A recent Federal Supreme Court decision which relied on data protection law to end the systematic private investigation of pirates on peer-to-peer networks has upset copyright holders. The defendant company - the Swiss firm Logistep AG - specialised in searching for copyright violators on peer-to-peer networks by means of specifically designed software. Logistep used the software for the systematic collection of internet protocol (IP) addresses and other data relating to peer-to-peer users.

The company regularly transmitted user data corresponding to illegal offers for downloads of material under copyright protection, in particular music and videos, to copyright owners. The copyright owners could then file a criminal complaint against unknown parties in order to ascertain the identity of the pirates. Once the criminal investigation authorities had required the internet service providers to reveal the identity of the individuals behind the temporary IP address, the copyright owners could discover the identity of the pirate by exercising their right to access the investigation files. Having discovered the identity of the infringer, the copyright owners could file a claim for damages before a civil court using the data provided by Logistep as proof of the infringement.

The Federal Supreme Court was asked by the Federal Data Protection Commissioner to rule on Logistep's methods. The Commissioner's claim had been rejected at first instance by the Federal Administrative Court.

In a first step, the Federal Supreme Court stated that IP addresses constitute 'personal data' in the sense of the Federal Act on Data Protection because they allow the identification of a web user, albeit only indirectly, by means of a criminal complaint. According to the court, information qualifies as personal data if, according to general life experience, it allows the identification of the person concerned with an effort that may reasonably be expected from a person interested in his or her identity. This was considered the case here as the IP addresses did actually allow the clients of Logistep to ascertain the users' identities. In this regard, the Federal Supreme Court also relied on the fact that IP addresses have been considered as personal data by the independent EU Advisory Body on Data Protection and Privacy. Interestingly, a German court in Hamburg ruling on the same question recently stated that IP addresses were not protected by German data protection law because they do not allow personal identification with the usual means and without additional information.

The court held that the collection of personal data by Logistep without the knowledge of the data owner was illegal pursuant to the act.

In a second step, the court examined whether the infringement of data protection law could be justified by the private interests of the copyright owners, weighing their legitimate interest in identifying pirates in order to protect their copyright against the interests of peer-to-peer network users in protecting their privacy. According to Article 13(1) of the act, the collection of data which infringes data protection provisions is not illegal if it is justified by an overriding private interest. The existence of such legal justification depends on the circumstances of the individual case.

In its statement of reasoning, the court held that the defendant, pursuing commercial interests only, used practices that resulted in insecurity as to the methods used on the internet and the scope and type of online data collection. The interest in the fight against copyright infringements could not balance the resulting infringement of personality rights and the insecurity regarding data collection on the internet. The thinking behind this brief reasoning seems to be that the interests of web users in having their privacy protected must be valued higher than the merely commercial interests of copyright owners. The court considered the data protection infringement to be serious, as data from a large number of users was collected without their knowledge. The judges were apparently concerned that the collection of the data relating to so many users had led to so few convictions. They also found that Logistep's methods infringed the principle of telecommunications secrecy, which is protected by the Constitution.

As a result, the court ordered Logistep to cease the collection and processing of data. It stated that its decision did not purport to give data protection priority over copyright protection in general but that it is the legislature's responsibility to enhance online copyright protection. The decision may also be interpreted as demonstrating a reluctance to allow private investigation that trespasses on data protection rules in an area where legal measures should be taken by the state. The scope of the decision will presumably be limited to cases of systematic search for infringers of IP rights by means of specialised software which result in a systematic collection of personal data.

For further information on this topic please contact Laurent von Niederhäusern or Nicola Benz at Froriep Renggli by telephone (+41 44 386 6000), fax (+41 1 383 6050) or email ([email protected] or [email protected]).