In June 2005, the Swedish Data Inspection Board – a public authority protecting individuals’ privacy in the information society – decided that the activities of the Swedish anti-piracy bureau (Antipiratbyrån) went against the Personal Data Act.
The act in question defines who is eligible to store information on individuals and the inspection board’s justification for the decision was that IP addresses can be tied to a specific person and that only government agencies may store that kind of information in criminal cases.
Since collecting IP numbers (and suing the owners) is the core business for Antipiratbyrån, they appealed the decision to the County Administrative Court which agreed with the inspection board’s stance. Antipiratbyrån appealed again, with the same result, and then once again. Today, the highest instance, the Supreme Administrative Court said it will not try the case which means the previous decision is upheld.
Antipiratbyrån’s method for chasing filesharers by logging and storing their IP addresses is thereby in violation of the Personal Data Act.
However, while some prematurely celebrated the result as the death of IPRED (and have since rewritten their article), the truth is a little more sobering.
On his blog, Swedish Pirate Party’s Rick Falkvinge writes that a paragraph in IPRED specifically says that you don’t need to be granted exception from the Personal Data Act in order to retrieve the names of IP address holders from ISPs.
8.2.11 Exception from 21 § Personal Data Act
In the copyright law, additions are made that means no specific exception from 21 § Personal Data Act is needed to handle personal information regarding immaterial rights breach, when handling such information is necessary in order to present a legal claim.
Translated: Antipiratbyrån can do as they please…