CJEU rules on seeding, trolls, and interplay between copyright enforcement and data protection rules

 Back in 2019, The IPKat reported on a referral from Belgium – Mircom, C-597/19 – asking the Court of Justice of the European Union (CJEU) to clarify the treatment of (i) seeding under the InfoSoc Directive and (ii) ‘trolls’ under the Enforcement Directive, as well as the interplay between copyright enforcement and data protection law (GDPR).


Earlier this week, the Court issued its ruling, substantially endorsing the earlier Opinion of Advocate General (AG) Szpunar.

Background

Also Bluebell received a worrying
request for damages in connection
with some suspicious online activities ...
Mircom is a Cypriot company holding rights (as an assignee) to several pornographic films. It is seeking an order from the Antwerp Companies Court against Belgian ISP Telenet that would allow it to identify the latter’s customers whose internet connections have been used to share illegal copies of Mircom’s films through seeding. Via other companies, Mircom has collected thousands of dynamic IP addresses used to infringe its rights. Supported by two other Belgian ISPs, Telenet is opposing Mircom’s action.

The Belgian court was uncertain as regards the points below and thus decided to refer the case to the CJEU for guidance:
  • First, is it an act of communication/making available to the public under Article 3 of the InfoSoc Directive to download pieces (unusable in themselves) of a digital file containing protected content while simultaneously making them available for automatic uploading and downloading by others?
  • Secondly, do the provisions of the Enforcement Directive apply to someone which does not exploit the rights in protected materials, but merely claim damages from alleged infringers? In other words: can a ‘copyright troll’ like Mircom be entitled to protection?
  • Thirdly, is the collection of IP addresses made on behalf of Mircom compatible with Article 6(1)(f) GDPR?

The judgment

No de minimis threshold to the application of the right of communication to the public

In relation to the first question, the CJEU endorsed the considerations that AG Szpunar had undertaken in his Opinion, also reasoning by analogy with how the World Wide Web functions: the pieces that are downloaded and re-uploaded are not of the films themselves; instead, they are pieces of the files containing the films. The circumstance that such pieces are unusable per se is irrelevant, considering that what is made available is the file containing the protected content. Indeed, users have ultimately access to the complete file containing the film.

From the above it follows that there is no minimum threshold to the number of pieces downloaded (and automatically re-uploaded) by individual users: what matters is whether protected content has been made available in such a way that the persons comprising that public may access it, from wherever and whenever they individually choose, irrespective of whether or not they avail themselves of that opportunity.

In the present case, if the users have consented to the automatic re-uploading of the pieces that they download, it should be considered that they act in full knowledge of the consequences of their actions and, as a result, perform acts restricted by Article 3 of the InfoSoc Directive. It is not required that users manually initiate the re-uploading: what matters is that they have consented to the use of the relevant software after receiving information regarding its characteristics.

Copyright trolls might be entitled to the measures, procedures and remedies under the Enforcement Directive

Turning to the second question, the CJEU intended it as encompassing:
  1. The legal standing of a subject like Mircom;
  2. Whether such a subject may have suffered a prejudice within the meaning of Article 13 of the Enforcement Directive; and
  3. Whether it is entitled to exercise the right of information under Article 8 of that directive.
As regards 1., the CJEU inter alia noted that the Enforcement Directive does not require IPR holders to actually use their rights to be eligible for the application of its rules.

Turning to 2., the referring court had considered that an IPR holder that does not use its rights is unlikely to suffer prejudice within the meaning of Article 13. To this the CJEU responded by noting that the simple circumstance that Mircom brings actions for damages as an assignee of rights/claims for damages does not rule out protection under the Enforcement Directive. Holding otherwise would run contrary to the Enforcement Directive’s objective to guarantee a high level of protection and undermine the attractiveness of outsourcing the recovery of damages to a specialized undertaking.

Kat troll
Moving on to 3., the CJEU noted that the right of information under Article 8 is an expression of the right to an effective remedy under Article 47 of the EU Charter. A request for information during a pre-litigation phase is not per se inadmissible, insofar as it is also justified and proportionate. Unlike, eg, Article 13, that provision is aimed at infringements committed on a commercial scale, not the fight against individual infringers. In the present case, Mircom’s right of information is being exercised against Telenet which, according to the CJEU, provides on a commercial scale services used in infringing activities.

All this said, the overarching limits within Article 3 of the Enforcement Directive must be complied with. This inter alia means (at [94]) that
the measures, procedures and remedies necessary to ensure the enforcement of the intellectual property rights covered by that directive, including the right of information referred to in Article 8, are fair and equitable and applied in such a way as to provide for safeguards against their abuse.
The CJEU noted that this is an assessment for the national court to undertake.

When copyright enforcement meets data protection

The CJEU highlighted that, in a case like that one at issue, there are two different types of personal data processing: one taking place upstream and relating to the systematic recording of IP addresses (they qualify as personal data in accordance with Breyer) and one taking place downstream and concerning the matching of such addressees to Telenet users and their disclosure to Mircom. The issue here was essentially whether Article 6(1)(f) precludes both or either processing.

That GDPR provision lays down 3 cumulative conditions for the processing of personal data:
  1. First, the pursuit of a legitimate interest by the data controller or by a third party;
  2. Secondly, the need to process personal data for the purposes of the legitimate interests pursued; and
  3. Thirdly, that the interests or freedoms and fundamental rights of the person concerned by the data protection do not take precedence.
With regard to 1., the Court noted that the retrieval of personal information of a subject who has damaged one’s own property may qualify as a legitimate interest. Turning to 2., identification of the owner of the connection is often only possible on the basis of the IP address and information provided by the ISP. Finally, in relation to 3., the mechanisms allowing the different rights and interests to be balanced are contained in the GDPR itself. The Court referred extensively to its La Quadrature du Net ruling and the need to comply with the provisions that embody users’ fundamental right to respect for private life and protection of personal data.

Ultimately, the CJEU ruled that Article 6(1)(f) GDPR, read in conjunction with Article 15(1) of Directive 2002/58, does not preclude either the upstream or downstream data processing requests, insofar they are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58, which limits the scope of the rules laid down in Articles 5 and 6 of that directive.

Comment

The ruling is important for and offers guidance in relation to three broader points.

Insofar as the right of communication to the public is concerned, the CJEU correctly endorsed AG Szpunar’s analysis. On a more general level, the judgment confirms a basic tenet: Article 3 of the InfoSoc Directive is about making copyright works and protected content available to the public. The focus should be, first of all, on assessing whether that is the case, rather than how such making available is done. As AG Szpunar reasoned by analogy with the functioning of the World Wide Web (at [49]),
The work as an object that is perceptible to humans exists on the web only from the point at which a client computer accesses the server in question, reproduces the file and displays that work on the screen (or reproduces its sounds). However, merely placing the file containing the work on a server which can be accessed using the World Wide Web is sufficient for there to be an act of communication (making available) … The right to make works available to the public was conceived precisely for the use of works on the internet, in the first place on the World Wide Web.
In any case, and even if this was not part of the referral, users who download illegal content from the internet would be also performing acts of reproduction and be ineligible for the application of the private copying exception in Article 5(2)(b) of the InfoSoc Directive, in accordance with ACI Adam.

Turning to the Enforcement Directive, the judgment – again correctly – does not premise the availability of protection upon the actual use of one’s own rights. This is also consistent with the principle, which however the Court did not expressly refer to, of copyright’s economic rights as being preventive in nature. All this said, the Court also reinstated the requirement of compliance with the overarching principles and limits found in Article 3 of the Enforcement Directive. In practice, this means that trolls of various types, including copyright ones, might be unable to invoke successfully protection under the Directive and its national transpositions.

Finally, the ruling offers some concrete guidance on how to balance copyright/IPR enforcement and data protection rules. This may be also useful when applying the provisions of the DSM Directive, including Article 17(9). Article 28 expressly requires any processing of personal data to be carried out in compliance with Directive 2002/58 and the GDPR.

[Originally published on The IPKat on 20 June 2021]

Comments

Popular posts from this blog

Filmspeler, the right of communication to the public, and unlawful streams: a landmark decision

Italian court finds Google and YouTube liable for failing to remove unlicensed content (but confirms eligibility for safe harbour protection)

Brands and online ecommerce platforms: a tainted relationship?