The Advocate General of the European Court M. SZPUNAR has issue an opinion in the case C‑470/21 La Quadrature du Net, Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net, French Data Network v Premier ministre, Ministère de la Culture.
The dispute concerns the scope of access to personal data in case of copyright infringements on the internet. The case has the following background:
By application of 12 August 2019 and two supplementary submissions of 12 November 2019 and 6 May 2021, La Quadrature du Net, the Fédération des fournisseurs d’accès à Internet associatifs, Franciliens.net and French Data Network brought an action before the Council of State for annulment of the implied decision by which the Prime Minister, France rejected their application for the repeal of the Decree of 5 March 2010, even though, in their view, that decree and the provisions constituting its legal basis unreasonably interfere with the rights guaranteed by the French Constitution and, in addition, infringe Article 15 of Directive 2002/58 and Articles 7, 8, 11, and 52 of the Charter.
In particular, the applicants in the main proceedings argue that the Decree of 5 March 2010 and the provisions constituting its legal basis permit access to connection data in a manner which is disproportionate to minor copyright infringements committed online, without prior review by a court or an authority offering guarantees of independence and impartiality.
In that regard, the referring court states, first of all, that the Court, in its most recent judgment in La Quadrature du Net and Others, held that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not preclude legislative measures which, for the purposes of safeguarding national security, combating crime and safeguarding public security, provide for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems. Thus, such retention is permissible, without any specific time limit being imposed, for the purposes of investigating, detecting and prosecuting criminal offences in general.
The referring court infers from this that the plea raised by the applicants in the main proceedings, alleging that the Decree of 5 March 2010 is unlawful because it was adopted in the context of action to combat minor offences, must therefore be dismissed.
Next, the referring court observes that the Court, in its judgment in Tele2 Sverige and Watson, held that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation governing the protection and security of traffic and location data, and more particularly, the access of the competent national authorities to retained data, where that access is not subject to a prior review by a court or an independent administrative authority.
It states that the Court, in its judgment in Tele2, made clear that, in order to ensure, in practice, that those conditions are fully respected, it is essential that access of the competent national authorities to retained data should, as a general rule, except in cases of validly established urgency, be subject to the requirement of a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.
The referring court points out that the Court recalled that requirement in its judgment in La Quadrature du Net and Others, concerning the real-time collection of connection data by the intelligence services, and in its judgment in Prokuratuur (Conditions of access to data relating to electronic communications), concerning national authorities’ access to connection data.
Finally, the referring court notes that, since its establishment in 2009, Hadopi has issued over 12.7 million recommendations to subscribers under the graduated response procedure provided for in Article L 331-25 of the CPI, of which 827 791 were issued in 2019 alone. To that end, the officials of Hadopi’s Committee for the protection of rights must be able to collect, each year, a considerable volume of data relating to the civil identity of the users concerned. The referring court considers that, given the volume of those recommendations, making such data collection subject to a prior review might make it impossible for recommendations to be issued at all.
In those circumstances, the Conseil d’État (Council of State) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Are the civil identity data corresponding to an IP address included among the traffic and location data to which, in principle, the requirement [of] prior review by a court or an independent administrative entity [whose decisions are binding] applies?
(2) If the first question is answered in the affirmative, and having regard to the fact that the data relating to the civil identity of users, including their contact details, are not particularly sensitive data, is Directive [2002/58], read in the light of the [Charter], to be interpreted as precluding national legislation which provides for the collection of those data, corresponding to the IP addresses of users, by an administrative authority, without prior review by a court or an independent administrative entity [whose decisions are binding]?
(3) If the second question is answered in the affirmative, and having regard to the fact that the data relating to civil identity are not particularly sensitive data, that only those data may be collected and they may be collected solely for the purposes of preventing failures to fulfil obligations which have been defined precisely, exhaustively and restrictively by national law, and that the systematic review of access to the data of each user by a court or a third-party administrative entity [whose decisions are binding] would be liable to jeopardise the fulfilment of the public service [mission] entrusted to the administrative authority which collects those data, which is itself independent, does [Directive 2002/58] preclude the review from being performed in an adapted fashion, for example as an automated review, as the case may be under the supervision of a department within the body which offers guarantees of independence and impartiality in relation to the officials who have the task of collecting the data?’
The Advocate’s opinion:
Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in the light of Articles 7, 8, 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union,
must be interpreted as not precluding national legislation which allows providers of electronic communications services to retain, and an administrative authority, responsible for protecting copyright and related rights against infringements of those rights committed on the internet, to access data which is limited to civil identity data corresponding to IP addresses, so that that authority can identify the holders of those addresses suspected of having committed those infringements and, if appropriate, take action against them, where that access is not subject to a prior review by a court or an independent administrative body, provided that those data are the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the infringement to be identified.