopted at EU or national level.

As regards EU legislation, the AG observed that neither Directive 2002/58 nor Directive 2006/24 provided a possibility or an obligation to retain or to use personal data for cases of infringement of IP rights when such infringements are invoked by private parties, nor to use already existing data retained for different purposes. The AG also noted that, although Article 8 of Directive 2004/48 did make some reference to personal data, that provision specified neither the kind of personal data referred to nor the purpose or duration of its retention or the nature of the subjects entitled to access it in the case of infringement of IP rights.

The AG thus concluded that current EU legislation does not provide a discipline for the retention of personal data generated in connection with electronic communications and for their transmission in the case of infringement of IP rights invoked by private parties.

As regards Member States' legislation, the AG, drawing on Case C-275/06 Promusicae [2008] ECR I-271, affirmed that the basic and main principles of both the right to protection of IP rights and the right to data protection must be fully respected.

On this premise, the AG observed that, in order lawfully to transmit personal data, EU law requires that national legislation must expressly provide an obligation to retain personal data with a view to specifying the categories of data to be retained, purpose and duration for their retention, and the categories of people that can access the data. Using personal data retained for purposes different from those provided by the legislation would be contrary to personal data protection principles.

The AG's opinion seems to suggest a (questionable) watertight subdivision between IP rights and data protection. It seems that the AG excludes any (natural) reciprocal interference unless expressly provided. Further, the AG's opinion apparently underestimates the circumstance that, although requested by a private party, the access to personal data is ordered by a judge. Would the AG apply the same kind of test to other areas of EU law?

Practical significance

Should the ECJ follow the AG's opinion, publishers will be denied the right to obtain, in the course of civil proceedings, details about the identity of users connected to a specific Internet Protocol address that has been used to infringe copyright, such data having been clearly retained for purposes different from those at stake in the case at hand.

It is easily foreseeable, as emerged from the arguments put forward by the Member States that intervened in this preliminary reference, that many other EU Member States have copyright legislation similar to the Swedish Copyright Act and that therefore a not inconsiderable number of copyright owners could face the same obstacles to access personal data in similar circumstances. Should this be the case, national legislatures will soon be requested to address the issues raised by this case and to provide IP rights holders with adequate legal remedies. In the meantime, there is a considerable potential for an increase in litigation.

No comments:

Post a Comment