Advocate General recklessly calls for watering down privacy protections
On 27 October, the Advocate General (AG) Szpunar of the Court of Justice of the European Union (CJEU) released his opinion on the French ‘HADOPI’ system against online copyright infringements. The case has potentially important implications for the ongoing political debate on data retention by private companies for access by law enforcement authorities.
On 27 October, the Advocate General (AG) Szpunar of the Court of Justice of the European Union (CJEU)released his opinion on the ‘HADOPI’ case, putting at stake France’s legislative framework to combat the online exchange of copyrighted material without permission from right-holders.
The case was brought in front of courts by four associations, including EDRi member La Quadrature du Net.
The case has potentially important implications for the ongoing political debate on the retention of telecommunications and location data by private companies for access by law enforcement authorities. Worryingly, the AG, who is tasked with delivering a non-binding opinion that will influence the Court’s final decision, calls for a “readjustment” of the case law that the CJEU has built over the years to protect the fundamental right to privacy and data protection against mass surveillance.
Identifying the user of an IP address is not access to civil identity data
In the La Quadrature du Net judgment of October 2020, the CJEU made an important distinction between traffic data and location data on one hand and civil identity data (e.g. name and address of the user) on the other.
Since civil identity data does not, in itself, reveal information about actual communications, retention and other processing of such data is not considered a serious interference with fundamental rights. Civil identity data can therefore be retained and disclosed to law enforcement for all criminal offences.
By contrast, retention of traffic data constitutes a serious interference with fundamental rights. For traffic data and location data in general, only targeted data retention is allowed for the objective of combatting serious crime. In the La Quadrature du Net judgment, the CJEU clarified that the IP address assigned to the source of an internet connection can be retained for a limited time for all users.
The CJEU’s rationale for this is twofold: the source IP address is less sensitive than other traffic data, and access to retained IP address data might be the only means of investigations for some crimes committed online. However, in light of the seriousness of the interference, only serious crimes can justify the general and indiscriminate retention of source IP addresses.
When investigating online offences, authorities typically first collect the dynamic IP address used by the unknown offender from log files of the online service provider where the offence was committed. The next step is to order the internet service provider (ISP) to disclose the name and address of the user of the IP address.
The information disclosed is civil identity data, but the disclosure requires processing of traffic data by the ISP. At the oral hearing, France, Denmark, Sweden, Finland and Norway argued that this disclosure should be regarded solely as disclosure of civil identity data, which means that it is not limited to serious crime. The new Danish data retention law relies on that interpretation of EU law.
The questions referred by the French court also seem to assume that only civil identity data is concerned. The AG rejects this interpretation as he notes in points 43-44 that disclosure of civil identity data in such cases requires the linking of those data with retained IP addresses. Therefore, it constitutes access to traffic data which, under the current case law of the CJEU, would limit disclosure to combatting serious crimes.
A clarification along these lines in the judgment by the CJEU will have important implications not only for national data retention laws where the disclosure of IP addresses is (still) regarded solely as access to civil identity data, but also for the ongoing trilogues on the e-Evidence Regulation.
In the Commission’s legislative proposal and the current trilogue text, production orders for access to traffic data for the sole purpose of identifying the user can be issued for all criminal offences, which is not in accordance with the CJEU case law as interpreted by the AG. In the Second Additional Protocol to the Cybercrime Convention of the Council of Europe, this use of traffic data is also regarded as access to subscriber information.
However, the expected clarification from the CJEU in the forthcoming judgment could also go in the other direction. The AG proposes a substantial change of the case law which effectively will permit access to retained IP addresses for all offences without any regard to the seriousness of the offence, whether criminal or civil (e.g. copyright infringement).
Undermining privacy protections to curb ‘online impunity’
As in his opinion in the M.I.C.M. case C-597/19, the AG highlights a tension in the CJEU’s case law between the retention and disclosure of IP addresses and the positive obligation of Member States to ensure that holders of intellectual property rights can obtain compensation for infringement of those rights.
The AG rightfully notes that infringements of intellectual property rights cannot amount to a serious crime (point 74). Therefore, access to IP addresses retained for the purpose of fighting serious crimes in order to sanction copyright violations is contrary to EU law as it currently stands.
However, this conclusion is “unsatisfactory” for the AG as he fears “systemic impunity for offences committed exclusively online” such as the unauthorised distribution of movies via file sharing or online defamation. AG Szpunar believes EU law should not go against national measures that force the mass retention of IP addresses to combat any type of offences, even very minor ones.
The only condition for retention of source IP addresses should be that investigation and prosecution of the alleged offence is not possible by other means than access to this data.
The proposed “only means of investigation” criterion completely disregards the seriousness of the interference (retention of IP addresses), which does not seem compatible with the principle of proportionality enshrined in Article 52(1) of the Charter of Fundamental Rights. When the CJEU permitted general and indiscriminate retention of source IP addresses in the October 2020 judgment, but only for the objective of combatting serious crime, it was a careful balancing act between the conflicting rights and interests at issue: the serious interference with fundamental rights that such retention of IP addresses constitutes and the recognition that access to retained IP address might be the only means to investigate some online crimes.
An intrusive measure which may be justified by serious criminal offences such as online distribution of images depicting sexualised violence against children should not automatically be extended to other offences, just because they are difficult to investigate when committed online.
The French HADOPI law requires individual subscribers to “secure“ their internet connection against use for committing copyright violations, and imposes a maximum fine of €3000 for repeated failure of that obligation. This is very far from any notion on a serious offence, whether criminal or civil. Moreover, the enforcement of the HADOPI law involves access to sensitive traffic data on an industrialised scale.
Since 2009, the HADOPI authority has issued 12.7 million recommendations (warning letters), each of which requires access to traffic data that under current EU law can only be retained for the objective of fighting serious crime. The principle of proportionality seems to have been completely lost in this quest for copyright maximalism. There must be less intrusive ways to protect the interests of rights-holders, for example enforcement measures targeted at disrupting the internet servers that facilitate unauthorised sharing of copyrighted works.
In a broader context than the HADOPI law, the AG’s concern relating to “systemic online impunity” relies on a myth. In many cases, the identification of a suspect can be done via other means of investigations and the possibility to remain completely anonymous and untraceable online is, in practice, very limited.
For example, persons hiding their IP address to spread illegal hate speech online could be identified via their username as users often pick the same username across different online platforms and services, some of which retain more personal data than others for commercial reasons. For example, the FBI successfully investigated a case of death threats against Anthony Fauci sent from an anonymous ProtonMail account because the perpetrator used the same email address on his Instagram account.
Stating that, for broad categories of offences, mandatory retention of IP addresses by ISPs is always the only means to identify the perpetrator is far from matching the reality of today’s online realities which have rightfully been described as the golden age of surveillance for law enforcement.
Lowering the bar for granting access to retained IP addresses could very easily lead to a race to the bottom for fundamental rights protection online, notably with the risk of creating chilling effects on freedom of expression and information. The possibility for anonymous speech is important, even more so with the unfortunate trends towards criminalising public protest also seen in European democracies. Offences such as defamation and insults of politicians are ripe for abuse by powerful actors against already oppressed minorities or other marginalised persons. Both the CJEU and the European Court of Human Rights (e.g. in the Benedik v Slovenia case) have highlighted the reasonable expectation of remaining anonymous online.
Focusing narrowly on the possible risk of impunity for certain offences, as the AG does, misses the broader picture of fundamental rights protection in the digital world, and could put society on an Orwellian path where the online infrastructure is designed so that every activity can be traced by state authorities.
No independent review required for access to IP addresses
In the AG’s view, EU law does not require a prior review of HADOPI’s access to civil identity data linked to users’ IP addresses by a court or an independent administrative body. This conclusion stands at particular odds with the Court’s recent case law, which strongly emphasizes the need for such prior independent review to ensure the full respect for the necessary conditions and procedures to access data.
In the October 2020 ruling, the CJEU permitted generalised retention of IP addresses for combatting serious crime subject to strict compliance with the substantive and procedural conditions which should regulate the use of the retained data. In the Prokuratuur case C-746/18, the CJEU held that access to traffic data must be subject to prior review by a court or independent administrative authority to ensure that the substantive and procedural conditions are fully observed.
Prior independent review is even more critical if the conditions for retention and access to IP addresses are to be extended with the “only means of investigation” criterion, as the AG proposes. Only a court or independent administrative authority can verify whether law enforcement has truly exhausted all other investigative options, and this assessment will invariably depends on the specific facts of each individual investigation.
The AG justifies his interpretation by arguing that access to civil identity data linked to an IP address used to share a protected file is not that sensitive as it does not enable authorities to reconstruct the online clickstream of users and, therefore, to draw precise conclusions concerning their private life.
With this interpretation of the CJEU case law, the AG creates an odd distinction between a serious interference with the right to private life, which would correspond to HADOPI’s access to civil identity linked to an IP address, and a “particularly serious interference”, which requires independent authorisation (point 99).
In doing so, the AG plays down the level of privacy intrusion that identifying the person who has viewed certain online files may entail. Files including photos, videos or text are susceptible to reveal the person’s sexual orientation, political, religious or philosophical opinion. There is no need to reconstruct the entire clickstream of the user in order to deduce very intimate information on their life.
Last but not least, there seems little point in requiring strict compliance with substantive and procedural conditions for access to retained IP addresses if the access can simply be authorised by law enforcement itself. Only a court or an independent administrative authority can ensure compliance with these conditions and protect against abuse.
It is really concerning for the state of digital rights that the AG proposes to adjust the interpretation of the law to a system designed to protect rights-holders to the detriment of privacy and data protection. The consequences of changing the case law could be very far-reaching. Hopefully, the Court maintains the jurisprudence it has developed at length in recent years and which ensures that privacy and data protection are sufficiently safeguarded in the area of law enforcement.
Contribution by: Jesper Lund, Chairman of EDRi memberIT-Pol & Chloé Berthélémy, Senior Policy Advisor, EDRi