You are currently browsing EDRi's old website. Our new website is available at https://edri.org

EDRI-gram

If you wish to help EDRI promote digital rights, please consider making a private donation.


Flattr this

logo

EDRi booklets

Is the IP address still a personal data in France?

12 September, 2007
» 

Although the answer to this question may be obvious not only in France, but also in Europe, two decisions from the Paris Appeal Court may well change this established understanding.

The decisions, respectively published on 27 April and 15 May 2007, concern individuals to the SCPP (a French collecting society of recording companies), in two cases of music counterfeit using P2P networks. The two appeal procedures included both civil and penal actions and were initiated in the former case by the individual and the public prosecutor and in the latter by the SCPP and the public prosecutor as well. In addition to the first instance decisions made on the counterfeit claims, the Paris Appeal Court had to decide on the conformity of the first instance procedures regarding the collection of IP addresses on the P2P network. In both cases, the individuals claimed that this collection should have been subject to prior authorization by the CNIL (French Data Protection Authority), and consequently concluded to the nullity of the procedure.

These claims were rejected by the Paris Appeal Court, which found that the IP addresses collection was conducted in full compliance with the law in both cases. The Court argued that 'the IP address doesn't allow the identification of the persons who used this computer since only the legitimate authority for investigation (the law enforcement authority) may obtain the user identity from the ISP' (27 April ruling). Surprisingly enough, the Court recognized in the same decision that 'it should also be reminded that each computer connected to the Internet is identified by a unique number called "Internet address" or IP address (internet protocol) that allows to find it among connected computers or to find back the sender of a message'. In its 25 May ruling, the Court considered that 'this series of numbers indeed constitutes by no mean an indirectly nominative data of the person in that it only relates to a machine, and not to the individual who is using the computer in order to commit counterfeit.' The Court conclusion was then that this collection of IP addresses does not constitute a processing of personal data, and consequently was not subject to CNIL prior authorization, as required by the French Data Protection Act.

The CNIL strongly reacted, expressing its worries after these decisions, and asking the French Ministry of Justice to consider filing a Cassation case in the interest of the law against these two rulings, a procedure that should be introduced by the General public prosecutor, and which purpose is to avoid either inconsistent jurisprudence or a jurisprudence not in harmony with the law. The CNIL reminded that, according to the French Data Protection Act, a personal data 'means information relating to a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him. This is the case with a car plate number, a telephone number or an IP address.' The CNIL also noted that the Article 29 Working Party of EU DPAs, 'reminded in an opinion of 20 June 2007 on the concept of personal data, that the IP address attributed to an Internet user during her communications constitutes a personal data.'

In the mean time, the Advocate General of the European Court of Justice, in an entirely separate case lodged for reference by a Spanish Court under the preliminary ruling procedure, took the position that the EU legislation on personal data protection should prevail on the Community law on e-commerce, copyright protection and IP enforcement. The CNIL has obviously duly noted how much these conclusions from the Advocate General - which usually are followed by the ECJ - may influence the future shape of copyright holders actions both when they collect IP addresses and when they undertake enforcement actions to subsequently have Internet users' identity disclosed, making them far more difficult than they currently are in France and elsewhere in Europe. And wisely suggests that it would be appropriate to ask to further ask the ECJ for reference on the nature of the IP address.

Paris Appeal Court decision - Anthony G. vs. SCPP (27.04.2007)
http://www.legalis.net/jurisprudence-decision.php3?id_article=1954

Paris Appeal Court decision - Henri S. vs. SCPP (15.05.2007)
http://www.legalis.net/jurisprudence-decision.php3?id_article=1955

IP address is a personal data for all the European DPAs (2.08.2007)
http://www.cnil.fr/index.php?id=2244

French Data Protection Act (English version, 6.08.2004)
http://www.cnil.fr/fileadmin/documents/uk/78-17VA.pdf

EU Article 29 Working Party Opinion 4/2007 on the concept of personal data (20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en...

ECJ Advocate General Conclusions on case C-257/06 (18.07.2006)
http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&Submit=Reche...

EDRI-gram: ECJ's Advocate General says no handing traffic information in civil cases (1.08.2007)
http://www.edri.org/edrigram/number5.15/traffic-data-civil-cases

(Contribution by Meryem Marzouki, EDRI-member IRIS - France)

‹ OOXML - negative vote at International Organization for StandardizationupUS gains new advantages in the EU-USA PNR agreement ›
Printer-friendly version
 
Site by Floatleft.

Syndicate:

Syndicate contentCreative Commons License

With financial support from the EU's Fundamental Rights and Citizenship Programme.
eu logo