New ECJ judgment on the confidentiality of electronic communications | Hadopi case

Geplaatst op 18 mei 2024 door Ellen Timmer

On 30 April, the CJEU issued an important judgment in a case on the confidentiality of electronic communications, the Hadopi case C‑470/21.
Before that Advocate General Szpunar on 28 September 2023 issued an opinion.

The court ruled:

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union,

must be interpreted as not precluding national legislation which authorises the public authority responsible for the protection of copyright and related rights against infringements of those rights committed on the internet to access data, retained by providers of publicly available electronic communications services, relating to the civil identity associated with IP addresses previously collected by rightholder organisations, so that that authority can identify the holders of those addresses – which have been used for activities liable to constitute such infringements – and may, where appropriate, take measures against them, provided that, under that legislation:

– those data are retained in conditions and in accordance with technical arrangements which ensure that the possibility that that retention might allow precise conclusions to be drawn about the private life of those IP address holders, for example by establishing a detailed profile of those persons, is ruled out – which may be accomplished, in particular, by imposing on providers of electronic communications services an obligation to retain the various categories of personal data, such as data relating to civil identity, IP addresses and traffic and location data, in such a way as to ensure a genuinely watertight separation of those different categories of data, thereby preventing, at the retention stage, any combined use of those different categories of data – and for a period not exceeding what is strictly necessary;

– that public authority’s access to such data retained separately and in a genuinely watertight manner serves exclusively to identify the person suspected of having committed a criminal offence and is subject to the necessary safeguards to ensure that that access cannot, except in atypical situations, allow precise conclusions to be drawn about the private life of the IP address holders, for example by establishing a detailed profile of those persons, which entails, in particular, that the officials of that authority authorised to have such access are prohibited from disclosing, in any form whatsoever, information on the content of the files consulted by those holders, except for the sole purpose of referring the matter to the public prosecution service, from tracking the clickstream of those IP address holders and, more generally, from using those IP addresses for any purpose other than that of identifying their holders with a view to the potential adoption of measures against them;

– the possibility, for the persons responsible for examining the facts within that public authority, of linking such data with files containing information that reveals the title of protected works the making available of which on the internet justified the collection of IP addresses by rightholder organisations is subject, in cases where the same person again repeats an activity infringing copyright or related rights, to review by a court or an independent administrative body, which cannot be entirely automated and must take place before any such linking, as such linking is capable, in such circumstances, of enabling precise conclusions to be drawn about the private life of the person whose IP address has been used for activities that may infringe copyright or related rights;

– the data processing system used by the public authority is subject at regular intervals to a review, by an independent body acting as a third party in relation to that public authority, intended to verify the integrity of the system, including the effective safeguards against the risks of abusive or unlawful access to or use of those data, and its effectiveness and reliability in detecting potential offending conduct.

Privacy advocates are disappointed.

It is interesting to see that the protection of works covered by copyright or related rights against offences committed on the internet is important enough for this type of access to electronic communications. Wouldn’t it be more important to put all energy into tracking down data protection violators, who harvest personal data and sell it to the highest bidder? Is copyright more important than data protection?

 

More information:

Judgment of 30 April 2024
ECLI:EU:C:2024:370, Case C‑470/21, La Quadrature du Net and others / French government:

  • press release English, Dutch;
  • judgment of 30 April 2024: page;
  • judgment of 30 April 2024 in English: html;

Opinion of 28 September 2023
Advocate General Szpunar, ECLI:EU:C:2023:711:

Privacy advocates

Other articles

Over Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in English - posts in English on this blog, Europa, Fraude, witwasbestrijding, Wwft, Grondrechten, ICT, privacy, e-commerce en getagged met , , , , , , . Maak dit favoriet permalink.

Plaats een reactie