ISPs cannot be forced to directly disclose personal data of copyright infringers to copyright holders, says ECJ advocate general
In an opinion issued on July 18, 2007, the Advocate General of the European Court of Justice (ECJ) took the position that the European data protection directives do not allow for a direct disclosure of personal data of copyright infringers to copyright holders willing to start civil infringement proceedings.
In 2006, a Spanish Court lodged an interesting reference for a preliminary ruling with the ECJ in a litigation between a Spanish ISP and a Spanish collecting society (case C-275/06). The question submitted to the ECJ was whether Member States are allowed to limit the duty of operators and service providers (Service Providers) to retain and make available connection and traffic information to situations where it is required in connection with a criminal investigation or the need to protect public safety and national defense, thereby excluding situations in which the data is needed by copyright holders wishing to lodge civil infringement proceedings.
On July 18, Advocate General Kokott issued her opinion in this case. According to the Advocate General, Member States are indeed entitled to exclude civil proceedings from the scope of the Service Providers’ duty to retain and make available traffic information. She went even further by stating that Community legislation simply prohibits such direct disclosure of connection and traffic data by service providers to copyright holders.
After an assessment of the relationship between Community legislation on e-commerce, copyright protection and IP enforcement on the one hand, and Community legislation on personal data protection (the Privacy Directives) on the other hand, the Advocate General came to the conclusion that the latter should prevail. For example, the right to information provided for in the IP enforcement directive does not warrant derogations from the data protection principles laid down in the Privacy Directives. The Advocate General also found that none of the exceptions to the prohibition to process traffic data would justify disclosing such data to copyright holders wishing to lodge infringement proceedings.
The Advocate General concluded that, for service providers to be forced/allowed to disclose personal traffic data to copyright holders with a view to entertaining civil proceedings, a reform of the current data protection directives would be required. As a matter of fact, under the current Community law framework, there is no legal basis for an obligation to directly disclose such data to copyright holders intending to start civil proceedings.
Should the ECJ follow the Advocate General’s opinion – which it does in the majority of cases – the consequences at the national level may be substantial. In particular, enforcement actions taken by copyright holders and collecting societies against ISPs, requiring the latter to disclose traffic and personal data relating to their subscribers, may become impossible. This risks making direct private action against copyright infringers more difficult, thereby increasing the focus and burden on criminal prosecution and on indirect actions against ISPs rather than infringers.
 Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market; Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society; Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
 Reference can also be made to the Dutch Lycos/Pessers case (http://zoeken.rechtspraak.nl/default.aspx), in which a Dutch citizen, Mr. Pessers, obtained injunctive relief against Dutch ISP Lycos. Lycos was forced to disclose to Pessers the identity of one of its subscribers who was accused of defamation. The Dutch Supreme Court (Hoge Raad) ruled in this case that Dutch privacy law does not necessarily prohibit the disclosure of personal data by ISPs to third parties wishing to entertain proceedings.