Access to civil identity data linked to IP addresses is permissible if such data are the only means to identify a person suspected of online copyright infringements. This is the view of Advocate General Szpunar in his Opinion of 27 October 2022 on Case C-470/21 (La Quadrature du Net, Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net, French Data Network v Premier ministre, Ministère de la Culture).

Facts of the case

The reference for a preliminary ruling by the Conseil d’État (France) is based on an action brought by data protection associations against a decree of the French Prime Minister. According to the decree, the “Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet” (High Authority for the dissemination of works and the protection of rights on the internet” – “Hadopi”) shall have direct access to personal data held by electronic communications operators and is allowed to inspect the data in order to warn subscribers against offending conduct of copyright infringements in the internet. The purpose is to combat the offence described as “gross negligence”, which is the fact that a person does not prevent his/her access to the internet from being used to commit acts constituting an infringement of the Intellectual Property Code. Holders of relevant subscriptions receive recommendations, which are part of a “gradual response procedure”.

The applicants’ arguments

The applicants claimed that the decree violates provisions of Directive 2002/58 on privacy and electronic communications and the Charter of Fundamental Rights and relied on the respective CJEU’s case law on principal unlawfulness of data retention. They argued first, that the decree permits access to connection data in a manner which is disproportionate considering that only minor copyright infringements committed online are concerned. Second, there is no prior review by a court or an authority offering guarantees of independence and impartiality.

The questions referred

The Conseil d’État pointed out on the one hand that according to the CJEU’'s recent judgment in La Quadrature du Net and Others (→ eucrim 3/2020, 184-186), a general and indiscriminate data retention regime relating to the civil identity of users of electronic communications systems for the purposes of combating crime is not precluded by EU law. On the other hand, the French court referred to the CJEU’s judgment in Tele2 Sverige and Watson (→ eucrim 4/2016, 164), in which a prior review by a court or an independent administrative authority is requested for the access of retained data by the competent authority. The French court stressed, however, that Hadopi issues thousand of recommendations to subscribers per year, so that a prior review is impracticable.

As a result, the Conseil d’État wishes to know whether Art. 15(1) of Directive 2002/58, read in the light of Arts. 7, 8 and 11 and Art. 52(1) CFR, precludes the French legislation which allows an administrative authority to have access to civil identity data, corresponding to IP addresses, in order to protect copyright infringements, without that access being subject to a prior review by a court or an independent administrative body.

The AG’s opinion

AG Szpunar first took the view that in the case at issue a general and indiscriminate retention of IP addresses assigned to the source of a connection is justified and compatible with EU law. He argued that otherwise there is a risk of impunity for the commission of copyright offences on the internet. However, he stressed that such a data retention regime must be subject to proportionality requirements.

Second, AG Szpunar denies a mandatory prior control insofar as the data access does not allow for tracking the visited internet pages and is limited to the goal of law enforcement (i.e. the prevention, investigation, detection and prosecution of online criminal offences). He bases this result on the strict adherence to the principle of proportionality in data retention according to CJEU’s case law.

Put in focus

In essence, the AG proposes a “light” readjustment of the CJEU’s case law on national measures for the retention of certain data (here: IP addresses). In light of the recent CJEU’s judgment on French legislation holding a general and indiscriminate data retention regime for the purposes of combating market abuse offences incompatible with Directive 2002/58 and the CFR (→ separate news item) and taking into account the massive and extensive collection of data by the French administrative authority “Hadopi”, it is open whether the judges in Luxembourg will follow the AG’s conclusions. In this context, it should be additionally stressed that previous CJEU case law requires effective procedural safeguards against the abuse of access to retained data in the exceptional cases where data retention is allowed. Therefore, it should be more closely assessed whether the French legislation offers such yardsticks sufficiently.