OPINION OF ADVOCATE GENERAL
delivered on 17 November 2011 (1)
Bonnier Audio AB,
Norstedts Förlagsgrupp AB,
Perfect Communication Sweden AB (‘ePhone’)
(Reference for a preliminary ruling from the Högsta domstolen (Sweden))
(Copyright and related rights – Right to effective protection of intellectual property – Directive 2004/48/EC – Article 8 – Protection of personal data – Electronic communications – Retention of certain data generated – Transmission of personal data to individuals – Directive 2002/58/EC – Article 15 – Directive 2006/24/EC – Article 4 – Audio books – File sharing – Disclosure order to an internet service provider to provide the name and address of the user of an IP address)
I – Introduction
1. This reference for a preliminary ruling concerns the interpretation of Articles 3 to 5 and 11 of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (2) and the interpretation of Article 8 of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (3)
2. The reference has been made by the Högsta domstolen (Supreme Court of Sweden) in the course of proceedings brought by Bonnier Audio AB, Earbooks AB, Norstedts Förlagsgrupp AB, Piratförlaget Aktiebolag and Storyside AB (‘Bonnier Audio and Others’) against Perfect Communication Sweden AB (‘ePhone’) concerning the latter’s challenge to the application by Bonnier Audio and Others for an order to disclose data for the purposes of identifying a particular subscriber.
3. The protection of personal data is a broad subject which continuously raises a number of questions in various domains. It constitutes a fundamental right (Article 8 of the Charter of Fundamental Rights of the European Union (‘Charter of Fundamental Rights’)), like the right to respect for private and family life (Article 7 of the Charter of Fundamental Rights), which often needs to be balanced against another fundamental right guaranteed by the European Union’s legal system, such as the protection of intellectual property (Article 17 of the Charter of Fundamental Rights). (4) In secondary legislation, two directives constitute the texts of reference, namely Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (5) and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). (6) Those directives were amended by Directive 2006/24.
4. The ground-breaking and often delicate questions relating to the protection of personal data also arise from the fact that a large number of cases brought before the Court have resulted in a judgment of the Grand Chamber, notably in relation to the interpretation of Directive 95/46. (7)
5. The Court has already had occasion to make several rulings on the interpretation of Directive 2006/24. The legal question raised by this case, however, differs from those in the cases dealt with so far. (8) In the present case, the referring court must in particular consider the question of whether there is a need to amend the interpretation given in Promusicae and the order in LSG‑Gesellschaft zur Wahrnehmung von Leistungsschutzrechten, (9) following the adoption of Directive 2006/24.
II – Legal context
A – European Union law
1. Intellectual property rights
6. Directive 2004/48 establishes rules relating to the enforcement of intellectual property rights.
7. Article 8 of Directive 2004/48 is worded as follows:
‘1. Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate application by the claimant, the competent judicial authorities may order that information on the origin and distribution networks of goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who:
(a) was found in possession of the infringing goods on a commercial scale;
(b) was found to be using the infringing services on a commercial scale;
(c) was found to be providing on a commercial scale services used in infringing activities;
(d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.
2. The information referred to in paragraph 1 shall, as appropriate, comprise:
(a) the names and addresses of the producers, manufacturers, distributors, suppliers and other previous holders of the goods or services, as well as the intended wholesalers and retailers;
(b) information on the quantities produced, manufactured, delivered, received or ordered, as well as the price obtained for the goods or services in question.
3. Paragraphs 1 and 2 shall apply without prejudice to other statutory provisions which:
(e) govern the protection of confidentiality of information sources or the processing of personal data.’
2. Protection of personal data
8. The relevant legal framework consists of three directives, namely Directives 95/46, 2002/58 and 2006/24.
a) Directive 95/46
9. Directive 95/46 obliges Member States to ensure the protection of the rights and freedoms of natural persons with regard to the processing of personal data by establishing guiding principles to determine the lawfulness of the processing.
b) Directive 2002/58
10. Directive 2002/58 translates the principles set out in Directive 95/46 into specific rules for the electronic communications sector.
11. Article 5(1) of Directive 2002/58 provides that Member States must ensure the confidentiality of communications by means of a public communications network and publicly available electronic communications services, and of the related traffic data, and must inter alia prohibit, in principle, the storage of those data by persons other than users, without the consent of the users concerned. The only exceptions to this principle are those in favour of persons lawfully authorised, within the meaning of Article 15(1) of the directive, and those relating to the technical storage necessary for conveyance of a communication. In addition, Article 6(1) of Directive 2002/58 provides that stored data relating to traffic must be erased or made anonymous when they are no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of that article and Article 15(1) of the directive.
12. According to Article 15(1) of Directive 2002/58, the Member States may adopt legislative measures to restrict the scope inter alia of the obligation to ensure the confidentiality of traffic data, when such a restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (that is State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system, as referred to in Article 13(1) of Directive 95/46.
c) Directive 2006/24
13. Directive 2006/24 concerns the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
14. Article 1(1) of Directive 2006/24 states as follows:
‘This Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.’
15. The provisions of Directive 2006/24 are designed to harmonise national laws on the obligation to retain data (Article 3), the categories of data to be retained (Article 5), the periods of retention of data (Article 6), data protection and data security (Article 7) and the conditions for data storage (Article 8).
16. Article 3(1) of the directive provides:
‘By way of derogation from Articles 5, 6 and 9 of Directive 2002/58/EC, Member States shall adopt measures to ensure that the data specified in Article 5 of this Directive are retained in accordance with the provisions thereof, to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned.’
17. Article 4 of Directive 2006/24 states:
‘Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights.’
18. Article 5 of Directive 2006/24 states:
‘1. Member States shall ensure that the following categories of data are retained under this Directive:
(2) concerning [i]nternet access, [i]nternet e-mail and [i]nternet telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any communication entering the public telephone network;
(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
(b) data necessary to identify the destination of a communication:
(c) data necessary to identify the date, time and duration of a communication:
(d) data necessary to identify the type of communication:
(e) data necessary to identify users’ communication equipment or what purports to be their equipment:
(f) data necessary to identify the location of mobile communication equipment:
2. No data revealing the content of the communication may be retained pursuant to this Directive.’
19. Finally, Article 11 of Directive 2006/24 inserts a new paragraph 1a into Article 15 of Directive 2002/58. Under this provision, Article 15(1) of Directive 2002/58 shall not apply to data specifically required by Directive 2006/24.
B – National law
20. Concerning copyright, the provisions of Directive 2004/48 were transposed into Swedish law by the introduction of new provisions in Law 1960:729 on copyright in literary and artistic works (lagen (1960:729) om upphovsrätt till litterära och konstnärliga verk; ‘Law on copyright’). These new provisions entered into force on 1 April 2009. (10)
21. Paragraph 53c of the Swedish Law on copyright states:
‘If the applicant shows clear evidence that someone has committed an infringement referred to in Paragraph 53, the court may order one or more of the persons referred to in the second subparagraph below, on penalty of a fine, to provide the applicant with information on the origin and distribution network of the goods or services affected by the infringement (order for disclosure of information). Such an order may be made at the request of an author or a successor in title of the author or by a person who, on the basis of a licence, is entitled to exploit the work. It may be made only if the information can be regarded as facilitating the investigation into an infringement concerning the goods or services.
The obligation to disclose information applies to any person who:
(1) has carried out or contributed to the infringement,
(2) has, on a commercial scale, exploited the goods affected by the infringement,
(3) has, on a commercial scale, exploited a service affected by the infringement,
(4) has, on a commercial scale, provided an electronic communications service or another service used in the infringement,
(5) has been identified by a person referred to in points (2) to (4) as participating in the production or distribution of goods or the supply of services affected by the infringement.
Information on the origin or distribution network of goods or services may include, inter alia:
(1) the names and addresses of producers, distributors, suppliers and others who have held the goods or supplied the services,
(2) the names and addresses of intended wholesalers and retailers,
(3) information concerning the quantities produced, supplied, received or ordered, and the price fixed for the goods or services.
The provisions in the first to third subparagraphs above also apply to attempts or preparations made to commit infringements referred to in Paragraph 53.’
22. Paragraph 53d of the Law on copyright provides:
‘An order for disclosure of information may be made only if the reasons for the measure outweigh the nuisance or harm which the measure otherwise entails for the person affected by it or for other parties with a conflicting interest.
The obligation to disclose information pursuant to Paragraph 53c does not cover information disclosure of which would reveal that the person disclosing the information or persons close to him referred to in Chapter 36, Paragraph 3, of the Code of Judicial Procedure [rättegångsbalken] has committed a criminal act.
There are provisions in Law 1998:204 on personal data [personuppgiftslagen (1998:204)] which restrict the manner in which personal data received may be handled.’
2. Protection of personal data
23. Directive 2002/58 has been transposed into Swedish law in particular by Law 2003:389 on electronic communications (lagen (2003:389) om elektronisk kommunikation). Under the first sentence of Paragraph 20 of Chapter 6 of that law, a person who, in connection with the provision of an electronic communications network or an electronic communications service, has acquired or been given access to, inter alia, data on subscriptions may not without authorisation disseminate or exploit the data which he has acquired or to which he has been given access.
24. The referring court further notes that the obligation of confidentiality to which internet service providers in particular are subject has been conceived to prohibit only unauthorised disclosure or use of certain data. The obligation of confidentiality is relative since other provisions require that information to be disclosed, which means that such disclosure is not unauthorised. According to the Högsta domstolen, the right to information provided under Paragraph 53c of the Law on copyright, which also applies to internet service providers, was deemed not to require the implementation of specific legislative changes in order to enable the new provisions relating to disclosure to take precedence over the obligation of confidentiality. (11) The obligation of confidentiality is therefore overridden by the court’s decision on an order for disclosure of information.
25. Directive 2006/24 has not been transposed into Swedish law in the period prescribed for that purpose. (12)
III – The dispute in the main proceedings, the questions referred for a preliminary ruling and the procedure before the Court
26. Bonnier Audio and Others are a group of publishing companies which have exclusive rights to the reproduction, publishing and distribution to the public of 27 works in the form of audio books.
27. Bonnier Audio and Others claim that their exclusive rights have been infringed by the public distribution of these 27 works, without their consent, by means of an FTP (file transfer protocol) server which allows file sharing and data transfer between computers connected to the internet.
28. The internet service provider through which the alleged illegal file exchange took place is ePhone.
29. Bonnier Audio and Others applied to the Solna tingsrätten (Solna District Court) for a disclosure order for the purpose of communicating the name and address of the person using the IP address from which it is alleged that the files in question were sent during the period between 03.28 hrs and 05.45 hrs on 1 April 2009.
30. ePhone challenged this application, maintaining in particular that the requested order is contrary to Directive 2006/24.
31. At first instance, the Solna tingsrätten granted the application for disclosure of the data in question.
32. ePhone brought an appeal before the Svea hovrätten (Svea Court of Appeal, Stockholm), claiming that the application for the disclosure order should be dismissed. It also requested a referral to the Court of Justice for the purpose of specifying whether Directive 2006/24 precludes the disclosure to persons other than those authorities referred to in the directive of information relating to a subscriber to whom an IP address has been allocated.
33. The Svea hovrätten held that there is no provision in Directive 2006/24 which prevents a party to a civil dispute from being ordered to disclose subscriber data to someone other than a public authority. It also rejected the application for a reference to the Court of Justice.
34. The same court also found that the audio book publishers had not adduced clear evidence that there was an infringement of an intellectual property right. It therefore decided to set aside the disclosure order granted by the Solna tingsrätten. Bonnier Audio and Others then appealed to the Högsta domstolen, the referring court.
35. This court is of the opinion that, notwithstanding the judgment in Promusicae and the order in LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten, doubts remain as to whether European Union law precludes the application of Paragraph 53c of the Swedish Law on copyright, in so far as neither the judgment nor the order make reference to Directive 2006/24.
36. In those circumstances, the Högsta domstolen decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Does Directive 2006/24 …, and in particular Articles 3 [to] 5 and 11 thereof, preclude the application of a national provision which is based on Article 8 of Directive 2004/48 … and which permits an internet service provider in civil proceedings, in order to identify a particular subscriber, to be ordered to give a copyright holder or its representative information on the subscriber to whom the internet service provider provided a specific IP address, which address, it is claimed, was used in the infringement? The question is based on the assumption that the applicant has adduced evidence of the infringement of a particular copyright and that the measure is proportionate.
(2) Is the answer to Question 1 affected by the fact that the Member State has not implemented [Directive 2006/24] despite the fact that the period prescribed for implementation has expired?’
37. Written observations were lodged by Bonnier Audio and Others, ePhone, the Swedish, Czech, Italian and Latvian Governments, as well as by the European Commission.
38. With the exception of the Czech and Latvian Governments, all parties that submitted written observations were represented at the hearing which took place on 30 June 2011.
IV – Analysis
A – The scope of Directive 2006/24
39. By its first question, the referring court is seeking to ascertain, in essence, whether Directive 2006/24 precludes the application of a national provision based on Article 8 of Directive 2004/48 which, in order to identify a particular internet subscriber or user, permits an internet service provider to be ordered to give a copyright holder or its representative the name and address of a subscriber provided with an IP address, which, it is claimed, was used in the infringement.
40. The referring court raises this question based on the assumption that, in the main proceedings, the applicants, Bonnier Audio and Others, have adduced evidence of the infringement of a particular copyright and that the measure is proportionate.
41. Furthermore, as is apparent from the order for reference, the action brought by Bonnier Audio and Others in the main proceedings for the purpose of obtaining personal data falls within the scope of a civil procedure.
42. The question to be addressed first is whether the requested data constitute personal data. For the legislation concerning the protection of personal data to apply, the data in question must be of this type. In the main proceedings, this involves the name and address of a subscriber, to be identified on the basis of an IP address. Therefore, we are indeed dealing with an area that falls within the scope of the rules relating to the protection of personal data.
43. It should be noted however that the identity of the individual alleged to have infringed the intellectual property rights cannot be proven on the sole basis of the IP address in cases where several individuals are able to access the network under this same IP address. This is the case, for example, with inadequately secured wireless networks, the hijacking of computers connected to the internet, as well as situations in which several individuals may be using the same computer. However, it appears to me that in certain Member States an IP address can be used as evidence of the identity of an individual alleged to have committed an infringement. (13)
44. Next, it should be verified whether Directive 2006/24 is indeed applicable to the main proceedings. In Promusicae, the directive was not applicable ratione temporis, which is why it was dismissed by the Court from the outset. (14)
45. For the purpose of verifying the applicability ratione materiæ of Directive 2006/24 to the present case, it must be noted that, according to Article 1 of that directive, it seeks to ensure ‘that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law’. (15) Furthermore, under Article 4 of the directive, the Member States are obliged to adopt measures to ensure that data referred to in the directive are provided only to the competent national authorities, in specific cases and in accordance with national law.
46. However, the main proceedings here involve a civil procedure and the data are requested not by a competent national authority, but by private persons.
47. Therefore, it appears to me that Directive 2006/24 is not applicable ratione materiæ to the main proceedings, even if the data retained for the purposes authorised by that directive would fall within the scope of the directives on the protection of personal data, inasmuch as the operator retained the data for other purposes.
48. Consequently, the second question, relating to the effect of the failure to transpose Directive 2006/24 into Swedish law on the answer to the first question, becomes irrelevant.
49. Notwithstanding the non-applicability of Directive 2006/24 in this case, the question of its relevance to the main proceedings should be examined. Before returning to this question, I must first deal with the provisions relating to the protection of personal data.
B – The restrictions on the protection of personal data
50. At this point, it is important to note some basic principles governing the protection of personal data under European Union law.
51. The fundamental principle set out in Article 6(1)(b) of Directive 95/46 is that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with these purposes. The collection of personal data and the manner in which this collection is carried out, as well as the purposes, must be decided beforehand. Further processing which would be incompatible with these predefined purposes is prohibited.
52. It must therefore be verified whether provisions corresponding to these requirements have been adopted at European Union level or at national level as regards the retention of personal data and the transmission of the personal data to third parties in cases of presumed infringements of intellectual property rights invoked by individuals.
1. Restrictions at European Union level
53. In respect of the European Union law which applies to data relating to telecommunications, Directive 2002/58, as amended by Directive 2006/24, explains the general framework set out by Directive 95/46 in more detail. However, an examination of Directives 2002/58 and 2006/24 clearly shows that they do not contain any specific provision concerning the retention or use of telecommunications data in the context of counteracting infringement of intellectual property rights at the initiative of private persons. Directive 2002/58 is centred on the rights and obligations of electronic communications service providers. Directive 2006/24, on the other hand, concerns the retention of data by public authorities for the purpose of detecting serious crime. In respect of the infringement of intellectual property rights invoked by private persons, neither Directive 2002/58 nor Directive 2006/24 provides for the possibility or the obligation to retain or use those data for this purpose, or for the use of existing data retained for other purposes.
54. As for Directive 2004/48, the only reference to personal data is found in Article 8(3)(e). According to this provision, paragraphs 1 and 2 of Article 8, governing access to information which may concern the infringement of an intellectual property right, apply without prejudice to other statutory provisions that govern the processing of personal data. Directive 2004/48 thus indicates that the statutory provisions and regulations which govern the processing of personal data must be observed. On the other hand, it does not specify which personal data may be retained, the aim of retaining those data, the period of retention, or the persons with access to those data in the case of an infringement of intellectual property rights.
55. Even if at European Union level one were to envisage the possibility of a directive that would supplement Directive 2002/58 by providing an obligation to retain data relating to infringements of an intellectual property right, and also define the purposes of the retention, the data to be retained, the period of retention and the individuals with access to the data, the fact remains that no such directive exists at this time. (16)
56. In the light of these factors, it must be stated that current European Union legislation does not provide the necessary procedures for the retention and transmission of personal data generated during electronic communications with a view to their transmission in a case of infringement of an intellectual property right invoked by private persons.
2. Restrictions at Member State level
57. In respect of the law of the Member States, Article 15 of Directive 2002/58 allows for the restricted application of the principles underpinning that directive.
58. The Court interpreted this article in Promusicae and in the order in LSG‑Gesellschaft zur Wahrnehmung von Leistungsschutzrechten. In these cases, it concluded that Directive 2002/58 did not preclude the possibility for the Member States to impose an obligation to disclose personal data in the context of civil proceedings, but that European Union law did not require the Member States to impose such an obligation. (17) The Court also established a link between Article 15(1) of that directive and Article 13(1) of Directive 95/46. (18)
59. Promusicae refers to the disclosure of personal data and, at the end, to the obligation of Member States, when transposing the directives mentioned, to take care to rely on an interpretation of the directives which allows a fair balance to be struck between the various fundamental rights protected by the European Union legal order. (19) My interpretation of this statement is that the basic principles of each domain – namely the protection of the confidentiality of electronic communications and the protection of copyright and related rights – must be observed in full.
60. For the disclosure of personal data to be possible, European Union law requires that an obligation to retain data be provided for in national law, in order to specify the types of data to be retained, the purposes of retaining the data, the period of retention and the persons with access to such data. It would be contrary to the principles of the protection of personal data to make use of databases that exist for purposes other than those thus defined by the legislature.
61. As a result, in order for the retention and transmission of personal data to be in accordance with Article 15 of Directive 2002/58, in a situation such as that described in the main proceedings, national legislation must have provided, in advance and in detail, restrictions prescribed by statute on the scope of the rights and obligations provided in Articles 5, 6, 8, paragraphs 1 to 4, and 9 of the directive. (20) Such a restriction must constitute a measure that is necessary, appropriate and proportionate. An obligation to disclose data, imposed on the internet service provider, and relating to personal data retained for another purpose, will not be sufficient to meet these requirements. (21)
62. By way of conclusion, it must be emphasised that the fundamental rights concerning the protection of personal data and privacy, on the one hand, and those concerning the protection of intellectual property, on the other hand, must receive equal protection. Therefore, copyright holders must not be favoured, by allowing them to make use of personal data which have been legally collected or retained for purposes not germane to the protection of their rights. The collection and use of such data for such purposes in compliance with European Union law concerning the protection of personal data would require the prior adoption of detailed provisions by the national legislature, in accordance with Article 15 of Directive 2002/58. (22)
V – Conclusion
63. In the light of the foregoing considerations, I propose that the Court should answer the questions referred by Högsta domstolen as follows:
(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC does not apply to the processing of personal data for purposes other than those referred to in Article 1(1) of the directive. Consequently, that directive does not preclude the application of a national provision under which in civil proceedings, in order to identify a particular subscriber, a court may order an internet service provider to give a copyright holder or its representative information on the subscriber to whom the internet service provider provided a specific IP address which, it is claimed, was used in the infringement. However, this information must have been retained in order to be disclosed and used for that purpose in accordance with detailed national legislative provisions which have been adopted in compliance with European Union law on the protection of personal data.
(2) Having regard to the answer to the first question, the second question is irrelevant.