“You wait for ages for one and then two turn up at the same time!” The European Court of Justice issued two significant rulings this past November.
The first addressed the manner in which Spain enacted the Data Protection Directive. In Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v Administración del Estado (C-468/10) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado (C-469/10), the claimants challenged Spain’s national data protection law (Organic Law 15/1999) which imposed the extra condition that personal data must be in the public domain when processed, based upon a data controller’s legitimate interests. The ECJ ruled that Article 7(f) of the Data Protection Directive 95/46/EC was sufficiently precise to have direct effect in member states’ national laws because it sets out an exhaustive list of conditions to the processing of personal data and as such member states may not impose additional conditions.
The surprising aspect of this case, in our view, is that it has taken until now to gain a degree of consistency of interpretation for what is a relatively straightforward provision of EU data protection law. In our experience the misinterpretation of this provision in Spanish law has presented real practical difficulties to clients implementing run-of-the-mill applications involving non-sensitive personal data. The resulting emphasis in Spain on the need to gather consent has inevitably introduced increased bureaucracy and associated costs.
The other case, Scarlet Extended SA (Scarlet) v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Case C-70/10), stemmed from a referral to the ECJ by the Belgian court and has important implications for the practical enforcement of copyright infringement cases. SABAM, a management company representing owners of copyright-protected works, took legal action against Scarlet, an Internet Service Provider (ISP), because Scarlet’s users were downloading works in SABAM’s catalogue through peer-to-peer networks/file sharing and so infringing copyright.
In the legal proceedings SABAM asked the Belgian courts to make an order requiring the ISP to stop such infringements “by blocking, or making it impossible for its customers to send or receive in any way files containing a musical work using peer-to-peer software without permission”. The technical solution would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content was sent, which may also result in the blocking of lawful content. The local Belgian court granted SABAM’s request for an injunction.
Scarlet appealed, claiming that the injunction would be unlawful on several grounds, most notably in the context of data protection and privacy by breaching Belgian laws implementing Directive 2000/31, prohibiting the monitoring of communications and the general surveillance of all communications passing through the ISP’s network, and Directive 95/46/EC because the filtering system would involve the processing of IP addresses, which are personal data.
The ECJ ruled that the technical solution did not strike a fair or proportionate balance between the protection of the intellectual property right holders and the freedom to conduct a business, such as ISPs, nor was a fair balance struck between the protection of copyright and the fundamental rights of individuals, in this case the ISP’s customers.
Crucially, the ECJ noted the impact on the ISP’s customers and the infringement of their fundamental right to protection of their personal data (Article 8 of the Charter of Fundamental Rights of the EU) and their freedom to receive or impart information (Article 11 of the Charter).
This ruling essentially validates the Art. 29 Working Party’s opinion that in the hands of ISPs, IP addresses are personal data because “they allow those users to be precisely identified.” What is unclear from the ruling is whether IP addresses are also considered to be personal data when processed by organizations that would not have access to names and account information that would enable such precise identification.