Copyright infringements: ECJ allows data retention in principle

The European Court of Justice (ECJ) has significantly extended the possibilities for member states to log IP addresses without cause in order to prosecute criminal offenses. A landmark ruling published on Tuesday shows that the general and indiscriminate retention of IP addresses does not necessarily constitute a serious infringement of fundamental rights. It is permissible if national regulations prescribe storage modalities that strictly separate different categories of personal data. This would rule out "the possibility of drawing precise conclusions about the private lives" of those affected.

The case concerns the "3-strikes" system of the French authority Hadopi, which is responsible for enforcing copyright law on the internet and online blocking. Under this "graduated response" model, users suspected of copyright infringements are initially warned twice. After a third infringement, Hadopi can contact the competent judicial authority to initiate criminal proceedings. The Hadopi must first be able to identify the offender in order to issue a warning. To this end, the French government issued a decree in 2010 allowing the Hadopi to request the identity data of the suspected offender from telecommunications operators via the IP address.

This decree was challenged in court by the four civil rights organizations La Quadrature du Net (LQDN), Fédération des fournisseurs d'accès à Internet associatifs, Franciliens.net and the French Data Network. The French Council of State then asked the ECJ whether it is compatible with EU law to collect identity data associated with IP addresses and to process this information automatically without prior control by a court in order to prevent copyright infringements. In Case C-470/21, the ECJ has now ruled that EU law does not preclude a national provision that allows the competent national authority to access the identity data that a provider can assign to an IP address for the sole purpose of identifying a criminal suspect (PDF).

Control not necessary under certain conditions

The prerequisite for this is that the Internet providers do not store the various pieces of information together from the outset. Employees who have access to the data system must be prohibited from disclosing information about the content of the files consulted. Furthermore, they may not track the websites visited under the IP addresses and may not use these identifiers for purposes other than identifying their owners with a view to any measures directed against them.

If these requirements are met, access to the data system does not have to be controlled by a court or an independent administrative body if the interference with fundamental rights associated with the measure "cannot be classified as serious", writes the ECJ. An additional authorization is only necessary if it were possible "by linking the data and information collected in the course of the various stages of that procedure" to shed light on the private lives of the persons concerned in detail.

"The end of anonymity on the internet"

In principle, the ECJ has repeatedly rejected the retention of connection and location data regardless of suspicion. However, the general and indiscriminate retention of IP addresses may be permissible to combat serious crime and prevent serious threats to public security, according to recent ECJ rulings. ECJ Advocate General Maciej Szpunar already suggested in September that this case law should be developed further "pragmatically".

LQDN was very disappointed with the ruling: the ECJ had "sealed the end of anonymity on the Internet" with its change, of course. The police would be given comprehensive access to the personal identity associated with an IP address and even communication content.

(dahe)