CJEU rules that systematic gathering of IP addresses is lawful
In a decision handed down on June the 17th, 2021, the Court of Justice of the European Union ruled that the systematic gathering by a rights holder of the IP addresses of internet users taking part in peer-to-peer networks was compliant with the GDPR.
A company with film rights found that users were illegally downloading films on peer-to-peer networks. After collecting the IP addresses of the illegal downloads, the company submitted a request for information to the internet provider of these IP addresses in order to be provided with the identification data, which the provider refused.
In this context, the Belgian court which was relevant to hear the case, referred a number of questions to the CJEU for a preliminary ruling, one of which concerned the lawfulness of the gathering of IP addresses and the request for information aimed at obtaining the identity of the holders of these IP addresses from the rights holder company in the light of the General Data Protection Regulation 2016/679 (GDPR) and the Directive on “privacy and electronic commerce” 2002/58/EC.
Relying on Article 6(1)(f) of the GDPR, the CJEU recalled the three conditions for the processing of personal data:
(i) The pursuit of a legitimate interest;
(ii) Necessity for the achievement of the legitimate interest pursued;
(iii) The interests or fundamental rights and freedoms of the data subject must not prevail, in which case the processing will be unlawful automatically.
The CJEU applied these conditions to the case in point, considering first that the defence of property rights constitutes a legitimate interest. As such, the gathering of IP addresses and the subsequent request for information can be considered necessary insofar as “the identification of the holder of the connection is often possible only on the basis of the IP address and the information provided by the Internet service provider“. Finally, “the mechanisms for striking a fair balance between the various rights and interests involved are enshrined in Regulation 2016/679 itself.”
Furthermore, the CJEU considers that the GDPR is not incompatible with “the systematic recording, by the holder of intellectual property rights as well as by a third party on its behalf, of IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities nor with the communication of the names and postal addresses of those users to that holder or to a third party in order to enable it to bring an action for compensation before a civil court for damage allegedly caused by those users, provided, however, that such initiatives and claims by the rights holder or such a third party are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58“.
This decision therefore establishes the principle of striking a balance between the protection of personal data and intellectual property rights.
By Xenia Bodiansky and the IP-IT team of UGGC Avocats