Waiting for Constantin: Hague District Court orders release of ISP user data, including e-mail addresses
Directive 2004/48/EC (the Enforcement Directive) allows rightsholders to obtain, from intermediaries, information concerning infringers. But what kind of information can be requested? The District Court of the Hague addressed the question in a recent decision, ruling inter alia on the compatibility of such a request with Regulation 2016/679 (the General Data Protection Regulation, commonly known as GDPR).
The decision [here] is of particular interest because a closely related question is currently pending before the Court of Justice of the European Union (CJEU) in C-264/19 Constantin Film Verleih [here]. Advocate General (AG) Saugmandsgaard Øe recently issued his opinion in that case, [here, Katpost here], finding that "names and addresses" in Article 8(2)(a) Enforcement Directive is limited to names an physical addresses, thus excluding e-mail addresses or phone numbers.
The Hague district court, however, ordered the internet service provider (ISP) to also disclose the infringing users' e-mail addresses. Let's take a closer look to see why.
Background of the case & relation to Constantin Film
Dish Network provides a paid television service that allows users to stream content protected by copyright. WorldStream is an ISP that provides hosting services. Four WorldStream users had been providing illegal streaming services that infringed the copyrights held or licensed by Dish Network. The latter sent notice & take-down letters to WorldStream, which subsequently blocked the relevant IP-addresses.
The dispute arose when Dish Network requested information from WorldStream that would allow it to identify the users behind the IP-addresses. WorldStream was only willing to provide that information if Dish Network would indemnify it for any liability under the GDPR. Dissatisfied with the offer, Dish Network initiated proceedings against WorldStream. Dish Network was in possession of the users' IP addresses and requested the following information:
(A) Name and address of the users, including their e-mail address and, in the case of legal persons, their registration number in their home state's corporate register;
(B) The users' phone numbers, date of birth and user ID at WorldStream and, in the case of legal persons, all of this information for their legal representative; and
(C) A large swathe of other information, including payment information, users' traffic data, correspondence with WorldServe, users' other IP addresses, and more.
The facts in Constantin Film are rather similar: there, producer Constantin Film sued YouTube and Google to obtain information about users that uploaded infringing content. Constantin Film only knew the user name of the users and requested their e-mail address, phone number and IP addresses.
|You're not getting my sister's e-mail address, or her phone number!|
Legal basis for the decision
An important factor distinguishing the Dish Network case from Constantin Film is that the legal basis for Dish Network's claim was not the Dutch implementation of Article 8 Enforcement Directive (which would have been Article 1019f of the Dutch Code of Civil Procedure or DCCP), but rather a general access to evidence provision (Art. 843a DCCP) in conjunction with the implementation of Article 6 Enforcement Directive (Art. 1019a DCCP).
The general access to evidence provision allows any party to request from its counterparty evidence if: (1) it has a legitimate interest in obtaining it; (2) the request targets specifically identified evidence; (3) which is in the other party's possession; and (4) pertains to a legal relationship to which the claimant is a party. The District Court decided on Dish Network's claims by reference to these four requirements.
Because the legal basis was not Article 8 Enforcement Directive, the District Court did not have to address the proper interpretation of "names and addresses" in this provision. Most likely, Articles 843a and 1019a DCCP must be understood as national statutory provisions which "grant the rightholder rights to receive fuller information" within the meaning of Article 8(3)(a) Enforcement Directive. In his opinion, AG Øe noted that this provision is an expression of the minimum harmonisation intended in the Enforcement Directive. Hence, the Directive leaves open the possibility for Member States to provide further-reaching means of information assembly to rightholders, and it would seem that the Dutch legislator has opted to do so.
The District Court's analysis
The District Court held that conditions (1) and (4) were satisfied by Dish Network, i.e. it had a legitimate interest in obtaining the information and it made sufficiently credible that its IP rights were indeed being violated by WorldStream's clients to warrant disclosure.
Still, the District Court limited disclosure only to names, addresses, e-mail addresses and, in the case of legal persons, registration numbers (as outlined under (A) above). It refused ordering disclosure of further information as outlined under B. and C. above, i.e. phone numbers, dates of birth, payment information and other data. The reason for this was twofold.
First, the District Court considered the further data to be insufficiently identified within the meaning of Art. 843a DCCP's second requirement. That is somewhat surprising: this requirement seeks to prevent "fishing expeditions", i.e. vague and broad disclosure requests that are intended to turn up useful evidence of which the claimant was not aware beforehand. But many of the data requested by Dish Network was quite specific: there is nothing unspecified about, e.g., payment data or correspondence between the client and WorldStream.
Second, the District Court applied something of a proportionality test. It reasoned that names, addresses and e-mail addresses would be sufficient to identify the infringing users for purposes of targeting them for enforcement, so that the requests for the other data were rejected. The District Court also found that conversely, because the disclosure order was rather limited, it did not constitute an excessive burden on WorldStream.
Test for GDPR compliance
Lastly, the District Court addressed the allowability of the disclosure order under the GDPR. It did so on the basis of Article 6(1)(f) GDPR, which allows processing of personal data where this is "necessary for the purposes of the legitimate interests pursued … by a third party."
The District Court applied a proportionality and subsidiarity test to the question whether the processing was "necessary". It held that Dish Network had no other means to trace the infringing users so as to enforce its IP rights (subsidiarity) and disclosure was sufficiently limited to make it proportionate. It further held that Dish Network's interests in enforcing its IP outweigh the fundamental rights of the infringing users to privacy, since those latter rights do not entitle the users to anonymous infringement of Dish Network's exclusive rights.
A final complication was that Dish Network is an American entity. The GDPR sets additional requirements for data transfers to third countries, and it was not in dispute that those requirements were not met for Dish Network. However, the District Court held that a derogation was allowable because the transfer was necessary "for the establishment, exercise or defense legal claims" (Article 49(1)(e) GDPR).
In her recent post, fellow Kat Eleonora suggested that AG Øe's (literal) interpretation of "names and addresses" as excluding any information but physical addresses is rather narrow. I agree: in this day and age in general, and in the context of enforcement of IP rights in particular, one would expect "address" to be read broader. The good news brought by the District Court's decision is that, at least under Dutch law, a more pragmatic approach is possible. That may also alleviate some of the concerns on whether further-reaching national provisions can provide effective consolation for rightholders.
However, if it is correct, as AG Øe notes in para 58, that Article 8(2) Enforcement Directive was intended to strike a balance between IP holders' rights under Article 17(2) Charter and rights of infringers under Article 8 Charter, then this raises questions on the meaning of "minimum harmonisation".
Within the context of the Enforcement Directive, "minimum harmonisation" is commonly understood to mean a base level of enforcement possibilities for IPR holders, which Member States may expand. Some authors believe this to mean that safeguards for infringers may be overruled by Member States wishing to strengthen rightholders' positions at their expense. I believe this view to be flawed as it would render meaningless the balance struck by the Enforcement Directive between various competing interests. The safeguards that the Enforcement Directive provides to infringers constitute ceilings to allowable enforcement of IP rights.
However, if this latter view is correct, one wonders to what extent the balance struck in Article 8(2) Enforcement Directive likewise places a ceiling on "rights to receive fuller information" under Article 8(3). Presumably, Member States could not enact legislation that allows rightholders to claim any information they desire: some limits must exist. Indeed, the referring court in Constantin Film noted that provision of personal data beyond "names and addresses", as mandated by Article 8(2) Enforcement Directive, implicates the users' right to privacy. If the phrase "names and addresses" in Article 8(2) reflects the balance between IP rights and privacy, then how can national laws provide for further-reaching disclosure obligations that would upset this balance?
Waiting for Constantin: Hague District Court orders release of ISP user data, including e-mail addresses Reviewed by Léon Dijkman on Wednesday, May 13, 2020 Rating: