• Judgment of the Court of 29 January 2008, C-275/06, Promusicae

Promusicae is a non-profit-making organisation of producers and publishers of musical and audiovisual recordings. By letter of 28 November 2005 it made an application to the Juzgado de lo Mercantil No 5 de Madrid (Commercial Court No 5, Madrid) for preliminary measures against Telefónica, a commercial company whose activities include the provision of internet access services. Promusicae asked for Telefónica to be ordered to disclose the identities and physical addresses of certain persons whom it provided with internet access services, whose IP address and date and time of connection were known. According to Promusicae, those persons used the KaZaA file exchange program (peer-to-peer or P2P) and provided access in shared files of personal computers to phonograms in which the members of Promusicae held the exploitation rights. Promusicae claimed before the national court that the users of KaZaA were engaging in unfair competition and infringing intellectual property rights. It therefore sought disclosure of the above information in order to be able to bring civil proceedings against the persons concerned. By order of 21 December 2005 the Juzgado de lo Mercantil No 5 de Madrid ordered the preliminary measures requested by Promusicae. Telefónica appealed against that order, contending that under the LSSI the communication of the data sought by Promusicae is authorised only in a criminal investigation or for the purpose of safeguarding public security and national defence, not in civil proceedings or as a preliminary measure relating to civil proceedings. Promusicae submitted for its part that Article 12 of the LSSI must be interpreted in accordance with various provisions of Directives 2000/31, 2001/29 and 2004/48 and with Articles 17(2) and 47 of the Charter, provisions which do not allow Member States to limit solely to the purposes expressly mentioned in that law the obligation to communicate the data in question.

The Juzgado de lo Mercantil No 5 de Madrid asks whether Community law, specifically Articles 15(2) and 18 of Directive [2000/31], Article 8(1) and (2) of Directive [2001/29], Article 8 of Directive [2004/48] and Articles 17(2) and 47 of the Charter (…) permit Member States to limit to the context of a criminal investigation or to safeguard public security and national defence, thus excluding civil proceedings, the duty of operators of electronic communications networks and services, providers of access to telecommunications networks and providers of data storage services to retain and make available connection and traffic data generated by the communications established during the supply of an information society service.

The Court ruled that Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) do not require the Member States to lay down, in a situation such as that in the main proceedings, an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings. However, Community law requires that, when transposing those directives, the Member States take care to rely on an interpretation of them, which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality.

Order of 19 Feb 2009, C-557/07 (LSG), see summary below “Enforcement”

• Judgment of the Court of 19 October 2016, C-582/14, Patrick Breyer c/ Bundersrepublik Deutschland

Mr Breyer has accessed several websites operated by German Federal institutions. Most of those websites store information on all access operations in logfiles. The information retained in the logfiles after those sites have been accessed include the name of the web page or file to which access was sought, the terms entered in the search fields, the time of access, the quantity of data transferred, an indication of whether access was successful, and the IP address of the computer from which access was sought. Mr Breyer brought an action before the German administrative courts seeking an order restraining the Federal Republic of Germany from storing, or arranging for third parties to store, after consultation of the websites accessible to the public run by the German Federal institutions’ online media services, the IP address of the applicant’s host system except in so far as its storage is unnecessary in order to restore the availability of those media in the event of a fault occurring.

The referring Court asks essentially whether Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that that provider makes accessible to the public constitutes, with regard to that service provider, personal data within the meaning of that provision, where, only a third party, in the present case the internet service provider, has the additional data necessary to identify him.

The referring court asks essentially whether Article 7(f) of Directive 95/46 must be interpreted as precluding the legislation of a Member State under which an online media services provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of those services by the user concerned, and under which the purpose of ensuring the general operability of those services cannot justify use of the data beyond the end of the particular use of them.

The Court ruled that Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.

It also considered that Article 7(f) of Directive 95/46 must be interpreted as precluding the legislation of a Member State, pursuant to which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as that the collection and use of that data are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after a consultation period of those websites.