European Court of Justice ruling in the Bonnier case
This article is also available in:
Deutsch: [Entscheidung des Europäischen Gerichtshofs in der Rechtssache Bonnier | https://www.unwatched.org/EDRigram_10.8_Entscheidung_des_Europaeischen_Gerichtshofs_in_der_Rechtssache_Bonnier?pk_campaign=edri&pk_kwd=20120507]
Bonnier Audio took the Swedish Internet service provider (ISP) Perfect
Telecommunication to court, to obtain an order to disclose the
identities of alleged infringers of their intellectual property (IP)
rights. As a result, the Swedish High Court asked the Court of Justice
of the European Union (CJEU) if, assuming such a measure was
proportionate, a Member State could introduce legislation which would
require telecommunications data to be made available for such purposes.
More specifically, would such a national measure be in breach of the
Data Retention Directive?
In this important decision, the CJEU ruled it was indeed possible,
albeit subject to far more challenging safeguards than currently in
force in certain EU Member States, most particularly in the UK and
Germany. The ruling therefore reaffirms the importance of making sure
that the interpretation of EU law is done in a way which is not in
conflict with the fundamental rights of EU citizens.
Background
In the Bonnier Audio case, a Swedish audio book publisher, Bonnier
Audio, sued a Swedish Internet service provider (ISP), Perfect
Communication, because 27 audio books had been made available via a
file-sharing service. On the basis of Article 8 of the intellectual
property rights enforcement directive (2004/48/EC), Bonnier Audio wanted
a court order to have Perfect Communications disclosing the identities
of the alleged infringers. The ISP contested this request, arguing that
the request was not in line with the data retention directive (2006/24/EC).
The question to be answered by the Court of Justice of the European
Union was whether the data retention directive preclude Member States
from permitting court orders against ISPs that require the disclosure of
information on alleged infringers of intellectual property rights on
request of rightsholders.
Somewhat unusually, the question partially answers itself by stating
that it was assumed that adequate evidence of an infringement was
available and assuming that access to the data was proportionate. The
Court accepted this premise and explicitly made an assumption that the
national legislation was in line with the European law.
The second question asked was whether the non-transposition of the data
retention directive was having any influence on the answer given by the
Court.
In summary, the question was, assuming access to the data is
proportionate, does the data retention directive prevent the application
of Article 8 of the IP rights enforcement directive to order the
disclosure of identities of alleged infringers to rightsholders in civil
proceedings?
The Court ruled that as long as the order of disclosure was based on
evidence and that it was proportionate and necessary, nothing in the
data retention directive and in the E-Privacy Directive precludeed a
Member State to adopt such a rule.
Does it mean that data retention for enforcement of IP rights is
required by the CJEU?
No.
The decision does not mean that data retention is required for the
purpose of enforcement of IP rights. The ruling means that it is
theoretically possible, in certain circumstances, to access consumer
data, in particular where the exceptional conditions described in
Article 15(1) of the E-Privacy Directive (2002/58/ec) are met; where
(contrary to current practice in, for example, Germany and the UK), the
data is being accessed to facilitate an investigation and;
where a fair balance between the various interests at stake is genuinely
met.
The European Court said that the appraisal of whether such conditions
were met by national legislation was a matter for national courts.
Deeper issues, such as the proportionality, necessity and, therefore,
legality of data retention as a policy were not assessed.
On what ground did the CJEU rule?
1. Access to retained data.
The Court ruled that, assuming the legality of the instrument used to
justify the storage of the data, assuming the proportionality of the
procedures, rules and purpose of accessing the data and assuming that
the storage and access of the data maintains a fair balance between the
fundamental rights at stake, it is theoretically possible for a national
court to implement a national provision permitting access to
communications data.
2. The Court did not rule on the legality of non business-related
storage of data using the exception provided in Article 15 of the
E-Privacy Directive.
3. The Court did not rule on the legality of non business-related
storage of data under the Data Retention Directive.
Consequently, the only formal position taken by any part of the Court on
data retention is that of the General in the Telefonica/Promusicae case
– “(i)t may be doubted whether the storage of traffic data of all users
without any concrete suspicion – laying in a stock, as it were – is
compatible with fundamental rights.”
What is the impact of this ruling on the recent Scarlet/SABAM and
Netlog/SABAM cases?
There is no impact.
The balance between the various rights at stake still needs to be
demonstrably achieved in all cases. Unlike in the SABAM cases, the Court
did not rule on the legality of the practical application of specific
provisions in this case, but on whether a legal implementation was
theoretically possible.
In Scarlet/SABAM and SABAM/Netlog cases, the Court said that the
protection of IP rights should not outweigh the protection of privacy,
freedom of communication and freedom to conduct business. Today’s
decision does not change the outcome of those cases. The legality of the
practical implementation of the Swedish legislation was not assessed, as
the Court ruled that this was a matter to be ruled upon by the national
court.
What does this mean for the upcoming referral to the Court from Ireland
asking whether data retention per se is legal or not?
The questions in the Bonnier Audio case deliberately avoided the core
question regarding the legality of data retention per se, whereas the
Irish case will assess the basic principle of data retention as a policy.
The Swedish referral was asked in a way that the fundamental aspect of
the case was avoided, while in the Irish case the legality of data
retention per se will be the central aspect of the question. The focus
of the question in the Irish case is different, so today’s case does not
provide any clue on the forthcoming referral from the Irish supreme
court on the legality per se of data retention.
What does the ruling mean for current practices in Germany and the UK?
The European Court of Justice appears to be, consciously or not,
highlighting the questionable practices in Germany and in the UK in
several parts of the ruling. For instance, the Court emphasised that the
use of data retained is only permitted in individual cases, for the
purpose of investigation and where the requirement of the principle of
proportionality is taken into account.
In Germany, however, none of these three requirements are currently
taken into account, since:
1. around 100.000 IP addresses per month are transmitted to rightsholders;
2. the principle of proportionality is not respected and in most cases,
the (often clueless) end-user has to pay a significant amount (or face a
court proceeding); and
3. the data transmitted is rarely used in order to launch an
investigation but rather to send directly a notification to the end user.
Access to IP addresses in Germany (only in German, 31.05.2011)
http://www.eco.de/2011/pressemeldungen/300-000-adressen-pro-monat-erfolgreicher-kampf-gegen-illegale-downloads.html
Abuse of data in the UK
http://en.wikipedia.org/wiki/ACS:Law
Court ruling Bonnier case (19.04.2010)
http://curia.europa.eu/juris/document/document.jsf?text=&docid=121743&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1441103
(Contribution from EDRi Brussels office)