Productores de Música de España SAU v Telefónica de España SAU (C-275/06)

  • This European Court of Justice (ECJ) decision was in the context of unlawful music file sharing via the internet. The ECJ confirmed that Community law recognises both data privacy and copyright as fundamental rights and requires a balance to be struck between them. (Click here for a copy of the judgment).
  • The question asked was whether the effective protection of copyright meant Community law required Member States to lay down an obligation for ISPs to disclose personal traffic data in order for an IP holder to bring civil proceedings.
  • The ECJ ruled that there was no obligation to disclose, nor an obligation to withhold such information - Member States should themselves strike an appropriate balance between these two rights.
  • By finding, in effect, that personal traffic data may be available to copyright owners for civil proceedings, this may have tipped the balance further in favour of IP holders than perhaps the EU had intended.


Productores de Música de España SAU (Promusicae) is an organisation of producers and publishers of music recordings and music videos which promotes and protects the copyright in works belonging to its members. In 2005 it commenced proceedings against Telefónica de España SAU (Telefonica), one of Spain's larger Internet Service Providers (ISPs). Promusicae wanted disclosure of the names and addresses of the internet users behind certain dynamic IP addresses that it claimed had been used at particular times to infringe its members' copyrights, by sharing music files using the peer-to-peer file-sharing software 'Kazaa'. (An IP address is a number, analogous to a telephone number, which enables networked devices to identify and communicate with each other).

Telefonica resisted, arguing that the Spanish law, implementing the provisions of several copyright and data protection Directives, only permitted personal data of this kind (i.e. the names and addresses of the file sharers) to be disclosed in cases of criminal prosecutions or threats to national security. (In Spain copyright infringement only incurs criminal liability if done with the intention to make a profit). The Spanish court considered that this appeared to be a correct view of national law, but that the result appeared to be incompatible with Community law.

The ECJ was asked whether, in light of the Information Society Directive (Directive 2000/31/EC), the Copyright Directive (Directive 2001/29/EC), the Intellectual Property Enforcement Directive (Directive 2004/48/EC) and the Charter of Fundamental Rights of the European Union, it was permissible for Member States to limit the duty of telecommunications network operators to retain personal traffic data, and make those data available, to those circumstances in which the data are required in connection with criminal proceedings or the need to protect national security, thereby preventing disclosure for the purposes of civil proceedings.

Advocate General's Opinion: Community law does not permit disclosure of personal traffic data for civil matters and in fact prohibits such disclosure

In her opinion dated 18 July 2007, Advocate General Kokott focused on the two main Directives relating to data protection. These are (1) the Privacy Directive (Directive 2002/58/EC) which applies to the processing of personal data in the provision of publicly available telecommunications networks in the EU and (2) the Data Protection Directive (Directive 95/46/EC) which applies more generally and where the first does not.

The Advocate General appears to have accepted that the personal data sought were "traffic data" and concluded that this placed the matter solely within the scope of the Privacy Directive, rather than the Data Protection Directive. This was significant because the Data Protection Directive permits disclosure of personal data for the purpose of bringing civil proceedings in certain circumstances, whereas, on its clear language, the Privacy Directive does not. "Traffic data", broadly, is information used to convey a communication on a network, e.g. phone number, IP address, duration, time, date; it does not include the contents of the communication.

She concluded that in principle the Privacy Directive prohibited both the disclosure and the storage of personal traffic data by persons other than users without the consent of those users, subject to the exceptions in Article 15, namely: where such storage or disclosure is a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system (the last was construed as only covering use that jeopardises the integrity of the system).

The Advocate General found that not merely did Community law permit Member States to prohibit the disclosure of internet traffic data to copyright holders seeking to protect their copyright against infringers sharing files over the internet, but that it actually required such a prohibition to be put in place, implying that Spain had implemented the law correctly. This approach was not followed by the ECJ.

ECJ Decision: Community law neither precludes disclosure of personal traffic data in civil matters nor mandates it

The ECJ's judgment on 29 January 2008 disagreed with the Advocate General's literal approach to the Article 15 exceptions in the Privacy Directive and adopted a purposive approach, which had regard to broad principles of Community law. It concluded that there was nothing in the Privacy Directive that prevented Member States from making provision for internet traffic data to be disclosed for the purposes of enabling civil proceedings to be brought. However, at the same time the ECJ noted that no provision of Community law compelled Member States to permit such disclosure. Instead, it was a matter for Member States to implement the various copyright and data protection Directives into national law in such a way as to allow a fair and proportionate balance to be struck between the various fundamental rights protected by the Community legal order.


The ECJ's judgment is difficult to follow, being couched in terms of proportionality and the balancing of rights rather than engaging with the arguments in the Advocate General's opinion. The ECJ appears to be saying that Community law requires additional exceptions to be "read in" to the Privacy Directive by Member States, in order to preserve the potential for personal traffic data to be disclosed for the civil enforcement of property rights. Member States which have transposed Article 15 of the Privacy Directive literally into national law (like Spain) are left wondering precisely what is expected of them to achieve the balance proposed by the ECJ. This seems likely to result in further references in future.

Although not raised before the ECJ or Advocate General, it could be argued that the names and addresses sought are not "traffic data" but rather "personal data" within the meaning of the Data Protection Directive. This would avoid the difficulties arising from the limited exceptions in the Privacy Directive. As matters stand, the ECJ's finding that personal traffic data may be available to copyright owners for civil proceedings appears to have tipped the balance further in favour of rights owners than perhaps the EU had intended.