In 2016 the European Union introduced the General Data Protection Regulation (GDPR). As its name suggests, its purpose is to regulate the processing of personal data. This protection applies to many processing operations: collection, recording, consultation, use, dissemination, etc.
Yet like any right, the right to the protection of personal data must be weighed against other rights, in particular intellectual property rights. The Court of Justice of the European Union (CJEU) addressed this problem in a judgment of June 17, 2021, in which it specified the application of Regulation (EU) 2016/679 on data protection. It lays down the following principle: the systematic recording, by a rights holder, of the IP addresses of users of peer-to-peer networks complies with the GDPR.
In this case, the Cypriot company Mircom holds certain rights in a large number of films. It found that some of these films were illegally downloaded from peer-to-peer networks. Mircom collected the IP addresses that were used to share content on these networks. It then applied to the Antwerp Company Court for an order requiring Telenet to produce the identification data of customers whose internet connections had allegedly been used to share films owned by Mircom on a peer-to-peer network. The Antwerp court referred several preliminary questions to the CJEU.
The first question concerned the interpretation of Article 3(1) and (2) of Directive 2001/29/EC: are individual Internet users who participate in a peer-to-peer network carrying out an act of communication within the meaning of this directive?
The European judges answered in the affirmative: participation in a peer-to-peer network is an act of communication. They clarified that in this type of network, shared files are divided into data packets, which are downloaded in random order and by different paths from the computers of seeders. Consequently, the latter do not make available the entire work, nor part of the work, but only segments of files which are unusable individually. The Court considered that “for the purposes of establishing that there is ‘making available’, within the meaning of Article 3(1) and (2) of Directive 2001/29, in such a situation, it is not necessary to prove that the user concerned has previously downloaded a number of segments representing a minimum threshold.” Thus, given that the European judges consider that the provision of these files constitutes an act of communication within the meaning of Directive 2001/29, each of the seeders may be considered responsible for illegally uploading a file to a peer-to-peer network; it does not matter that these segments are usable in themselves only from a certain download rate.
Owners of intellectual property rights
Next, the Belgian court wished to know whether the fact that the uploading of the segments of a file can be done automatically, via the technology of the program used, has an impact on the recognition of the user’s guilt. The CJEU considers that this element does not influence the guilt. It affirms that the users of a peer-to-peer network “must be considered as acting in full knowledge of their behavior and the consequences that it may have” once they are aware of the characteristics of the software and have consented to its use. The judges believe that “the deliberate nature of their behavior is not at all negated by the fact that the upload is automatically generated by this software.” Accordingly, to characterize an act of communication to the public, courts need only ensure that the user has consented to the use of the sharing software; it is not necessary that the user has performed the sharing manually.
Then the following problem arose: can rights holders who do not actually use their rights enjoy the protection granted by Directive 2004/48/EC on the enforcement of intellectual property rights? This question concerns copyright trolls, which, on the model of patent trolls, use their copyright only to claim damages, sometimes abusively, and not to organize the exploitation of the work.
According to the European judges, in principle all persons who fall under one of the categories of Article 4 of Directive 2004/48 can act. One of these categories corresponds to “holders of intellectual property rights, in accordance with the provisions of applicable law”, but this provision in no way provides that such a holder must actually use his rights to be able to request the application of the measures, procedures and remedies of the directive. Indeed, “such an exclusion would run counter to the general objective of Directive 2004/48 which is, as is clear from its recital 10, in particular to ensure a high level of protection of intellectual property in the internal market”. But the Court sets a limit to this protection: the abusive use of the procedures, remedies and measures of the directive is prohibited. It is for the referring court to assess whether the company is abusing its rights “on the basis of a global and detailed examination”. Consequently, a patent troll company can indeed act against those who violate the rights it holds under its patent, without actually exploiting the work which is protected by this patent, but it must not act in an abusive manner in claiming its protection. It will be up to the judge to rule on the abusive character according to the elements at his disposal.
What about the principle of proportionality between the right to property and respect for privacy and personal data?
The last question that arose is the following: does the systematic recording and general processing of IP addresses by the licensee comply with Article 6(1)(f) of Regulation 2016/679 on data protection (GDPR), as well as with the principle of proportionality between the right to property and respect for privacy and personal data?
The European judges note that it is necessary to fulfill three cumulative conditions for the processing of personal data to be lawful.
First of all, the controller must pursue a legitimate interest. In the present case, the Court considers that this condition is met: “the recovery of debts in good and due form may constitute a legitimate interest justifying the processing of personal data”.
Then the data processing must be necessary in order to achieve this interest. The judges believe that the identification of the holder of the connection can only be done on the basis of the IP address and the information provided by the Internet service provider; therefore, this condition does not pose a problem in the present case.
Finally, the interests or freedoms and fundamental rights of the data subject must not prevail. The judges specify that “the mechanisms allowing a fair balance to be found between the various rights and interests involved are enshrined in Regulation 2016/679 itself”. Therefore, for such data processing to be considered lawful, it must meet the requirements of the GDPR, but also those of Directive 2002/58, as stated by the Court. However, Article 15 of this directive provides that “Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period when this is justified by one of the reasons set out in this paragraph”, one of these reasons being the prevention of unauthorized use of the electronic communication system. Therefore, it is necessary to refer to the national law to which the applicant is subject to assess the legality of data retention.
To conclude, the judges affirm that Article 6(1)(f) of the GDPR “does not preclude, in principle, either the systematic registration, by the holder of intellectual property rights as well as by a third party on its behalf, of IP addresses of users of peer-to-peer networks whose Internet connections have allegedly been used in infringing activities”. Nor does it preclude “the communication of the names and postal addresses of these users to this holder or to a third party in order to allow him to bring an action for compensation before a civil court for damage allegedly caused by said users”. But the European judges set conditions: “the initiatives and requests in this direction of the said holder or of such a third party are justified, proportionate and not abusive and find their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58”.
With this judgment, the CJEU gives indications on the balance that the national judge must seek between the protection of intellectual property rights and the protection of personal data.
Respect for private life and protection of personal data
Regarding the legislative measures that States can introduce to retain data (Article 15 of Directive 2002/58), the majority of States have introduced this type of measure. This is the case in Luxembourg: Article 9 of the law of 1 August 2018 relating to the protection of natural persons with regard to the processing of personal data in criminal matters as well as in matters of national security provides that “The processing of personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning sexual life or sexual orientation of a natural person are authorized only in the event of absolute necessity, subject to appropriate guarantees for the rights and freedoms of the data subject […]”. Likewise, in French law, numerous obligations are laid down on providers of electronic communication services as well as on internet access providers and hosts: data may be retained to ensure the security of their networks (article L34-1 of the postal and electronic communications code); and the prevention of terrorism, the major economic, industrial and scientific interests of France, the major interests of foreign policy, etc. may justify the collection of data, in particular from electronic communications operators.
But how can the proliferation of these data disclosure authorizations be compatible with respect for privacy and the protection of personal data?
The CJEU commented on this question in a judgment of 6 October 2020 and considered that in order to comply with the proportionality requirement, the regulations of a Member State must provide for the following guarantees: “clear and precise rules governing the scope and application of the measure in question and imposing minimum requirements, so that the persons whose personal data are concerned have sufficient guarantees to effectively protect such data against the risk of abuse. These regulations must be legally binding in domestic law and, in particular, indicate under what circumstances and under what conditions a measure providing for the processing of such data can be taken, thus ensuring that the interference is limited to what is strictly necessary.” Consequently, the regulations relating to the use of data must be extremely precise and establish guarantees for the taxpayer in order to be compatible with European rules and the fundamental rights of data protection and respect for privacy. For example, article L851-3 of the French Internal Security Code imposes on electronic communications operators and technical service providers “the implementation on their networks of automated processing intended, according to parameters specified in the authorization, to detect connections likely to reveal a terrorist threat”. This technique involves collecting, for a limited period of time and among all the connection data processed by these operators and service providers, only those that would be linked to a terrorist threat. This requirement seems to comply with the principle of proportionality between data protection and the fight against terrorism because only data that could be useful for the achievement of this objective are collected and only for a fixed period.
Companies must be extremely vigilant in the exploitation and use of user data, because such use must be reconciled with other rights and always in accordance with the principle of proportionality. There is therefore a fine line between a data processing operation justified by reasons of general interest and a real violation of the principle of protection of personal data and privacy.
Eternoscorp remains at your disposal to ensure that the processing of your users’ data is carried out in accordance with European regulations but also with the national regulations applicable to you.
“1. Member States shall provide for authors the exclusive right to authorize or prohibit any communication to the public of their works, by wire or wireless, including making their works available to the public in such a way that everyone can have access to them from where and when he chooses individually.
2. Member States shall provide for the exclusive right to authorize or prohibit the making available to the public, by wire or wireless, so that everyone can have access to it from where and when he chooses individually:
- (a) for performers, of fixations of their performances;
- (b) for producers of phonograms, of their phonograms;
- (c) for the producers of the first fixations of films, of the original and of copies of their films;
- (d) for broadcasting organizations, of fixations of their broadcasts, whether broadcast by wire or wireless, including cable or satellite.”
 It is a company with no real economic activity that acquires patents so that it can then attack companies that infringe the acquired patents.
 Processing is only lawful if, and insofar as, at least one of the following conditions is met:
- (f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular when the data subject is a child.