OPINION OF ADVOCATE GENERAL
SZPUNAR
delivered on 27 October 2022 (1)
Case C‑470/21
La Quadrature du Net,
Fédération des fournisseurs d’accès à Internet associatifs,
Franciliens.net,
French Data Network
v
Premier ministre,
Ministère de la Culture
(Request for a preliminary ruling
from the Conseil d’État (Council of State, France))
(Reference for a preliminary ruling – Processing of personal data and protection of privacy in the electronic communications sector – Directive 2002/58/EC – Article 15(1) – Power of Member States to restrict the scope of certain rights and obligations – Requirement of prior review by a court or an independent administrative body whose decisions are binding – Civil identity data corresponding to an IP address)
I. Introduction
1. The retention of and access to certain data of internet users is a topic of perennial interest and has been considered by the Court in recent, yet already ample, case-law.
2. The present case affords the Court the opportunity to revisit that topic as part of renewed action to combat infringements of intellectual property rights committed exclusively online.
II. Legal context
A. European Union law
3. Recitals 2, 6, 7, 11, 22, 26 and 30 of Directive 2002/58/EC (2) state:
‘(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in particular by the [Charter of Fundamental Rights of the European Union (‘the Charter’)]. In particular, this Directive seeks to ensure full respect for the rights set out in Articles 7 and 8 of that Charter.
…
(6) The Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services. Publicly available electronic communications services over the Internet open new possibilities for users but also new risks for their personal data and privacy.
(7) In the case of public communications networks, specific legal, regulatory and technical provisions should be made in order to protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the increasing capacity for automated storage and processing of data relating to subscribers and users.
…
(11) Like Directive 95/46/EC [(3)], this Directive does not address issues of protection of fundamental rights and freedoms related to activities which are not governed by Community law. Therefore it does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the enforcement of criminal law. Consequently, this Directive does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms [signed in Rome on 4 November 1950], as interpreted by the rulings of the European Court of Human Rights. Such measures must be appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and should be subject to adequate safeguards in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms.
…
(22) The prohibition of storage of communications and the related traffic data by persons other than the users or without their consent is not intended to prohibit any automatic, intermediate and transient storage of this information in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed. …
…
(26) The data relating to subscribers processed within electronic communications networks to establish connections and to transmit information contain information on the private life of natural persons and concern the right to respect for their correspondence or concern the legitimate interests of legal persons. Such data may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time. Any further processing of such data … may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the provider of the publicly available electronic communications services about the types of further processing it intends to perform and about the subscriber’s right not to give or to withdraw his/her consent to such processing. …
…
(30) Systems for the provision of electronic communications networks and services should be designed to limit the amount of personal data necessary to a strict minimum. …’
4. Under Article 2 of that directive, headed ‘Definitions’:
‘…
The following definitions shall also apply:
(a) “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
(b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
(c) “location data” means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
(d) “communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information;
…’
5. Article 3 of that directive, headed ‘Services concerned’, provides:
‘This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.’
6. Article 5 of the directive, headed ‘Confidentiality of the communications’, provides:
‘1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.
…
3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’
7. Under Article 6 of Directive 2002/58, headed ‘Traffic data’:
‘1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).
2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.
…’
8. Article 15(1) of that directive, headed ‘Application of certain provisions of Directive [95/46]’, provides:
‘Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive [95/46]. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of [Union] law, including those referred to in Article 6(1) and (2) [TEU].’
B. French law
1. Code de la propriété intellectuelle (Intellectual Property Code)
9. Article L. 331-12 of the code de la propriété intellectuelle (Intellectual Property Code; ‘the CPI’), provides:
‘The High Authority for the dissemination of works and the protection of rights on the internet [Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet; “Hadopi”] is an independent public authority.’
10. Article L. 331-13 of the CPI provides:
‘[Hadopi] shall:
…
2. Protect [works and subject matter covered by copyright or a related right in electronic communications networks] from infringements of those rights committed in electronic communications networks used for the provision of online public communications services; …’
11. Under Article L. 331-15 of that code:
‘[Hadopi] shall consist of a College and a Committee for the protection of rights. ….
…
In the exercise of their functions, the members of the College and of the Committee for the protection of rights shall not receive instructions from any authority.’
12. Article L. 331-17 of the CPI provides:
‘The Committee for the protection of rights shall be responsible for taking the measures provided for in Article L. 331-25.’
13. Under Article L. 331-21 of the CPI:
‘In order for the Committee for the protection of rights to carry out its duties, [Hadopi] shall be staffed by sworn public officials authorised by [its] President in accordance with conditions laid down by decree made after hearing the Conseil d’État (Council of State, France). …
The members of the Committee for the protection of rights and the officials mentioned in the preceding paragraph shall receive referrals sent to that committee in the manner prescribed in Article L. 331-24. They shall examine the facts.
They may, where necessary for the purposes of the procedure, obtain any document, irrespective of the medium on which it is stored, including data that have been retained and processed by electronic communications operators pursuant to Article L. 34-1 of the code des postes et des communications électroniques (Post and Electronic Communications Code) and by the service providers mentioned in Article 6(I)(1) and (2) of Loi no 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique (Law No 2004-575 of 21 June 2004 promoting confidence in the digital economy).
They may also obtain copies of the documents mentioned in the preceding paragraph.
They may, in particular, obtain from electronic communications operators the identity, postal address, email address and telephone number of the subscriber whose access to online public communications services has been used for the purposes of the reproduction, representation, making available or communication to the public of protected works or subject matter without the authorisation of the holders of the rights … where such authorisation is required.’
14. Article L. 331-24 of the CPI states:
‘The Committee for the protection of rights shall act upon referral by sworn and authorised officials … appointed by:
– lawfully constituted professional defence bodies;
– collective management organisations;
– the Centre national du cinéma et de l’image animée (National Centre for Cinema and the Moving Image, France).
The Commission for the protection of rights may also act on the basis of information forwarded to it by the procureur de la République (Office of the Public Prosecutor, France).
Offending conduct dating back more than six months may not be referred to it.’
15. Under Article L. 331-25 of that code, which governs the ‘graduated response’ procedure:
‘Where the offending conduct referred to it is liable to constitute a failure to fulfil the obligation laid down in Article L. 336-3 [of the CPI], the Committee for the protection of rights may send the subscriber … a recommendation drawing his or her attention to the provisions of Article L. 336-3, ordering him or her to fulfil the obligation laid down in those provisions and warning him or her of the penalties which may be imposed pursuant to Articles L. 335-7 and L. 335-7-1. That recommendation shall also furnish information to the subscriber about lawfully available online cultural content, the existence of security measures to prevent failures to fulfil the obligation laid down in Article L. 336-3, and the risks to growth in artistic output and to the economy of the culture industry posed by practices that do not respect copyright and related rights.
If the subscriber again engages in conduct liable to constitute a failure to fulfil the obligation laid down in Article L. 336-3 within six months of the recommendation referred to in the first paragraph being sent, the Committee may issue a further recommendation by electronic means containing the same information as the previous recommendation …. It must attach to that recommendation a letter delivered against signature or any other means capable of proving the date of service of that recommendation.
Recommendations issued on the basis of this article shall state the date and time when the conduct liable to constitute a failure to fulfil the obligation laid down in Article L. 336-3 were detected. However, they shall not disclose the content of the protected works or subject matter affected by that failure. They shall state the telephone number, postal address and email address to which the recipient of the recommendation may direct, if he or she so wishes, his or her observations to the Committee for the protection of rights and obtain, upon express request, details of the content of the protected works or subject matter affected by the failure complained of.’
16. Article L. 331-29 of the CPI provides:
‘[Hadopi] is authorised to establish a system for the automated processing of personal data relating to individuals who are the subject of a procedure under this subsection.
The purpose of that processing shall be to enable the Committee for the protection of rights to implement the measures provided for in this subsection, to carry out any related procedural acts, and to implement the procedures for informing professional defence bodies and collective management organisations of any referrals to a judicial authority and of the notifications referred to in the fifth paragraph of Article L. 335-7.
Detailed rules for the application of this article shall be laid down by decree …. Those rules shall state, inter alia:
– the categories of data that may be recorded and the period of time for which they may be retained;
– the parties to which those data may be communicated, which shall include providers of access to online public communications services;
– the manner in which the individuals concerned may exercise, before [Hadopi], their right of access to data concerning them ….’
17. Article R. 331-37 of that code provides:
‘Electronic communications operators … and service providers … shall send, using a connection to the automated personal data processing system mentioned in Article L. 331-29 or using a recording medium which ensures their integrity and security, the personal data and the information mentioned in point 2 of the Annex to [décret no 2010-236, du 5 mars 2010, relatif au traitement automatisé de données à caractère personnel autorisé par l’article L. 331-29 du CPI dénommé ‘Système de gestion des mesures pour la protection des œuvres sur internet (Decree No 2010-236 of 5 March 2010 on the automated personal data processing system authorised by Article L. 331-29 of the CPI, known as the ‘System for the management of measures for the protection of works on the internet’) (4)], within a period of eight days of receiving from the Committee for the protection of rights the technical data required to identify the subscriber whose access to online public communications services has been used for the purposes of the reproduction, representation, making available or communication to the public of protected works or subject matter without the authorisation of the holders of the rights … where such authorisation is required.
…’
18. Article R. 335-5 of the CPI provides:
‘I. Where the conditions laid down in paragraph II are met, gross negligence, punishable by the fine laid down for summary offences in class 5, shall be committed by a person having a right of access to online public communications services who, without legitimate reason:
1. has failed to establish measures to make such access secure; or
2. has failed to exercise due care in the implementation of those measures.
II. The provisions of paragraph I shall not apply unless the following two conditions are met:
1. Under Article L. 331-25 and in accordance with the formal requirements laid down in that article, the Committee for the protection of rights has recommended to the person having a right of access to implement measures to make his or her access secure so as to prevent such access being used again for the purposes of the reproduction, representation, making available or communication to the public of works or subject matter protected by copyright or by a related right without the authorisation of the holders of those rights … where such authorisation is required;
2. During the year following receipt of that recommendation, that access is used on a further occasion for the purposes referred to in point 1 of paragraph II.’
19. Article L. 336-3 of that code provides:
‘A person having a right of access to online public communications services is under an obligation to ensure that that access is not used for the purposes of the reproduction, representation, making available or communication to the public of works or subject matter protected by copyright or by a related right without the authorisation of the holders … where such authorisation is required.
Failure by the person having access to comply with the obligation set out in the first paragraph shall not have the effect of rendering him or her liable under criminal law …’
2. Decree of 5 March 2010
20. Article 1 of the Decree of 5 March 2010, in the version applicable to the facts in the main proceedings, provides:
‘The purpose of the personal data processing system known as the “System for the management of measures for the protection of works on the internet” is to enable the Commission for the protection of rights of [Hadopi]:
1. to implement the measures provided for in Book III of the legislative part of the [CPI] (Title III, Chapter I, Section 3, Subsection 3) and Book III of the regulatory part of that code (Title III, Chapter I, Section 2, Subsection 2);
2. to refer conduct liable to constitute an offence under Articles L. 335-2, L. 335-3, L. 335-4 and R. 335-5 of the [CPI] to the Office of the Public Prosecutor and to inform professional defence bodies and collective management organisations of those referrals;
…’
21. Article 4 of that decree provides:
‘I.- The sworn public officials authorised by the President of [Hadopi] pursuant to Article L. 331-21 of the [CPI] and the members of the Committee for the protection of rights mentioned in Article 1 shall have direct access to the personal data and information referred to in the Annex to this Decree.
II.- The electronic communications operators and the providers referred to in point 2 of the Annex to this Decree shall be sent:
– the technical data required to identify the subscriber;
– the recommendations provided for in Article L. 331-25 of the [CPI] for notification by electronic means to their subscribers;
– the information necessary for the implementation of additional penalties of suspension of access to an online public communications service notified to the Commission for the protection of rights by the Office of the Public Prosecutor.
III.- Professional defence bodies and collective management organisations shall be informed of referrals to the Office of the Public Prosecutor.
IV.- Judicial authorities shall be sent the reports of conduct liable to constitute an offence under Articles L. 335-2, L. 335-3, L. 335-4, L. 335-7, R. 331-37, R. 331‑38 and R. 335-5 of the [CPI].
The enforcement of a penalty of suspension shall be notified to the automated criminal records system.’
22. The Annex to the Decree of 5 March 2010 provides:
‘The personal data and information recorded in the processing system known as the “System for the management of measures for the protection of works on the internet” shall be as follows:
1. Personal data and information from lawfully constituted professional defence bodies, collective management organisations, the National Centre for Cinema and the Moving Image, and the Public Prosecutor’s Office:
Regarding conduct liable to constitute a failure to fulfil the obligation laid down in Article L. 336-3 of the [CPI]:
Date and time of the occurrence;
IP address of the subscribers concerned;
Peer-to-peer protocol used;
Pseudonym used by the subscriber;
Information on the protected works or subject matter affected by the conduct;
File name as it appears on the subscriber station (where applicable);
Internet service provider through which access was arranged or which supplied the IP technical resource.
…
2. Personal data and information concerning the subscriber collected from electronic communications operators … and providers …:
Surname, forenames;
Postal address and email addresses;
Telephone number;
Address of the subscriber’s telephone installation;
Internet service provider, using the technical facilities of the service provider referred to in point 1 with which the subscriber has taken out a contract; reference number;
start date of suspension of access to an online public communications service.
…’
3. Code des postes et des télécommunications (Post and Telecommunications Code)
23. Article L. 34-1 of the code des postes et des communications électroniques, as amended by Article 17 of Law No 2021-998 of 30 July 2021 (5) (Post and Electronic Communications Code; ‘the CPCE’), provides, in paragraph IIa, that ‘electronic communications operators shall retain:
1. for the purposes of criminal proceedings, preventing threats to public security and safeguarding national security, information relating to the user’s civil identity until the expiry of a period of five years from the date on which his or her contract ends;
2. for the same purposes as those set out in paragraph IIa(1), other information supplied by the user when taking out a contract or creating an account and payment information until the expiry of a period of one year from the date on which his or her contract ends or his or her account is closed;
3. for the purposes of combating serious crime, preventing serious threats to public security and safeguarding national security, the technical data enabling the connection source to be identified or relating to the terminal equipment used until the expiry of a period of one year from the connection or use of the terminal equipment.’
III. The dispute in the main proceedings, the questions referred for a preliminary ruling and the procedure before the Court
24. By application of 12 August 2019 and two supplementary submissions of 12 November 2019 and 6 May 2021, La Quadrature du Net, the Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net and French Data Network brought an action before the Conseil d’État (Council of State) for annulment of the implied decision by which the Premier ministre (Prime Minister, France) rejected their application for the repeal of the Decree of 5 March 2010, even though, in their view, that decree and the provisions constituting its legal basis unreasonably interfere with the rights guaranteed by the French Constitution and, in addition, infringe Article 15 of Directive 2002/58 and Articles 7, 8, 11, and 52 of the Charter.
25. In particular, the applicants in the main proceedings argue that the Decree of 5 March 2010 and the provisions constituting its legal basis permit access to connection data in a manner which is disproportionate to minor copyright infringements committed online, without prior review by a court or an authority offering guarantees of independence and impartiality.
26. In that regard, the referring court states, first of all, that the Court, in its most recent judgment in La Quadrature du Net and Others, (6) held that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not preclude legislative measures which, for the purposes of safeguarding national security, combating crime and safeguarding public security, provide for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems. Thus, such retention is permissible, without any specific time limit being imposed, for the purposes of investigating, detecting and prosecuting criminal offences in general.
27. The referring court infers from this that the plea raised by the applicants in the main proceedings, alleging that the Decree of 5 March 2010 is unlawful because it was adopted in the context of action to combat minor offences, must therefore be dismissed.
28. Next, the referring court observes that the Court, in its judgment in Tele2 Sverige and Watson, (7) held that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation governing the protection and security of traffic and location data, and more particularly, the access of the competent national authorities to retained data, where that access is not subject to a prior review by a court or an independent administrative authority.
29. It states that the Court, in its judgment in Tele2, (8) made clear that, in order to ensure, in practice, that those conditions are fully respected, it is essential that access of the competent national authorities to retained data should, as a general rule, except in cases of validly established urgency, be subject to the requirement of a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.
30. The referring court points out that the Court recalled that requirement in its judgment in La Quadrature du Net and Others, (9) concerning the real-time collection of connection data by the intelligence services, and in its judgment in Prokuratuur (Conditions of access to data relating to electronic communications), (10) concerning national authorities’ access to connection data.
31. Finally, the referring court notes that, since its establishment in 2009, Hadopi has issued over 12.7 million recommendations to subscribers under the graduated response procedure provided for in Article L 331-25 of the CPI, of which 827 791 were issued in 2019 alone. To that end, the officials of Hadopi’s Committee for the protection of rights must be able to collect, each year, a considerable volume of data relating to the civil identity of the users concerned. The referring court considers that, given the volume of those recommendations, making such data collection subject to a prior review might make it impossible for recommendations to be issued at all.
32. In those circumstances, the Conseil d’État (Council of State) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Are the civil identity data corresponding to an IP address included among the traffic and location data to which, in principle, the requirement [of] prior review by a court or an independent administrative entity [whose decisions are binding] applies?
(2) If the first question is answered in the affirmative, and having regard to the fact that the data relating to the civil identity of users, including their contact details, are not particularly sensitive data, is Directive [2002/58], read in the light of the [Charter], to be interpreted as precluding national legislation which provides for the collection of those data, corresponding to the IP addresses of users, by an administrative authority, without prior review by a court or an independent administrative entity [whose decisions are binding]?
(3) If the second question is answered in the affirmative, and having regard to the fact that the data relating to civil identity are not particularly sensitive data, that only those data may be collected and they may be collected solely for the purposes of preventing failures to fulfil obligations which have been defined precisely, exhaustively and restrictively by national law, and that the systematic review of access to the data of each user by a court or a third-party administrative entity [whose decisions are binding] would be liable to jeopardise the fulfilment of the public service [mission] entrusted to the administrative authority which collects those data, which is itself independent, does [Directive 2002/58] preclude the review from being performed in an adapted fashion, for example as an automated review, as the case may be under the supervision of a department within the body which offers guarantees of independence and impartiality in relation to the officials who have the task of collecting the data?’
33. The applicants in the main proceedings, the Governments of France, Estonia, Sweden, Norway and the European Commission submitted written observations. Those interested parties, except for the Governments of Estonia, Denmark and Finland, were represented at the hearing held on 5 July 2022.
IV. Analysis
A. The first and second questions referred
34. By its first and second questions, which in my view should be considered together, the referring court asks, in essence, whether Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which allows an administrative authority, responsible for protecting copyright and related rights against infringements of those rights committed on the internet, access to civil identity data, corresponding to IP addresses, so that that authority can identify the holders of those addresses suspected of having committed those infringements and, if appropriate, take action against them, without that access being subject to a prior review by a court or an independent administrative body.
1. Delimitation of the questions referred
(a) The prior collection of IP addresses by rightholder organisations
35. It follows from the order for reference that the graduated response mechanism at issue in the main proceedings involves two successive instances of data processing: first, the prior collection by rightholder organisations of IP addresses on the peer-to-peer networks of copyright infringers and, second, the linking of those IP addresses to the civil identity of persons by Hadopi upon receipt of a referral, so that a recommendation can be sent to the persons whose access to online public communications services was used in breach of the rules on copyright.
36. The first and second questions referred relate only to the second processing carried out by Hadopi.
37. The applicants in the main proceedings nonetheless maintain that the Court should examine the first processing, since if those IP addresses were obtained in breach of the provisions of Directive 2002/58, their use in the context of the second processing would necessarily be contrary to those provisions.
38. I am not convinced by that line of reasoning. Article 3(1) of Directive 2002/58 limits that directive’s scope to the ‘processing of personal data in connection with the provision of … electronic communications services’. As the French Government stated at the hearing, rightholder organisations obtain the IP addresses at issue not through providers of electronic communications services, but directly online, by consulting data available to the general public.
39. It may thus only be stated that the prior collection of IP addresses by rightholder organisations is not covered by the provisions of Directive 2002/58 and, as the Commission points out, could therefore be analysed in the light of the provisions of Regulation (EU) 2016/679. (11) Accordingly, such an analysis seems to me to go beyond the scope of the questions referred to the Court for a preliminary ruling, particularly since the referring court does not provide any clarification in respect of the prior collection that would enable the Court to provide it with a useful answer.
40. In those circumstances, I will focus my analysis on the issue of Hadopi’s access to the civil identity data corresponding to an IP address.
(b) The linking of IP addresses and civil identity data
41. The first and second questions submitted for a preliminary ruling are concerned with ‘the civil identity data corresponding to an IP address’, which, according to the referring court, are not particularly sensitive data. The referring court exclusively cites, in its decision, the paragraphs of the judgment in La Quadrature du Net and Others relating to the retention of civil identity data.
42. It is true that the Court’s case-law draws a distinction between the rules on retaining and accessing IP addresses and the rules on retaining and accessing data relating to the civil identity of users of electronic communications systems, the latter body of rules being less strict than the former. (12)
43. However, it seems to me that, in the present case, despite the wording of those two questions, the issue is not solely one of access to the civil identity data of users of electronic communications systems, but rather the linking of those data to the IP addresses held by Hadopi following the collection and transmission of the latter by rightholder organisations. As the Commission points out, the idea behind allowing Hadopi access to civil identity data is to unlock a wider range of data, in particular IP addresses and extracts from files viewed, and to enable them to be used, since civil identity data and IP addresses are, independently of one another, of no interest to national authorities inasmuch as neither civil identity nor an IP address alone furnishes information on the online activities of natural persons when they are not linked up.
44. It follows that the first two questions referred for a preliminary ruling should, in my view, be construed as covering not only the civil identity data of users of an electronic communications system, but also access to IP addresses enabling the source of a connection to be identified.
(c) The retention of IP addresses by providers of communications services
45. It is true, as the French Government and the Commission point out, that the questions referred to the Court are not formally concerned with the retention of data by providers of electronic communications services, but are limited to Hadopi’s access to civil identity data corresponding to IP addresses.
46. However, the issue of Hadopi’s access to such data seems to me, in actual fact, to be inseparable from the preliminary issue of their retention by providers of communications services. As the Court has made clear, data is retained only for the purpose, when necessary, of making those data accessible to the competent national authorities. (13) Put another way, the retention of data and access to data cannot be viewed separately, when the latter is dependent on the former.
47. It is true that the Court has already examined the compatibility with Article 15(1) of Directive 2002/58 of national legislation relating solely to the competent national authorities’ access to certain personal data, irrespective of whether the retention of the data at issue was compatible with that provision. (14) The questions referred in this case could therefore be answered without regard to whether the data at issue have been retained in accordance with the provisions of EU law.
48. However, I note, first of all, that in the judgment in Ministerio Fiscal, (15) the Court’s examination of the compatibility with EU law of national authorities’ access to certain personal data was conducted strictly in accordance with the same principles as those it applies when assessing the compatibility with EU law of the retention of such data. The Court refers exclusively to the case-law developed in connection with that latter scenario in order to transpose it to the issue of access to personal data. In other words, in the absence of an examination of whether the retention of certain data is compatible with EU law, that examination is deferred to the stage at which access to those data is considered, so that the compatibility of that access ultimately depends on the compatibility of retention.
49. Next, the Court has clearly stated that access to personal data may be granted only in so far as those data have been retained by a provider of electronic communications services in a manner that is consistent with Article 15(1) of Directive 2002/58 (16) and that access to personal data by private persons to enable them to bring civil proceedings for copyright infringements is compatible with EU law only if those data are retained in a manner compatible with that provision. (17)
50. Lastly, the Court has consistently held that access to traffic and location data retained by providers in accordance with a measure taken under Article 15(1) of Directive 2002/58, which must be given effect in full compliance with the conditions resulting from the case-law interpreting Directive 2002/58, may, in principle, be justified only by the public interest objective for which those providers were ordered to retain those data. (18) In other words, the compatibility with EU law of national authorities’ access to certain personal data is entirely dependent on the compatibility with EU law of the retention of those data.
51. It follows, in my view, that the analysis of the compatibility with EU law of national legislation allowing national authorities access to certain personal data presupposes that it has first been established that the retention of those data is compatible with EU law.
52. In those circumstances, I will begin my analysis by recalling the Court’s case-law on the retention of IP addresses assigned to the source of a connection, in order to demonstrate its limits and to propose an adjusted interpretation of the legislation at issue.
2. The case-law of the Court on the interpretation of Article 15(1) of Directive 2002/58 as regards measures for the retention of IP addresses assigned to the source of a connection
53. Article 5(1) of Directive 2002/58 enshrines the principle of confidentiality of both electronic communications and the related traffic data and requires, inter alia, that, in principle, persons other than users be prohibited from storing, without those users’ consent, those communications and those data. (19)
54. As regards the processing and storage by electronic communications service providers of subscribers’ and users’ traffic data, Article 6 of Directive 2002/58 provides, in paragraph 1 thereof, that those data must be erased or made anonymous when they are no longer needed for the purpose of the transmission of a communication. In paragraph 2 thereof, it states that the traffic data necessary for the purposes of subscriber billing and interconnection fees may only be processed up to the end of the period during which the bill may lawfully be challenged or payments pursued in order to obtain payment. As regards location data other than traffic data, Article 9(1) of that directive provides that those data may be processed only subject to certain conditions and after they have been made anonymous or the consent of the users or subscribers obtained. (20)
55. Thus, in adopting Directive 2002/58, the EU legislature gave concrete expression to the rights enshrined in Articles 7 and 8 of the Charter, so that the users of electronic communications services are entitled to expect, in principle, that their communications and data relating thereto will remain anonymous and may not be recorded, unless they have agreed otherwise. (21) Therefore, that directive does not merely create a framework for access to such data through safeguards to prevent abuse, but also enshrines, in particular, the principle of the prohibition of their storage by third parties.
56. In those circumstances, in so far as Article 15(1) of Directive 2002/58 permits Member States to adopt legislative measures that ‘restrict the scope’ of the rights and obligations laid down inter alia in Articles 5, 6 and 9 of that directive, such as those arising from the principles of confidentiality of communications and the prohibition on storing related data, that provision establishes an exception to the general rule laid down inter alia in Articles 5, 6 and 9 and must thus, in accordance with settled case-law, be the subject of a strict interpretation. Therefore, that provision cannot permit the exception to the obligation, in principle, to ensure the confidentiality of electronic communications and data relating thereto and, in particular, to the prohibition on storage of such data, laid down in Article 5 of Directive 2002/58, to become the rule, if the latter provision is not to be rendered meaningless. (22)
57. As regards the objectives that are capable of justifying a limitation of the rights and obligations laid down, in particular, in Articles 5, 6 and 9 of Directive 2002/58, the Court has previously held that the list of objectives set out in the first sentence of Article 15(1) of that directive is exhaustive, as a result of which a legislative measure adopted under that provision must correspond, genuinely and strictly, to one of those objectives. (23)
58. Furthermore, it is clear from the third sentence of Article 15(1) of Directive 2002/58 that measures taken by the Member States under that provision must comply with the general principles of EU law, which include the principle of proportionality, and ensure respect for the fundamental rights guaranteed by the Charter. In that regard, the Court has previously held that the obligation imposed on providers of electronic communications services by a Member State by way of national legislation to retain traffic data for the purpose of making them available, if necessary, to the competent national authorities raises issues of compatibility not only with Articles 7 and 8 of the Charter, relating to the protection of privacy and to the protection of personal data, respectively, but also with Article 11 of the Charter, relating to freedom of expression, given that that freedom constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which, under Article 2 TEU, the Union is founded. (24)
59. That being said, in so far as Article 15(1) of Directive 2002/58 permits Member States to restrict the rights and obligations laid down in Articles 5, 6 and 9 of that directive, that provision reflects the fact that the rights enshrined in Articles 7, 8 and 11 of the Charter are not absolute rights, but must be considered in relation to their function in society. Indeed, as can be seen from Article 52(1) of the Charter, that provision allows limitations to be placed on the exercise of those rights, so long as those limitations are provided for by law, that they respect the essence of those rights and that, in compliance with the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. Thus, in order to interpret Article 15(1) of Directive 2002/58 in the light of the Charter, account must also be taken of the importance of the objectives of protecting national security and combating serious crime in contributing to the protection of the rights and freedoms of others and of the importance of the rights enshrined in Articles 3, 4, 6 and 7 of the Charter, (25) which may give rise to positive obligations for public authorities. (26)
60. It is against the backdrop of those different positive obligations that the Court must strike a balance between the various legitimate interests and rights at issue. In that context, it is clear from the wording itself of the first sentence of Article 15(1) of Directive 2002/58 that the Member States may adopt a measure derogating from the principle of confidentiality where such a measure is ‘necessary, appropriate and proportionate within a democratic society’, and recital 11 of the directive specifies, in that respect, that a measure of that nature must be ‘strictly’ proportionate to the intended purpose. (27)
61. In that regard, it follows from the Court’s case-law that the question whether the Member States may justify a limitation on the rights and obligations laid down, inter alia, in Articles 5, 6 and 9 of Directive 2002/58 must be assessed by measuring the seriousness of the interference entailed by such a limitation and by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness. (28)
62. I note, moreover, that the Court draws a distinction in its case-law between, on the one hand, interferences resulting from access to data which, as such, provide precise information on the communications at issue and, therefore, on the private life of a person, in respect of which the rules on retention are strict, and, on the other hand, interferences resulting from access to data, which may provide such information only if linked to other data, such as IP addresses. (29)
63. As regards IP addresses in particular, the Court has thus held that those addresses are generated independently of any particular communication and mainly serve to identify, through providers of electronic communications services, the natural person who owns the terminal equipment from which an internet communication is made. Therefore, provided that only the IP addresses of the source of the communication are retained and not the IP addresses of the recipient of the communication, that category of data is less sensitive than other traffic data. (30)
64. The Court points out at the same time that, since IP addresses may be used, among other things, to track an internet user’s complete clickstream and, therefore, his or her entire online activity, those data enable a detailed profile of the user to be produced and precise conclusions to be drawn concerning his or her private life. The retention and analysis of those IP addresses therefore constitute a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter and may have a deterrent effect on the exercise of freedom of expression guaranteed in Article 11 of the Charter. (31)
65. However, the Court has consistently held that, in order to strike a balance between the rights and legitimate interests at issue as required by the case-law, account must be taken of the fact that, where an offence is committed online, the IP address might be the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified. (32)
66. Accordingly, the Court takes the view that a legislative measure providing for the general and indiscriminate retention of only IP addresses assigned to the source of a connection does not, in principle, appear to be contrary to Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, where that possibility is subject to strict compliance with the substantive and procedural conditions which should regulate the use of those data, it being understood that, in the light of the seriousness of the interference entailed by that retention, only action to combat serious crime and the prevention of serious threats to public security and national security are capable of justifying that interference. (33)
67. The Court also makes clear that the retention period must not exceed what is strictly necessary in the light of the objective pursued and that a measure of that nature must establish strict conditions and safeguards concerning the use of those data. (34)
3. The limits of the case-law on the interpretation of Article 15(1) of Directive 2002/58 as regards measures for the retention of IP addresses assigned to the source of a connection
68. The approach taken by the Court with regard to national measures for the retention of IP addresses assigned to the source of a connection, interpreted in the light of Article 15(1) of Directive 2002/58, seems to me to present two main difficulties.
(a) Reconciliation with the case-law on the disclosure of IP addresses assigned to the source of a connection in the context of actions to protect intellectual property rights
69. In the first place, as previously mentioned in my Opinion in M.I.C.M., (35) there is a certain degree of tension between that line of authority and the case-law on the disclosure of IP addresses in the context of actions to protect intellectual property rights to the holders of those rights, which focuses on the obligation on Member States to ensure that holders of intellectual property rights are actually able to obtain compensation for damages resulting from infringements of those rights. (36)
70. Concerning that second line of authority, the Court has consistently held that EU law does not preclude Member States from establishing an obligation to disclose personal data to private persons in order to enable them to bring civil proceedings for copyright infringements. (37)
71. The Court notes, in that regard, that the possibility for Member States to impose an obligation to disclose personal data in the context of civil proceedings flows primarily from the option to provide for such disclosure as part of the prosecution of criminal offences, (38) subsequently extended to civil proceedings.
72. At the same time, as regards IP addresses, the Court nonetheless insists that those data may be retained only in the context of combating serious crime and preventing serious threats to public security. (39)
73. In my view, attempts to reconcile those two lines of authority produce unsatisfactory results and are unconvincing.
74. First, contrary to the French Government’s submissions at the hearing, combating infringements of intellectual property rights does not fall within the ambit of combating serious crime. The concept of ‘serious crime’ must, to my mind, be given an autonomous interpretation. It cannot depend on the individual approach taken by each Member State as that would allow the requirements of Article 15(1) of Directive 2002/58 to be circumvented depending on whether or not Member States construe action to combat serious crime broadly. As I have already pointed out, the interests relating to the protection of intellectual property rights should not be confused with those underlying action to combat serious crime. (40)
75. Second, the acceptance that IP addresses may be disclosed to the holders of intellectual property rights in the context of proceedings for the protection of those rights, even though the retention of those addresses was facilitated only in the context of combating serious crime, would clearly be at variance with the Court’s case-law on the retention of connection data and would render ineffective the conditions for retaining such data, since they could be accessed anyway on a number of different grounds.
76. It follows, in my view, that the retention of IP addresses for the purpose of protecting intellectual property rights and their disclosure to the holders of those rights in the context of proceedings seeking such protection could be contrary to Article 15(1) of Directive 2002/58, as interpreted by the case-law of the Court. The obligation to disclose personal data to private persons to enable them to bring civil proceedings for copyright infringements, which was made possible by the Court itself, is therefore simultaneously cancelled out by the effect of its own case-law on the retention of IP addresses by providers of electronic communications services.
77. That outcome is not, however, a satisfactory one inasmuch as it upsets the balance between the various interests at stake which the Court sought to strike by depriving the holders of intellectual property rights of the main, if not only, means of identifying the persons responsible for online infringements of those rights. That consideration leads me to the second difficulty which may, in my view, arise from the case-law of the Court on national measures for the retention of IP addresses assigned to the source of a connection, interpreted in the light of Article 15(1) of Directive 2002/58.
(b) The risk of systemic impunity for offences committed exclusively online
78. Thus, in the second place, I take the view that that approach is the source of practical difficulties. As the Court itself has made clear, where an offence is committed exclusively online, the IP address might be the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified.
79. Nonetheless, it seems to me that that factor is not fully taken into account in the balancing of the interests at issue. By restricting the possibility of retaining IP addresses to action to combat serious crime, the Court simultaneously rules out the possibility of those data being retained in order to combat criminal offences in general, even though some of those offences can be prevented, detected or punished only by means of those data.
80. In other words, the case-law of the Court could result in national authorities being deprived of the only means of identifying the persons responsible for online offences not falling within the scope of serious crime, such as infringements of intellectual property rights. That would lead to de facto systemic impunity for offences committed exclusively online, not just infringements of intellectual property rights. My mind is drawn, in particular, to online defamation: EU law does indeed provide for injunctions against intermediaries whose services are used to commit such offences, (41) but the case-law of the Court might prevent the very persons responsible for such defamation from ever being prosecuted.
81. Short of accepting that a whole range of criminal offences may evade prosecution entirely, I take the view that the balance between the different interests at stake should be examined afresh.
82. Those various considerations lead me to propose to the Court a certain readjustment of the case-law on national measures for the retention of IP addresses interpreted in the light of Article 15(1) of Directive 2002/58.
4. Proposed readjustment of the case-law of the Court on the interpretation of Article 15(1) of Directive 2002/58 as regards measures for the retention of IP addresses assigned to the source of a connection
83. In view of the foregoing considerations, my view is that Article 15(1) of Directive 2002/58 should be interpreted as not precluding measures providing for the general and indiscriminate retention of IP addresses assigned to the source of a connection, for a period limited in time to what is strictly necessary, for the purposes of preventing, investigating, detecting and prosecuting online criminal offences for which the IP address is the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified.
84. I should point out, in that regard, that such a proposal does not, to my mind, affect the requirement that the retention of data must be proportionate, in the light of the seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter entailed by that interference. (42) On the contrary, it meets that requirement in full.
85. First, the limitation of the rights and obligations established in Articles 5, 6 and 9 of Directive 2002/58 resulting from the retention of IP addresses pursues a public interest objective proportionate to that seriousness, namely the prevention, investigation, detection and prosecution of criminal offences laid down in legislation which would otherwise have no effect.
86. Second, that limitation operates within the limits of what is strictly necessary. Such retention is restricted to specific situations, namely criminal offences committed online and in respect of which the identification of the person responsible is possible only through the IP address assigned to him or her. Put another way, it is not a question of allowing the general and indiscriminate retention of data without any further conditions, but only of permitting the prosecution of clearly defined criminal offences, not criminal offences in general.
87. However, although Article 15(1) of Directive 2002/58 does not preclude the general and indiscriminate retention of IP addresses assigned to the source of a connection for the purposes of preventing, investigating, detecting and prosecuting online criminal offences for which the IP address is the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified, it must also be made clear that, according to the case-law, that possibility must be subject ‘to strict compliance with the substantive and procedural conditions which should regulate the use of that data’. (43) The Court has also made clear that such a measure ‘must establish strict conditions and safeguards concerning the use of that data’. (44)
88. In other words, as I have already pointed out, the retention of data and access to those data cannot be viewed separately. In those circumstances, although Hadopi’s ability to access IP addresses is not automatically contrary to Article 15(1) of Directive 2002/58 as long as those data have been retained in compliance with the requirements laid down in that provision, it remains necessary, in order to answer the questions referred to the Court for a preliminary ruling, to examine whether the conditions governing Hadopi’s access to IP addresses assigned to the source of a connection are, in themselves, consistent with that provision, particularly as regards whether or not a prior review of such access by a court or an independent administrative authority is necessary.
89. Having analysed the preliminary issue of the retention of IP addresses assigned to the source of a connection, I will now examine the issue of Hadopi’s access to those data in the light of Article 15(1) of Directive 2002/58.
5. Access by HADOPI to civil identity data corresponding to IP addresses
90. It is apparent from the Court’s case-law concerning the objectives capable of justifying a national measure derogating from the principle of confidentiality of electronic communications that access to the data must correspond, strictly and objectively, to one of those objectives, and that the objective pursued by that measure must be proportionate to the seriousness of the interference with fundamental rights entailed by that access. (45)
91. Moreover, as explained above, (46) access to data retained by providers in accordance with a measure taken under Article 15(1) of Directive 2002/58 may, in principle, be justified only by the public interest objective for which those providers were ordered to retain those data. (47)
92. The Court has thus held, in accordance with the principle of proportionality, that serious interference can be justified, in areas of prevention, investigation, detection and prosecution of criminal offences, only by the objective of combating crime which must also be defined as serious. (48)
93. In that regard, I note that, contrary to the submissions of the French Government and the Commission, Hadopi’s access to civil identity data corresponding to an IP address indeed constitutes a serious interference with fundamental rights. This is not only a question of accessing civil identity data, which are not, in themselves, particularly sensitive data, but rather of linking those data to a wider range of data, namely IP addresses, as well as, as the applicants in the main proceedings point out, extracts from files downloaded in breach of copyright. It therefore involves connecting a person’s civil identity to the content of the file viewed and to the IP address through which that viewing took place.
94. However, just as I am in favour of also allowing the retention of data constituting a serious interference with fundamental rights for the purposes of preventing, investigating, detecting and prosecuting online criminal offences for which the IP address is the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified, (49) I believe that access to those data should be made possible so as to pursue the same objective, short of accepting general impunity for offences committed exclusively online.
95. Hadopi’s access to civil identity data linked to an IP address therefore appears to me to be justified by the public interest objective for which providers of electronic communications services were ordered to retain the data.
96. The case-law of the Court nevertheless makes clear that national legislation governing access by the competent authorities to retained traffic and location data cannot be limited to requiring that access should be consistent with the objective pursued by that legislation, but must also lay down the substantive and procedural conditions governing the competent national authorities’ access to the data concerned. (50)
97. In particular, the Court has held that since general access to all retained data, irrespective of whether there is any link with the intended purpose, cannot be regarded as limited to what is strictly necessary, the national legislation must be based on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to users’ data, so as to verify that access is granted only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. (51)
98. Thus, according to the case-law, in order to ensure, in practice, that those conditions are fully respected, it is essential that access of the competent national authorities to retained data should, as a general rule, be subject to a prior review carried out either by a court or by an independent administrative body. (52)
99. However, I note that the Court established that requirement of a prior review of access to personal data in specific circumstances which differ from those in the present case, involving particularly serious interferences with the private lives of users of electronic communications services.
100. Indeed, each of the judgments in which that requirement was stressed were concerned with national measures permitting access to all traffic and location data of users covering all electronic communications services (53) or, at least, fixed and mobile telephony. (54) More specifically, at issue was access to a ‘set of … data, that are liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she uses and to allow precise conclusions to be drawn concerning his or her private life’, (55) so that the requirement of a prior review of access to those data by a court or an independent administrative body arises, in my view, only in those circumstances.
101. First, Hadopi’s access is limited to linking civil identity data to the IP address used and to the file viewed at a given point in time; it does not enable the competent authorities to reconstruct the online clickstream of the user in question or, therefore, to draw precise conclusions concerning his or her private life beyond the identification of the specific file viewed when the infringement was committed. Accordingly, such access does not make it possible to track all the online activities of the user in question.
102. Second, those data cover only the data of persons who, as recorded in the reports drawn up by the rightholder organisations, have engaged in conduct liable to constitute a failure to fulfil the obligation laid down in Article L. 336-3 of the CPI. Hadopi’s access to civil identity data linked to IP addresses is thus strictly limited to what is necessary to achieve the objective pursued, namely the prevention, investigation, detection and prosecution of online criminal offences for which the IP address is the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the offence to be identified, of which the graduated response mechanism forms part.
103. In those circumstances, I take the view that Article 15(1) of Directive 2002/58 does not require a prior review of Hadopi’s access to civil identity data linked to users’ IP addresses by a court or an independent administrative body.
104. As to the remainder, I would point out, as the French Government does, that while Hadopi’s access to those data is not subject to a prior review by a court or an independent body, that access does not however entirely escape review, since the file sent by Hadopi to the electronic communications operators is compiled each day by a sworn official on the basis of the referrals received, a random sample of which are validated before being added to the file. (56) Above all, it should be noted that the graduated response procedure is subject to the provisions of Directive (EU) 2016/680. (57) As such, the natural persons targeted by Hadopi are protected by the package of substantive and procedural safeguards established by that directive. Those safeguards include the right of access, rectification and erasure of personal data processed by Hadopi, and the possibility of lodging a complaint with an independent supervisory authority, followed, where appropriate, by a judicial remedy under the conditions of general law. (58)
105. Accordingly, I propose that the following answer be given to the first and second questions referred for a preliminary ruling: Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as not precluding national legislation which allows providers of electronic communications services to retain, and an administrative authority, responsible for protecting copyright and related rights against infringements of those rights committed on the internet, to access data which is limited to civil identity data corresponding to IP addresses, so that that authority can identify the holders of those addresses suspected of having committed those infringements and, if appropriate, take action against them, where that access is not subject to a prior review by a court or an independent administrative body, provided that those data are the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the infringement to be identified.
B. Third question referred for a preliminary ruling
106. By its third question, the referring court seeks to ascertain whether, if the first and second questions are answered in the affirmative, and having regard to the fact that civil identity data are not particularly sensitive data, to the strict framework for access to the data and to the requirement not to jeopardise the public service mission entrusted to the administrative authority in question, Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding the prior review of access from being performed in an adapted fashion, for example as an automated review, where applicable under the supervision of a department within the body which offers guarantees of independence and impartiality in relation to the officials who have the task of collecting the data.
107. It follows from the wording of the third question and from the French Government’s written answer to the questions put by the Court that the adapted review methods referred to in the third question relate not to an existing review mechanism under national law, but to the avenues that may be explored to bring the French mechanism into line with EU law, if necessary.
108. It is settled case-law that the purpose of a request for a preliminary ruling is not to enable advisory opinions on general and hypothetical questions to be delivered, but rather to meet the need for the effective resolution of a dispute concerning EU law. (59)
109. Since the third question referred for a preliminary ruling is, in my view, hypothetical, it must be declared inadmissible.
110. In any event, in the light of the answers which I propose be given to the first and second questions referred for a preliminary ruling, there is no need to answer the third question
V. Conclusion
111. In the light of all of the foregoing considerations, I propose that the Court give the following answers to the questions referred for a preliminary ruling by the Conseil d’État (Council of State, France):
Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in the light of Articles 7, 8, 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union,
must be interpreted as not precluding national legislation which allows providers of electronic communications services to retain, and an administrative authority, responsible for protecting copyright and related rights against infringements of those rights committed on the internet, to access data which is limited to civil identity data corresponding to IP addresses, so that that authority can identify the holders of those addresses suspected of having committed those infringements and, if appropriate, take action against them, where that access is not subject to a prior review by a court or an independent administrative body, provided that those data are the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the infringement to be identified.