Four associations for the protection of rights and freedoms on the internet in France, including La Quadrature du Net, issued proceedings in the Conseil d’État seeking repeal of legislation introducing automated personal data processing for the purposes of protecting certain copyright works online.

The claim was rejected at first instance. La Quadrature appealed.

Automated data processing was introduced so that individuals could be sent a warning of what is described in the French IP Code as “gross negligence” for not preventing access to the internet to those intent on committing copyright infringement. Under the IP Code, this is part of the “graduated response” process and involves making recommendations to the individual. La Quadrature said that allowing access to connection data in this way was disproportionate in respect of minor copyright infringements and was being carried out without prior review by an independent and impartial judge or authority, as required by CJEU case law.

The Conseil d’État noted that in order to implement the new legislation, a considerable amount of personal data of users is collected. Further, given the volume of warnings and recommendations issued, making that data collection subject to prior review would render the exercise impossible. The Conseil d’État therefore asked the CJEU for clarification of the scope of prior review and whether personal data corresponding to an IP address is subject to it.

In Advocate General Szpunar’s view, EU law should not be interpreted as precluding measures allowing the general and indiscriminate retention of IP addresses for a limited time, and provided it is strictly necessary for the purposes of preventing, investigating, detecting and prosecuting online criminal offences for which the IP address is the only means of identifying the person connected to the IP address at the time the offence was committed. In so doing, the AG has proposed that some adjustment to the case law on the retention of IP addresses should be made without, however, questioning the requirement for proportionality, given the serious nature of the interference with fundamental rights enshrined in the Charter of Fundamental Rights of the EU.

In the AG’s view, access to identity data linked to IP addresses is justified by the public interest objective according to which providers of electronic communications services can be ordered to retain data.

Further, the AG said, in this case EU law does not require any prior review by a court or independent administrative body because: (i) the access is limited to linking personal data to the IP address in question and to the file viewed at a certain point in time, and does not enable the authorities to reconstruct the clickstream of the user in question or to draw precise conclusions on his or her private life; and (ii) the access is strictly limited to what is necessary to achieve the objective pursued, i.e. the prevention, investigation, detection and prosecution of online criminal offences for which the IP address is the only is the only means of identifying the person connected to the IP address at the time the offence was committed.

Finally, the AG pointed out that the “graduated response” process is subject to the provisions of the Data Protection Law Enforcement Directive (2016/6801/EU) and that as such, the individuals targeted are protected by substantive and procedural guarantees. (Case C-470/21 La Quadrature du Net v Premier ministre EU:C:2022:838 (Opinion of Advocate General) (27 October 2022) — to read the Opinion in full, click here).