10 august 2021

CJEU in C-597/19 Mircom: Users of P2P networks might be infringing the right of making works available to the public

On 17 June 2021, the CJEU delivered its judgment in C-597/19 Mircom. It has been established that (automatic) uploading of pieces of a file containing a protected work on P2P networks infringes the making available right under article 3(1) and (2) of the Copyright Directive when a user actively chooses to use sharing software after having been duly informed of its characteristics. Further, a contractual holder of IP rights may in principle benefit from measures under the Enforcement Directive irrespective of actual use of the rights. Last but not least, systematic recording of IP addresses of users of P2P networks allegedly engaging in infringing activity for the purpose of bringing a claim for damages is in line with the GDPR and the Privacy and Electronic Communications Directive.

Javier Domínguez Ferreiro, CC BY-NC-SA 2.0

Mircom is a company holding licenses for communicating to the public erotic films on P2P networks and internet file-sharing platforms. Under those licenses Mircom is required to investigate acts of infringement of film producers’ rights and take legal actions against infringers, passing on 50% of compensation to the film producers.

Mircom (with the help of a third party) collected IP addresses of users whose Internet connection was used to share the files in question on P2P networks. The company then brought an action before the Belgian court seeking that internet service providers provide identification data of its customers based on the collected IP addresses; internet service providers challenged the claim. The Belgian court stayed the proceedings and referred a couple of questions to the CJEU. Those questions relate to the scope of exclusive rights under the Copyright Directive, the admissibility of Mircom’s request under the Enforcement Directive, and the lawfulness of processing of personal data under the GDPRboth in the context of an initial gathering of the IP addresses and request for identifying individuals based on collected IP addresses.

Findings

Communication to the public by users of P2P networks

The first question (as customary, reformulated by the CJEU) was whether uploading via P2P network pieces of a media file containing a protected work, which happens automatically when running sharing software, constitutes making available of that work to the public under the Copyright Directive article 3 (1) and (2), hence, requiring authorisation from the right holder.

First, the CJEU held that there is no de minimis threshold in the P2P context and that the fact that transmitted pieces form a part of a file and are unusable in themselves is irrelevant. What is made available through transmission, the Court reasoned, is a file containing a work, hence, a work in digital format [para. 43]. Even if an individual user might not be possessing or sharing the entire file, he or she contributes to the situation in which users participating in P2P networks have access to the complete file [para 45].

Next, the Court found there an act of making available taking place, as it is sufficient that a work is made available in a way that the public may access it irrespective if they avail themselves to that opportunity [para 47]. The finding was also confirmed by referring to the previous C-610/15 Ziggo (The Pirate Bay) case concerning P2P networks, where operating a platform indexing metadata of torrent files was performing an act of communication to the public [para. 52]. The existence of the public in the present case was further confirmed through a considerable number of persons using the P2P network (as per the list of IP addresses provided by Mircom), able to access protected works at any time and simultaneously [paras 54-55].


"Seeding"
Foto: Pxfuel

Finally, the Court took a stand on the relevance of users’ knowledge of the consequences of using sharing software, namely that such software automatically uploads downloaded pieces of files. The AG in his opinion took the view that the actual knowledge of the consequences was not relevant in the present case as it concerned not an intermediary but rather users performing initial and autonomous communication [paras 54-61]. The CJEU, on the other hand, held that it is for the referring court to determine that the relevant users gave their consent to use the software after having been duly informed of its characteristics [para 49]. Once an active consent is established, the Court held, the deliberate nature of the conduct is confirmed regardless of the fact that uploading is started automatically by the software [49].


Benefiting from measures under the Enforcement Directive without actually using the rights

The second question, slightly reformulated by the CJEU, was whether a contractual holder of IP rights who herself does not use the rights may benefit from measures provided under the Enforcement Directive. The CJEU held that Mircom could have standing as either a contractual holder of the rights or as a person authorised to use IP, which would be for the national court to verify [paras 66-69]. Further, the fact that the party does not use IP rights but merely brings an action does not exclude it from the benefits of the measures provided under the Directive as it would be contrary to the objective of the high level of protection of IP; consequently, non-use cannot affect nature of the rights infringed [paras 74-77].

Lastly, the Court held that the request for information such as that by Mircom could not be regarded as inadmissible on the sole ground that Mircom does not make serious use of the rights. Rather, it would be for the national court to determine whether the request as specifically formulated by Mircom is well-founded and whether Mircom has abused measures, which could lead to a refusal of the request [78-93]. Hence, in principle, the contractual holder of IP rights not using them herself may benefit from the measures under the Enforcement Directive unless it is established, on the basis of a detailed assessment, that a request is abusive, unjustified or disproportionate [para. 96].

Balance between IP enforcement and safeguarding respect for private life and data protection

The third question (in essence, reformulated third and fourth questions) was whether the systematic registration of IP addresses of users on P2P networks who allegedly were involved in an infringement of IP rights and communication of names and postal addresses of those users to right holders or third parties, enabling them to bring a claim for damages, is precluded under the GDPR. The CJEU found that upstream processing, meaning the gathering of IP addresses of P2P network users by a third party on behalf of Mircom could be regarded as lawful for the purposes of filing a request for disclosure of the names and postal addresses. However, it would be for the national court to ascertain such processing under the national law and whether it runs contrary to the Privacy and Electronic Communications Directive protecting the confidentiality of users of electronic communications [paras 102-119].

When it comes to the downstream processing, meaning the request to provide names and addresses for identified IP addresses, the CJEU stated that it is consistent with the objective of striking a fair balance between IP and personal data protection rights and that processing names and addresses cannot, in principle, be classified as a serious interference [paras 120-121]. Although internet services providers do not have an obligation under the GDPR to communicate personal data (here traffic data) to third parties for the purpose of prosecuting for copyright infringements, they could be obliged to communicate data on the basis of the Privacy and Electronic Communications Directive if Member State adopted measures for retention of data for a limited period [paras 126-127]. Hence, if measures for retention of data are in place in a Member State, and if Mircom has legal standing and its request is justified, proportionate and not abusive (all for the national court to investigate), such processing of data must be regarded as lawful under the GDPR [para. 131].

Comment

After the  C-610/15 Ziggo (Pirate Bay) ruling on the management of an online sharing platform indexing torrent files, it was only a matter of time until the CJEU had to rule whether users of P2P networks make works available to the public, even if they do not possess a complete file. In the line of previous development, the Mircom judgment allows finding an infringement of copyright where users of P2P networks use sharing software automatically uploading pieces of files containing a protected work. However, it must be established that that user has actively chosen to use that software by giving consent after being duly informed of its characteristics. Hence, a user ought to be informed in some way about the consequences of using such sharing software, i.e. that upload of already downloaded pieces takes place automatically.  


It is noteworthy that the Court did not follow AG, who proposed to rule that users make a work available to the public by automatically uploading pieces of a file on P2P networks irrespective of the knowledge of the consequences of that act. In this author’s view, the Court’s answer provides a more balanced approach. Even if many internet users would associate the use of P2P networks with piracy or infringing activities and also potentially have knowledge of the automatic uploading feature of such software, it seems too far-reaching to assume a particular level of digital literacy from virtually any internet user. Holding users liable for using software sharing pieces of a file containing a work potentially without them having knowledge of it would set a precedent for targeting individual users unintentionally engaging in some kind of infringing activity.

In the aftermath of the judgment, it remains to be seen how the parties will argue for the presence or absence of user’s active choice to use software in full knowledge of its characteristics, as it would possibly require a case-by-case assessment of a particular situation, analysis of the terms of use and of the notion of duly informed. Could it lead to (another) knowledge presumption for particular user groups or software involved in infringing the exclusive rights?The right holders are likely to argue for knowledge presumption in P2P context, as it would otherwise be difficult to prove an infringement on the sole basis of collected IPs.  Furthermore, the national court’s view on the presence of consent and notion of being duly informed would influence the presence of an alleged infringement and, in turn, grounds for the processing of personal data for the purpose of identifying individuals, such as gathering IP addresses.

The use of a third party for gathering IP addresses in this case is also noteworthy given the CJEU judgment in C-264/19 Constantin Film Verleih, holding that the concept of address under the Enforcement Directive does not cover IP or email addresses. Consequently, right holders can request service providers to disclose only names and postal addresses of alleged infringers unless the national law allows disclosure of further data such as IP or email addresses. In the present case, Mircom had used a third party to collect IP addresses and then, in line with Constantin Film Verleih, requested an internet service provider to match them to a name and address. Whereas such a solution is possible for tracking down infringers in the context of P2P networks through tracking down peers, monitoring, for instance, YouTubes upload traffic is hardly feasible.

Bilde: Marco Verch, CC BY 2.0

Further, on the question of copyright trolls and the possibility to invoke the measures under the Enforcement Directive by the right holder or licensee who does not use the rights herself, the Court rightfully did not concentrate on who suffered prejudice as a result of the alleged infringement, as it is up to the right holder to decide how to assign and exploit the rights. It also appears well-founded not to take the line of AG, according to whom the Directive ought to be interpreted as not allowing parties not exploiting the rights to benefit from measures under the Directive, whereas the Member States remain free to attribute the claims to an assignee. Instead, in principle, the Directive does not preclude the contractual holder from benefiting from the measures, but it is for the national court with all the details at hand to examine whether the request is abusive, unjustified or disproportionate.

In the answer to the last question, the Court stated that collection and matching of IP addresses to names and addresses constitute lawful processing of personal data resulting in no substantial interference when it is done for a legitimate purpose such as to enable raising a claim for damages from allegedly infringing users. However, there needs to be a lawful basis for retaining such data (here IP addresses) by internet service providers under the national law. The fact that it is up to the Member States to adopt measures providing a lawful basis for retaining data by internet service providers highlights that the enforcement of IP is relying heavily on the national law provisions and that Member States have leeway in sanctioning retention of traffic data for a reasonable period which is also in line with the GDPR. It remains to be seen if the Member States will see a need to adopt special measures on the retention of traffic data in the aftermath of the Mircom case to the extent such measures are not already in place.

Liliia Oprysk er førsteamanuensis ved Juridisk fakultet ved Universitetet i Bergen