The adoption and transposition into the national laws of EU Member States of Directive 2004/48/EC on the enforcement of intellectual property rights (OJ L 157, 30.04.2004, 1, hereinafter “IPRs Enforcement Directive”) have strongly encouraged and facilitated effective enforcement targeted at individuals. The Directive aimed at providing all EU jurisdictions with effective and harmonized enforcement measures against infringements of intellectual property rights. In the specific field of digital copyright law, Article 8(1) of the IPRs Enforcement Directive seems to ensure that copyright holders are entitled to ask courts throughout the European Union to compel Internet Service Providers (ISPs), and possibly other on-line intermediaries, including certain peer-to-peer software providers, to disclose the identities of Internet users found in possession of infringing goods on a commercial scale or providing services used in infringing activities.
Article 8(2) of the IPRs Enforcement Directive enables judicial authorities, upon request of copyright owners, to identify and prosecute users whose computers are found to work as “super-nodes” in fully decentralized peer-to-peer architectures. This provision makes clear that information on the origin and distribution networks of infringing goods comprises the names and addresses of distributors and suppliers of infringing goods as well as information on the quantities delivered or received. After having identified direct infringers, copyright owners may be given broad and prompt access to civil proceedings which grant interlocutory measures intended to prevent any imminent infringement or continuation of infringements and other measures such as the seizure of goods suspected of infringing copyright (cf. Article 9 of the IPRs Enforcement Directive).
In this legislative framework, it is unclear how the protection of confidentiality of information sources and the prohibition of the processing of user personal data commanded under Article 8(3)(e) of the IPRs Enforcement Directive (“Paragraphs 1 and 2 shall apply without prejudice to other statutory provisions which […] (e) govern the protection of confidentiality of information sources or the processing of personal data”) will interplay in the on-line environment with the powerful measures of investigation and enforcement created by the above-mentioned provisions.
In interim measures proceedings in July 2007, the District Court of Rome (see Techland and Peppermint Jam Records v. Wind Telecomunicazioni, Tribunale Ordinario di Roma, N. 26125/2007, 16 July 2007, available at: http://www.altroconsumo.it/images/17/173003_Attach.pdf) held that the protection of confidentiality in electronic communications, as laid down in Article 5 of Directive 2002/58/EC on privacy and electronic communications (OJ L 201, 31.07.2002, 37), took priority over digital copyright enforcement undertaken through precautionary measures aimed at compelling disclosure of the identity and other personal data of unauthorized file-sharers. The Rome Court rejected the claim of two copyright owners (i.e., Techland and Peppermint Jam Records) who sought to compel an ISP (i.e., Wind Telecomunicazioni) to reveal the personal data of a few subscribers who were supposedly infringing copyright in their videogames and music works. The Court emphasized that the phrasing of Article 8(3) of the IPRs Enforcement Directive provided explicitly that the civil proceedings remedies made available under Article 8(1) should apply “without prejudice to other statutory provisions which […] govern the protection of confidentiality of information sources or the processing of personal data.” As a result, the Rome Court concluded that, in the EU legal system, access to users’ confidential communications and personal data and their retention and processing was permitted only under the exceptional circumstances spelt out under Article 15(1) of Directive 2002/58, which does not include the enforcement of subjective rights (e.g., copyrights) through civil proceedings. This provision, instead, makes it clear that national laws may provide for the retention of personal data for a limited period in order to enable prevention, investigation, detection and prosecution of criminal offences.
Article 15 of Directive 2002/58/EC provides that Member States may adopt legislative measures to restrict user privacy-related rights “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC.”
Therefore, as suggested by the Rome judgment, courts may recognize the right to information disclosure regarding unauthorized file-sharers’ personal data where their conduct is punishable by criminal sanctions under the applicable national laws. Obviously, if this interpretation becomes mainstream in the European case law, the objective of copyright enforcement targeted at individuals by means of the precautionary measures created by Article 8 of the IPRs Enforcement Directive with regard to civil proceedings would largely be frustrated.