Is the IP address still a personal data in France?
Although the answer to this question may be obvious not only in France, but
also in Europe, two decisions from the Paris Appeal Court may well change
this established understanding.
The decisions, respectively published on 27 April and 15 May 2007, concern
individuals to the SCPP (a French collecting society of recording
companies), in two cases of music counterfeit using P2P networks. The two
appeal procedures included both civil and penal actions and were initiated
in the former case by the individual and the public prosecutor and in the
latter by the SCPP and the public prosecutor as well. In addition to the
first instance decisions made on the counterfeit claims, the Paris Appeal
Court had to decide on the conformity of the first instance procedures
regarding the collection of IP addresses on the P2P network. In both cases,
the individuals claimed that this collection should have been subject to
prior authorization by the CNIL (French Data Protection Authority), and
consequently concluded to the nullity of the procedure.
These claims were rejected by the Paris Appeal Court, which found that the
IP addresses collection was conducted in full compliance with the law in
both cases. The Court argued that ‘the IP address doesn’t allow the
identification of the persons who used this computer since only the
legitimate authority for investigation (the law enforcement authority) may
obtain the user identity from the ISP’ (27 April ruling). Surprisingly
enough, the Court recognized in the same decision that ‘it should also be
reminded that each computer connected to the Internet is identified by a
unique number called “Internet address” or IP address (internet protocol)
that allows to find it among connected computers or to find back the sender
of a message’. In its 25 May ruling, the Court considered that ‘this series
of numbers indeed constitutes by no mean an indirectly nominative data of
the person in that it only relates to a machine, and not to the individual
who is using the computer in order to commit counterfeit.’ The Court
conclusion was then that this collection of IP addresses does not constitute
a processing of personal data, and consequently was not subject to CNIL
prior authorization, as required by the French Data Protection Act.
The CNIL strongly reacted, expressing its worries after these decisions, and
asking the French Ministry of Justice to consider filing a Cassation case in
the interest of the law against these two rulings, a procedure that should
be introduced by the General public prosecutor, and which purpose is to
avoid either inconsistent jurisprudence or a jurisprudence not in harmony
with the law. The CNIL reminded that, according to the French Data
Protection Act, a personal data ‘means information relating to a natural
person who can be identified, directly or indirectly, by reference to an
identification number or to one or more factors specific to him. This is the
case with a car plate number, a telephone number or an IP address.’ The CNIL
also noted that the Article 29 Working Party of EU DPAs, ‘reminded in an
opinion of 20 June 2007 on the concept of personal data, that the IP address
attributed to an Internet user during her communications constitutes a
personal data.’
In the mean time, the Advocate General of the European Court of Justice, in
an entirely separate case lodged for reference by a Spanish Court under the
preliminary ruling procedure, took the position that the EU legislation on
personal data protection should prevail on the Community law on e-commerce,
copyright protection and IP enforcement. The CNIL has obviously duly noted
how much these conclusions from the Advocate General – which usually are
followed by the ECJ – may influence the future shape of copyright holders
actions both when they collect IP addresses and when they undertake
enforcement actions to subsequently have Internet users’ identity disclosed,
making them far more difficult than they currently are in France and
elsewhere in Europe. And wisely suggests that it would be appropriate to ask
to further ask the ECJ for reference on the nature of the IP address.
Paris Appeal Court decision – Anthony G. vs. SCPP (27.04.2007)
http://www.legalis.net/jurisprudence-decision.php3?id_article=1954
Paris Appeal Court decision – Henri S. vs. SCPP (15.05.2007)
http://www.legalis.net/jurisprudence-decision.php3?id_article=1955
IP address is a personal data for all the European DPAs (2.08.2007)
http://www.cnil.fr/index.php?id=2244
French Data Protection Act (English version, 6.08.2004)
http://www.cnil.fr/fileadmin/documents/uk/78-17VA.pdf
EU Article 29 Working Party Opinion 4/2007 on the concept of personal data
(20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf
ECJ Advocate General Conclusions on case C-257/06 (18.07.2006)
http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&Submit=Rechercher$docrequire=alldocs&numaff=C-275/06
EDRI-gram: ECJ’s Advocate General says no handing traffic information in
civil cases (1.08.2007)
http://www.edri.org/edrigram/number5.15/traffic-data-civil-cases
(Contribution by Meryem Marzouki, EDRI-member IRIS – France)