By the judgement issued on April 30 2024 (case C-470/21) the EU Court of Justice dealt, upon request of the French State Council, with the repression of online copyright violation.
With this decision, by balancing the protection of privacy with the investigation needs in the context of the fight against cybercrime, the Court has authorized the public authority responsible for protecting copyright to trace the civil identity of the users through IP addresses used to perpetrate online offences, in order to take against them the measures provided for in the national regulation.
The case
On the basis of the French internal regulations, the Hadopi – the independent public authority responsible for the protection of copyright and the condemn of violations committed on electronic communication networks – is authorized to obtain from online services providers the identity, postal address, email address and telephone numbers of the user who used the online service to play, represent, put at disposal or communicate to the public protected works without the authorization of the copyright holders.
The data and addresses allow Hadopi to take against the responsible users some measures, known as “graduated response measures” based on the entity of the infringement. Such measures consist in the sending of a first “recommendation” (similar to a warning) which, if the infringement is repeated, is followed by a second recommendation and, lastly, if the requirements of the law are met, the matter is referred to the judicial authority.
To discover the identity of guilty users, a series of operations on users’ data are carried out that, in brief, consist in the collection of IP addresses used for activities that can constitute copyright infringement, together with further information which includes the date and time of the activities, the protocol used, the pseudonym used by the subscriber, the information related to the infringed works and Internet service provider through which arranged the access or that supplied the IP technical resource.
With all this data, the IP addresses are associated to the owner of such addresses, to thus trace their civil identity.
The preliminary ruling and the principles stated by the CJEU
The referring Judge asked the Court to clarify if the access by a public authority to data relating to the civil identity, correspondent to an IP address, can be justified under the EU law, considering the fundamental rights to respect for private life, freedom of expression and privacy (provided for by articles 7,8 and 11 of the Charter of Fundamental Rights of the European Union and the GDPR).
Once examined the issue, the Court stated that, in case of online offences, the access to IP addresses can constitute the only mean of investigation able to identify the person to whom that address was associated when committing the offence. This implies that the storage of and the access to IP addresses are strictly necessary to reach the goal, for what concerns the fight against criminal offences committed online.
On the contrary, to deny the access to such data would represent a real risk of systemic impunity not only for offences regarding copyright and related rights, but also other types of offences committed online or which commission or preparation of is facilitated by the specific characteristics of the internet.
Therefore, according to the Court, the existence of a such type of risk constitutes a factor to keep into consideration in balancing different rights and interests in question.
This being said, the Court concluded that the law of the European Union “does not preclude a national legislation which authorizes the public authority responsible for the protection of copyright and related rights against infringements of those rights committed on the internet to access data, retained by providers of publicly available electronic communications services, related to the civil identity associated with IP addresses previously collected by rightholder organizations, so that that authority can identify the holders of those addresses – which have been used for activities liable to constitute such infringements – and may, where appropriate, take measures against them”.
Nevertheless, the Court pointed out that the activity of the authority must be carried out in compliance to specific conditions, accurately indicated in the judgment, aimed at ensuring a safe, limited and proportionated access to data, subjecting the activity of the authority to the regular control by a third and independent body.
Ilaria Feriti