January 30, 2008 | By Gwen Hinze

EU Law does not require ISP to hand over customers' identity data in alleged filesharing case

Can a rightsholder force an ISP to hand over a subscriber's identity in a civil copyright infringement lawsuit? In the U.S., the answer is a clear yes - as evidenced by the music industry's more than 20,000 lawsuits against alleged individual filesharers. In Spain (and perhaps other EU countries) the answer is no, at least for now.

In a much-anticipated decision, the European Court of Justice ruled yesterday that European Community law does not require EU Member States to impose an obligation on ISPs to divulge customer data in response to a request from a copyright holder who alleges that copyright infringement has taken place. The decision in Promusicae v. Telefonica involved a request made by a Spanish music rightsholder association (Promusicae) to Spain's leading ISP (Telefonica) for personal data about Telefonica subscribers using particular dynamic IP addresses, which Promusicae alleged were engaged in filesharing.

The European Court of Justice was asked to interpret a mesh of overlapping EU Community laws and answer the question: does European community law require EU Member States that are implementing this suite of EU directives to impose an obligation on ISPs to divulge their customers' personal data to rightsholders in a civil copyright lawsuit? The court ruled no, but with some qualifications. Thus, the Spanish law is valid and Telefonica will not be forced to divulge its customers' data.

More on what this means, after the jump.

Privacy rights are taken seriously in Europe. European Community Directives from 1995 and 2002 require protection of citizens' personal data and communications privacy. The Spanish law implementing those directives precluded the disclosure of personal data to rightsholders in a civil lawsuit, such as this case (but permitted disclosure in criminal cases). European law also requires protection of intellectual property. The 2001 Copyright directive requires harmonization of rightsholder rights across EU Member States. The 2000 EU Electronic Commerce directive sets out the obligations of ISPs that act as mere conduits to the Internet for Internet users and rightsholders. And the 2004 Intellectual Property Rights Enforcement Directive (IPRED1) was intended to create harmonized rightsholder enforcement rights and remedies. In particular, IPRED1 created a right of information, permitting rightsholders to request identity information about alleged copyright infringers from anyone in the “chain of infringement”, including ISPs.

While the ECJ has made clear that EU Member States are not required to impose an obligation on ISPs to disclose their subscribers' personal data in a civil copyright case, the ruling left open the question whether EU Member States can choose to impose such an obligation in their national implementation law. The touchstone, according to the Court, is balance. As the ECJ's accompanying statement notes, EU Member States need to “reconcile the requirements of the protection of different fundamental rights, namely the right to respect for private life on the one hand and the rights to protection of property and to an effective remedy on the other”. The Court concluded that:

Community law requires that, when transposing those directives, the Member States take care to rely on an interpretation of them which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality

The ECJ's ruling is welcome news for European citizens' privacy rights. In the short term, it suggests that the recorded music industry may be less inclined to pursue high-volume individual copyright infringement lawsuits in Spain and could follow a different strategy in Europe than in the U.S.

However, at the same time, the ECJ's decision is likely to accelerate the music industry's recent European efforts to increase Internet intermediary liability. Instead of focusing on individual Internet users, major copyright owners are likely to put greater pressure on ISPs to filter and monitor their networks for copyright infringing material, block protocols and terminate subscribers' Internet connections, following the three-tier graduated response recently adopted in the French rapportolivennes231107.pdf">Olivennes proposal.

It may also increase pressure on the Council of Ministers to adopt IPRED2, the criminal IPR sanctions directive that passed through European Parliament last April, to ensure that IPR infringements are treated as criminal offences for the purposes of “effective” copyright enforcement. Meanwhile, it will be interesting to see how the ECJ's decision figures into the European Commission's review of the eCommerce directive later this year.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

New research shows a link between Internet shutdowns and state violence in Syria: https://eff.org/r.l03h

Jul 1 @ 10:22am

The FISA Court reauthorized bulk surveillance of phone records for 6 more months. Here's what you need to know: https://eff.org/r.ja6h

Jul 1 @ 9:31am

Join us for EFF's 25th Anniversary Party on July 16 in San Francisco! https://www.eff.org/25th-anniversary-party

Jun 30 @ 7:57pm
JavaScript license information