top of page
Writer's pictureRosie Burbidge

Can EU data protection law be used to stifle copyright enforcement?


red light switches with three lit up

The EU Court of Justice (CJEU) recently published a detailed judgment on the processing of personal data and the protection of privacy in electronic communications. The judgment concerned a dispute relating to data collected by the French copyright enforcement authority, Hadopi (Case C-470/21 La Quadrature du Net and Others)


Three questions on the scope of EU data protection law

The case concerned three questions referred from the French Council of State concerning the interpretation of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009.


It relates to two personal data processing operations (upstream and downstream) carried out for Hadopi.


  1. In the first operation, the rightsholder organisations collect IP addresses on peer-to-peer websites and send reports to Hadopi.

  2. In the second operation, internet service providers (ISPs) match an IP address with the civil identity data of its holder.

Four civil rights associations brought an action before the French Council of State, raising questions as to whether the data processing operations are compatible with EU law.


Identification data permissible

The Court held that the conditions under which personal data may be retained* do not prevent national laws that authorise copyright enforcement bodies to access identification data retained by providers of electronic communications services provided certain conditions are met.


In summary, these conditions are:

  • the possibility of drawing precise conclusions about people’s private lives is ruled out;

  • the data serves exclusively to identify the person suspected of having committed a criminal offence;

  • the possibility of linking the data with files containing information that reveals the title of protected works is subject, in cases of repeat infringement, to review by a court or other body, which must take place before any such linking; and

  • the data processing system is subject to regular review by an independent body.


What does this mean?

EU data protection law can sometimes be characterised by the media as being unduly burdensome and impractical for the real world. However, the law on the processing of personal data in the EU is well developed and comprehensive. This judgment provides specific, practical guidance on how data protection law applies to bodies that collect and/or process data for the purposes of IP enforcement.


Due to the nature of online piracy of music, movies, games etc, copyright holders depend on being able to identify, record and track cases of infringement. The judgment helpfully sets out the conditions under which the relevant data that is collected can be used.


*as set out in Article 15(1) of the directive, when read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union


To find out more about the issues raised in this blog contact Rosie Burbidge, Intellectual Property Partner at Gunnercooke LLP in London - rosie.burbidge@gunnercooke.com


#copyright #enforcement #IPlawyer #data #EU #infringement #dispute #judgment

bottom of page