On Thursday, 28 September, Advocate General Maciej Szpunar of the Court of Justice of the European Union (CJEU) delivered his second Opinion in the case that La Quadrature du Net, the Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net, and French Data Network brought against France. He believes that retention of and access to civil identity data coupled with the corresponding IP address should be permitted where that is the only means of investigation that makes it possible to identify the perpetrators of offences exclusively committed online.
A graduated response mechanism
In France, the High Authority for the dissemination of works and the protection of rights on the Internet (Hadopi) ensures that copyright is respected on the Internet. In the event of repeated infringements and after various warnings, it may refer the matter to the competent judicial authority so as to initiate criminal proceedings. However, this assumes that the institution can identify the perpetrator of the offence. As a result, a decree allows [Hadopi] to ask electronic communications operators to provide it with a user’s identity data when his or her IP address is linked to an offence.
While four data protection associations have challenged this decree in court, France’s Council of State has asked the CJEU whether this mechanism is compatible with EU law.
A “nuanced solution in particular [...] circumstances”
In his Opinion, the advocate general argues that communications service providers may be required to retain the IP address and corresponding user data. EU law also allows an administrative authority that is responsible for protecting copyright on the Internet to have access to such details.
In fact, he thinks that the IP address, the user’s identity, and the information relating to the work in question do not make it possible to create a detailed profile of the person in question or to draw precise conclusions about his or her private life. The purpose of [this information] is simply to enable Hadopi to identify suspected perpetrators and, if necessary, take action against them.
Furthermore, it is not necessary, from Mr Szpunar’s point of view, for such access to be subject to prior review by a court or an independent administrative authority insofar as such data are the only means of investigation enabling the alleged perpetrator to be identified.
Finally, he adds that his analysis has led to a “nuanced solution in particular and very narrowly defined circumstances” and is the result of balancing the various interests involved. Therefore, it does not change the CJEU’s case law on the retention of and access to data such as the IP addresses linked to identities but refines it to avoid “a systemic impunity of offences committed exclusively online”.
This is the advocate general’s second Opinion on the subject, following the CJEU’s decision to reopen the case in March 2023 (see EUROPE 13052/26).
Opinion: https://aeur.eu/f/8sc (Original version in French by Hélène Seynaeve)