The majority were BitTorrent users and the plan was to use evidence of their piracy activities as a basis for escalating actions including warnings, fines, and ultimately, internet disconnections.
Operating the program for a decade cost French taxpayers 82 million euros ($86.5 million) but according to digital rights group La Quadrature du Net, Hadopi’s “mass internet surveillance” destroyed citizens’ fundamental right to privacy.
In its quest to hold Hadopi to account, La Quadrature du Net highlighted one of the program’s implementing decrees, which authorizes the creation of files containing internet users’ IP addresses plus personal identification data obtained from their internet service providers.
In the belief that represents a breach of EU data protection laws, the digital rights group, ISPs, and other like-minded supporters, took their fight to the French legal system.
Referral to the EU’s Highest Court
In the vast majority of cases, senior judges in EU member states have little need to consult Europe’s highest court. At least in theory, all countries are already in compliance with EU law but every now and again, the gravity of specific cases becomes apparent, resulting in a referral seeking clarification on how EU law should be interpreted.
In advance of a full ruling, the conundrum posed by the French referral was evident in a non-binding opinion handed down last October by CJEU Advocate General Maciej Szpunar.
Under EU law, member states may not pass national laws that allow for the general and indiscriminate retention of citizens’ traffic and location data. Retention of such data is permitted on a targeted basis, but only as a “preventative measure” for the purposes of fighting “serious crime.” In respect of the information held by Hadopi, the Advocate General found that when the data points are combined, it’s possible to link French citizens’ identities with the content they access.
The CJEU’s top legal advisor described the Hadopi situation as “serious interference with fundamental rights” but short of accepting “general impunity for offenses committed exclusively online,” something would have to give. The compromise suggested last year would require “readjustment of the case-law of the Court” to allow rightsholders to enforce their rights when an IP address is the only means by which an infringer can be identified (CJEU, pdf).
Advocate General Delivers Opinion (Case C-470/21)
The opinion delivered Thursday begins with an overview of Hadopi and the methods it uses to deter online piracy. By monitoring initial and subsequent acts of infringement and maintaining relevant databases, it’s possible to identify repeat infringers eligible for the next deterrent steps. A decree adopted in 2010 allows Hadopi to request subscriber information from ISPs in response to the provision of IP addresses, mostly obtained from BitTorrent swarms.
The legal proceedings brought by La Quadrature du Net and the Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, seek to establish whether the collection of civil identity data corresponding to IP addresses, and subsequent automated processing of data to protect of intellectual property, are compatible with EU law absent a review by a court or independent administrative body.
The short answer from the AG’s opinion is that Article 15(1) of Directive 2002/58 (pdf) must be interpreted as not precluding national legislation which allows ISPs and other electronic communications services to retain, and an administrative authority such as Hadopi to access, civil identity data corresponding to IP addresses for the purposes of identifying suspected infringers.
No court or review body needs to be involved, but use of such data is only permitted when it is the only means of investigation that can enable a suspected infringer to be identified.
Discussion and Reasoning
In the opinion of AG Szpunar, there is a need to reconcile the rights at issue; the protection of private life and personal data on one hand, and the right to property enshrined in Article 17 of the Charter, which the graduated response mechanism seeks to uphold by protecting copyright and related rights.
The opinion notes that “the great majority” of the IP addresses communicated by Hadopi are dynamic IP addresses, which only correspond to a specific identity at a single moment, which preclude any exhaustive tracking.
“I must emphasise that the protection of fundamental rights on the internet does not in my view justify access to the data relating solely to the IP address, the content of a work and the identity of the person who made it available in breach of copyright not being permitted, but means only that the retention of and access to those data must be accompanied by guarantees,” his opinion continues.
“To my mind, an analogy with the real world is telling: a person suspected of having committed theft cannot rely on his or her right to protection of his or her private life to prevent those responsible for prosecuting that offense from ascertaining what the content stolen is. On the other hand, that person may rightly rely on his or her fundamental rights to ensure that, during the proceedings, access will not be provided to more extensive data than just the data necessary for the classification of the alleged offense.”
No Mass Surveillance But a Proportionate Response
The digital rights groups’ legal action characterizes the Hadopi program as a general surveillance and data retention scheme, operating contrary to fundamental rights. AG Szpunar finds otherwise, noting that there doesn’t even appear to be general surveillance of the users present in peer-to-peer networks.
“That procedure does not involve monitoring their entire activity on a given network in order to determine whether they have made a work available in breach of copyright, but rather determining, on the basis of a file identified as counterfeit, the holder of the internet access through which the user made the content available,” his opinion reads.
“[I]t is not a question of monitoring the activity of all users of peer-to-peer networks, but only that of persons uploading infringing files, as the uploading of those files reveals much less information about the person’s private life because files may be uploaded for the sole purpose of enabling those users then to download other files.”
Inevitable Outcome in Favor of Rightsholders
The overall conclusion reached by the Attorney General considers the purpose for which the data is harvested and the challenges of identifying suspected online infringers by other means. The inability to establish a detailed profile of a person’s private life via a dynamic IP address is cited on one hand, while the critical value of an IP address in an investigation sits somewhat uncomfortably on the other.
“[I]t follows from the actual case-law of the Court that, where an offense is committed exclusively online, such as an infringement of copyright on a peer-to-peer network, the IP address may be the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the infringement to be identified,” the AG continues.
In closing, the retention and access to civil identifying data, corresponding to an IP address for the purposes of prosecuting online infringements, is described as “strictly necessary” and “wholly proportionate” to the objective pursued
“Such an interpretation is in my view inevitable,” the AG notes, “unless it is accepted that a whole range of criminal offenses may evade prosecution entirely.”
CJEU note: The Advocate General’s Opinion is not binding on the Court of Justice. It is the role of the Advocates General to propose to the Court, in complete independence, a legal solution to the cases for which they are responsible. The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date