The European Court of Justice (ECJ) rendered on January 29, 2008, its long-awaited decision in the Promusicae case.

The case was originally brought before the Commercial Court in Madrid, Spain, because the Spanish ISP Telefonica refused to disclose to Promusicae, an association representing music rightholders, the names of subscribers corresponding to certain IP addresses collected by Promusicae. Telefonica objected on the ground that it could not disclose subscribers’ names outside the context of a criminal procedure.

The Commercial Court therefore asked the ECJ whether community law “permit[s] Member States to limit to the context of a criminal investigation or to safeguard public security and national defense, thus excluding civil proceedings, the duty of operators of electronic communications networks and services, providers of access to telecommunications networks and providers of data storage services to retain and make available connection and traffic data generated by the communications established during the supply of an information society service.”

The Opinion of the Advocate General

Rightholders across Europe were initially concerned that civil copyright enforcement actions would be thwarted if the ECJ were to follow the opinion Advocate General Juliane Kokott. In her opinion of July 18, 2007, the Advocate General took the position that subscriber data held by ISPs are traffic data under ePrivacy Directive 2002/58 and that such traffic data can be disclosed to third parties based on limited grounds (listed in Art. 15(1) of the ePrivacy Directive) only, i.e.:

  • national security (i.e., state security), 
  • defense, 
  • public security,
  • the prevention, investigation, detection, and prosecution of criminal offenses or of unauthorized use of the electronic communication system.

The Advocate General found that civil copyright cases did not generally rise to the level of public security and that the other exceptions in Article 15(1) of the ePrivacy Directive did not apply. The Advocate General did not consider the reference in Article 15(1) to certain exemption possibilities provided by Data Protection Directive 95/46/EC, and concluded that the communication of subscribers’ names must be limited to criminal procedure or at least must involve the participation of public authorities.

The Judgment

The ECJ ruled that the relevant European legal framework does not “require the Member States to lay down, in a situation such as that in the main proceedings, an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings.” Although the court emphasized the absence of any obligation, at the same time it specified that this “does not preclude the possibility for the Member States of laying down an obligation to disclose personal data in the context of civil proceedings.” Rightholders breathed a sigh of relief because the ECJ basically gave a green light to national laws that require ISPs to hand over subscriber data to rightholders who make a justified request in civil copyright infringement cases.

The court gave significant leeway to Member States, only requiring that they “take care to rely on an interpretation of [the directives] which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order” and to interpret their national laws “not only in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality.”

Conclusions

Unlike the Advocate General, the ECJ paid a great deal of attention to the last nine words of Article 15(1) of the ePrivacy Directive, explaining that the reference to Data Protection Directive 95/46/EC created in fact an additional exception relating to the protection of the data subject or of the rights and freedoms of others. The ECJ held that such rights included the protection of the right to property or situations in which authors seek to obtain that protection in civil proceedings and therefore applied to the case in point.

ISPs are regularly asked to provide such information and the tendency is only increasing. The ECJ paved the way to increase powers of civil courts to order ISPs to disclose subscribers’ names in the context of civil proceedings relating to copyright infringement cases. This appears consistent with the provisions of Directive 2004/48/EC on the enforcement of intellectual property rights, which provides for a right of information compelling the infringer as well as other persons to provide extensive information on the origin and distribution networks of the goods or services which infringe an intellectual property right.

Nevertheless, the data protection aspects underlying the communication of subscribers’ names in civil proceedings cannot be underestimated. Several national Data Protection Authorities have taken the position that, when the processing of personal data relating to copyright infringement could lead to criminal proceedings, such processing warrants a higher level of privacy protection. Consequently, even with the ECJ decision, ISPs will remain reluctant to disclose information for fear of violating data protection rules as interpreted by national data protection authorities.