In the online environment direct infringers often act anonymously or are highly difficult to track identify. Hence, right holders face a strenuous task when trying to collect evidence against online infringers of their exclusive rights. In a strive to ensure that copyright can be effectively enforced in the online environment various national and international legislative measures have been adopted, providing right holders with the ability to compel disclosure of the details of the person standing behind an IP address from internet intermediaries. This, however, has led to many reasonable personal privacy arguments. Pursuant to data protection principles personal data must not be disclosed for purposes other than the ones for which the personal data was legitimately obtained from each subject in the first place. The right of copyright owners to protect their intellectual property is not an absolute right and therefore cannot be exercised in absolute contradiction with other fundamental rights, protected by the various international human rights treaties functioning in the EU. The question of finding a balance between enforcement of intellectual property rights and the protection of the right to privacy and the freedom of expression has produced a fair amount of case law in Europe. Nonetheless, the EU has still not outlined any definition for such an appropriate balance, which has given Member States a large field of manoeuvre and flexibility to adopt provisions in their national legislation which are in accordance with their national cultural specifics on the matter.
According to Article 47 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) laying down the right of information:
‘Members may provide that the judicial authorities shall have the authority, unless this would be out of proportion to the seriousness of the infringement, to order the infringer to inform the right holder of the identity of third persons involved in the production and distribution of the infringing goods or services and of their channels of distribution.’
The same ‘right of information’ is provided in Article 8 of the Directive 2004/48 on the enforcement of intellectual property rights (called in short the IPRED), reading:
Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who: …
(c) was found to be providing on a commercial scale services used in infringing activities;…
The right of information set out in Article 8 is of crucial importance for right holders since it enables them to determine the identity of the infringer to take legal actions against the latter. When relating to infringements in the digital domain, this information is only receivable with the assistance of the service providers. This is the raison d'être behind Article 8 (3) of Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society, which states that:
Member States shall ensure that right holders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.
Going back to the IPRED Directive, however, we will see that Article 2 (3) thereof provides that the provisions of the Directive shall not affect Directive 95/46/EC (the Data Protection Directive), Directive 2000/31/EC (the e-Commerce Directive), in general, and Articles 12 to 15 of Directive 2000/31/EC, in particular, (the exemption from liability for providers of ‘internet society services’ and the prohibition of a general obligation to monitor information). Last but not least, Article 3 of the Directive states that the intellectual property enforcement measures, procedures and remedies provided in the Directive, ‘shall be fair and equitable’ and also ‘proportionate’.
The ambiguity, created by the seemingly conflicting provisions of EU legislation, has been clarified in Case C‑275/06, Productores de Música de España (Promusicae) v Telefónica de España SAU. The case was brought before the ECJ after the Spanish collecting society Promusicae demanded the service provider Telefonica to provide it with data identifying users who had used the KaZaA P2P file-sharing program for infringing activities. The CJEU ruled that the applicable EU acquis, which includes the Data Protection Directive, the e-Commerce Directive, the e-Privacy Directive, and the IPRED, does not require Member States to lay down an obligation to communicate personal information in order to ensure the effective protection of copyright. However, the applicable EU legislation does not preclude Member States from adopting such requirements; insofar the provisions strike a fair balance with the various fundamental rights ensured by the Community legal order.
The ECJ’s decision in Promusicae was later referred in a similar Case C‑557/07 LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH. An important conclusion of the CJEU in this case is the aim of Directive 2001/29 (the InfoSoc Directive) to ensure an effective legal protection of copyright and related rights in the EU internal market. This protection would be substantially diminished if ‘intermediaries’, within the meaning of Article 8(3) of the Directive, were to be construed as not covering Internet access providers, which alone are in possession of the data making it possible to identify the users who have infringed those rights.
The interplay between Article 8 of the IPRED (the right of information) and the provisions of Directive 2006/24/EC on the retention of data (later invalidated by the CJEU due to interference with the fundamental rights to respect for private life and to the protection of personal data) were the subject of discussion in Case C-461/10 Bonnier Audio AB. The case included a group of publishing companies, holding exclusive copyright over audiobooks which were without their consent, shared and transferred by means of a file transfer protocol (FTP) server owned by the Internet service provider - ePhone. ePhone had been demanded to disclose information about the name and address of the subscriber, who had used the IP address from which it was assumed that the files in question had been sent. ePhone opposed the disclosure by arguing that such an obligation contradicted with the provisions of the Data Retention Directive, which allowed disclosure only in favour of public authorities, and hence denied to provide any information to the claimants in the main proceedings. Consequently, the case was referred to the CJEU for a preliminary ruling which stated that Directive 2006/24 did not preclude Member States from adopting and applying national legislation which allows an Internet service provider to be ordered to give a copyright holder or its representative information about a subscriber to whom the Internet service provider provided an IP address which was allegedly used in an infringement. However, such a provision will be admissible if the claimant has adduced reasonable evidence of the infringement of a particular copyright and if the measure is proportionate in relation to the infringers fundamental rights. The Court also ruled that EU legislation allowed national courts seized with an application for an order to disclose personal data to always weigh the conflicting interests involved on the basis of the facts of each case. Despite the Data Retention Directive being invalidated by the CJEU later in 2014 due to incompatibility with the EU Charter’s fundamental rights, the CJEU’s guidance in Bonnier Audio remains important and applicable in the current discussion as to the fair balance between intellectual property right enforcement and other fundamental rights, such as private life and personal data protection. If we have to sum up, the CJEU’s position on the matter has promoted flexibility and proportionality in such cases, allowing for Member States and their authorities to always weigh in the facts of each specific case before issuing in any side’s favour.
The lack of harmonisation between Member States on the right of information, ensured to copyright owners, has resulted in a patchwork of different provisions in different national legislations. Nonetheless, in general - a demand to disclose information for an alleged infringer can be only made if provisions allowing for such a right exists in the national legislation of Member States. If such a regulatory framework exists, it must be taking into account and thus safeguarding all the other fundamental rights involved, such as (but not only) the right to private life and the right to personal data protection. An order for the disclosure of personal data should be upheld, insofar as there are clear evidence of an infringement and not just allegations from the right owner and only when no less harmful measure can be employed in order to accomplish the wanted results (principle of proportionality). Furthermore, the demanded information should be regarded as facilitating the investigation and strictly necessary for the accomplishment of the objective, pursued in the civil proceedings.