IP addresses as personal data - the CJEU's judgment in C-582/14 Breyer

Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission

Background

In the Breyer case the CJEU was asked by the German Supreme Court (Bundesgerichtshof) if dynamic IP addresses are personal data within the meaning of the EU Data Protection Directive and to what extent they can be stored and processed to ensure the general operability of websites. Mr Breyer, the applicant in this case, is a German politician and privacy activist. He visited various websites of the German federal institutions. The information about the IP addresses of the visitors (or more precisely of the owners of the devices from which the websites were visited) as well as the information about the name of the accessed web page or file, the terms entered in the search fields, the time of access and the quantity of data transferred is stored in the log files after the visit.

One of the aims of the storage of those data is to prevent cyberattacks and enable prosecution of those who committed them. Mr Breyer did not agree with the storage of his IP address after the consultation of the websites and in the proceedings before the German court he requested the German government to cease this practice. The case eventually went up to the German Supreme Court which decided to seek interpretative guidance from the CJEU.

The questions of the German Supreme Court were specifically focussed on dynamic IP addresses. These are less privacy-invasive than static IP addresses. The difference between them is that the dynamic ones change with every new connection to the internet and the static ones do not. IP addresses are assigned by Internet Service Providers (ISPs) and take the form of a series of digits. In principle, in itself they do not reveal the identity of a specific natural person but can be combined with other information to identify the owner of a device that connects to the internet. Typically such other information is at the disposal of the ISP. In its Scarlet Extended judgment of 2011 the CJEU clarified that, from the perspective of the ISP, IP addresses are personal data. However, in the Breyer case the scenario was different. The German federal institutions which run the websites only had the IP addresses and the additional information that is needed to identify the visitors of those websites was held by the ISPs. The CJEU was asked to clarify if the German federal institutions (the data controllers) should treat the IP addresses as personal data even if they are not in possession of this additional information.

The CJEU's analysis

In its judgment of 19 October 2016 the CJEU referred to the definition of personal data in Article 2(a) of the Data Protection Directive 95/46/EC. This definition covers any information that relates to an individual who is identifiable, either directly or indirectly. In consequence, information can be regarded as personal data even if it does not itself identify a specific person.

Further indications on how to assess identifiability are given in Recital 26 of the Directive. This Recital clarifies that when determining if a given person is identifiable one should look at all the means that the data controller or any other person are likely to reasonably use to identify the person. On the basis of those indications the CJEU went on to examine if it is reasonably likely that the IP addresses held by the German federal institutions will be combined with the additional information held by the ISPs. The CJEU followed the line taken on this point in the Opinion of the Advocate General  (AG) and stated that the combination would not be reasonably likely if it was prohibited by law or disproportionately difficult in terms of time, cost and man-power. In the German scenario, the ISPs are not allowed to directly transmit such information to website providers. On the other hand, in the event of cyber-attacks the website providers can contact the competent authorities which then can obtain the additional information from the ISPs. The availability of this legal channel led the CJEU to conclude that, for the German federal institutions, the IP addresses of the visitors of their websites are personal data because these visitors can be identified with the help of the competent authorities and of the ISPs.

The CJEU then examined if the German federal institutions can store and process the IP addresses after the end of the visit of their website to ensure the general operability of the websites. Under the relevant provisions of the German Law on telemedia (Telemediengesetz - TMG) the collection and processing of users' data is allowed only in so far as this is necessary to facilitate and charge for the specific use of the online service. This does not seem to include the purpose of ensuring the general operability of the websites. The CJEU was therefore asked to clarify if the German provisions are compatible with Article 7(f) of the Data Protection Directive. The latter Article authorises the processing of personal data when it is necessary for the legitimate interests of the data controller or of third parties to whom the data are disclosed. This authorisation does not apply if the legitimate interests are overridden by the fundamental rights and freedoms of the person whose data is at stake (the data subject).

Since the maintenance of the operability of the websites and the prevention of cyberattacks might ultimately lead to criminal proceedings against the perpetrators the CJEU contemplated if the processing of IP addresses in such circumstances is not excluded from the Directive altogether. It looked into Article 3(2) first indent of the Directive which excludes the processing of personal data carried out in the context of criminal law activities of the State. It concluded that in the scenario at hand the German federal institutions are not acting as State authorities but rather as individuals.

As far as Article 7(f) is concerned the CJEU referred to its case-law (the ASNEF judgment of 2011). This judgment acknowledges that the legal bases for the processing of personal data that are set out in Article 7 of the Directive are exhaustive and that the Member States cannot add any new principles or impose additional requirements in that regard. Under Article 5 of the Directive the Member States can merely specify the conditions under which the processing is lawful but this needs to remain within the limits of Article 7 and of the objective of the Directive which seeks to strike a balance between the free movement of personal data and the protection of private life.

Against this background, the CJEU found that by excluding the possibility of processing to ensure the general operability of the websites the German provisions go further than just specifying the conditions of lawfulness. For the CJEU, these provisions should enable the balancing of the objective of ensuring the operability of the websites with the fundamental rights and freedoms of the users. Normally this balancing is to be carried out on a case-by-case basis. The German provisions exclude this possibility by categorically prescribing the result of this balancing from the outset. 

Comments

The judgment of the CJEU is generally in line with the previous case-law on the Data Protection Directive which tends to favour a wide interpretation of the main concepts of the Directive, such as the definitions of personal data and of processing. This interpretation is also compatible with the view of the Article 29 Data Protection Working Party which (in its Opinion of 2007) considers IP addresses as personal data with only one exception, i.e. of addresses allocated in cyber cafes or similar places where the users of computers are normally anonymous.

The reply of the CJEU to the second question, i.e. if the IP addresses can be processed to ensure the general operability of the websites might, to a certain extent, be open to interpretation. On the one hand, the CJEU acknowledges that the purpose of ensuring the operability of the website is a legitimate aim of the German federal institutions under Article 7(f) of the Data Protection Directive. On the other hand, it reminds that such legitimate aims must be weighed against the fundamental rights and freedoms of the data subjects. Thus, it would seem that the provider of the website might not always be allowed to retain IP addresses without any further considerations. Instead, he might need to weigh the opposing interests when assessing individual situations. The CJEU itself does not spell out the criteria which should be taken into account when carrying out this kind of assessment.

An interesting suggestion was made in the Opinion of the AG. When analysing the wording of Recital 26 which reads that the assessment of the identifiability of a person must look at all the means that might be used not only by the data controller but also by any other person he comes to the conclusion that the formulation "any other person" should rather be understood as meaning only certain third parties which are accessible to the data controller and which the latter might reasonably approach to obtain the additional information. The CJEU did not address this issue in its judgment but by analysing only the option where the German federal institutions turn to the authorities that are competent to prosecute cyberattacks which then approach the ISPs to obtain the additional information the Court stayed within the limits of the suggestion put forward by the AG because these two third parties were either directly or indirectly accessible to the federal institutions. On the other hand, the question of the German court specifically mentioned the ISPs as the source of the additional information and did not ask about other possible scenarios.

Another interesting point was made in the course of the CJEU's analysis of whether the processing of IP addresses can be excluded from the Data Protection Directive as an activity of the State in the area of criminal law. Both the Court and the AG did not see any room for this exclusion to apply in the case at hand because the German Federal institutions were not acting in their capacity of public authorities when they processed the IP addresses. For the CJEU and the AG they acted as individuals. However, the term "individual" is normally used as a synonym for "natural person". For example the full titles of EU and international data protection instruments refer to the "protection of individuals with regard to the processing of personal data" (Data Protection Directive 95/46, Regulation 45/2001, Convention No. 108 of the Council of Europe).

This might be important in the context of another exclusion under the Data Protection Directive, namely the exclusion of the processing of personal data by natural persons in the course of a purely personal or household activity. Although it seems counterintuitive for a public authority to invoke an exception that is intended for natural persons it does not seem to be impossible when looking at the case-law of the CJEU on the exclusions. Out of the three CJEU cases which dealt with the latter exclusion, two of them (Rynes, Lindqvist) related to situations where personal data was indeed processed by a natural person, but the Satamedia case involved the processing by a private  company.

 

In Satamedia, the CJEU on the one hand concluded that Satamedia and Markkinapörssi were private companies and therefore could not rely on the exception for the State activities in criminal law. On the other hand, it then analysed if their processing could not be excluded as a purely personal or household activity and rejected this option because the companies in question were making the collected data accessible to an unrestricted number of people. Given the CJEU's and the AG's firm assertion in the Breyer case that the German federal institutions were processing IP addresses as individuals and the fact that the CJEU did not rule out this option in the case of private companies it seems possible to envisage a public authority invoking the private and household exclusion. In any event, the substantive conditions attached to the personal and household exception are rather strict. In all of the three previous CJEU cases mentioned above this exclusion was rejected because the data in question was published on the internet, made accessible to an unrestricted number of people or was outside the private setting of the person who collected it (videosurveillance of public spaces).

Finally, the scenario in the Breyer case seems to be very similar to pseudonymisation of personal data, i.e. a concept introduced in the new General Data Protection Regulation (GDPR, which will apply from 25 May 2018) and defined therein as  "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person". Under the GDPR pseudonymous data are nevertheless treated as data relating to an identifiable person and hence personal data but pseudonymisation is taken into account in the application of some of its provisions.

Photo credit: Digiquip group 

EU copyright law: Is the REDA report a leap forward for the parody exception?

 

By Sabine Jacques

 In mid-January, Julia Reda (Pirate Party MEP) communicated a draft of her report on the implementation of the Information Society Directive (‘InfoSoc Directive) 2001/29/EC (it’s lengthy, but a summary can be found here). Described as ‘the most progressive official EU document on copyright since the first cat picture was published on the web’, but also as being ‘surprisingly extreme’ and even being ‘inacceptable’, this report attracted widespread interest and statements of support from different digital rights organisations.

While the report rightly urges for an ever-increasing ‘internet-friendly copyright law’, the report might have gone too far in relation to parodies. Article 5.3(k) of the InfoSoc Directive currently provides the possibility for EU Member States to introduce a parody exception for the purposes of parody, pastiche and caricature to the exclusive right of reproduction in their national copyright laws (this opportunity was seized by the UK which now includes a parody exception in section 30A CDPA). This provision was interpreted by the Court of Justice of the European Union in the Deckmyn case, guiding national courts in their application of the exception to particular facts (for comments on this decision see here and the AG’s opinion see here).

At 17 on page 6 of the report, Julia Reda suggests ‘that the exception for caricature, parody and pastiche should apply regardless of the purpose of the parodic use’. Without further explanations, such a broad exception raises concerns.

The parody exception is an exception to the right-holder’s exclusive right of reproduction. As such, international treaties subject it to the application of the three-step test (Berne Convention art. 9(2), TRIPS Agreement arts. 9(1) and 13; and, WCT arts. 1(4) and 10). This test requires any exceptions in national legislation to be limited to ‘certain special cases, provided that such reproduction does not conflict with a normal exploitation of the work and does not unreasonably prejudice the legitimate interests of the author’. The French authorities’ response appropriately expresses concerns that a parody exception applicable outside any purpose of parody is unlikely to meet the first step of ‘certain special cases’. As this requirement means that a shapeless provision exempting broad series of uses should not be tolerable and reflects the need for legislators to reconcile opposing interests.

The exception for the purpose of parody, caricature or pastiche aims to provide the possibility for parodists to copy copyrighted works in limited circumstances. The current parody exception is the result of a compromise in light of the objectives underlying the exception. The issue opposes the interests of right-holders (who are entitled to be rewarded for their creation) against the interest of the users (who need to reproduce prior works to create the new work). Removing its purpose is likely to amount to a shapeless exception rebuffed by international obligations.

Yet, La Quadrature du Net interprets Julia Reda’s proposal as: ‘to admit the parody exception for non-humorous creations’. If this is her aim, this could be achieved through the current wording of the exception for the purpose of parody.

The Court of Justice of the European Union has defined ‘parody’ through its requirements in Deckmyn. At para 20, the Court notes that a parody needs: ‘to evoke an existing work while being noticeably different from it, and, secondly, to constitute an expression of humour or mockery’.

The expression of humour or mockery does not exclude the expression of criticisms. By requiring the parodist to have a humorous intent, it is suggested that a broad interpretation should prevail as to include playful, homage or serious expressions (a glimpse at French case law which knows a long history of the application of the parody exception shows evidence of serious expressions and the inclusion of satire). The limit being that the expression should refrain from being prejudicial to the person of the author or his work(s). The failure to meet this requirement enables the right-holder to enforce his or her moral rights (especially the integrity right). Additionally, where an individual is defamed, this person can bring an action under defamation law.

Also, the primary justification to the introduction of a parody exception is to facilitate the exercise of one’s freedom of expression. While freedom of expression is already considered in the current InfoSoc Directive (Recital 3 reads: ‘The proposed harmonisation will help to implement the four freedoms of the internal market and relates to compliance with the fundamental principles of law and especially of property, including intellectual property, and freedom of expression and the public interest.’) and the interpretation of the parody exception in Deckmyn (at para 25), the report (recitals C and D) confirms the importance of the relationship between copyright and related rights and freedom of expression both protected under the Charter of Fundamental Rights of the European Union (respectively enshrined in article 17(2) and 11).

Yet, the concerns expressed by Julia Reda concerning the likelihood of achieving harmonisation of the exceptions throughout the EU territory under the current InfoSoc Directive (at 10) are shared. Additionally, her wish to make copyright exceptions mandatory is welcomed (at 11) and would certainly contribute to the objective of harmonisation desired.

To conclude, it must be reminded that this report is merely a draft. This one will now be handed over to the Legal Affairs Committee and to the Internal Market and Culture committees. Overall, the report makes important proposals but there is still room for improvement. Against this backdrop, care must be taken regarding the details of each provision such as for the parody exception to ensure that the impact of the exception applicable outside parody uses does not disrupt the balance desired between the interests of right-holders and parodists.

‘We can laugh at everything, but not with everyone!’ Parody and limits to freedom of expression: the CJEU decision in the Deckmyn case

By Sabine Jacques

PhD student focussing on the parody exception 

at the School of Law, University of Nottingham (UK)

Since the Advocate-General’s opinion (still not available in English; but this opinion has been commented upon here), parody has attracted a lot of attention. Today, the Court of Justice of the European Union (CJEU) issued its judgment which is likely to attract twice as much attention. As a reminder, the eventful introduction of a parody exception in UK copyright law is scheduled to enter into force on 1^st October 2014.

The facts

This dispute concerns copyright and more specifically the interpretation of Article 5(3)(k) of the Infosoc Directive which allows Member States to introduce an exception to the reproduction right (Article 2 of the Directive) and the right of communication to the public (Article 3 of the Directive) for the purpose of caricature, parody or pastiche. The facts relate to a calendar parodying a well-known Spike and Suzy (Suske and Wiske) album cover to promote a political message of the Vlaams Belang’s party (Flemish nationalist political party). The two works are illustrated above.

Against this background, the Belgian court of first instance granted an interim injunction preventing further distribution of the calendar. Subsequently, the defendants appealed this decision and the Brussels Court of Appeal decided to refer to the CJEU.

The Court’s judgment

First of all, the CJEU ruled, in conformity with the analysis of the Advocate-General in his opinion, that that ‘parody’ is an autonomous concept of EU law, which should be given uniform interpretation throughout the Union. The optional character of the exception does not rule out the principle of uniform application of EU law (see Padawan, C-467/08, paras 32-33).

Moving to the interpretation of the parody exception, the CJEU begins by reminding us that where no definition is provided, the usual meaning of terms is to be preferred. Expanding on the meaning of the term ‘parody’, the Court holds that ‘the essential characteristics of parody are, first, to evoke an existing work while being noticeably different from it, and, secondly, to constitute an expression of humour or mockery’.

Furthermore, the national court had asked if there were further requirements applicable before the parody exception could be invoked. The CJEU answered that parody does not have to be original (besides carrying apparent differences with the original work it is borrowing from), the new work does not have to be attributable to somebody else than the author of the original work nor does it have to relate to or mention its source.

Finally, the CJEU repeats the application of strict interpretation of exceptions to the rights of reproduction and communication, as these are derogations from exclusive rights. However, strict interpretation must enable the effectiveness of the exception (see recital 31 of the Directive, Football Association Premier League and Others, C‑403/08 and C‑429/08, para 163). The CJEU indicates that a fair balance needs to be achieved between the interests of authors and the users’ rights (see Padawan, C-467/08, para 43 and Painer, C-145/10, para 132). This means that courts must balance the exclusive rights of rightholders with the users’ freedom of expression.

To that end, the court takes the example of the facts before it. The drawing at issue presenting original characters distorted as to convey a discriminatory message is likely to have the effect of associating the message with the protected work. If the national court finds that such association is plausible, the court needs to balance freedom of expression with the principle of non-discrimination based on race, colour and ethnic origin (Article 21(1) of the Charter of Fundamental Rights) as rightholders have a legitimate interest in not having their work associated with such a message.

The ball is now in the Belgian court to first determine whether the alleged infringing work falls within the meaning of the Directive and whether the fair balance between rightholders and users is preserved.

Comments

It is not surprising that the Court ruled that parody is an autonomous concept. This is consistent with the CJEU’s case law on the other provisions of the Directive (most notably in Padawan, C-467/08). However it is interesting to see how the Court grasps the concept of parody. By referring to the ordinary meaning of the word, the Court acts as if parody has a similar meaning throughout the Member States. This is absurd as there are so many controversies as to the ordinary meaning of the term already within a single jurisdiction. As a reminder, parody is a multivalent term covering among others satire, pastiche, caricature, spoof, irony and burlesque.

This being said, the Court also established the only two requirements attached to the definition of ‘parody’ under the Directive. Firstly, the new work has to invoke the earlier work while being noticeably different. Essentially, this is the very nature of parody. Through the parody, the parodist aims to bring into the public’s mind the work it is based on without confusing the public as to its creative origin. By the distance operated, the parodist intends to avoid artistic confusion (whereby the public might believe that the new work is a continuation of the protected work) and economic confusion (signifying the public believes that the new work was authorised by the rightholder). In any case, parasitism is excluded.

According to the second requirement, parodies must have a humoristic character. Being a subjective term, this condition could be problematic in practice and calls for further case law. How should ‘humour’ be interpreted? Some jurisdictions have interpreted this concept strictly, but some have quite broadly expanded it to encompass homage and criticism.  Additionally, will this condition be interpreted based on the parodist’s intent or the reaction of the public exposed to the new work? Lastly, the target of the humoristic expression is not specified. Does it have to be the earlier work? The original author? A third subject? Following this, the humoristic element appears difficult to define.

Consequently, it is apparent that other conditions must be set aside. This means that the parodist does not have to acknowledge the borrowings, and the amount reproduced from the original, the motivation of the parodist (such as commercial exploitation), the encroachment of the rightholder’s economic rights, the possible alternatives to the dealing (such as the likelihood to acquire a license) and the originality (understood as the level required to attract copyright protection) are not conditions to the application of the parody exception as enshrined in the Directive.

If the above paragraph is not likely to arouse passion, the developments of the CJEU regarding the balance between the interests of rightholders and the users’ freedom of expression certainly will. The CJEU established that rightholders had a legitimate interest not to have their protected work associated with offensive messages conveyed by the parody. It is dubious how this will be interpreted in practice and whether this will annihilate the effectiveness of the exception. Parody has worn many coats since its origin in Ancient Greece from being playful to dark and acerbic. Today, some of these are likely to be jeopardised.

*The translation of the title quotation is mine. Quotation of Pierre Desproges (French comedian known for his acerbic and dark humour): “On peut rire de tout, mais pas avec tout le monde”.

Barnard & Peers: chapter 9, chapter 14