The E-Privacy Directive (2002/58/EC) prohibits access to the content and related traffic data of electronic communications without the user’s consent. Member States must also ensure that access to information stored on a user’s terminal equipment is only allowed with the user’s consent.  Member States can restrict the scope of these laws where it is a necessary, appropriate and proportionate measure to safeguard, amongst other things, the prevention, investigation, detection and prosecution of criminal offences (Article 15(1)).

Hadopi, the French administrative authority responsible for protecting copyright against online infringements (now part of Arcom), operates a graduated response mechanism to combat the sharing of copyright-protected content on peer-to-peer networks without the rightsholder’s consent. The mechanism involves the collection, retention and access to the IP addresses of individuals uploading content which is then linked by Hadopi to the uploader’s identity and contact details, enabling Hadopi to identify, contact and pursue legal proceedings against perpetrators of copyright infringements. The Court of Justice of the EU was asked to consider whether the access and storage of this data by Hadopi satisfies the conditions of Article 15(1).

Case law establishes that the proportionality requirement under Article 15(1) is determined by the seriousness of the interference with the privacy of the individual concerned and the necessity of the measure adopted. Also, access to traffic data, such as IP address, should be subject to a prior review by a court or independent administrative independent body, something lacking in Hadopi’s processes.

In line with his first opinion given a year ago, the AG has held that the Hadopi mechanism satisfies the requirements of Article 15(1). In the AG’s view, the data is used solely to link an individual with file upload in breach of copyright law and the data does not enable a detailed profile of the person who uploaded the content to be produced. The Hadopi process does not entail collecting a person’s entire traffic or location data. In addition, the retention and access to the identity of a person corresponding to their IP address is the only means of identifying users committing online infringements. As for the requirement for a prior review by a court or administrative body, in the AG’s view the case law suggests that this is dependent on the seriousness of the privacy interference. In this case, the data which Hadopi collects is limited to what is strictly necessary and does not enable precise conclusions to be drawn concerning the private lives of users.

AG’s Opinions are influential, not binding. The EU court will deliver its judgment in due course.

To access the Opinion, click here.