Sweden: Proposed legislation – Rights holders may request and process IP addresses of those alleged to be engaged in illegal file sharing

22 November 2007

Henrik Nilsson, Josefine Jonsson

Law enforcement agencies in Sweden and many other countries have been viewed as slow to act to investigate instances of illegal file sharing. One option for rights holders is to promote such investigations themselves by gathering information on perceived illegal activities.

The Swedish Data Inspection Board (the “Board”) however found in a decision in June 2005 that the activities of the Swedish “Antipiratbyrån” (Anti-Piracy Bureau), a film and computer gaming industry group, which had collected and processed IP addresses of suspected file sharers of illegal material, was a breach of Section 21 of the Personal Data Act (1998:204) (the “Act”). This Section of the Act prohibits parties other than public authorities to process personal data concerning criminal offences. This decision was later upheld by the Stockholm Administrative Court of Appeals in June 2007.

In October 2005 the Board granted the Anti-Piracy Bureau, and also the Swedish branch of IFPI (International Federation of the Phonographic Industry) an individual exemption from the prohibition. This exemption shows that the Act provides an appropriate opportunity for legitimate undertakings to process data in the form of IP addresses.

However, rights holders and their associations do not have the right to require ISPs and similar providers of electronic communication services to disclose information relating to their subscribers and users.

On 7 July 2007, the Swedish Ministry of Justice published a report proposing to implement Directive 2004/48/EC on the enforcement of intellectual property rights (IPRED I). The implementation should have been completed by 29 April 2006. It is noteworthy because of its suggestion that right holders should be given the right to seek court orders against natural and legal persons alleged to have infringed intellectual property rights. The court orders would require recipients to disclose the information required to investigate the allegations. The report proposed that ISPs and similar service providers should be required to disclose information regarding their subscriber’s activities including the identity of a subscriber using any IP address. The report further proposed that rights holders processing IP addresses in order to investigate and file charges against suspected illegal file sharers should be permitted and so individual exemptions would no longer be required.

The report derives its support for these proposed measures from Section 9 of the preamble to IPRED I, which refers to the internet as enabling pirated products to be distributed instantly around the globe. It also relies on Article 8.1 (c), which states that competent judicial authorities may order the infringer or any person providing services used in infringing activities on a commercial scale to provide information about the origin and distribution networks of goods or services which infringe an intellectual property right.

The report qualifies its proposals by reference to a matter currently before the European Court of Justice (ECJ). The report acknowledges that the ECJ may provide guidance on these issues in its decision in case C-275/06, Productores de Música de España (Promusuicae) v. Telefónica de España SAU.

In this case, a Spanish court sought guidance as to whether a regulation on data retention prohibiting disclosure of traffic data for purposes other than in the course of a criminal investigation or for national security purposes, is compatible with EU law. This regulation prohibits disclosure of traffic data in a civil dispute. The Spanish court lists a number of statutes in copyright law-related directives, including the IPRED I-article noted above, which may be interpreted as placing Member States under an obligation to enable rights holders to acquire such information.

The Advocate-General’s opinion in this case was delivered on 18 July 2007. In her opinion (paragraphs 125 – 127) she stated that the Spanish regulation is compatible with EU Copyright law. In adopting the Copyright Directives it was stated explicitly that they should not affect substantive law on personal data protection.

The Advocate-General’s opinion was seen by some participants in the Swedish debate as an argument against the approach taken in the IPRED implementation proposal. It is not clear however, whether the opinion also covers whether Member States may offer such a tool to rights holders. If the ECJ follows the opinion, we will know that Member States have the option not to offer such a tool to rights holders.