The CJEU recently had to rule on a case involving a variety of issues. A request for the disclosure of user data due to alleged copyright infringements turned into proceedings that provides answers to the question of an infringement via peer-to-peer-networks, misuse of rights by copyright trolls and lawfulness of the data collection by access-providers.
Background of the case
In 2019, the claimant requested the defendant, an Internet access provider, to hand over data identifying customers who allegedly shared copyrighted content using the BitTorrent protocol.
The Belgian court dealing with the claimant’s request had doubts as to whether the users' actions were illegal. Users who had downloaded the works shared the work with other users. However, this sharing feature was done automatically by the software used by the platform. In addition, the files were divided into small pieces that could only be used when all pieces were downloaded.
In addition, the court wondered whether the claimant should be excluded in general from requesting the disclosure of the users' identification data because the claimant was not actually using the assigned rights, but was limiting itself to claiming damages from abusive infringers. According to the Belgian court, this business model would correspond with the definition of a "copyright troll".
As a final question, the court wanted to know whether the collection of IP addresses by the rights holder was lawful with regard to the General Data Protection Regulation 2016/679 ("GDPR").
The decision of the CJEU
The CJEU answered the questions raised by the Belgian court in favour of the claimant, i.e. the right holder.
Filesharing leads to communication to the public
The CJEU ruled that individual users who share files on the peer-to-peer network communicate the relevant works to the public.
It is irrelevant for the CJEU that the pieces of the file being transferred were unusable individually – and instead could only be used once the user had downloaded all pieces. The CJEU argued that the single pieces contain the protected work. It was also irrelevant whether users had accessed the pieces of the file or not. What matters in view of the CJEU is that the pieces are provided on the platform. The CJEU also found it irrelevant that no further user action was required to share the file.
The CJEU argued the users acted "in full knowledge of the consequences" of using the program. It was to be assumed that the user had been duly informed about the functioning of the program, to which he or she had agreed in the context of the license to use the program. This deliberate act of communication was also directed at the general public and there was no permission from the rights holders.
High hurdles for misuse of rights
The CJEU said the fact that the claimant was not using its IP rights, i.e. no exploitation of the rights took place, and was only seeking compensation for damages resulting from the infringement of its rights would not lead to a misuse of rights. The CJEU pointed out that the Enforcement Directive does not require the IP rights to be actually used. Such a requirement would also run counter to the objective of the Directive to ensure a high level of protection of intellectual property in the Internal Market. It is also necessary to prevent right holders who outsource the pursuit of claims for damages, from being disadvantaged.
The pursuit of a pre-litigation settlement, which the claimant in principle sought instead of main proceedings, was also not in itself an abuse of rights. However, such an abuse of rights could arise if the claimant was in fact only trying to generate economic income with the help of out-of-court damages payments without wanting to actually tackle the copyright infringements committed. In this respect, it would be relevant whether the claimant also filed lawsuits if an amicable solution was rejected.
Disclosure of personal data to the claimant
The claimant requested that the identification data of the users suspected of infringing its rights, specifically their IP addresses, be disclosed to it to enable it to bring claims against such users. The CJEU confirmed that IP addresses could constitute personal data to the extent they allowed the identification of individuals. The Court went on to look at the limits to privacy rights set out in the Directive 2002/58/EC on Privacy and Electronic Communications ("E-privacy Directive") , particularly the right for member states to adopt restrictive legislative measures where necessary, appropriate and proportionate within a democratic society to safeguard the "prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC". The CJEU indicated that Article 13(1) of the said Directive corresponded, in essence, to Article 23(1) GDPR, which allows EU and state law to restrict the scope of the obligation of confidentiality of personal data in the electronic communications sector, where such restriction constitutes a necessary and proportionate measure "in a democratic society to ensure, amongst others, the enforcement of civil law claims". The Court confirmed the Promusicae ruling (C-275/06) and held that the right to property and situations in which authors seek to obtain such protection in civil proceedings have never been excluded from the scope of Article 15(1) of the E-privacy Directive.
As disclosure of an IP address constitutes an act of processing personal data, the CJEU also examined the right, granted under Article 6(1)(f) of the GDPR, to process personal data without the data subject's consent where such processing is justified by the pursuit of a legitimate interest of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The CJEU held that data controllers, such as the claimant, or third parties had a legitimate interest in obtaining the personal information of a person who allegedly damaged their property in order to sue that person for damages.
The Court concluded that Article 6(1)(f) of GDPR read in conjunction with Article 15(1) of the E-privacy Directive precluded neither the systematic recording, by right holders (or third parties acting on their behalf), of IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities, nor the communication of the names and of the postal addresses acquired by means of the IP addresses for the purpose of bringing copyright infringement claims, so long as such actions are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of the E-privacy Directive.
Comment and Outlook
The decision has high practical relevance. File sharing via peer-to-peer networks has steadily increased again in recent years. In 2019, the share of traffic through shared files in BitTorrent transfers in Europe was 44.2%. By comparison, the traffic on social media combined was responsible for only 9.4% of this in the same period. Globally, file sharing as such has also been responsible for 30.2% of traffic (see here). Nevertheless, the question of the individual user's responsibility has occupied the courts for a long time. In Germany, too, it was disputed whether the data packets should be regarded as data junk if completion of the download does not occur. In addition, it is intrinsic to P2P software that users do not know each other, but the view of the CJEU as well as the German Federal Court of Justice, is that they nevertheless work together. Each user contributes willingly to the offered download of the entire file by providing a file piece that is subsequently combined by the used program. The CJEU has now ruled on these questions uniformly for the EU in favour of the rights holders, so the ruling is a clear strengthening of the latter in this respect.
In addition, the CJEU sets the hurdle for misuse of rights high. It is not necessary for the holder of rights to exploit the work. To decide otherwise, would have led to a situation where rights holders could only have "outsourced" the fight against copyright infringement to a limited extent. Nevertheless, the CJEU’s ruling is not a carte blanche. In P2P cases where the claimants do not actively enforce their claims in court but exclusively by out of court claims to obtain payments for damages, it is likely that courts will consider such practice as misuse of rights.
With regard to the disclosure by platforms or intermediaries holding the data of infringing parties in a non-accessible format or manner, since the GDPR became applicable in 2018, a number of platforms have reluctantly granted rights holders or their representative access to contact information of alleged infringing parties on the basis of legitimate interest. Others are still categorically refusing to disclose such data absent a court order. This decision provides clarity, under the GDPR, by confirming the CJEU's position, held under the now repealed Data Protection Directive 2015, that disclosure of such data under the legal basis of legitimate interest is not prohibited.
Authored by Morten Petersenn, Aissatou Sylla and Nils Peters
