Dutch anti-piracy group BREIN is constantly engaged in investigations to deter or take down piracy operations, including those involved in the supply of unlicensed IPTV subscriptions.
These investigations can be extremely complicated, something revealed in documents detailing BREIN’s mission to unmask the person in control of the bank account used to handle money for the Netherlands’ largest IPTV supplier.
Background – GoFastIPTV.eu
According to court documents, GoFastIPTV.eu is an IPTV provider that violates the rights of the companies represented by BREIN. It provides unauthorized access to movies, TV shows and live streams of pay TV channels, plus more than 85,000 on-demand titles.
The provider offers 1-month packages at 15 euros, 3-months at 30 euros, and 80 euros for a year, and BREIN believes that it’s the largest pirate IPTV supplier in the Netherlands. As a result, BREIN has gone to great lengths to identify its operators, meeting significant resistance on the way.
BREIN reports carrying out test purchases and says it was told to transfer funds to PayPal or directly to an account at Rabobank in the Netherlands. BREIN subsequently sent summons letters to various email accounts related to the service but could not identify the owner.
The anti-piracy group also sent summons letters to companies hosting the IPTV service’s website but the address and phone numbers both led to people unconnected with the matter. Research on various company names in the UK and Brazil also led to dead ends as did an investigation into IPTVGo.eu, a site operating identically to GoFastIPTV.eu. This trail ran cold when the domain was traced to a hotel in Lisbon, Portugal.
After BREIN’s substantial efforts failed to provide a clear lead, the anti-piracy outfit put pressure on Rabobank to hand over its customer’s personal details, considering this an important step to learn his or her true identity. Rabobank refused on privacy groups so BREIN took the matter to court.
Court Rules The Bank’s Refusal to Provide Data Was Unlawful
BREIN reports that since it had tried hard to obtain the account holder’s identity by other means, Rabobank should have provided the name and address of the relevant account holder. BREIN argued that despite the account now being closed, it had a valid interest in obtaining the information. The court agreed.
The decision was based on a ruling from the Netherlands Supreme Court dating back to November 2005. The landmark case saw the Court uphold a previous verdict that compelled internet portal Lycos to hand over the personal details of one of its subscribers to Dutch stamp trader Pessers.
According to BREIN, the assessment criteria are that the unlawfulness (in this case infringement) must be sufficiently plausible, that the applicant (BREIN) must have a valid interest in obtaining the information, and that there are no less severe options available to obtain the data. Also, when it comes to a weighing of interests between those of BREIN, Rabobank, and the account holder, the balance must be in favor of BREIN.
Rabobank argued that the GDPR prevented it from handing over data. The bank also said that the account holder could’ve been put there for the purposes of shielding the identity of another person, so his/her privacy would need to be protected. BREIN argued that even if the person was indeed acting as some kind of proxy, obtaining their personal details would help them get closer to the main target. The court accepted this argument.
The bank’s arguments that BREIN had unused opportunities to identify the person elsewhere also failed.
“The judge ruled that it is not the case that there has to be no other option available before the bank should provide data,” a statement from BREIN reads.
“BREIN has made extensive efforts to establish the identity of the infringer. It is not expected that the summons of foreign parties will provide a result within an acceptable period of time with a sufficient chance of success, according to the judge. Filing a criminal report is no less drastic and is by no means always followed up by the authorities.
“Just like hosting and access providers, a bank cannot demand that all other options for retrieving personal data are exhausted first,” BREIN concludes.
The court gave Rabobank five days to provide BREIN with all identifying name and address information relating to its former account holder and pay BREIN’s costs of 1,775 euros.
The full decision can be found here (pdf)