Advocate General says that a national authority should be able to access civil identity data linked to IP addresses

October 31, 2022

The Advocate General has issued his opinion in Case C-470/21 La Quadrature du Net and others. He says that a national authority should be able to access civil identity data linked to IP addresses if such information is the only means of investigation enabling the identification of the holders of those addresses suspected of online copyright infringement.

Four associations for the protection of rights and freedoms on the internet brought an action before the French courts to annul an implied decision by which the Prime Minister rejected their application for the repeal of a decree. To protect certain intellectual works on the Internet, automated processing of personal data has been introduced.

The objective of that processing is to send individuals the warning provided for in the Intellectual Property Code, the purpose of which is to combat the offence described as ‘gross negligence’, which is when someone does not prevent their access to the internet from being used to commit acts constituting infringement of copyright. The recommendations sent to the holders of the relevant subscriptions are part of the ‘graduated response’ procedure.

The associations claimed that the decree authorises access to connection data in a disproportionate manner for copyright offences committed online which are not serious, without prior review by a judge or authority offering guarantees of independence and impartiality, as required by EU case law.

The French court noted that the High Authority for the dissemination of works and the protection of rights on the internet (HADOPI) collects a considerable amount of data relating to the civil identity of the users concerned. Due to this high volume, making its collection subject to prior review would make it impossible to prepare those recommendations. It therefore referred the matter to the CJEU to ask about the scope of that prior review and whether the civil identity data corresponding to an IP address is subject to it.

Advocate General Szpunar takes the view that EU law should be interpreted as not precluding measures providing for the general and indiscriminate retention of IP addresses assigned to the source of a connection, for a period limited in time to what is strictly necessary, to prevent, investigate, detect and prosecute online criminal offences for which the IP address is the only means of investigation enabling the identification of the person to whom that address was assigned at the time of the commission of the offence.

He proposes that the Court update its case law on national measures for the retention of IP addresses, without, however, calling into question the requirement of proportionality imposed for the retention of data, in light of the serious nature of the interference with the fundamental rights in the European Charter of Fundamental Rights of the European Union.

The Advocate General added that Hadopi’s access to civil identity data linked to an IP address also appears to be justified by the public interest objective for which providers of electronic communications services were ordered to retain the data.

In his view, EU law does not require prior review of Hadopi’s access to civil identity data linked to users’ IP addresses by a court or an independent administrative body, for two reasons. The first is that Hadopi’s access is limited to linking civil identity to the IP address used and to the file viewed at a given point in time; it does not enable the competent authorities to reconstruct the online clickstream of the user in question or, therefore, to draw precise conclusions concerning his or her private life beyond the identification of the specific file viewed when the infringement was committed. Secondly, Hadopi’s access to civil identity data linked to IP addresses is strictly limited to what is necessary to achieve the objective pursued, that is, the prevention, investigation, detection and prosecution of online criminal offences for which the IP address is the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified, of which the graduated response mechanism forms part.

Finally, the Advocate General pointed out that the graduated response procedure remains subject to the provisions of Directive 2016/680 and that, as such, people targeted by Hadopi are protected by substantive and procedural guarantees.