By EDRi

Ruling

Bonnier Audio took the Swedish Internet service provider (ISP), Perfect Telecommunication, to court to obtain a court order to disclose the identities of alleged infringers of their intellectual property (IP) rights. As a result, the Swedish High Court asked the Court of Justice of the European Union (CJEU) if, assuming such a measure was proportionate, a Member State could introduce legislation which would require telecommunications data to be made available for such purposes. More specifically, would such a national measure be in breach of the Data Retention Directive?

In this important decision, the CJEU was indeed possible, albeit subject to far more challenging safeguards than currently in force in certain EU Member States, most particularly in the UK and Germany. The ruling therefore reaffirms the importance of making sure that the interpretation of EU law is in done in a way which is not in conflict with the fundamental rights of EU citizens.

Background

In the Bonnier Audio case, a Swedish audio book publisher, Bonnier Audio, sued a Swedish Internet service provider (ISP), Perfect Communication, because 27 audio books had been made available via a file-sharing service. On the basis of Article 8 of the intellectual property rights enforcement directive (2004/48/EC), Bonnier Audio wanted a court order to have Perfect Communications disclosing the identities of the alleged infringers. The ISP contested this request, arguing that the request was not in line with the data retention directive (2006/24/EC).

The question to be answered by the Court of Justice of the European Union, was whether the data retention directive preclude Member States from permitting court orders against ISPs that require the disclosure of information on alleged infringers of intellectual property rights on request of rightsholders.

Somewhat unusually, the question partially answers itself by stating that it was assumed that adequate evidence of an infringement was available and assuming that access to the data was proportionate. The Court accepted this premise and explicitly made an assumption that the national legislation was in line with European law.

The second question asked was whether the non-transposition of the data retention directive was having any influence on the answer given by the Court.

In summary, the question was, assuming access to the data is proportionate, does the data retention directive prevent the application of Article 8 of the IP rights enforcement directive to order the disclosure of identities of alleged infringers to rightsholders in civil proceedings?

The Court ruled that as long as the order of disclosure is based on evidence and that it is proportionate and necessary, nothing in the data retention directive and in the E-Privacy Directive precludes a Member State to adopt such a rule.

Does it mean that data retention for enforcement of IP rights is required by the CJEU?

No.

The decision does not mean that data retention is required for the purpose of enforcement of IP rights. The ruling means that it is theoretically possible in certain circumstances to access consumer data, in particular where
*the exceptional conditions described in Article 15(1) of the E-Privacy Directive (2002/58/ec) are met;
*where (contrary to current practice in, for example, Germany and the UK), the data is being accessed to facilitate an investigation and;
*where a fair balance between the various interests at stake is genuinely met.

The European Court said that the appraisal of whether such conditions were met by national legislation was a matter for national courts. Deeper issues, such as the proportionality, necessity and, therefore, legality of data retention as a policy were not assessed.

On what ground did the CJEU rule?

1. Access to retained data.

The Court ruled that, assuming the legality of the instrument used to justify the storage of the data, assuming the proportionality of the procedures, rules and purpose of accessing the data and assuming that the storage and access of the data maintains a fair balance between the fundamental rights at stake, it is theoretically possible for a national court to implement a national provision permitting access to communications data.

2. The Court did not rule on the legality of non business-related storage of data using the exception provided in Article 15 of the E-Privacy Directive.

3. The Court did not rule on the legality of non business-related storage of data under the Data Retention Directive.

Consequently, the only formal position taken by any part of the Court on data retention is that of the General in the Telefonica/Promusicae case – “(i)t may be doubted whether the storage of traffic data of all users without any concrete suspicion – laying in a stock, as it were – is compatible with fundamental rights.”

What is the impact of this ruling on the recent Scarlet/SABAM and Netlog/SABAM cases?

There is no impact.

The balance between the various rights at stake still needs to be demonstrably achieved in all cases. Unlike in the SABAM cases, the Court did not rule on legality of practical application of specific provisions in this case, but on whether a legal implementation was theoretically possible.

In Scarlet/SABAM and SABAM/Netlog, the Court said that protection of IP rights should not outweigh the protection of privacy, freedom of communication and freedom to conduct business. Today’s decision does not change the outcome of those cases. The legality of the practical implementation of the Swedish legislation was not assessed, as the Court ruled that this was a matter to be ruled upon by the national court.

What does this mean for the upcoming referral to the Court from Ireland asking whether data retention per se is legal or not?

The questions in the Bonnier Audio case deliberately avoided the core question regarding the legality of data retention per se, whereas the Irish case will assess the basic principle of data retention as a policy.

The Swedish referral was asked in a way that the fundamental aspect of the case was avoided, when in the Irish case the legality of data retention per se will be the central aspect of the question. The focus of the question in the Irish case is different, so today’s case does not provide any clue on the forthcoming referral from the Irish supreme court on the legality per se of data retention.