In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).
The French Intellectual Property Code provides that, apart from reports prepared by police investigators, evidence of copyright infringement may be adduced by the provision of a statement from a sworn agent designated by the rights holders’ representative bodies. Under Article 9 of the French Data Protection Act, processing relating to offences, convictions, and safety measures may be undertaken by the rights holders’ representative bodies and by sworn agents on behalf of rights holders or on behalf of victims of copyright infringements, and for the purpose of ensuring the defense of these rights. However, Article 25 of the same Act requires that such processing, whether automatic or not, be authorized by the CNIL.
On 22 May 2008, the Court of Appeal of Rennes rejected the statement issued by the SACEM agent on the grounds that he had not obtained the prior authorization of the CNIL to collect, preserve, and record a web user’s IP address. On 13 January 2009, the Court of Cassation quashed this decision. The Court of Cassation considered that a sworn agent who accesses manually an individual’s list of files that are uploaded onto a peer-to-peer network in violation of copyrights, without using an automatic monitoring device, does not require a prior authorization of the CNIL. The act of collecting an IP address for the purpose of obtaining an individual’s identity through his internet service provider falls within the powers of a sworn agent and does not constitute data processing. The Court of Cassation did not express a view as to whether an IP address qualifies as personal data. The full text of this decision can be found here (in French).