Thursday 17 November 2011

Bonnier AG: "it's lawful if you do it lawfully .."

Case C-461/10 Bonnier Audio AB, Earbooks AB, Norstedts Förlagsgrupp AB, Piratförlaget Aktiebolag, Storyside AB v Perfect Communication Sweden AB is a reference to the Court of Justice of the European Union for a preliminary ruling which originates from the Swedish Högsta domstolen. Two questions were referred:
"1. Does Directive 2006/24 ... on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (the data storage directive), and in particular Articles 3, 4, 5 and 11 thereof, preclude the application of a national provision which is based on Article 8 of Directive 2004/48 ...on the enforcement of intellectual property rights and which permits an internet service provider in civil proceedings, in order to identify a particular subscriber, to be ordered to give a copyright holder or its representative information on the subscriber to whom the internet service provider provided a specific IP address, which address, it is claimed, was used in the infringement? The question is based on the assumption that the applicant has adduced evidence of the infringement of a particular copyright and that the measure is proportionate. 
2. Is the answer to Question 1 affected by the fact that the Member State has not implemented the data storage directive despite the fact that the period prescribed for implementation has expired?"
Today the Advocate General's Opinion was published in eight languages, none of them English. The advice given in the French version:
" La directive 2006/24 ...  modifiant la directive 2002/58/CE, ne s’applique pas au traitement des données à caractère personnel à d’autres fins que celles visées à l’article 1er, paragraphe 1, de cette directive. Par conséquent, ladite directive ne s’oppose pas à l’application d’une disposition nationale au titre de laquelle, dans le cadre d’une procédure civile, aux fins d’identifier un abonné déterminé, le juge enjoint à un fournisseur d’accès à Internet de divulguer au titulaire de droits d’auteur, ou à son ayant droit, des informations relatives à l’identité de l’abonné à qui ledit opérateur a attribué une adresse IP qui aurait servi à l’atteinte audit droit. Toutefois, ces informations doivent avoir été conservées pour pouvoir être divulguées et utilisées à cette fin conformément à des dispositions législatives nationales détaillées, qui ont été adoptées dans le respect du droit de l’Union en matière de protection des données à caractère personnel."
This being so, there is no need to answer the second question.  Google Translate renders this as follows:
"Directive 2006/24 ... and amending Directive 2002/58/EC does not apply to the processing of personal data for purposes other than those referred to in Article 1, paragraph 1 of this Directive. Therefore, the directive does not preclude the application of a national provision under which, in the context of civil proceedings, in order to identify a specific subscriber, the judge ordered a provider access to the Internet to disclose to the holder of copyright, or his successor in title, information concerning the identity of the subscriber to whom the trader has allocated an IP address that would have been used to achieve that right. However, this information must be retained in order to be disclosed and used for this purpose in accordance with detailed national legislation, which were adopted in compliance with EU law on the protection of personal data".
In other words, ordering an internet service provider to divulge subscriber information is lawful, as long as it's done lawfully.

We await further developments -- and corrections to the translation, if relevant.

1 comment:

Tor said...

Here's a summary based on the Swedish translation. Please keep in mind that I'm not a lawyer and this is based just on a quick reading of the material:

--------------------------------

A) - scope of the data retention directive

The data in this case is personal data that falls under the data protection of the EU.

The purpose of the data retention directive is to ensure that data is available to national authorities for the purposes of investigation and prosecution of serious crimes (the member states should also take measures to ensure that only competent authorities are given access to the data)

This national case is a civil case and it's not an authority by rather individuals who are requesting the data.

For that reason the circumstances in this case falls outside the area of applicability of the data retention directive.

B) - limitations to the protection of personal data

In order for the personal data to be transferred EU regulation demands that the national legislation should specify an obligation to store such data with a specification of what data should be retained, the purpose, duration etc. of the data. It would violate the principles of data protection to use databases that exist for some other purposes than those defined by the legislator.

--------------------------------

The B) part is quite interesting since it actually goes beyond the specific question and argues generally about the EU data protection. Basically it seems to imply that it's only legal to force the ISP to give up the data in case there is a Swedish law that specifies that the data should be retained for such purposes (which there isn't today).