As part of anti-piracy scheme featuring warning letters, fines, and ISP disconnections, France has monitored and stored data on millions of internet users since 2010.
Digital rights groups insist that as a general surveillance and data retention scheme, the ‘Hadopi’ program violates fundamental rights.
Any program that monitors citizens’ internet activities, retains huge amounts of data, and then links identities to IP addresses, must comply with EU rules. Activists said that under EU law, only “serious crime” qualifies and since petty file-sharing fails to make the grade, the whole program represents a mass violation of EU citizens’ fundamental rights.
Surveillance and Serious Crime
Seeking confirmation at the highest level, La Quadrature du Net, Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, began their challenge in France. The Council of State referred the matter to the Constitutional Council, which in turn referred questions to the Court of Justice of the European Union (CJEU) for interpretation under EU law.
EU member states may not pass national laws that allow for the general and indiscriminate retention of traffic and location data. Retention of traffic and location data is permitted on a targeted basis as a “preventative measure” but only when the purpose of retention is to fight “serious crime.”
In his non-binding opinion, CJEU Advocate General Szpunar described Hadopi’s access to personal data corresponding to an IP address as a “serious interference with fundamental rights,” the clearest sign yet that the right to privacy had already taken a blow.
CJEU judgments have balanced citizens’ rights and rightsholders’ right to copy many times over the years but here, case law was deemed potentially problematic. In fact so much so, AG Szpunar proposed “readjustment of the case-law of the Court” to ensure that rightsholders would not be left in a position where it was impossible to enforce their rights on BitTorrent and similar networks.
EU Law Shouldn’t Rule Surveillance Out
By last September, it was clear that a legal basis needed to be found to allow Hadopi and similar programs to continue. For example, the fluid nature of dynamic IP addresses was mentioned as an obstacle to comprehensive tracking.
Well-constructed arguments stated that balance could be found in securing the harvested data and, to protect fundamental rights, limitations on how much data could be used in the event an alleged file-sharer was prosecuted.
Ultimately, however, when infringement occurs exclusively online, an IP address may be the only means to track down an alleged infringer, leading to the conclusion that retention and access to civil identifying data is both “necessary” and “wholly proportionate.”
Copyrights Trump Privacy Rights
In its decision handed down Tuesday, initially only in French, the CJEU leaves no stone unturned in delivering a win for rightsholders. Despite the problematic case law, the judgment builds a framework for how monitoring and data retention can be conducted within the requirements of EU law.
The judgment deals with three key questions, summarized as follows:
1. Is civil identity data corresponding to an IP address included among the traffic and location data which, in principle, requires prior review by a court or administrative entity?
2. If yes, is EU law to be interpreted as precluding national legislation that provides for the collection of such data, corresponding to users’ IP addresses, without prior review by a court or administrative entity?
3. If yes, does EU law preclude the review from being performed in an adapted fashion, for example as an automated review?
In other words, are member states precluded from having a national law that authorizes a copyright authority to access stored IP addresses and civil identity data relating to users, collected by rightsholders monitoring their activities on the internet, for the purpose of taking further action, without a review by a court or administrative body?
Data collected includes date and time of alleged infringement, IP address, peer-to-peer protocol, user pseudonym, details of copyright works, filename, ISP name.
Ensuring Privacy and Data Security
The judgment notes that IP addresses can constitute both traffic data and personal data. However, IP addresses that are public and visible, as they are in file-sharing swarms, are not being used in connection with the provision of an ‘electronic communication service’.
The judgment also states that, if Member States seek to impose “an obligation to retain IP addresses in a general and indiscriminate manner, in order to attain an objective linked to combating criminal offenses in general”, they should lay down clear and precise rules in legislation relating to retention of data, meeting strict requirements.
IP and civil identity data must be separated from each other and all other data, in a secure and reliable computer system. When IP addresses and civil data need to be linked, a process that does not undermine the “watertight separation” should be used, and regularly inspected for effectiveness. When these rules are followed, even citizens’ data gathered indiscriminately cannot result in “serious interference” to fundamental rights.
The judgment notes that EU law does not “preclude the Member State concerned from imposing an obligation to retain IP addresses, in a general and indiscriminate manner, for the purposes of combating criminal offenses in general.”
Balancing Competing Rights
The CJEU says that while EU citizens using internet services “must have a guarantee that their privacy and freedom of expression” will be respected, those fundamental rights are not absolute. The prevention of crime or the protection of the rights and freedoms of others may see those rights deemed less important.
Then, with some fluidity, the CJEU pulls the rug on excuses and upgrades petty file-sharing to something, well, a bit more serious.
To prevent crime, it may be strictly necessary and proportional for IP addresses to be captured and retained for “combating criminal offenses such as offenses infringing copyright or related rights committed online.”
Indeed, not allowing the above “would carry a real risk of systemic impunity not only for criminal offenses infringing copyright or related rights, but also for other types of criminal offenses committed online or the commission or preparation of which is facilitated by the specific characteristics of the internet.”
Pirate Privacy? Not Here
The judgment adds that despite the strict security guarding private information, there’s always a chance that a person might find themselves profiled. And that, the court suggests, may be of their own making.
[S]uch a risk to privacy may arise, inter alia, where a person engages in activities infringing copyright or related rights on peer-to-peer networks repeatedly, or on a large scale, in connection with protected works of particular types that can be grouped together on the basis of the words in their title, revealing potentially sensitive information about aspects of that person’s private life.
Thus, in the present case, in the context of the graduated response administrative procedure, a holder of an IP address may be particularly exposed to such a risk to his or her privacy where that procedure reaches the stage at which Hadopi must decide whether or not to refer the matter to the public prosecution service with a view to the prosecution of that person for conduct liable to constitute the minor offense of gross negligence or the offense of counterfeiting.
Throughout the course of the next few paragraphs, the judgment mentions processing data for the “prevention, investigation, detection or prosecution of criminal offenses,” and a quote from the French government stating that “the measures adopted by Hadopi in the context of the graduated response procedure ‘are of a pre-criminal nature directly linked to the judicial proceedings’.”
That leads to the predictable conclusion that EU law does not preclude national legislation that allows for the surveillance of internet users and the retention of their data, for the purpose of identifying users and taking legal action against them.
Member states just need to follow the rules to ensure that those who didn’t have their privacy breached when their data was collected, don’t have it breached or leaked as they wait for whatever punishment arrives in the mail.
La Quadrature du Net says it’s disappointed with the judgment.
“[T]his decision from the CJEU has, above all, validated the end of online anonymity. While in 2020 it stated that there was a right to online anonymity enshrined in the ePrivacy Directive, it is now abandoning it.
Unfortunately, by giving the police broad access to the civil identity associated with an IP address and to the content of a communication, it puts a de facto end to online anonymity.”
The judgment is available here
