EU Court Of Justice Says ISPs Can Be Forced To Reveal Info On Accused Infringement

from the no-privacy-violations dept

A few years ago, we wrote about how Swedish ISP ePhone was refusing to hand over info on its subscribers who were accused of infringement, arguing that the country's IPRED (IP enforcement) law was in violation of EU law. That case bounced around the Swedish courts before hitting the EU Court of Justice, who recently decided that it is perfectly reasonable for ISPs to be ordered to hand over customer info -- if certain specific conditions are met to keep it in-line with the EU data retention rules.

While perhaps somewhat unfortunate from a privacy perspective, I don't actually find the ruling to be that surprising, and the impact is not all that far-reaching. It's pretty well-established that companies can be compelled to give up private info on people as part of a legal dispute. The larger concern should be over the standard of evidence required before such info is handed over (and also whether or not the accused has the opportunity to anonymously fight the release of info, should he or she believe that the release would be in error). The EU Court of Justice has had some good rulings lately, pushing back on copyright maximalism, but this particular ruling isn't really all that surprising, given the details. In fact, the full ruling suggests that it was tackling a very narrow question that really changes little. It doesn't even say that such info should always be given up -- just that, if certain conditions are met, it could be legal to require ISPs to hand it over.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Tor (profile), 24 Apr 2012 @ 6:13am

    "decided that it is perfectly reasonable for ISPs to be ordered to hand over customer info -- if certain specific conditions are met to keep it in-line with the EU data retention rules"

    I believe those specific conditions are set out in other directives -- not the EU data retention directive. The data retention directive quite explicitly states that data stored for the purpose of that directive can only be handed out to competent authorities - not private parties. Now if the data was stored in a database that was not mandated by the data retention directive, then it's another story.

    It's not entirely clear to me how one should reconcile this verdict with the earlier suggested verdict by the advocate general. Specifically point 60:
    "For the disclosure of personal data to be possible, EU law requires that an obligation to retain data be provided for in national law, in order to specify the types of data to be retained, the purposes of retaining the data, the period of retention and the persons with access to said data. It would be contrary to the principles of the protection of personal data to make use of databases that exist for purposes other than those thus defined by the legislature."

    There is no law in Sweden that says that IP address logs should be retained for the purpose of being used in civil suits. This verdict doesn't really seem to explicitly contradict the statement of the advocate general. I wonder if that's because the court disagrees, agrees but didn't find it relevant in its answer to the questions, or if I have misunderstood something (I'm not a lawyer after all).

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.