Privacy, Data Protection and Retention
Google Spain SL v. Agencia Española de Protección de Datos
Closed Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
Promusicae, a non-profit organization composed of producers and publishers of musical and audiovisual recordings, asked the European Court of Justice (“ECJ”) to order Telefonica, an internet service provider, to reveal personal data about its users, since users were allegedly accessing the IP-protected work of Promusicae clients without permission. To that end, the Court examined whether read also in the light of Articles 17 and 47 of the Charter, must be interpreted as requiring Member States to lay down, in order to ensure effective protection of copyright, an obligation to communicate personal data in the context of civil proceedings.
The Court found that the Directives do not require Member States to impose such obligations for the purpose of initiating civil proceedings for the protection of IP rights, and that, when interpreting these Directives, Member States must strike a fair balance between the rights at issue and must take care to apply general principles of proportionality.
In 2005, Promusicae, a non-profit organization of producers and publishers of musical and audiovisual recordings, brought a claim at Commercial Court No. 5 in Madrid, asking for a preliminary measure against Telefonica, an internet service provider [para. 29]. Telefonica users had allegedly used the KaZaA file exchange program (peer-to-peer or P2P) to provide access to shared files to which members of Promusicae held exploitation rights [para.30]. Promusicae argued that this violated its members IP rights and asked the court to order Telefonica to disclose the identities and address of the KaZaA users so it could bring civil claims against them.
The court of first instance accepted this request, but Telefonica appealed on the ground that Spanish legislation allows disclosure of personal data only when “it is authorized…in a criminal investigation or for the purpose of safeguarding public security and national defense, not in civil proceedings or as a preliminary measure relating to civil proceedings” [para.33]. Promusicae argued that this legislation should be interpreted in accordance with Directives 2000/31, 2001/29 and Directive 2004/48, and Articles 17 and 47 of the UN Charter, which allow such request for other purposes. The appellate court stayed the proceedings and referred the following question to the ECJ for a preliminary ruling:
“Does Community law, specifically Articles 15(2) and 18 of Directive [2000/31], Article 8(1) and (2) of Directive [2001/29], Article 8 of Directive [2004/48] and Articles 17(2) and 47 of the Charter…permit Member States to limit to the context of a criminal investigation or to safeguard public security and national defense, thus excluding civil proceedings, the duty of operators of electronic communications networks and services, providers of access to telecommunications networks and providers of data storage services to retain and make available connection and traffic data generated by the communications established during the supply of an information society service?” [para. 34].
The main issue before the Court was whether an internet service provider (“ISP”) can be obliged to disclose data about its users in order to collect the information to start civil proceedings for sanctioning IP infringements made by its users.
The Court first agreed that the data Promusicae sought was processing personal data under Directive 2002/58. However, the provisions of that Directive specify that only public communications networks and publicly available electronic communications services can use such data, and only for specific purposes (as billing, etc.). Thus, Promusicae’s request was not compatible with Articles 2, 3, 5 and 6 of the Directive [para. 48].
Next, the ECJ examined the request under Article 15 of the Directive, which allows “Member States to adopt legislative measures to restrict the scope inter alia of the obligation to ensure the confidentiality of traffic data, where such a restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. state security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communications system, as referred to in Article 13(1) of Directive 95/46” [para.49]. Even though it is clear that this provision does not refer to civil proceedings, Article 13 of Directive 95/46 “authorizes the Member States to adopt legislative measures to restrict the obligation of confidentiality of personal data where that restriction is necessary inter alia for the protection of the rights and freedoms of others” [para. 53]. Therefore, the Court stated that the measure does not forbid Member States to reveal data in order to initiate civil proceedings, but the measure also cannot be interpreted to impose such an obligation. The Court found that a full examination of the 3 Directives on e-commerce and IP rights was required. These Directives require Member States to protect IP rights across borders.
The Court recognized that the Directives aim to ensure effective protection of IP rights and that, in order to do so, they allow certain measures for national courts to prevent infringement, but these measures do not include an obligation to disclose personal data.
Finally, the domestic court requested a preliminary ruling from the ECJ regarding the right to protect property (including IP) and for a clarification on effective remedy under Articles 17 and 47 of the Charter. The court was asked for clarification on the appropriate balance between the right to protect personal data and the right to private life. The Court stated that all previously mentioned Directives dealt with situations in which measures aimed at the protection of a right might affect personal data protection. However, the Court recognized that these measures must be transposed into national legislation, that the rules feature a high level of generality, and that they should be interpreted in light of the given facts in each situation. For these reasons, Member States must pay close attention to determining the fair balance between intellectual property rights and the right to private life and personal data, and take into account fundamental principles of community law such as the principle of proportionality.
Accordingly, the Court found that “Directives 2000/31, 2001/29, 2004/48 and 2002/58 do not require the Member States to lay down, in a situation such as that in the main proceedings, an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings. However, Community law requires that, when transposing those directives, the Member States take care to rely on an interpretation of them which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality” [para.70].
Moreover, the Advocate General took the position that “it is compatible with Community law for Member States to exclude the communication of personal traffic data for the purpose of bringing civil proceedings against copyright infringements” [para.128].
Thus, the State was not required by law to allow provisions for the disclosure of the defendants’ personal data in the domestic case.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The Court of Justice of the European Union (“ECJ”) reaffirmed the necessity of protecting the right to protection of personal data under Article 8 of the Charter of Fundamental Rights of the European Union and its counterpart in Article 8 of the European Convention on Human Rights (“ECHR”) in deciding whether Member States can impose an obligation to reveal personal data. The obligation would have required internet service providers to disclose information requited in order to initiate civil IP infringement proceedings against internet users. Also, in this regard the Court especially emphasized that some general legal principles in the EC, such as proportionality, had to be respected by all Members.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
This decision from the ECJ provides binding authority for the state that refers the issue to the Court as well as upon the contracting states of the European Union in similar cases. It also presents binding interpretation of the EU acquis.
The decisions of ECJ as highest judicial instance of EU are frequently used as guidance and in other jurisdictions outside EU, especially since they are dealing with interpenetration of the EU law.
Let us know if you notice errors or if the case analysis needs revision.