Jusletter IT

The Story of the Two Disclosure Approaches – A comparative study on Austria and Poland

  • Author: Szymon Golebiowski
  • Category: Short Articles
  • Region: Poland
  • Field of law: LEFIS (Legal Framework for the Information Society)
  • Collection: Conference proceedings IRIS 2011
  • Citation: Szymon Golebiowski, The Story of the Two Disclosure Approaches – A comparative study on Austria and Poland, in: Jusletter IT 24 February 2011
The communication of the identity of the tortfeasor to the aggrieved party is an indispensable precondition of initiating civil proceedings. The disclosure of the identity of the alleged infringer constitutes one of the most crucial problems in the European system of the protection of personal data on the Internet. There is no direct provision in the EU legislation and case-law obliging the data controller to communicate the personal data of the alleged infringer on demand of the prospective plaintiff. Moreover, a specific nature of the IP address calls into question its affiliation to the personal data. Even in the Promusicae judgement, the European Court of Justice (ECJ) guided the Member States how to regulate the matter. The leeway left by ECJ for all EEA lawmakers is limited by fair balance between underlying fundamental rights, general principles of EU law and the principle of proportionality. Over recent years many legislative and judicial authorities within the EU had to face the problem of the disclosure of IP addresses for private entities. The problem in question is also connected with Member States’ data retention systems and its compliance with EU standards expressed namely in the E-privacy Directive and the Data Retention Directive. The purpose of this presentation will be to compare and contrast Polish and Austrian approaches towards the problem in the light of Promusicae standard.

Inhaltsverzeichnis

  • 1. Introduction
  • 2. IP address – personal data or something else?
  • 2.1. Promusicae – Solomon’s judgement
  • 2.2. Austrian P2P problem
  • 2.3. Poland – another dimension of disclosure
  • 2.4. Retention – anti-terrorist remedy employment in civil litigation
  • 3. Concluding remarks

1.

Introduction ^

[1]
It is a standard in contemporary legal systems that an infringement (a copyright violation, defamatory statement, press libel, unfair market practice, etc.) entitles an aggrieved party to commence judicial proceedings in order to obtain damages and cease the violation. The globalisation process and the widespread of electronic communication make things complicated. The anonymity of a particular user constitutes a barrier for the prospective plaintiff who cannot name the defendant and initiate civil action properly. To make things worse, the confidentiality of communications is an indispensable precondition of one’s right to privacy.1 The two liberties (i.e. privacy and access to the court) being expressed in several multilateral conventions, EU primary and secondary law and national constitutions are definitely in clash in case of on-line infringements. Leaving aside the problem of web abuses would make the Internet a field of acquiesced illegal activity. On the other hand, strengthening the surveillance over the electronic communication amounts to deprivation of the right to privacy and weaken the trustworthiness of the Internet Service Provider (ISP) who is bound by telecommunications secrecy. ISP would also incur the costs of monitoring what would not be in accordance with the economic interest of a private undertaking. The veil of anonymity is pierced only in the face of justified need thereof.

2.

IP address – personal data or something else? ^

[2]
A person using the Internet leaves traces of her activities therein. However, the technological development makes sometimes difficult or even unable to identify an individual only on the basis of these traces. The crucial piece of information left by a concrete user connecting to the web is an IP address. Being a unique sequence of digits it is attributable to a particular device (namely a computer) at one time. The IP address could be static (the same for one interface) or dynamic (changeable for every connection). This can also alter while changing the connection place and many people can share the same IP. The only entity which is able to link a concrete IP with a subscriber is the ISP.
[3]
The controversial legal issue is the affiliation of IP addresses to personal data. According to the Art. 2(a) of the DPD2 , ‹personal data› shall mean any information relating to an identified or identifiable natural person (‹data subject›); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Similar definitions were adopted by either Art. 6 of Polish Act on the Protection of Personal Data (DPA)3 and § 4 of Austrian Federal Act concerning the Protection of Personal Data (DSG).4 The question is whether the IP address enables the identification of a particular person as it refers only to a device which is not necessarily to be associated with a natural person. The number would be different for every change of network connection (e.g. placing a device in an Internet café or a Local Area Network) which is a common practice in case of mobile devices.5 The static IP is likely to fit in this definition. However, the problem becomes complicated when the dynamic IP address is at stake. According to Art. 29 Working Party Opinion 4/2007 on the concept of personal data, Internet access providers and managers of local area networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically «log» in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the Directive. Further, the Art. 29 Working Party acknowledged that no every IP address enables to identify a particular user, but the ISP does not have a priori knowledge whether the natural person is identifiable or not by the reference to the IP so every address should be regarded as a component of personal data. Such is also the attitude of Polish Inspector General on the Protection of Personal Data (Generalny Inspektor Ochrony Danych Osobowych – GIODO)6 expressed in his official statement.7 The Austrian Telecommunications Act (Telekommunikationsgesetz – TKG8 ) seems to comply with this standard,9 notwithstanding the fact that the Austrian Supreme Court (Oberster Gerichtshof) did not acknowledged IPs to be a subject of telecommunications secrecy10 what raised many controversies.11

2.1.

Promusicae – Solomon’s judgement ^

[4]
In 2007, the ECJ decided thePromusicae case.12 Several users were downloading copyright protected files withpeer-to-peer file sharing method.Promusicae being a collecting society wanted to initiate civil proceedings. It demanded IP addresses from ISP who refused to transfer them claiming that he is not obliged to do so. Upon submission for preliminary ruling, the ECJ ruled that the relevant EU legislation,i.e. ECD13 , ISD14 , IPED15 and EPD16 do not require the Member States to lay down, in a situation such as that in the main proceedings, an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings .17 The ECJ reserved that the interpretation of the directives should be such thata fair balance [is]to be struck between the various fundamental rights protected by the Community legal order .18 The solution adopted by the Member States ought to be in accordance withfundamental rights or with the other general principles of Community law, such as the principle of proportionality .19 The reserved attitude expressed in the judgement is an allowance for the Member States to decide over their own solution over the problem of disclosure of IP addresses upon the demand of the aggrieved party.

2.2.

Austrian P2P problem ^

[5]
Shortly after Spanish request for a preliminary ruling inPromusicae , a similar matter was raised before Austrian jurisdiction20 when several users were downloading the files protected under copyright withpeer-to-peer method. Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH (LSG) – a collecting licensing association demanded IP addresses from ISP – Tele2 Telecommunication GmbH (Tele2). Paragraph 81(1a) of Federal Law on Copyright in Works of Literature and Art and on Related Rights (UrhG)21 stipulates that:

If the person who has committed such an infringement [i.e. of the copyright], or by whom there is a danger of such an infringement being committed, uses the services of an intermediary for that purpose, the intermediary shall also be liable to an injunction under subparagraph (1) [i.e. a restraining injunction].
[6]
Paragraph 87b(3) UrhG imposes on the intermediary an obligation togive the person whose rights have been infringed information as to the identity of the infringer (name and address) or the information necessary to identify the infringer, following an application in writing by the person whose rights have been infringed, such application to include sufficient reasons. The reasons given must include in particular sufficiently precise details as to the facts which give rise to a suspicion that there has been an infringement of rights. The person whose rights have been infringed shall pay the intermediary reasonable compensation for the costs incurred in the provision of that information.
[7]
The defendant refused to disclose the desired data on the ground that he is not the intermediary under relevant Austrian and EU legislation as he only provides the Internet access without exercising effective control over use of the service provided. Based on that fact the violations committed by the users are not attributable to the ISP and he cannot store IP addresses, the defendant claimed that such a practice is prohibited and not compliant with EU legislation. Moreover, Tele2 supported the statement that in accordance with the EU directives, the right to protection of personal data prevails over other values protected by law in the ongoing case. LSG, invoking the stipulations of domestic law, claimed that the ISP is obliged to disclose the IP addresses as he should be treated as the intermediary in accordance with the ISD to enable pursuing copyright violations by holders. Austrian court acknowledged the existence of the obligation to disclose and store the personal data what was the subject matter of appeal and revision.Oberster Gerichtshof being aware ofPromusicae proceedings being in course made reference to the Opinion of Advocate General who questioned the compliance of obligation to disclose and store subscribers‘ personal data for the purposes of civil proceedings. The court asked the ECJ for the preliminary ruling for determination whether the term «intermediary» from the Art. 5(1)(a) is applicable to ISP and whether there is an obligation to disclose and store IP addresses for the purposes of civil proceedings.
[8]
The ECJ delivered an order22 whereby it invokedPromusicae judgement and applicability of EPD in the case. The Court acknowledged that the exception from the personal data protection should notexclude from its [i.e. EPD]scope the protection of the right to property or situations in which authors seek to obtain that protection through civil proceedings .23 Further, the ECJ confirmed the standard expressed inPromusicae stating that there is no obligation imposed on the Member States whether to disclose or not personal data for the purposes of civil proceedings.A fair balance ,fundamental rights ,general rules of Community law andthe principle of proportionality remained safety precautions while exercising this discretionary power.
[9]
Interestingly, the Supreme Court acknowledged the lack of obligation to disclose the data because compliance with such a provision would be contrary to another obligation of ISP who is prohibited to store temporary IP addresses (regarded as traffic data as opposed to permanent ones which are master data and are allowed to be stored pursuant to § 99 para. 1 TKG).24 Prohibition of retention is expressed in EU law as well,inter alia under DPD (Art. 6(1)(e)) and EPD (Art. 6(1-3)). In the clash of two freedoms, the right to privacy preponderates according to Austrian domestic legislation.

2.3.

Poland – another dimension of disclosure ^

[10]
The problem of disclosure of personal data for the purposes of civil proceedings appeared before Polish jurisdiction as well. The point is the judgements concerning the problem were delivered not on the basis of copyright infringement but libels (according to Polish civil code25a violation of personal interest ). In 2004 the Provincial Administrative Court in Warsaw delivered a judgement which did not oblige the ISP to disclose the desired IP addresses26 . The prospective plaintiff felt offended by the content of some forum posts placed on the website by the users. In order to draft the statement of claim properly the civil court demanded the names of the defendants. The ISP refused to do it claiming that there is no provision in Polish legislation obliging the administrator of the data to disclose them to a private petitioner for the purposes of pursuing violations of one’s rights. The Court pointed out the mistake of the legislator who neglected to provide the data for the private sector units in case of justified demand thereof. As a result, DPA was amended in 2004 and the scope of application of the Art. 29 thereof embraced private controllers as well. However, the judgement delivered on the basis of previous legal background was not in favour of the plaintiff.
[11]
The second case concerning IP addresses took place in 2010 before the same court.27 Polish singer, Maryla Rodowicz, decided to sue the two users who wrote some offensive statements against her and her child. In order to commence a lawsuit she also had to place the family names of the defendants on the statement of claim. The ISP refused to reveal the IP addresses and attribute them to particular users as it claimed that they do not constitute personal data, they are protected by the telecommunications confidentiality and finally that despite amending the provision of DPA there is still no obligation to disclose the desired data. The argument concerning lack of IP affiliation to the personal data was quashed on the basis of the invoked Working Party Opinion. The problem in question was treated as a justified exception of confidentiality. However, many controversies were raised by the application of Art. 29 of DPA which lays down as following:

1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.
2. Personal data, exclusive of data referred to in Article 27 paragraph 1 [so-called «sensitive data»], may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.
[12]
The expression «may» in the second paragraph does not point out the subject of the norm. It could be interpreted as a right to disclose the personal data upon controller’s will. This solution could be justified as the way of protecting the telecommunications confidentiality, trustworthiness of ISP and its pecuniary interest. However, it would constitute a great threat for person aggrieved by the on-line abuses and deprive them of any remedy against the tortfeasors. The second interpretation is to impose an obligation on the controller to disclose the data for private entity in case of justified need thereof. It is definitely not in accordance with the literal meaning of the act but is aimed to protect the justified interest of an injured party. The Court have chosen the second option, but ISP lodged an appeal for cassation to the Supreme Administrative Court and the case is still pending (however, SAC suspended the execution of the decision obliging to disclose the addresses28 ).

2.4.

Retention – anti-terrorist remedy employment in civil litigation ^

[13]
As can be understood by the Austrian example, the duty to store the data is an indispensable precondition for effective civil enforcement by right holders. EPD is an EU legal instrument governing data protection in electronic communication. The act obliges ISPs to erase traffic data (inter alia IP addresses) or make them anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to billing purposes, marketing economic services and public interest exceptions (enlisted in DPD, Art. 13(1)). On the other hand, DRD29 obliges Member States to establish a retention period from 6 to 24 months (Art. 6) for IP addresses regarded asdata necessary to trace and identify the source of a communication (Art. 5(1)(a)(2)(iii)). The said Directive raised many objections and fears among Member States and its compliance with ECHR30 and Charter of Fundamental Rights was doubtful. Moreover, the DRD was adopted in reaction to terrorist attacks in London and Madrid (see: Recitals 8 and 10) so it should have been an instrument of Common Foreign and Security Policy and Police and Judicial Co-operation in Criminal Matters (i.e. former Second and Third Pillars) and such were the objections of Ireland who brought an action before the ECJ in opposition against the DRD.31 The implementation of the Directive was also acknowledged to be unconstitutional by Constitutional Supreme Courts in Germany and Romania.32 Recital 25 of the DRD stipulates that Member States are freeto adopt legislative measures concerning the right of access to, and use of, data by national authorities, as designated by them. Issues of access to data retained pursuant to this Directive by national authorities for [activities of former 2nd and 3rd Pillars]fall outside the scope of Community law . In fact, this provision in connection with exception from the standard of protection of personal data prescribed by DPD, Art. 13(1) allows Member States to employ the data retention mechanism for any purposes according to relevant domestic legislation. For example, the period of retention provided by Polish Telecommunications Law,33 Art. 180a is 24 months. Adoption of maximum retention period was justified by transitory localization of the country and alleged threat of terrorist activity.34 In practice, DRD enables to make the exception from a general obligation to erase the data so vast that the guarantees provided by EPD become inapplicable.

3.

Concluding remarks ^

[14]
To sum up, the controversies whether an IP address is personal data in the legal meaning seem to be less fierce after issuance of Article 29 Working Party Opinion on the basis of DPD, Art. 2(a). Notwithstanding, a binding instrument or judicial decision of ECJ would be desirable. However, that is the only point wherewith Member States seem to agree. The problem of disclosure has already been brought before the courts in France35 and the UK36 . By the impact ofPromusicae Member States are free to adopt different solutions over the question of disclosure of IP addresses which are usually influenced by the shape of domestic legislation.
[15]
What can be easily observed by the reference to Austrian and Polish standards is that the obligation to disclose or prohibition thereof is usually not expressed directly and it is a matter of interpretation of national law not only regarding personal data protection and it is dependant on other obligations,e.g. telecommunications secrecy which can occur preponderant. The Austrian solution seems to be in favour of preponderance of communications privacy, which is the result of prohibition of retention. On the other hand, Polish lawmaker and judicial authorities decided otherwise – the right to sue prevailed over confidentiality of communications what was the result of interpretation of wrongly drafted national legislation. The standard can differ depending on Member State and the right protected what can lead to fragmentation of the single market.
[16]
However, the general obligation to disclose IP addresses upon legitimate demand of an aggrieved party seems to be acceptable in the absence of any other remedy protecting a right holder against infringements committed on the Internet. It ought to be limited by the due process requirements and the principle of proportionality (as pointed out by the ECJ inPromusicae) . Moreover, IP addresses collected in the course of retention procedures – implemented in order to combat serious crimes, especially of terrorist character – are likely to be used for the purposes of civil proceedings. In fact, such a framework can be easily circumvented and the right to access to the retained data is likely to be abused by the lawmakers. Undoubtedly, this situation is a result of a shortage of a precise regulation on the EU level.


Árpád Geréd, Rechtsanwalt, BMA Brandstätter Rechtsanwälte GmbH, Wallnerstraße 3, 1010 Wien, AT
arpad.gered@bma-law.com ,www.bma-law.com

  1. 1 See,e.g. Klass and others v Germany. No. 5029/71 A28 E.C.H.R. [1978], para 41.
  2. 2 Data Protection Directive – Directive 95/46/EC.
  3. 3 Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of July 6, 2002, No. 101, item 926 with amendments). Translation available at:http://www.giodo.gov.pl/144/id_art/171/j/en/ .
  4. 4 Datenschutzgesetz 2000 – DSG 2000 (Federal Law Gazette I No. 165/1999 with amendments).
  5. 5 Munir, Abu B. Teh, Tai Y.op.cit.

  6. 6 http://www.giodo.gov.pl/ .
  7. 7 Available at:http://www.giodo.gov.pl/319/id_art/2258/j/pl/ .
  8. 8 Available at:http://www.ris.bka.gv.at/Dokumente/Erv/ERV_2003_1_70/ERV_2003_1_70.pdf (non-official translation).
  9. 9 Enactment of a Telecommunications Act and Amendment of the Federal Act on Work Inspection in the Field of Transport and the KommAustria Act (NR: GP XXII RV 128 AB 184 S. 29. BR: 6800 AB 6804 S. 700.). Art. 92 TKG categorizes static IP addresses as master data and dynamic IP addresses as traffic data.
  10. 10 ORF.IP-Adressen und die Speicherpflicht . Available at:http://www.futurezone.at/it/stories/157236/ .
  11. 11 Bulut, Cevdet.Data Protection in Austria ;European Information Law. Good Governance in the Public Sector . Galewska, Ewa (Editor). Wrocław: published individually. 2010, 107.
  12. 12 Judgment C-275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU [2007], para 70.
  13. 13 E-Commerce Directive –Directive 2000/31/EC.
  14. 14 Information Society Directive – Directive 2001/29/EC.
  15. 15 Intellectual Property Enforcement Directive – Directive 2004/48/EC.
  16. 16 E-Privacy Directive – Directive 2002/58/EC.
  17. 17 Promusicae, para 70.
  18. 18 Ibidem.
  19. 19 Ibidem.
  20. 20 Judgement of 13.11.2007. Doc. No. 4Ob141/07z. Available at:http://www.ris.bka.gv.at .
  21. 21 Federal Law on Copyright in Works of Literature and Art and on Related Rights (BGBl. No. 111/1936, as last amended [BGBl. I No. 25/1998]) (Urheberrechtgesetz).
  22. 22 Order, C-557/07. LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten [2009].
  23. 23 Op.cit. , para. 26.
  24. 24 4Ob41/09x.
  25. 25 Act of April 23, 1964 – Civil Code (Kodeks cywilny) (Journal of Laws of May 18, 1964, No. 16, item 93 with amendments).
  26. 26 Judgement of 9 February 2005, Doc. No. II SA/Wa 1085/04.
  27. 27 Judgement of 3 February 20010, Doc. No. II SA/Wa 1598/09.
  28. 28 Order of 15 July 2010, Doc. No. I OSK 1079/10.
  29. 29 Data Retention Directive – Directive 2006/24/EC.
  30. 30 See,inter alia : Leander v Sweden. No. 9248/81. E.C.H.R. [1987], para 48.
  31. 31 Judgment C-301/06, Ireland v Council of the European Union, European Parliament, para 28-30.
  32. 32 Article 29 Data Protection Working Party. Report 01/2010 on the second joint enforcement action, p. 5. Available at:http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_en.pdf .
  33. 33 Act of July 16, 2004 Telecommunications Law (Journal of Laws of August 3, 2004, No. 171, item 1800 with amendments).
  34. 34 Krasuski, Andrzej.Prawo telekomunikacyjne. Komentarz . Warsaw: LexisNexis. 2007, p. 689-690.
  35. 35 Available at:http://www.legalis.net/breves-article.php3?id_article=1648 .
  36. 36 Available at:http://www.hrothgar.co.uk/YAWS/reps/totalise.htm .