EU: AG holds retention and access to civil identity data linked to IP address is allowed if necessary to investigate online copyright infringements
On September 28, 2023, the Court of Justice of the European Union (CJEU) published a press release containing a summary of the Advocate General (AG) Maciej Szpunar's opinion in Case C-470/21 La Quadrature du Net and Others. The CJEU clarified that the opinion was delivered in the context of the reopening of the proceedings in the case in question and that the AG had delivered their opinion for the first time in October 2022.
The CJEU explained that the request for a preliminary ruling originated from the French Council of State, following legal proceedings brought by four associations for the protection of rights and freedoms on the internet. The legal proceedings challenged a decree, adopted in 2010, which allows the French High Authority for the Dissemination of Works and the Protection of Rights on the Internet (Hadopi) to request electronic communications operators to provide the civil identity data of the user to whom an IP address, used to commit an infringement of copyright, is assigned.
Further to the above, the AG considered that EU law does not preclude providers of electronic communications services from being required to retain IP addresses and corresponding civil identity data and does not preclude an administrative authority responsible for protecting copyright from obtaining access to such addresses and data. In this regard, the AG considered that the IP address, the civil identity of the person having a right to internet access, and the information relating to the actions in question do not make it possible to draw precise conclusions about the private life of the person presumed to have infringed copyright. Instead, the AG held that all that is revealed is a viewing of content at a particular time which, taken on its own, does not make it possible to establish a detailed profile of the person who viewed the content.
In conclusion, the AG took the view that the retention of, and access to, civil identity data linked to the IP address used should be allowed in cases where that data is the only means of investigation that make it possible to identify the perpetrators of copyright infringements committed exclusively on the internet. According to the AG, the graduated response mechanism adopted by Hadopi under the challenged decree is compatible with the EU-law requirements in the field of personal data protection.
You can read the press release here.