
      CJEU Gives File-Sharer Surveillance & Data Retention a Green Light

      news.movim.eu / TorrentFreak · 3 days ago - 19:13 · 7 minutes

    As part of an anti-piracy scheme featuring warning letters, fines, and ISP disconnections, France has monitored and stored data on millions of internet users since 2010.

    Digital rights groups insist that as a general surveillance and data retention scheme, the ‘Hadopi’ program violates fundamental rights.

    Any program that monitors citizens’ internet activities, retains huge amounts of data, and then links identities to IP addresses, must comply with EU rules. Activists said that under EU law, only “serious crime” qualifies and since petty file-sharing fails to make the grade, the whole program represents a mass violation of EU citizens’ fundamental rights.

    Surveillance and Serious Crime

    Seeking confirmation at the highest level, La Quadrature du Net, Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, began their challenge in France. The Council of State referred the matter to the Constitutional Council, which in turn referred questions to the Court of Justice of the European Union (CJEU) for interpretation under EU law.

    EU member states may not pass national laws that allow for the general and indiscriminate retention of traffic and location data. Retention of traffic and location data is permitted on a targeted basis as a “preventative measure” but only when the purpose of retention is to fight “serious crime.”

    In his non-binding opinion, CJEU Advocate General Szpunar described Hadopi’s access to personal data corresponding to an IP address as a “serious interference with fundamental rights,” the clearest sign yet that the right to privacy had already taken a blow.

    CJEU judgments have balanced citizens’ rights and rightsholders’ right to copy many times over the years but here, case law was deemed potentially problematic. In fact so much so, AG Szpunar proposed “readjustment of the case-law of the Court” to ensure that rightsholders would not be left in a position where it was impossible to enforce their rights on BitTorrent and similar networks.

    EU Law Shouldn’t Rule Surveillance Out

    By last September, it was clear that a legal basis needed to be found to allow Hadopi and similar programs to continue. For example, the fluid nature of dynamic IP addresses was mentioned as an obstacle to comprehensive tracking.

    Well-constructed arguments stated that balance could be found in securing the harvested data and, to protect fundamental rights, limitations on how much data could be used in the event an alleged file-sharer was prosecuted.

    Ultimately, however, when infringement occurs exclusively online, an IP address may be the only means to track down an alleged infringer, leading to the conclusion that retention and access to civil identifying data is both “necessary” and “wholly proportionate.”

    Copyrights Trump Privacy Rights

    In its decision handed down Tuesday, initially only in French, the CJEU leaves no stone unturned in delivering a win for rightsholders. Despite the problematic case law, the judgment builds a framework for how monitoring and data retention can be conducted within the requirements of EU law.

    The judgment deals with three key questions, summarized as follows:

    1. Is civil identity data corresponding to an IP address included among the traffic and location data which, in principle, requires prior review by a court or administrative entity?

    2. If yes, is EU law to be interpreted as precluding national legislation that provides for the collection of such data, corresponding to users’ IP addresses, without prior review by a court or administrative entity?

    3. If yes, does EU law preclude the review from being performed in an adapted fashion, for example as an automated review?

    In other words, are member states precluded from having a national law that authorizes a copyright authority to access stored IP addresses and civil identity data relating to users, collected by rightsholders monitoring their activities on the internet, for the purpose of taking further action, without a review by a court or administrative body?

    Data collected includes date and time of alleged infringement, IP address, peer-to-peer protocol, user pseudonym, details of copyright works, filename, ISP name.

    Ensuring Privacy and Data Security

    The judgment notes that IP addresses can constitute both traffic data and personal data. However, IP addresses that are public and visible, as they are in file-sharing swarms, are not being used in connection with the provision of an ‘electronic communication service’.

    The judgment also states that, if Member States seek to impose “an obligation to retain IP addresses in a general and indiscriminate manner, in order to attain an objective linked to combating criminal offenses in general”, they should lay down clear and precise rules in legislation relating to retention of data, meeting strict requirements.

    IP and civil identity data must be separated from each other and all other data, in a secure and reliable computer system. When IP addresses and civil data need to be linked, a process that does not undermine the “watertight separation” should be used, and regularly inspected for effectiveness. When these rules are followed, even citizens’ data gathered indiscriminately cannot result in “serious interference” to fundamental rights.

    The judgment notes that EU law does not “preclude the Member State concerned from imposing an obligation to retain IP addresses, in a general and indiscriminate manner, for the purposes of combating criminal offenses in general.”

    Balancing Competing Rights

    The CJEU says that while EU citizens using internet services “must have a guarantee that their privacy and freedom of expression” will be respected, those fundamental rights are not absolute. The prevention of crime or the protection of the rights and freedoms of others may see those rights deemed less important.

    Then, with some fluidity, the CJEU pulls the rug on excuses and upgrades petty file-sharing to something, well, a bit more serious.

    To prevent crime, it may be strictly necessary and proportional for IP addresses to be captured and retained for “combating criminal offenses such as offenses infringing copyright or related rights committed online.”

    Indeed, not allowing the above “would carry a real risk of systemic impunity not only for criminal offenses infringing copyright or related rights, but also for other types of criminal offenses committed online or the commission or preparation of which is facilitated by the specific characteristics of the internet.”

    Pirate Privacy? Not Here

    The judgment adds that despite the strict security guarding private information, there’s always a chance that a person might find themselves profiled. And that, the court suggests, may be of their own making.

    [S]uch a risk to privacy may arise, inter alia, where a person engages in activities infringing copyright or related rights on peer-to-peer networks repeatedly, or on a large scale, in connection with protected works of particular types that can be grouped together on the basis of the words in their title, revealing potentially sensitive information about aspects of that person’s private life.

    Thus, in the present case, in the context of the graduated response administrative procedure, a holder of an IP address may be particularly exposed to such a risk to his or her privacy where that procedure reaches the stage at which Hadopi must decide whether or not to refer the matter to the public prosecution service with a view to the prosecution of that person for conduct liable to constitute the minor offense of gross negligence or the offense of counterfeiting.

    Throughout the course of the next few paragraphs, the judgment mentions processing data for the “prevention, investigation, detection or prosecution of criminal offenses,” and a quote from the French government stating that “the measures adopted by Hadopi in the context of the graduated response procedure ‘are of a pre-criminal nature directly linked to the judicial proceedings’.”

    That leads to the predictable conclusion that EU law does not preclude national legislation that allows for the surveillance of internet users and the retention of their data, for the purpose of identifying users and taking legal action against them.

    Member states just need to follow the rules to ensure that those who didn’t have their privacy breached when their data was collected, don’t have it breached or leaked as they wait for whatever punishment arrives in the mail.

    La Quadrature du Net says it’s disappointed with the judgment.

    “[T]his decision from the CJEU has, above all, validated the end of online anonymity. While in 2020 it stated that there was a right to online anonymity enshrined in the ePrivacy Directive, it is now abandoning it.

    Unfortunately, by giving the police broad access to the civil identity associated with an IP address and to the content of a communication, it puts a de facto end to online anonymity.”

    The judgment is available here

    From: TF, for the latest news on copyright battles, piracy and more.


      Dan Solove on Privacy Regulation

      news.movim.eu / Schneier · Wednesday, 24 April - 03:28 · 2 minutes

    Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract:

    In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions. The law can’t stop privacy consent from being a fairy tale, but the law can ensure that the story ends well. I argue that privacy consent should confer less legitimacy and power and that it be backstopped by a set of duties on organizations that process personal data based on consent.

    Full abstract:

    Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic”—it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing.

    There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

    Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

    In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary—an on/off switch—but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

    Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.


      Facebook, Instagram may cut fees by nearly 50% in scramble for DMA compliance

      news.movim.eu / ArsTechnica · Tuesday, 19 March - 16:42


    Meta is considering cutting monthly subscription fees for Facebook and Instagram users in the European Union nearly in half to comply with the Digital Markets Act (DMA), Reuters reported.

    During a day-long public workshop on Meta's DMA compliance, Meta's competition and regulatory director, Tim Lamb, told the European Commission (EC) that individual subscriber fees could be slashed from 9.99 euros to 5.99 euros. Meta is hoping that reducing fees will help to speed up the EC's process for resolving Meta's compliance issues. If Meta's offer is accepted, any additional accounts would then cost 4 euros instead of 6 euros.

    Lamb said that these prices are "by far the lowest end of the range that any reasonable person should be paying for services of these quality," calling it a "serious offer."


      Vending machine error reveals secret face image database of college students

      news.movim.eu / ArsTechnica · Friday, 23 February - 22:02


    Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent.

    The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, "Invenda.Vending.FacialRecognitionApp.exe," displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine.

    "Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.


      Meta relents to EU, allows unlinking of Facebook and Instagram accounts

      news.movim.eu / ArsTechnica · Monday, 22 January - 18:56


    Meta will allow some Facebook and Instagram users to unlink their accounts as part of the platform's efforts to comply with the European Union's Digital Markets Act (DMA) ahead of enforcement starting March 1.

    In a blog, Meta's competition and regulatory director, Tim Lamb, wrote that Instagram and Facebook users in the EU, the European Economic Area, and Switzerland would be notified in the "next few weeks" about "more choices about how they can use" Meta's services and features, including new opportunities to limit data-sharing across apps and services.

    Most significantly, users can choose to either keep their accounts linked or "manage their Instagram and Facebook accounts separately so that their information is no longer used across accounts." Up to this point, linking user accounts had provided Meta with more data to more effectively target ads to more users. The perk of accessing data on Instagram's widening younger user base, TechCrunch noted, was arguably the $1 billion selling point explaining why Facebook acquired Instagram in 2012.


      Meta’s “overpriced” ad-free subscriptions make privacy a “luxury good”: EU suit

      news.movim.eu / ArsTechnica · Thursday, 30 November - 18:37


    Backlash over Meta's ad-free subscription model in the European Union has begun just one month into its launch.

    On Thursday, Europe's largest consumer group, the European Consumer Organization (BEUC), filed a complaint with the network of consumer protection authorities. In a press release, BEUC alleges that Meta's subscription fees for ad-free access to Facebook and Instagram are so unreasonably high that they breach laws designed to protect user privacy as a fundamental right.

    "Meta has been rolling out changes to its service in the EU in November 2023, which require Facebook and Instagram users to either consent to the processing of their data for advertising purposes by the company or pay in order not to be shown advertisements," BEUC's press release said. "The tech giant’s pay-or-consent approach is unfair and must be stopped."


      Disclosure of Pirates’ Identities “Compatible With EU Privacy Laws”

      news.movim.eu / TorrentFreak · Friday, 29 September, 2023 - 07:00 · 6 minutes

    Following the creation of its Hadopi anti-piracy agency over 13 years ago, France monitored and stored data on millions of users suspected of infringing copyrights.

    The majority were BitTorrent users and the plan was to use evidence of their piracy activities as a basis for escalating actions including warnings, fines, and ultimately, internet disconnections.

    Operating the program for a decade cost French taxpayers 82 million euros ($86.5 million) but according to digital rights group La Quadrature du Net, Hadopi’s “mass internet surveillance” destroyed citizens’ fundamental right to privacy.

    In its quest to hold Hadopi to account, La Quadrature du Net highlighted one of the program’s implementing decrees, which authorizes the creation of files containing internet users’ IP addresses plus personal identification data obtained from their internet service providers.

    In the belief that this represents a breach of EU data protection laws, the digital rights group, ISPs, and other like-minded supporters took their fight to the French legal system.

    Referral to the EU’s Highest Court

    In the vast majority of cases, senior judges in EU member states have little need to consult Europe’s highest court. At least in theory, all countries are already in compliance with EU law but every now and again, the gravity of specific cases becomes apparent, resulting in a referral seeking clarification on how EU law should be interpreted.

    In advance of a full ruling, the conundrum posed by the French referral was evident in a non-binding opinion handed down last October by CJEU Advocate General Maciej Szpunar.

    Under EU law, member states may not pass national laws that allow for the general and indiscriminate retention of citizens’ traffic and location data. Retention of such data is permitted on a targeted basis, but only as a “preventative measure” for the purposes of fighting “serious crime.” In respect of the information held by Hadopi, the Advocate General found that when the data points are combined, it’s possible to link French citizens’ identities with the content they access.

    The CJEU’s top legal advisor described the Hadopi situation as “serious interference with fundamental rights” but short of accepting “general impunity for offenses committed exclusively online,” something would have to give. The compromise suggested last year would require “readjustment of the case-law of the Court” to allow rightsholders to enforce their rights when an IP address is the only means by which an infringer can be identified (CJEU, pdf).

    Advocate General Delivers Opinion (Case C-470/21)

    The opinion delivered Thursday begins with an overview of Hadopi and the methods it uses to deter online piracy. By monitoring initial and subsequent acts of infringement and maintaining relevant databases, it’s possible to identify repeat infringers eligible for the next deterrent steps. A decree adopted in 2010 allows Hadopi to request subscriber information from ISPs in response to the provision of IP addresses, mostly obtained from BitTorrent swarms.

    The legal proceedings brought by La Quadrature du Net and the Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, seek to establish whether the collection of civil identity data corresponding to IP addresses, and subsequent automated processing of data to protect intellectual property, are compatible with EU law absent a review by a court or independent administrative body.

    The short answer from the AG’s opinion is that Article 15(1) of Directive 2002/58 (pdf) must be interpreted as not precluding national legislation which allows ISPs and other electronic communications services to retain, and an administrative authority such as Hadopi to access, civil identity data corresponding to IP addresses for the purposes of identifying suspected infringers.

    No court or review body needs to be involved, but use of such data is only permitted when it is the only means of investigation that can enable a suspected infringer to be identified.

    Discussion and Reasoning

    In the opinion of AG Szpunar, there is a need to reconcile the rights at issue; the protection of private life and personal data on one hand, and the right to property enshrined in Article 17 of the Charter, which the graduated response mechanism seeks to uphold by protecting copyright and related rights.

    The opinion notes that “the great majority” of the IP addresses communicated by Hadopi are dynamic IP addresses, which only correspond to a specific identity at a single moment, which precludes any exhaustive tracking.

    “I must emphasise that the protection of fundamental rights on the internet does not in my view justify access to the data relating solely to the IP address, the content of a work and the identity of the person who made it available in breach of copyright not being permitted, but means only that the retention of and access to those data must be accompanied by guarantees,” his opinion continues.

    “To my mind, an analogy with the real world is telling: a person suspected of having committed theft cannot rely on his or her right to protection of his or her private life to prevent those responsible for prosecuting that offense from ascertaining what the content stolen is. On the other hand, that person may rightly rely on his or her fundamental rights to ensure that, during the proceedings, access will not be provided to more extensive data than just the data necessary for the classification of the alleged offense.”

    No Mass Surveillance But a Proportionate Response

    The digital rights groups’ legal action characterizes the Hadopi program as a general surveillance and data retention scheme, operating contrary to fundamental rights. AG Szpunar finds otherwise, noting that there doesn’t even appear to be general surveillance of the users present in peer-to-peer networks.

    “That procedure does not involve monitoring their entire activity on a given network in order to determine whether they have made a work available in breach of copyright, but rather determining, on the basis of a file identified as counterfeit, the holder of the internet access through which the user made the content available,” his opinion reads.

    “[I]t is not a question of monitoring the activity of all users of peer-to-peer networks, but only that of persons uploading infringing files, as the uploading of those files reveals much less information about the person’s private life because files may be uploaded for the sole purpose of enabling those users then to download other files.”

    Inevitable Outcome in Favor of Rightsholders

    The overall conclusion reached by the Advocate General considers the purpose for which the data is harvested and the challenges of identifying suspected online infringers by other means. The inability to establish a detailed profile of a person’s private life via a dynamic IP address is cited on one hand, while the critical value of an IP address in an investigation sits somewhat uncomfortably on the other.

    “[I]t follows from the actual case-law of the Court that, where an offense is committed exclusively online, such as an infringement of copyright on a peer-to-peer network, the IP address may be the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the infringement to be identified,” the AG continues.

    In closing, the retention and access to civil identifying data, corresponding to an IP address for the purposes of prosecuting online infringements, is described as “strictly necessary” and “wholly proportionate” to the objective pursued.

    “Such an interpretation is in my view inevitable,” the AG notes, “unless it is accepted that a whole range of criminal offenses may evade prosecution entirely.”

    The CJEU’s summary and AG Szpunar’s full opinion are available here (pdf) and here.

    CJEU note: The Advocate General’s Opinion is not binding on the Court of Justice. It is the role of the Advocates General to propose to the Court, in complete independence, a legal solution to the cases for which they are responsible. The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.


      Meta loses battle in EU, will ask for consent to show personalized ads

      news.movim.eu / ArsTechnica · Tuesday, 1 August, 2023 - 20:20


    After five years of fighting legal battles to prevent this undesirable outcome, Meta has finally agreed to ask Instagram and Facebook users in the European Union for consent before targeting them with highly personalized ads, a Wall Street Journal report has revealed.

    This means that instead of requiring Meta app users in the EU to agree to invasive data collection used for personalized ads at sign-up, or else fill out a long form to request to opt out, EU users will soon be able to opt in or out by clicking simply yes or no.

    The Journal spoke to sources familiar with Meta's dealings who confirmed that Meta sent a proposal to EU privacy regulators agreeing to shift to this consent legal basis for data collection as early as the end of October.


      Norway has had it with Meta, threatens $100K fines for data violations

      news.movim.eu / ArsTechnica · Tuesday, 18 July, 2023 - 16:52


    Meta's data privacy woes in Europe continue as Norway has announced an immediate ban on "behavioral advertising" on Facebook and Instagram. Until Meta makes some big changes, it will be fined $100,000 daily for Norwegian user privacy breaches, the Norwegian Data Protection Authority, Datatilsynet, said yesterday.

    "Meta tracks in detail the activity of users of its Facebook and Instagram platforms," Datatilsynet's press release said. "Users are profiled based on where they are, what type of content they show interest in, and what they publish, amongst others. These personal profiles are used for marketing purposes—so called behavioral advertising. The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioral advertising on Facebook and Instagram."

    Norway has not banned the apps. Its ban is focused on restricting data collection for behavioral advertising and starts August 4. The temporary ban could drag on for three months unless Meta takes remedial action sooner.
