Tuesday, July 12, 2005

Dutch ISPs Don't Have to Provide Customer's IDs to BREIN

Today a Court in the Netherlands has ruled in a summary proceeding that Internet Service Providers don't have to hand over the identifying information of their customers to anti-piracy organisation BREIN. BREIN had requested that the ISPs provided the identifying information behind the IP addresses of alleged file-sharers. The Court ruled that BREIN's collection of IP addresses was not in line with Dutch data protection law, amongst others because BREIN used a professional, American company for the collection.

The premise in this case is that IP addresses are personal data under the Dutch Personal Data Protection Act (WBP), as was confirmed by the main Dutch Data Protection Authority (CBP). BREIN did not contest this, thus accepting the stringent regime that comes with the Personal Data Protection Act. ISPs have to judge if a request by BREIN would be in line with the Personal Data Protection Act, balancing the interests of their customers against BREIN's and weighing the legitimacy of providing identifying information on itself. The ISPs claimed that BREIN's request didn't fulfill the conditions of the Personal Data Protection Act, most importantly in this case because BREIN used a (professional) third-party to collect and process the IP addresses: the American organisation MediaSentry. Last year the CBP decided that the collection and storage of IP addresses may only be legitimate if BREIN would do this themselves. The CBP has not ruled about BREIN's practice of using a third party, but the Court considered that in the current situation the third-party collection can not be deemed legitimate and it is likely that the CBP will rule it illegitimate in the future. Especially, because MediaSentry is an American company and "the United States can't be considered a country with a fitting protection level of personal data". MediaSentry also has not signed a so-called Safe Harbour agreement, conforming to the level of privacy protection under European law. The Court additionally noted that MediaSentry's software scanned all the content of the "shared folder" on the customer's hard disk, which could also contain non-infringing data and personal information. This strengthened the suspicion that BREIN's outsourcing was more privacy invasive.

On these grounds the Court decided that the ISPs not just don't have to hand over the identifying information to BREIN, but that they even "are obligated to deny the request to provide identifying information. The ISPs have to guard that they process personal data [i.c. IP addresses- RL] that have an illegitimate source." Additionally the Court noted that to grant a request like BREIN's it has to be beyond reasonable doubt that the IP addresses are actually connected to customers that really offer illegal music- or other files on their computer. The ISPs showed that BREIN had made considerable errors in making the right connection.

All in all this is a considerable defeat for BREIN, which will appeal the decision. However, the decision is not entirely unfavourable to the organisation. The Court also noted that under the European E-Commerce Directive and the Dutch Civil Code BREIN may request identifying information in a civil case. This was contested by the ISPs, which pointed to criminal proceedings as the road to follow. Also, it is unclear what will happen if BREIN starts to collect and store IP addresses themselves and does not outsource it to (an American) third-party, and is able to match IP addresses to "infringing" customers without substantial error. All questions for future legal deliberations, but for now it's up to BREIN again to make its case.
- - -
Dutch Personal Data Protection Act (unofficial English translation) [PDF]
Court decision [Dutch]
MediaSentry site


Post a Comment

<< Home