Member States may impose a general and undifferentiated obligation on Internet service providers to retain IP addresses in order to combat criminal offences.
This was the ruling of the Court of Justice of the EU on Tuesday 30 April in case C-470/21, in response to a request for a preliminary ruling in a dispute between four French associations (La Quadrature du Net, la Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net and French Data Network) against the French public authorities concerning the interpretation of Directive 2002/58/EC relating to the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC.
The associations were seeking the annulment of decrees authorising the automated processing of personal data to send warnings, as provided for in the Intellectual Property Code, to Internet subscription holders in order to prevent infringements of copyright and neighbouring rights on the Internet.
The French Conseil d’État had argued that the number of recommendations sent to the individuals concerned under the ‘graduated response’ procedure was considerable and that, in order to implement the procedure, the staff of the Hadopi High Authority’s rights protection commission needed to be able to collect a great deal of data relating to the civil identity of the users concerned. Furthermore, subjecting these recommendations to prior control would hamper their implementation.
As is often the case, the Court followed the Opinion of the Advocate General (see EUROPE 13052/26, 13260/21), in this case finding in favour of the French authorities and specifying certain requirements relating to the storage and access conditions for this data.
Thus, the Court ruled that European law did not preclude Member States from imposing a general and undifferentiated obligation on Internet service providers to retain IP addresses in order to combat criminal offences.
The authorities may, if necessary, take measures concerning the holders of these addresses, provided that they ensure that their retention does not allow precise conclusions to be drawn about the private lives of the data holders.
Lastly, Member States may, under certain conditions, authorise the competent authority to access civil identity data linked to IP addresses, provided that a watertight separation of the categories of data is guaranteed.
And if, in certain situations, the specifics of a procedure governing such access may make it possible to identify precise elements of the private life of an individual concerned, access must be controlled ex ante by an independent court or administration.
To find out more, go to https://aeur.eu/f/c0r (Original version in French by Émilie Vanderhulst)