When the Fight Against Online Piracy meets the GDPR

Order from the Paris Tribunal de grande instance, August 2, 2019

Online piracy has been an ongoing battle for over twenty years, and rights holders have developed several tools to fight it. Amongst these tools, numerous companies offer services consisting in the monitoring of content-sharing platforms in order to record the IP addresses of internet users who are caught sharing protected content unlawfully. This decades-old fight abruptly encountered EU’s shiny new GDPR in a ruling issued by the Paris first-level court on August 2, 2019.

The case opposed a Canadian movie producer and a French internet service provider. The former had noticed that some of the works it had produced were unlawfully shared online and entrusted a German company with the mission to gather and record data on the internet users who were doing the sharing. The data collected by the German company comprised the IP addresses of the internet users, as well as the dates and times of the downloads, the titles of the works downloaded and the names of the ISPs who had issued the IP addresses.

The Canadian producer then introduced emergency proceedings before the Paris Tribunal de grande instance, seeking an injunction against the French ISP which would force it to reveal the identity of the internet users hidden behind the collected IP addresses.

As its main defense, the French ISP raised the GDPR and the French act on the protection of personal data. It argued that the collection and processing of IP addresses by the Canadian producer did not comply with these two pieces of legislation, making the list of IP addresses illegal and therefore unusable by the Canadian procedure as a valid basis for its action.

The tribunal approved the French ISP’s argument and dismissed the Canadian producer’s action.

In details, the tribunal first concluded that the GDPR applied to the Canadian producer under its article 3. 2. (b) which provides that the “Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to […] the monitoring of their behavior as far as their behavior takes place within the Union”.

The tribunal stated that the Canadian producer’s argument that it was not “profiling” internet users was irrelevant to the issue of the GDPR’s territorial scope: article 3. 2. (b) concerns the monitoring of internet users’ behavior, which is different than the profiling of such users based on their behavior.

The tribunal then established the list of GDPR obligations that the Canadian producer should have complied with:

–        Designating a representative in the European Union;

–        Establishing and maintaining a record of processing;

–   Designating a DPO. On this point, the tribunal made the general statement that “the IP addresses collected as part of the fight against online piracy must be considered as a processing on a large scale of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR”, which is one of the situations where a DPO is mandatory;

–        Implementing appropriate security measures;

–        Providing appropriate safeguards in relation to the transfer of personal data out of the E.U. As a reminder, Canada is considered “adequate” only in relation to processing carried out as part of commercial activities.

The Canadian producer failed to offer proof of compliance with these obligations. It only produced: (i) a 2017 declaration to the CNIL – which does not guarantee compliance and does not have any more legal value since the entry into application of the GDPR ; and (ii) a written statement by the German lawyers of the service provider who collected the IP addresses, certifying that their client complied with the laws pertaining to the protection of personal data. Because the attorney certificate only concerned the service provider and not the Canadian producer – who was acting as data controller – it could not serve as evidence of the Canadian producer’s own compliance.

As a consequence, the Canadian producer will not be able to take action against the internet users who unlawfully shared its productions. This decision could be considered harsh in some ways, as the Canadian producer was only trying to enforce legal rights. In any case, this decision illustrates the importance of the GDPR’s reach, extending well beyond the EU borders and day-to-day commercial processing.