Op-Ed: “Enforcing copyright in accordance with data protection law: the Court of Justice’s M.I.C.M. ruling” by Meinhard Schröder
The relationship between intellectual property (IP) and IT is an ambivalent one. On the one hand, IT enables creators to present their work to a large audience, in particular by way of streaming content. On the other hand, IT enables everyone to easily exchange files, including files with copyrighted content. Since the early 2000s, the sharing of copyrighted material has become a major economic problem (‘internet piracy’), in particular for the music and movie industry.
It had always been common sense that internet piracy could not be right, but a very low risk of negative consequences – at least for those who only received files and did not share in exchange, contrary to the Bible (Acts 20:35) and the idea of file sharing (Opinion of AG Szpunar in C-597/19, point 47) – let it become a mass phenomenon. Nowadays, following hundreds of court decisions interpreting copyright laws teleologically instead of over-emphasising ambiguities in their wording and technical details of the file sharing procedure, it is beyond question that the exchange of copyrighted material through the internet (including streaming) is illegal. The ‘legal grey area’, as it was sometimes called, has turned black.
The judgment of the Court of Justice in M.I.C.M. (C-597/19), released on 17 June 2021, is impressive in reflecting this development. It deals with the BitTorrent software, which enables the peer-to-peer exchange of files. These are transferred in sometimes very fragmented pieces. The Court of Justice ruled that the uploading of segments of files protected by intellectual property rights onto a peer-to-peer network amounts to a ‘communication to the public’ and ‘making them available to the public‘ within the meaning of Article 3(1) and (2) of Directive 2001/29 (paragraph 59). To reach this conclusion, the Court not only refers to previous case law describing an ‘act of communication’ as ‘any transmission of the protected works, irrespective of the technical means or process used’ (paragraph 47), but it also compares the operation of the peer-to-peer network with the operation of the world wide web in general (‘does not differ, in essence’, paragraph 44). In addition, the Court points out that, due to the swarm concept of BitTorrent, there is no ‘minimum threshold’ of previously downloaded pieces (paragraphs 45 and 46).
Other possible counter-arguments are tackled equally convincingly: it does not matter if the work has been previously published on a website by the IP rightholder (paragraphs 57 and 58), and it does not matter either that the upload is performed automatically by the BitTorrent software, ‘when the user, from whose terminal equipment that uploading takes place, has subscribed to that software by giving his or her consent to its application after having been duly informed of its characteristics’ (paragraph 59).
Even if an infringement of intellectual property rights can be clearly determined, as was the case in M.I.C.M., the enforcement of these rights remains difficult. In the past, the Court of Justice has contributed to these difficulties, especially when defining ‘addresses’ within the meaning of Article 8(2)(a) of Directive 2004/48 only as the postal address and not an email or IP address (Constantin Film Verleih, C-264/19). In M.I.C.M., the Court is more rightholder-friendly and (convincingly) interprets Directive 2004/48 ‘as meaning that a person who is the contractual holder of certain intellectual property rights, who does not however use them himself or herself, but merely claims damages from alleged infringers, may benefit, in principle, from the measures, procedures and remedies provided for in Chapter II of that directive, unless it is established, in accordance with the general obligation laid down in Article 3(2) of that directive and on the basis of an overall and detailed assessment, that his or her request is abusive’. The Court thereby deals with the problem of copyright trolls, but clearly distinguishes it from the situation in which a holder of intellectual property rights (legitimately) chooses ‘to outsource the recovery of damages to a specialised undertaking by assigning claims or another legal act’ (paragraphs 77 and 78).
The enforcement of intellectual property rights on the internet is also a data protection issue, as can be seen in M.I.C.M. Usually, the only traces of ‘internet pirates’ are their (dynamic) IP addresses. IP addresses can constitute personal data within the meaning of Article 4(1) GDPR, as the Court held in Breyer (C-582/14). Therefore, in order to take action against the ‘pirates’, their personal data must be processed, and it must be processed in accordance with data protection law. As the Court correctly points out (paragraph 97), two different types of data processing need to be examined: First, the recording of the IP addresses of the alleged pirates, performed upstream by M.I.C.M. in the case decided; and second, the identification of the holders of those IP addresses by the internet provider who assigned them, and the communication of their names and postal addresses to the copyright holder, as requested by M.I.C.M. in the Belgian case leading to the questions referred to the Court of Justice.
With regard to the first type of processing (recording of IP addresses), the Court starts with a standard application of the GDPR. Referring to Breyer, the Court first points out that the copyright owner has ‘a legal means of identifying the owners of the internet connections in accordance with the procedure provided for in Article 8 of Directive 2004/48’ (paragraph 104), therefore there is personal data.
Second, the processing of this data needs a legal basis, which the Court finds in Article 6(1)(f) GDPR. All in line with previous case law, in particular Rīgas satiksme (C‑13/16), the recovery of claims is considered as a legitimate interest (paragraphs 108 and 109), the necessity of processing the data derives from the absence of other possible means to identify the owner of the connection (paragraph 110), and the balancing of the opposing rights and interests at issue is, as usual, left to the referring court (paragraph 111). Although in cases of internet piracy the legitimate interest to recover claims is likely not to be ‘overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data’, this does not lead to overall lawfulness of the recording of IP addresses. As the Court notes, these addresses do not only constitute personal data within the meaning of the GDPR, but also traffic data within the meaning of Article 2(b) of Directive 2002/58 (paragraph 113). Articles 5 and 6 of that Directive require Member States to limit the processing of traffic data quite strictly, unless they make use of Article 15(1) of Directive 2002/58 and ‘adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5 [and] Article 6’. In M.I.C.M., the Court could only point out some general requirements for such legislative measures (paragraphs 116-119), as the referring court did not name the legal basis in Belgian law.
If one agrees with the Court that the IP address is traffic data (which is debatable from the perspective of a communication partner, to whom the data is visible anyway – in any case the need for special protection is doubtful), the side-by-side assessment of conformity with the GDPR and with the Directive 2002/58 (or the national laws transposing it) appears formally correct. In particular, Article 95 GDPR does not prevent it. However, it is a painful reminder of the incoherence in EU data protection law that is caused by the ongoing controversies about the long-planned e-Privacy Regulation.
With regard to the second type of processing, the identification of the holders of the IP addresses (through their access providers), the Court’s focus is again on the requirements of Directive 2002/58. This is certainly convincing because from the access providers’ perspective the IP addresses undoubtedly constitute traffic data. The Court reiterates the need for a legal basis in the national law for this type of processing, in accordance with Article 15(1) of Directive 2002/58 (paragraphs 125-128), and it refers to its case law on the retention of IP addresses, especially in La Quadrature du Net (C‑511/18, C‑512/18 and C‑520/18). In that judgment (paragraph 155), the Court had ruled that ‘a legislative measure providing for the general and indiscriminate retention of only IP addresses assigned to the source of a connection does not, in principle, appear to be contrary to Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, provided that that possibility is subject to strict compliance with the substantive and procedural conditions which should regulate the use of that data’. So, formally, the Court returns the ball to the Member States, but substantively, by interpreting the fundamental rights of the Charter, it decides under what circumstances data retention is lawful. Obviously, harmonisation on the EU level is the way out of this paradox, and it should be achieved by replacing Directive 2002/58 with a modern e-Privacy Regulation.
Meinhard Schröder holds the chair of Public Law, European Law and IT law at the University of Passau (Germany).