Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

At the federal level, data processing by public bodies is supervised by the Federal Commissioner for the protection of personal data and freedom of information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit).  At the regional level, supervision is carried out by the commissioners responsible for regional data protection (Landesdatenschutzbeauftragte).  These commissioners are responsible solely to their respective parliaments and normally are not subject to any scrutiny, instruction or other influence from the public bodies they supervise.  However, the organization of the authorities responsible for supervising private entities’ data processing varies among the regions, and all the laws at the regional level expressly subject those supervisory authorities to state scrutiny.

In the judgment, the European Court of Justice emphasized that the EU Data Protection Directive requires “complete independence” of the work of the competent DPAs.  It held that the Federal Republic of Germany had implemented this requirement incorrectly by subjecting the DPAs to state control.  In this regard, the Court’s opinion differed from the view of Advocate General Mazák, who stated in October 2009 that state supervision over DPAs does not mean the DPAs cannot execute their work completely independently.  In contrast, the European Court of Justice held that the DPAs for the private sector should not be subject to any outside influence.

Even before the Court’s decision, some of the German federal states had already begun to reorganize the responsibilities for supervision of data protection and to unify supervision.  This judgment will force the remaining federal states to do so as well, and could lead to an overhaul of the organization of DPAs in Germany.  Moreover, the judgment will most likely also have broader implications across Europe, given that a number of DPAs in other Member States are also not believed to work with complete independence.  Reorganization of DPAs to give them more independence could also result in more compliance and enforcement actions, and may raise the threshold for the European Commission to issue adequacy decisions concerning the level of data protection in other countries.

Dr. Jörg Hladjk, an associate in the Brussels office of Hunton & Williams, discussed the decision in an article published in the BNA’s Privacy Law Watch™ on March 10, 2010.

The following are the major findings of the study:

At the European level:

• As confirmed by the European Court of Justice in the Promusicae (Productores de Música de España (Promusicae) v. Telefónica de España SAU (C-275/06)) and Tele2 (LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v. Tele2 Telecommunication GmbH (C-557/07)) cases, there is no direct legal conflict between the European legal framework for data protection and online copyright enforcement.
• However, the Court’s decisions leave open several important questions, such as how to apply the proportionality principle in practice and how to strike a fair balance between the various rights involved (i.e., data protection and the right to property).  These issues thus seem to be left to the Member States, and there is little or no harmonization of them at the EU level.

At the Member State level:

• IP addresses are generally considered by DPAs and courts to be personal data, although courts in some countries (e.g., France) have taken conflicting positions on this issue.
• IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing and invoicing), and that consent is generally required to process them for other purposes (such as online copyright enforcement).
• IP addresses processed in the context of online copyright enforcement may be considered to be sensitive data (judicial data), except in Spain.
• ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to certain governmental authorities is allowed).
• The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions.
• The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.
• The disclosure of P2P users’ identities by ISPs to judicial authorities in the context of criminal proceedings is generally authorized.
• The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law.  In particular, ISPs generally may not disclose P2P users’ identities to right holders outside the context of judicial (administrative) proceedings.
• In most Member States, it seems that little consideration was given to the interaction between data protection rules and implementation of the IP Enforcement Directive.

As the study demonstrates, the relationship between data protection law and online copyright enforcement is far from being settled.  This issue will certainly be discussed in the coming months during the ongoing debate on the review of the General Data Protection Directive at the European level, and in the context of the debate around possible graduated response mechanisms at the national level.